In this guide, you’ll learn how to create and deploy an SCCM client certificate for Windows computers. A certificate issued from the Workstation Authentication template authenticates the client to site systems that run IIS and accept HTTPS client connections.
This guide is an essential part of the PKI certificates deployment for SCCM. In the previous guide, we covered the steps to create and enroll a web server certificate for IIS site systems. The next step is to create a client authentication certificate for Windows devices and auto-enroll it using Group Policy.

Prerequisites
To create a client certificate for Windows computers, the following are the requirements:
- Certificate purpose: Client authentication
- Microsoft certificate template used: Workstation Authentication
- The Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2)
- The Key Usage value must contain Digital Signature, Key Encipherment (a0)
- Client computers must have a unique value in the Subject Name or Subject Alternative Name field, so that the site system can tell clients apart. With the Workstation Authentication template this is the computer's DNS name, built from Active Directory.
Check out the detailed guide by Microsoft on PKI requirements for SCCM, including the certificate requirements.
Create Workstation Authentication Certificate Template
This procedure creates a certificate template for Configuration Manager client computers and adds it to the certification authority.
To begin with, on the member server that is running the Certification Authority console, right-click Certificate Templates and then select Manage to load the Certificate Templates management console.

Right-click the Workstation Authentication template and select Duplicate Template.

On the New Template properties window, switch to the Compatibility tab and configure the following:
- Certificate recipient: Windows XP/Server 2003
- Certificate Authority: Windows 2003 Server

In the Properties of New Template dialog box, select the General tab. Enter a template name, like SCCM Client Certificate; this template will generate the client certificates used on Configuration Manager client computers.
Leave the default validity period of 1 year and renewal period of 6 weeks. Click Apply to save the changes.

Choose the Security tab, select the Domain Computers group, and then select the additional permissions of Read and Autoenroll. Do not clear Enroll. Click OK, and then close the Certificate Templates Console.

Issue Workstation Authentication Certificate Template
In this step, we’ll configure the Certificate Authority to issue the SCCM client certificate. In the Certification Authority console, right-click Certificate Templates and select New > Certificate Template to Issue.

Now select the SCCM client certificate template that you have just created and then click OK. Close the Certification Authority console.
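As an added example that is not part of the original guide, the PowerShell below performs the same publication step from the CA server and, before publishing, checks the duplicated template as stored in Active Directory against the prerequisites listed earlier (Client Authentication EKU, Digital Signature + Key Encipherment key usage, DNS name in Subject or SAN). It assumes the display name "SCCM Client Certificate", which gives the template CN SCCMClientCertificate, and that the RSAT ActiveDirectory module is installed; the flag values are taken from the MS-CRTD specification. The check that the enrollee may not supply its own subject is a security caveat, not a step from the guide: a template that allows it and is autoenrolled by Domain Computers would let any computer request a certificate for any name.

```powershell
# Added example, not part of the original guide: review the duplicated template in AD and
# publish it on the issuing CA. Run on the CA server as a CA admin with RSAT ActiveDirectory.
# Assumption: display name "SCCM Client Certificate" -> template CN "SCCMClientCertificate".
Import-Module ActiveDirectory

$TemplateCN = 'SCCMClientCertificate'
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -Identity $templateDN -Properties pKIExtendedKeyUsage, pKIKeyUsage, 'msPKI-Certificate-Name-Flag'

# 1. EKU must contain Client Authentication (1.3.6.1.5.5.7.3.2)
if ($tpl.pKIExtendedKeyUsage -notcontains '1.3.6.1.5.5.7.3.2') {
    throw "Template $TemplateCN lacks the Client Authentication EKU"
}

# 2. Key Usage: first byte of pKIKeyUsage must include Digital Signature (0x80) and
#    Key Encipherment (0x20), i.e. 0xA0, the "(a0)" from the prerequisites
$ku = [int]$tpl.pKIKeyUsage[0]
if (($ku -band 0xA0) -ne 0xA0) {
    throw ("Key usage byte is 0x{0:X2}; expected Digital Signature + Key Encipherment (0xA0)" -f $ku)
}

# 3. Name flags (MS-CRTD): CT_FLAG_SUBJECT_ALT_REQUIRE_DNS = 0x08000000,
#    CT_FLAG_SUBJECT_REQUIRE_DNS_AS_CN = 0x10000000 put the computer's DNS name in SAN/Subject.
#    CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1 must NOT be set on an autoenrolled client template.
$nameFlag = [int64]$tpl.'msPKI-Certificate-Name-Flag'
if (($nameFlag -band 0x18000000) -eq 0) { throw "Template does not place the DNS name in Subject or SAN" }
if (($nameFlag -band 0x1) -ne 0)        { throw "Template lets the enrollee supply the subject; do not autoenroll it" }

# Publish the template on this CA (equivalent of New > Certificate Template to Issue)
certutil -SetCATemplates "+$TemplateCN" | Out-Null

# Confirm the CA now offers it; lines look like "SCCMClientCertificate: SCCM Client Certificate -- Auto-Enroll"
$offered = certutil -CATemplates
if ($offered -match "^${TemplateCN}:") {
    "Template $TemplateCN is published on the CA"
} else {
    throw "Template $TemplateCN is not in the CA's list of issued templates"
}
```

The AD checks are worth running even if you publish through the console: the GUI shows the same values across several tabs, and a wrong Key Usage or a template that lets the enrollee supply the subject is easy to miss there.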

Configure Auto enrollment of Workstation Authentication Template using Group Policy
This procedure sets up Group Policy to autoenroll the SCCM client certificate on computers. Log in to the domain controller and launch the Server Manager. Now from the menu, select Tools > Group Policy Management.
Right-click the domain, and then choose Create a GPO in this domain and Link it here. On the New GPO window, specify the policy name as “Autoenroll SCCM Client Certificate” and click OK. Linking at the domain root applies the setting to every computer in the domain; link the GPO to an OU instead if you want to limit which computers enroll.

Right-click the GPO and select Edit. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings > Security Settings > Public Key Policies. Right-click the object type named Certificate Services Client – Auto-enrollment, and then click Properties.

From the Configuration Model drop-down list, select Enabled. Now check both of the following options:
- Renew expired certificates, update pending certificates, and remove revoked certificates
- Update certificates that use certificate templates
Click Apply and OK. Close the Group Policy Management Editor. That completes the GPO that automatically enrolls the client certificate.
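As an added example that is not part of the original guide, the PowerShell below creates the same GPO, links it at the domain root and enables Certificate Services Client – Auto-Enrollment with both options checked, using the GroupPolicy module. It assumes the autoenrollment setting is stored as registry-based policy under HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment, where AEPolicy is a bitmask (0x1 = Enabled, 0x2 = renew expired/update pending/remove revoked, 0x4 = update certificates that use templates), so a value of 7 matches the editor configuration in the steps above; the two Offline* values mirror the defaults the editor writes when the setting is enabled.

```powershell
# Added example, not part of the original guide: create, link and configure the
# autoenrollment GPO. Run as a GPO admin where the RSAT GroupPolicy module is installed.
# Assumption: the policy lives under the registry key below and AEPolicy is a bitmask,
#   0x1 = Enabled, 0x2 = renew/update pending/remove revoked, 0x4 = update templates, so 7 = both boxes checked.
Import-Module GroupPolicy

$GpoName  = 'Autoenroll SCCM Client Certificate'
$TargetDN = "$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"   # domain root, as in the guide; use an OU DN to scope

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Autoenroll the SCCM client authentication certificate'
}

# Link it once at the target
$linked = (Get-GPInheritance -Target $TargetDN).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetDN -LinkEnabled Yes | Out-Null
}

$Key = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
# Defaults the editor writes alongside AEPolicy when the setting is enabled
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'OfflineExpirationPercent'    -Type DWord  -Value 10   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'OfflineExpirationStoreNames' -Type String -Value 'MY' | Out-Null

# Read the value back and confirm all three bits are set
$ae = Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'AEPolicy'
if (($ae.Value -band 7) -eq 7) {
    "GPO '$GpoName' enables autoenrollment with renewal and template updates, linked to $TargetDN"
} else {
    throw "AEPolicy is $($ae.Value); expected 7"
}
```

Opening the GPO in the Group Policy Management Editor afterwards should show Certificate Services Client – Auto-Enrollment as Enabled with both check boxes selected; if the editor shows it differently, the stored key or bitmask assumption above does not hold in your environment.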

Automatically Enroll SCCM Client Certificate
In this step, we’ll manually check whether the GPO has deployed the client certificate to Windows computers. Autoenrollment runs when computer Group Policy is applied, so restart the client computers, or refresh Group Policy on them, before checking for the client authentication certificate.
Log in to the client computer and run the command certlm.msc to launch the Certificates console. In the console, expand Certificates (Local Computer) > Personal > Certificates. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column and that SCCM Client Certificate is displayed in the Certificate Template column. Close the console.
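As an added example that is not part of the original guide, the PowerShell below does the same verification on a client without the console: it forces a policy refresh and an autoenrollment pulse, finds the certificate issued from the template in the computer's Personal store, and checks it against the prerequisites (Client Authentication EKU, Digital Signature and Key Encipherment, this computer's FQDN in the SAN or Subject, a valid chain and revocation status). It assumes the template display name "SCCM Client Certificate" and that the Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7) formats with the template name resolved; if only the OID is shown, compare it with the template's OID on the CA instead.

```powershell
# Added example, not part of the original guide: trigger autoenrollment on a client and
# verify the issued certificate. Run in an elevated PowerShell on a domain-joined client.
# Assumption: template display name "SCCM Client Certificate".
$TemplateDisplayName = 'SCCM Client Certificate'
$ClientAuthEku       = '1.3.6.1.5.5.7.3.2'
$TemplateInfoOid     = '1.3.6.1.4.1.311.21.7'   # szOID_CERTIFICATE_TEMPLATE (v2 template info)

# Apply computer policy and kick autoenrollment instead of waiting for a restart
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 10   # enrollment is asynchronous; give the CA a moment

$cs   = Get-CimInstance Win32_ComputerSystem
$fqdn = "$($cs.DNSHostName).$($cs.Domain)"

# Certificates in the computer's Personal store that were issued from our template
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    (($_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid } |
        ForEach-Object { $_.Format($false) }) -match [regex]::Escape($TemplateDisplayName))
}
if (-not $candidates) { throw "No certificate from template '$TemplateDisplayName' in Cert:\LocalMachine\My" }

foreach ($cert in $candidates) {
    $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $kuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $ku     = $kuExt.KeyUsages

    $checks = [ordered]@{
        'EKU contains Client Authentication'     = ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ClientAuthEku
        'Key Usage has Digital Signature'        = $ku.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)
        'Key Usage has Key Encipherment'         = $ku.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)
        "SAN or Subject names this computer"     = ($san -match [regex]::Escape($fqdn)) -or ($cert.Subject -match [regex]::Escape($fqdn))
        'Chain builds and is not revoked'        = [bool](Test-Certificate -Cert $cert -EKU $ClientAuthEku -ErrorAction SilentlyContinue)
        'Outside the 6-week renewal window'      = $cert.NotAfter -gt (Get-Date).AddDays(42)
    }

    "Thumbprint $($cert.Thumbprint), valid $($cert.NotBefore.ToShortDateString()) to $($cert.NotAfter.ToShortDateString())"
    foreach ($c in $checks.GetEnumerator()) {
        "  [{0}] {1}" -f ($(if ($c.Value) { 'PASS' } else { 'FAIL' }), $c.Key)
    }
}
```

A FAIL on the chain check usually means the client does not trust the issuing CA or cannot reach the CRL distribution point, which will also break HTTPS communication with the site systems even though the certificate itself is present.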

Next, log in to your management point server and open the certificates console. Navigate to Personal > Certificates; the client authentication certificate should be present here too, because the site system server is also a member of Domain Computers and receives the same autoenrollment policy.
This confirms that our client computers are successfully provisioned with a Configuration Manager client certificate. In the next guide, we’ll go through the steps for deploying the client certificate for distribution points.
