In this guide, you’ll learn how to create and deploy an SCCM client certificate for Windows computers. The workstation authentication template certificate authenticates the client to site systems that run IIS and support HTTPS client connections.

This guide is an essential part of the PKI certificates deployment for SCCM. In the previous guide, we covered the steps to create and enroll a web server certificate for IIS site systems. The next step is to create a client authentication certificate for Windows devices and auto-enroll it using Group Policy.


Prerequisites

To create a client certificate for Windows computers, the following are the requirements:

  1. Certificate purpose: Client authentication
  2. Microsoft certificate template used: Workstation Authentication
  3. The Enhanced Key Usage value must contain Client Authentication (1.3.6.1.5.5.7.3.2)
  4. The Key Usage value must contain Digital Signature, Key Encipherment (a0)
  5. Client computers must have a unique value in the Subject Name or Subject Alternative Name field.

Check out the detailed guide by Microsoft on PKI requirements for SCCM, including the certificate requirements.

Create Workstation Authentication Certificate Template

This procedure creates a certificate template for Configuration Manager client computers and adds it to the certification authority.

To begin with, on the member server that is running the Certification Authority console, right-click Certificate Templates and then select Manage to load the Certificate Templates management console.

Figure: Create Workstation Authentication Certificate Template

Right-click the Workstation Authentication template and select Duplicate Template.

Figure: Create Workstation Authentication Certificate Template

On the New Template properties window, switch to the Compatibility tab. Here, configure the following:

  • Certificate recipient: Windows XP/Server 2003
  • Certificate Authority: Windows 2003 Server

Figure: Configure Workstation Authentication Certificate Template

In the Properties of New Template dialog box, select the General tab. Enter a template name, like SCCM Client Certificate, to generate the client certificates that will be used on Configuration Manager client computers.

The client certificate will have a validity period of 1 year and the renewal period is set to 6 weeks. Click Apply to save the changes.

Figure: Configure Workstation Authentication Certificate Template

Choose the Security tab, select the Domain Computers group, and then select the additional permissions of Read and Autoenroll. Do not clear Enroll. Click OK, and then close the Certificate Templates Console.

Figure: Workstation Authentication Certificate Template Security Settings

Issue Workstation Authentication Certificate Template

In this step, we’ll issue the SCCM client certificate from the Certificate Authority. In the Certification Authority console, right-click Certificate Templates and select New > Certificate Template to Issue.

Figure: Issue Workstation Authentication Certificate Template

Now select the SCCM client certificate that you have just created and then click OK. Close Certification Authority.

Figure: Issue Workstation Authentication Certificate Template

Configure Auto enrollment of Workstation Authentication Template using Group Policy

This procedure sets up Group Policy to autoenroll the SCCM client certificate on computers. Log in to the domain controller and launch the Server Manager. Now from the menu, select Tools > Group Policy Management.

Right-click the domain, and then choose Create a GPO in this domain and Link it here. On the New GPO window, specify the policy name as “Autoenroll SCCM Client Certificate” and click OK.

Figure: Create a GPO to Auto enroll Workstation Authentication Template

Right-click the GPO and select Edit. In the Group Policy Management Editor, expand Policies under Computer Configuration, and then navigate to Windows Settings > Security Settings > Public Key Policies. Right-click the object type named Certificate Services Client – Auto-enrollment, and then click Properties.

Figure: Configure Auto enrollment of Workstation Authentication Template using Group Policy

From the Configuration Model drop-down list, select Enabled. Now check both of the following options:

  1. Renew expired certificates, update pending certificates, and remove revoked certificates
  2. Update certificates that use certificate templates

Click Apply and OK. Close the Group Policy Management Editor. That completes the process of creating a GPO to automatically enroll the client certificate.

Figure: Configure Auto enrollment of Workstation Authentication Template using Group Policy

Automatically Enroll SCCM Client Certificate

In this step, we’ll manually verify that the GPO has deployed the client certificate to Windows computers. It is recommended that you restart the client computers before checking for the presence of the client authentication certificate.

Log in to the client computer and run the command certlm.msc to launch the Certificates console. In the console, expand Certificates (Local Computer) > Personal > Certificates. In the results pane, confirm that a certificate is displayed that has Client Authentication displayed in the Intended Purpose column and that SCCM Client Certificate is displayed in the Certificate Template column. Close the console.
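The same check can be scripted so that every requirement from the Prerequisites section (template name, Client Authentication EKU, Digital Signature and Key Encipherment key usage, a subject or SAN value, and a private key) is verified in one pass. This is an added example, not part of the original guide; it assumes the template was named "SCCM Client Certificate" as above and that it runs in an elevated session on the domain-joined client or management point.

```powershell
# Added verification script, not from the original article. Assumes the duplicated
# template was named "SCCM Client Certificate" as in the guide; adjust $TemplateName otherwise.
$TemplateName  = 'SCCM Client Certificate'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Enhanced Key Usage: Client Authentication
$KUFlags       = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

# Optional: refresh computer policy and trigger an autoenrollment pass before inspecting the store.
# gpupdate /target:computer /force; certutil -pulse

$results = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Duplicated (v2+) templates record the template in OID 1.3.6.1.4.1.311.21.7; v1 templates
    # use 1.3.6.1.4.1.311.20.2. Format() resolves the template OID to its display name on a domain member.
    $tmplText = ($cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
        ForEach-Object { $_.Format($false) }) -join ' '
    if ($tmplText -notmatch [regex]::Escape($TemplateName)) { continue }

    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }   # Enhanced Key Usage
    $ku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }   # Key Usage
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name

    [pscustomobject]@{
        Subject        = $cert.Subject
        SubjectAltName = if ($san) { $san.Format($false) } else { '(none)' }
        NotAfter       = $cert.NotAfter
        HasClientAuth  = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
        HasDigSig      = [bool]($ku.KeyUsages -band $KUFlags::DigitalSignature)
        HasKeyEnc      = [bool]($ku.KeyUsages -band $KUFlags::KeyEncipherment)
        HasSubjectName = [bool]($cert.Subject -or $san)
        HasPrivateKey  = $cert.HasPrivateKey
        Thumbprint     = $cert.Thumbprint
    }
}

if (-not $results) {
    Write-Warning "No certificate from template '$TemplateName' is in Cert:\LocalMachine\My. Check the GPO link, the template's Autoenroll permission for Domain Computers, and whether the CA issues the template."
} else {
    $results | Format-List
    $failed = $results | Where-Object {
        -not ($_.HasClientAuth -and $_.HasDigSig -and $_.HasKeyEnc -and $_.HasSubjectName -and $_.HasPrivateKey)
    }
    if ($failed) { Write-Warning 'At least one certificate does not meet the SCCM client certificate requirements.' }
}
```

Uniqueness of the subject across computers (prerequisite 5) cannot be proven from a single machine; the script shows each machine's own subject and SAN so they can be compared.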

Figure: Automatically Enroll SCCM Client Certificate

Next, log in to your management point server and open the certificates console. Navigate to Personal > Certificates; there too you should find the client authentication certificate installed.

This confirms that our client computers are successfully provisioned with a Configuration Manager client certificate. In the next guide, we’ll go through the steps for deploying the client certificate for distribution points.

Figure: Automatically Enroll Client Certificate


Prajwal Desai

Prajwal Desai is a technology expert and 10 time Dual Microsoft MVP (Most Valuable Professional) with a strong focus on Microsoft Intune, SCCM, Windows 365, Enterprise Mobility, and Windows. He is a renowned author, speaker, & community leader, known for sharing his expertise & knowledge through his blog, YouTube, conferences, webinars etc.