How do I provision my SCCM client with workstation authentication certificates?

In order for domain clients to automatically enroll for and receive client authentication certificates (necessary for Internet-based client management), you need to enable certificate auto-enrollment on client machines using Group Policy.

1. The necessary setting can be found under:

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment

2. On the Certificate Services Client – Auto-Enrollment properties dialog:

  • Set Configuration Model to Enabled.
  • Check both checkboxes.
  • Set the log expiry events settings to an appropriate value so the computer generates event log entries when the certificate is close to expiring.
  • Make sure the computer is connected to the domain network, and reboot it.

3. Once the computer restarts, you can check the Local Computer certificate store for the presence of the new certificate under Certificates (Local Computer) > Personal > Certificates. If the computer obtained a valid certificate, you should verify that it was issued to the machine by either UIC Issuing CA 1 or UIC Issuing CA2 using the template ACCC Workstation Template.
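
The check in step 3 can also be scripted. The following PowerShell is an added example, not part of the original article: it lists the certificates in the Local Computer Personal store and flags the ones that match the issuer and template named above, carry the Client Authentication usage, have a private key, and have not expired. It assumes both issuing CA names contain the text "UIC Issuing CA" and that Windows can resolve the template OID to its display name, which normally requires the machine to reach the domain.

```powershell
# Added example, not from the original article. Run in PowerShell on the client.
$issuerPattern = 'UIC Issuing CA'             # assumed common prefix of both issuing CAs in step 3
$templateName  = 'ACCC Workstation Template'  # template named in step 3
$clientAuthOid = '1.3.6.1.5.5.7.3.2'          # Client Authentication EKU
$templateOids  = @('1.3.6.1.4.1.311.21.7',    # Certificate Template Information (v2+ templates)
                   '1.3.6.1.4.1.311.20.2')    # Certificate Template Name (v1 templates)

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Decode the template extension; the display name shows only if the OID resolves.
    $tmplExt  = $cert.Extensions |
        Where-Object { $templateOids -contains $_.Oid.Value } |
        Select-Object -First 1
    $tmplText = if ($tmplExt) { $tmplExt.Format($false) } else { '' }

    # Collect the enhanced key usage OIDs present on the certificate.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Template      = $tmplText
        IssuerOk      = $cert.Issuer -like "*$issuerPattern*"
        TemplateOk    = $tmplText -like "*$templateName*"
        ClientAuth    = $ekus -contains $clientAuthOid
        HasPrivateKey = $cert.HasPrivateKey
        DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

$report | Format-List

# A usable certificate must pass every check and still be within its validity period.
$good = @($report | Where-Object {
    $_.IssuerOk -and $_.TemplateOk -and $_.ClientAuth -and $_.HasPrivateKey -and $_.DaysLeft -gt 0
})
if ($good.Count -eq 0) {
    Write-Warning 'No valid workstation authentication certificate found; auto-enrollment may not have run yet.'
} else {
    Write-Output "Found $($good.Count) valid workstation authentication certificate(s)."
}
```

A certificate that shows IssuerOk as True but TemplateOk as False with only an OID in the Template field usually means the template name could not be resolved, not that the wrong template was used; confirm it in the certificate's Details tab.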


Last updated: July 27, 2015