Configuring the client PKI certificate settings is one of the essential steps for HTTPS communication between clients (including Internet clients coming in through the CMG) and the MP/SUP. In this post, we will see how to complete the client PKI setup for co-management scenarios. Once you have a root CA in place, the client PKI certificate configuration is straightforward.
Content of this post
- Decision Making - Client PKI
- Co-Management Related Posts
- Video Tutorial - Configure Client PKI Certs
- Configure Settings for Client PKI certificates
- Step by Step Process to Configure Client PKI Certs
- Bonus Tips about Client PKI Certificates
Decision Making – Client PKI
This is a critical decision point for your device management strategy. Azure AD (AAD) identity is an alternative to client PKI certificates for authenticating clients to the CMG. Even if your machines are AAD joined, you still need server authentication certificates for the CMG and the cloud DP (CDP) that Internet clients trust, which in practice means certificates from a public CA. So you need to decide whether you are going with internal PKI or public PKI for those server certificates, and whether clients authenticate with PKI certificates or with their AAD identity.
How to deploy client PKI certificates to Internet-connected devices is another important point. A further checkpoint before implementing client PKI is whether to enable Clients check the certificate revocation list (CRL) for site systems. I have NOT enabled CRL checking in my lab environment to reduce the overhead. Be clear about what that trade-off means: with CRL checking off, a client still accepts a site system certificate that the CA has revoked, so in production you normally leave it enabled and make sure the CRL distribution point (CDP) URLs in your certificates are reachable from the Internet; otherwise Internet clients fail the check.
Co-Management Related Posts
All co-management video tutorials are collected in one post.
- Overview: Windows 10 Co-Management with Intune and SCCM
- Custom Report to Identify Machines Connected via SCCM CMG
- How to Setup Co-Management - Introduction - Prerequisites - Part 1
- How to Setup Co-Management - Firewall Ports Proxy Requirements - Part 2
- Setup Co-Management - AAD Connect UPN Suffix - Part 3
- Setup Co-Management - CA PKI & Certificates - Part 4
- Setup Co-Management Cloud DP Azure Blob Storage - Part 5
- Setup Co-Management Azure Cloud Services CMG - Part 6
- SCCM Configure Settings for Client PKI certificates - Part 7 (This Post)
- How to Setup SCCM Co-Management to Offload Workloads to Intune - Part 8
- How to Deploy SCCM Client from Intune - Co-Management - Part 9
- End User Experience of Windows 10 Co-Management - Part 10
Video Tutorial – Configure Client PKI Certs
Configure Settings for Client PKI certificates
Select the client computer communication method (HTTPS only, or HTTPS or HTTP) for the site systems (MP/SUP) that use IIS. To use HTTPS, each of those servers must have a valid PKI web server certificate with server authentication capability bound in IIS, and the clients must trust the CA that issued it.
Client Computer Settings
Specify settings for client computers when they communicate with site systems that use IIS. Select Use PKI client certificate (client authentication capability) when available to have clients authenticate with a PKI certificate instead of a self-signed certificate. Public certificates and AAD authentication are the other options instead of client PKI certificates, as mentioned in the decision-making section above.
Step by Step Process to Configure Client PKI Certs
1. In the SCCM CB console, choose Administration.
2. In the Administration workspace, expand Site Configuration, choose Sites, and then choose the primary site server.
3. Right-click the primary site server, choose Properties, and then choose the Client Computer Communication tab.
The Client Computer Communication tab is available on a primary site only. If you do not see it, check that you are not connected to a CAS or to an SCCM secondary site.
4. Choose HTTPS or HTTP when you do not want to require all of your existing SCCM clients to have PKI certificates; HTTPS only refuses clients that don't have one. HTTPS or HTTP lets clients that have a certificate use it while the others keep using HTTP, which is what lets you phase in client PKI for co-management.
If you chose HTTPS or HTTP, select Use client PKI certificate (client authentication capability) when available when you want clients that have a client PKI certificate to use it even for HTTP connections. The client then uses this certificate instead of a self-signed certificate to authenticate itself to site systems. This option is selected automatically if you choose HTTPS only.
When clients are detected to be on the Internet, or they are configured for Internet-only client management, they always use a client PKI certificate.
5. Choose Use PKI client certificate (client authentication capability) when available.
6. Choose Modify to configure the certificate selection method used when more than one valid PKI client certificate is available on a client, and then choose OK. By default the client picks a certificate with client authentication capability and, if several qualify, the one with the longest validity period; you can instead match on a string in the subject name or on subject/SAN attributes. I don't have more than one client PKI certificate, hence I didn't modify this in my lab environment.
7. Select or clear the check box Clients check the certificate revocation list (CRL) for site systems. I cleared the CRL check box to reduce the overhead, as mentioned in the decision-making section of this post.
8. Choose Set under Trusted Root Certification Authorities. This is not a mandatory step for the co-management scenario.
9. In the Set Root Certificates window, browse to and select your root and intermediate CA certificates, then choose OK. I don't have an intermediate CA certificate, hence I uploaded only the root CA.
If you don't specify any trusted root CA certificates here, SCCM doesn't perform a trusted root check but assumes that trusted root certificates are otherwise properly implemented on clients and servers in the environment. I have not tested this in the latest version of SCCM CB.
10. Choose OK to close the site properties dialog box.
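Once the site setting is in place, the question on each client is whether it actually has a certificate that the "Use PKI client certificate when available" logic can pick, and whether the CRL setting would break it. The script below is an added example written for this post (not the author's code and not an SCCM cmdlet); it applies the default selection rules described in step 6 (client authentication EKU, private key present, within the validity period) to the machine certificate store, builds the chain once without and once with online revocation checking, and lists the CRL URLs embedded in each certificate. All names and the selection rules are assumptions; run it in PowerShell on a client.

```powershell
# Added example, not part of the original post: inventory the client
# authentication certificates a ConfigMgr client could pick from, the way
# the "Use PKI client certificate when available" setting expects, and show
# where each certificate's CRL lives so you can judge the CRL check box.
# Assumption: default selection rules (client auth EKU, private key, not
# expired). No ConfigMgr cmdlets are used; only the certificate store.

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-CandidateClientCert {
    # Machine certificates with a private key, currently valid and usable
    # for client authentication.
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotBefore -lt $now -and $_.NotAfter -gt $now } |
        Where-Object {
            $cert = $_
            $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
            # A certificate with no EKU extension is valid for any purpose.
            (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $ClientAuthEku)
        }
}

function Get-CrlUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CRL Distribution Points extension (2.5.29.31). .NET has no typed
    # accessor for it, so pull the URLs out of the formatted text.
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return @() }
    [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-ClientCert {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [switch]$CheckRevocation   # mirrors the CRL check box in the site properties
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if ($CheckRevocation) { $chain.ChainPolicy.RevocationMode = 'Online' }
    # Require the chain to be valid for client authentication specifically.
    [void]$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]$ClientAuthEku)
    $ok = $chain.Build($Cert)
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
    [pscustomobject]@{
        Subject         = $Cert.Subject
        Thumbprint      = $Cert.Thumbprint
        Issuer          = $Cert.Issuer
        NotAfter        = $Cert.NotAfter
        RevocationCheck = [bool]$CheckRevocation
        ChainValid      = $ok
        ChainStatus     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Root            = $root
        CrlUrls         = ((Get-CrlUrl $Cert) -join ' ')
    }
}

# Report every candidate with and without revocation checking. The pair
# shows what the client would use today and whether enabling the CRL check
# would break it (for example an internal-only CDP URL on an Internet client).
Get-CandidateClientCert | ForEach-Object {
    Test-ClientCert -Cert $_
    Test-ClientCert -Cert $_ -CheckRevocation
} | Format-Table Subject, RevocationCheck, ChainValid, ChainStatus, Root, CrlUrls -AutoSize
```

If the table is empty, the client will fall back to a self-signed certificate on HTTP (and have nothing to present on the Internet). If a certificate is valid with RevocationCheck false but fails with it true, the CDP URL is the thing to fix before turning on the site-wide CRL setting. Compare the thumbprint the client actually selected in ClientIDManagerStartup.log on the same machine.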
Bonus Tips about Client PKI Certificates
The following are points I had in mind and implemented in my lab environment.
- Use Intune to deploy the root CA certificate to Internet-connected client devices; for domain-joined machines you can use Group Policy to deploy the root CA certificate instead.
- Use Azure Resource Manager (ARM) deployments wherever possible to avoid Azure management certificates (otherwise you need a management certificate, which can be self-signed).
- Server PKI certificate for MP/SUP for IIS HTTPS communication (or else you can use the SCCM-generated certificate, as covered in the related post).
- Server PKI certificate for CDP/CMG for client communication.
- Root and intermediate CA certificates uploaded to the CMG.
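The server side of the last three points can be verified from the outside without touching IIS or the Azure portal: connect to each site system on 443, pull the certificate it presents and check the properties the HTTPS setting and Internet clients depend on. The script below is an added example written for this post (not the author's code); the host names are placeholders, and the name match is an exact comparison that does not handle wildcard certificates.

```powershell
# Added example, not part of the original post: fetch the server certificate
# that a site system presents on 443 and check what the HTTPS site setting
# and Internet clients depend on: server authentication EKU, a name that
# matches the FQDN clients use, validity dates, and a chain that the calling
# machine trusts. The FQDNs at the bottom are placeholders.

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-TlsServerCert {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        # The validation callback always returns $true so that a certificate
        # which would normally fail validation can still be retrieved and inspected.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Fqdn)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Test-SiteSystemCert {
    param(
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = @($Cert.GetNameInfo('DnsName', $false))
    if ($san) {
        # Windows formats the SAN extension as "DNS Name=a, DNS Name=b, ..."
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]$ServerAuthEku)
    $chainOk = $chain.Build($Cert)
    [pscustomobject]@{
        Fqdn          = $Fqdn
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        ServerAuthEku = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains $ServerAuthEku))
        NameMatches   = [bool]($names | Where-Object { $_ -eq $Fqdn })   # exact match only
        ChainTrusted  = $chainOk
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Placeholder FQDNs: an internal MP/SUP plus the public-facing CMG and CDP.
# Run the CMG/CDP checks from an Internet-only machine as well, because that
# machine's trust store is the one that matters for co-managed clients off the
# corporate network.
'mp01.corp.example.com', 'cmg.example.com', 'cdp.example.com' | ForEach-Object {
    try {
        Test-SiteSystemCert -Fqdn $_ -Cert (Get-TlsServerCert -Fqdn $_)
    } catch {
        [pscustomobject]@{ Fqdn = $_; Error = $_.Exception.Message }
    }
} | Format-List
```

ChainTrusted false with ChainStatus UntrustedRoot on an Internet-only test machine is the symptom of using an internal CA for the CMG or CDP without having deployed the root certificate (the first bonus tip); ServerAuthEku false means the wrong template was used for the IIS certificate; NameMatches false means clients will get a name mismatch even though the certificate is otherwise fine.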