SCCM Configure Settings for Client PKI certificates


Setting up client PKI certificates is one of the essential steps for HTTPS client communication through the CMG to the MP/SUP. In this post, we will see how to complete the client PKI setup task for co-management scenarios. Once you have a root CA in place, the client PKI certificate configuration is straightforward.

Content of this post

Decision Making - Client PKI
Co-Management Related Posts
Video Tutorial - Configure Client PKI Certs
Configure Settings for Client PKI certificates
Step by Step Process to Configure Client PKI Certs
Bonus Tips about Client PKI Certificates

Decision Making – Client PKI

This is a critical decision point for your device management strategy. Azure AD identity is a better alternative to client PKI certificates for Azure AD-joined devices. Even with AAD-joined machines, you should still have public certificates for the CMG and the cloud DP (internet clients already trust a public CA, so no root distribution is needed for those). So you need to decide whether you are going with internal PKI or public PKI.

How to deploy client PKI certificates to internet-connected devices is another important point. Another checkpoint before implementing client PKI is whether you need to enable "Clients check the certificate revocation list (CRL) for site systems". With the CRL check cleared, a client certificate that your CA has revoked is still accepted until it expires; with it enabled, the CRL distribution point must be reachable by internet clients. I have NOT enabled CRL for my lab environment to reduce the overhead.
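To see what the CRL decision and the "when available" client certificate rule actually mean on a client, here is an added PowerShell check (my example, not part of the original post). It lists the client authentication certificates in the local computer store that a ConfigMgr client could present and builds each chain twice, once without revocation checking (what clearing the CRL box amounts to) and once with it. The only assumption is the root CA thumbprint placeholder, which you replace with the root you upload to the site.

```powershell
# Added example, not from the original post: which client auth certs a client
# can present, and how the chain verdict changes with and without CRL checking.
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'                    # Client Authentication EKU
$RootThumbprint = 'REPLACE_WITH_YOUR_ROOT_CA_THUMBPRINT'  # assumption: placeholder

function Get-ClientAuthCertificate {
    # Mirrors the site's "use PKI client certificate when available" rule:
    # client auth EKU, private key present, inside its validity period.
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }
}

function Test-ClientCertificateChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [switch]$CheckRevocation
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # NoCheck is the effect of clearing the CRL box: a revoked cert still validates.
    $chain.ChainPolicy.RevocationMode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $valid = $chain.Build($Certificate)
    $rootThumb = $null
    if ($chain.ChainElements.Count -gt 0) {
        $rootThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
    }
    [pscustomobject]@{
        Subject        = $Certificate.Subject
        Thumbprint     = $Certificate.Thumbprint
        RevocationMode = $chain.ChainPolicy.RevocationMode
        ChainValid     = $valid
        ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        RootThumbprint = $rootThumb
        ExpectedRoot   = ($rootThumb -eq $RootThumbprint)
    }
}

$certs = @(Get-ClientAuthCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No usable client authentication certificate in LocalMachine\My; the client will use its self-signed certificate instead.'
}
elseif ($certs.Count -gt 1) {
    Write-Warning "$($certs.Count) candidate certificates; configure the client certificate selection criteria on the site."
}
foreach ($cert in $certs) {
    Test-ClientCertificateChain -Certificate $cert
    Test-ClientCertificateChain -Certificate $cert -CheckRevocation
}
```

Run it in an elevated PowerShell on a client. A certificate that shows ChainValid true without revocation checking and false (with a Revoked or RevocationStatusUnknown status) with it is exactly the case the CRL setting decides; RevocationStatusUnknown on an internet client usually means the CRL distribution point is not reachable from outside.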

Co-Management Related Posts

All co-management video tutorials are in one post here.

Overview Windows 10 Co-Management with Intune and SCCM 
Custom Report to Identify Machines Connected via SCCM CMG  
How to Setup Co-Management - Introduction - Prerequisites Part 1 
How to Setup Co-Management - Firewall Ports Proxy Requirements Part 2 
Setup Co-Management - AAD Connect UPN Suffix Part 3 
Setup Co-Management - CA PKI & Certificates Part 4 
Setup Co-Management Cloud DP Azure Blob Storage Part 5 
Setup Co-Management Azure Cloud Services CMG Part 6
SCCM Configure Settings for Client PKI certificates Part 7 (This Post)
How to Setup SCCM Co-Management to Offload Workloads to Intune - Part 8
How to Deploy SCCM Client from Intune - Co-Management - Part 9
End User Experience of Windows 10 Co-Management - Part 10

Video Tutorial – Configure Client PKI Certs

Configure Settings for Client PKI certificates

There are two sections in the Client Computer Communication tab. One is to get the server side (site system settings) ready for secure (HTTPS) communication, and the other is to configure the client computer settings.

Site System Settings

Select the client computer communication method (HTTP or HTTPS) for the site systems (MP/SUP) that use IIS. To use HTTPS, the server must have a valid PKI web server certificate (server authentication capability).

Client Computer Settings 

Specify settings for client computers when the clients communicate with site systems that use IIS. Use PKI client certificate (client authentication capability) when available. Public Cert and AAD authentication are other options instead of using Client PKI certificates (as I mentioned in the above section).

Step by Step Process to Configure Client PKI Certs

1. In the SCCM CB console, choose Administration.

2. In the Administration workspace, expand Site Configuration, choose Sites, and then choose the primary site server.

3. Right-click the primary site server, choose Properties, and then choose the Client Computer Communication tab.

Client Computer Communication tab is available on a primary site only. If you do not see the Client Computer Communication tab, check that you are not connected to a CAS or an SCCM secondary site.


4. Choose HTTPS or HTTP when you do not yet require all existing SCCM clients to use PKI certificates (HTTPS only means every client must have a valid client authentication certificate). HTTPS or HTTP lets you phase in client PKI for co-management scenarios without breaking existing HTTP clients.

If you chose HTTPS or HTTP, choose Use client PKI certificate (client authentication capability) when available when you want to use a client PKI certificate for HTTP connections. The client uses this certificate instead of a self-signed certificate to authenticate itself to site systems. This option is automatically chosen if you choose HTTPS only.

When clients are detected to be on the Internet, or they are configured for Internet-only client management, they always use a client PKI certificate.

5. Choose Use PKI client certificate (client authentication capability) when available

6. Choose Modify to configure the client selection method for when more than one valid PKI client certificate is available on a client, and then choose OK. I don’t have more than one client PKI certificate, hence I didn’t modify this in my lab environment.

7. Select or Clear the check box for clients to check the Certificate Revocation list (CRL). I clear the check box for CRL to reduce the overhead as mentioned in the above section of this post.

8. Choose the Set button under the Trusted Root Certification Authorities section. This is not a mandatory step for the co-management scenario. Check out the following link for more details.

More details here

9. In the Set Root Certificates window, browse to and select your root and intermediate CA certificates. I don’t have an intermediate CA cert, hence I uploaded only the root CA. To specify trusted root certification authority (CA) certificates for clients, choose Set, import the root CA certificate files, and then choose OK.

When you don’t upload trusted root CAs in the Trusted Root CA setting on the Client Computer Communication tab, SCCM doesn’t run a trusted root check but assumes that trusted root certificates are otherwise properly implemented on clients and servers in the environment. I have not tested this in the latest version of SCCM CB environment.

10. Choose OK to close the properties dialog box for the site.
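The same steps 4 to 10 can be scripted from the ConfigurationManager PowerShell module on a machine with the console installed. The script below is an added example (mine, not from the original post): the site code and the root CA file path are assumptions, and the parameter names are Set-CMSite's own. It keeps CRL checking enabled, which differs from the lab setting above, and refuses to upload a file that is not a CA certificate.

```powershell
# Added example, not from the original post: Client Computer Communication
# settings applied with Set-CMSite instead of the console dialog.
$SiteCode  = 'P01'                         # assumption: your primary site code
$RootCaCer = 'C:\Certs\ContosoRootCA.cer'  # assumption: exported root CA certificate (.cer)

function Test-CaCertificateFile {
    # Step 9 expects root/intermediate CA certs; reject anything without cA=true.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { throw "Certificate file not found: $Path" }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        throw "$Path is not a CA certificate (BasicConstraints cA=false): $($cert.Subject)"
    }
    $cert
}

$root = Test-CaCertificateFile -Path $RootCaCer
Write-Host "Trusted root to upload: $($root.Subject) ($($root.Thumbprint))"

# The module ships with the console; the PowerShell drive is named after the site code.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Push-Location "$($SiteCode):"
try {
    $siteSettings = @{
        SiteCode                                          = $SiteCode
        ClientComputerCommunicationType                   = 'HttpsOrHttp'          # step 4: HTTP clients keep working while PKI is phased in
        UsePkiClientCertificate                           = $true                  # step 5: use a PKI client cert when available
        ClientCertificateSelectionCriteriaType            = 'ClientAuthentication' # step 6: default selection (client auth EKU)
        ClientCheckCertificateRevocationListForSiteSystem = $true                  # step 7: CRL check on (the lab above clears it)
        AddCertificateByPath                              = $RootCaCer             # steps 8-9: trusted root CA list
    }
    Set-CMSite @siteSettings
}
finally {
    Pop-Location
}
```

Switch ClientComputerCommunicationType to 'HttpsOnly' only once every client has a valid client authentication certificate, since that setting removes the HTTP fallback for all of them.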

Bonus Tips about Client PKI Certificates

Following are some of the thought points which I have in mind and implemented in my lab environment.

Use Intune to deploy root CA certs to internet-connected client devices; if you have domain-joined machines, you can use group policy to deploy the root CA cert instead.
Use Azure Resource Manager (ARM) deployment for the CMG wherever possible to avoid Azure management certs (otherwise a self-signed management cert is needed).
Server PKI cert for MP/SUP: IIS HTTPS communication (or else use the SCCM-generated cert, as you can see in the post here).
Server PKI cert for cloud DP/CMG: client communication.
Root and intermediate CA certs uploaded to the CMG.

Reference:-

  • PKI certificate requirements for SCCM – Read More
  • SCCM Internet Based Client Management Topology Design – Read More

3 COMMENTS

  1. Do you need the PKI cert (SCCM Client Cert) to be added to a secondary site if it’s interforest, two-way, transitive trust? Domain A has my primary, but Domain B has my secondary site. Primary uses HTTPS, but secondary is just HTTP. Computers are being assigned the primary site, but the sccm client is not installing, and I think it’s because of the cert. I wonder if I can put that cert into IIS of Domain B – secondary site – will that work? I have separate CAs, and the Domain A admins don’t want me to put the sccm client cert into the CA.

  2. Thank you

    We have 1 Primary Site with 3 Distribution Points. Is there an easy way to work out which servers will need the Web Server cert (IIS) and which will require the Workstation Authentication cert?
