SCCM 2012 – Security (Part 2)

Hi All,

If you missed Part 1, you can find it here.

Today we go ahead with Part 2 of this series of posts about security, and now it is time to talk about certificates. I'm not going to tell you how to create your PKI infrastructure, but what certificates you need in your environment. In this post, we'll focus on the client certificate.

Many people out there like to create a new certificate for the client machines. Not that I don't like that, but most of the time you don't need it, as the default workstation certificate can be used. If you are like me and don't want to create a new certificate for workstation authentication, you don't need to; however, you do need to make sure a workstation certificate is being applied to all machines.

The easiest way to do this is via GPO (note that I'm not talking about non-domain-joined machines here :))
1- Open a GPO and navigate to Computer Configuration->Policies->Windows Settings->Security Settings->Public Key Policies

2- Once there, edit Certificate Services Client – Auto-Enrollment. My settings are normally: Enabled, renew expired certificates, update certificates that use certificate templates, log expiry events (10%). Of course, depending on your environment these settings may need to be changed.

3- Confirm that the workstation certificate template allows Domain Computers to auto-enroll.

4- Once that is done, the next time the machine reboots (or you manually run gpupdate /force) you'll see the certificate being created for the computers.

5- Now it is time to wait for all client machines to get the certificate; you can also use SCCM reports to see which clients cannot communicate over HTTPS.
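Before trusting the reports, it is worth checking a client directly. The following is an added example (not from the original post) that verifies a machine holds a usable certificate for HTTPS client communication: private key present, not expired, Client Authentication EKU, chain valid, and issued from the expected template. It assumes the default "Workstation Authentication" (v2) template; change $ExpectedTemplate if you use a custom one.

```powershell
# Added example: verify the local machine has a usable client-authentication certificate.
# Assumes the default "Workstation Authentication" template (adjust for custom templates).
$ExpectedTemplate = 'Workstation Authentication'
$ClientAuthOid    = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # v2 templates carry their name in the "Certificate Template Information" extension.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Certificate Template Information' }
    if (-not $ext) { return $null }
    if ($ext.Format($false) -match 'Template=([^\(]+)') { return $Matches[1].Trim() }
    return $null
}

function Test-HasClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
}

# Only certificates with a private key, still valid, and usable for client authentication qualify.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (Test-HasClientAuthEku $_)
}

$results = foreach ($cert in $candidates) {
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Template   = Get-TemplateName $cert
        NotAfter   = $cert.NotAfter
        # Test-Certificate builds and validates the chain (trusted root, revocation) for the EKU.
        ChainOK    = [bool](Test-Certificate -Cert $cert -Policy SSL -EKU $ClientAuthOid -ErrorAction SilentlyContinue)
    }
}

$usable = $results | Where-Object { $_.Template -eq $ExpectedTemplate -and $_.ChainOK }
if ($usable) {
    $usable | Format-Table -AutoSize
} else {
    # Nothing usable: check the auto-enrollment GPO and the template's Domain Computers permissions.
    # "certutil -pulse" triggers an auto-enrollment attempt without waiting for the next policy refresh.
    Write-Warning "No valid '$ExpectedTemplate' certificate with a private key and a trusted chain was found."
    exit 1
}
```

Run it in an elevated PowerShell on a client; a non-zero exit code lets you wrap it in a Configuration Item or a scripted compliance check across the estate.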


Raphael is a nine-time Microsoft MVP with over 20 years of experience in IT, 13 of which have been dedicated to System Center and automation. His extensive experience has been developed through several IT roles, from first-line support to principal consultant, across a wide range of clients and sectors. One of the four MVPs in Enterprise Client Management in the UK, Raphael holds more than 30 Microsoft certifications and is an MCT (Microsoft Certified Trainer). Since 2008, Raphael has been delivering Microsoft training from basic to advanced levels in several categories. Throughout his career, Raphael has spoken at well-known events such as TechEd and Gartner Security Risk Management. He has also organised community events and lectured around the world, sharing best practices and knowledge within the industry. Bilingual in English and Portuguese, Raphael has authored diverse articles published in Microsoft's TechEd, served as the editor-in-chief of a magazine focused on System Center in Brazil and wrote two books: "Understanding System Center 2012 SP1 Configuration Manager: The walkthrough book" and "System Center 2012 R2 Configuration Manager: Automation from Zero to Hero".
