SCCM 2012 – Security (Part 4)

SCCM 2012 – Security (Part 4)

Hi All,

If you missed the Part I you can find it here and Part II can be found here and Part III can be found here

today we go ahead with the Part 4 of the series of posts about security and now it is time to talk about the DP certificates.

The DP certificate is the certificate that is used by any Distribution Point Site role and need to have the private key exported with it as it will be imported during/after the creation of the role. This is also the certificate that you can use on your media when creating one.

Anyway, if you go to the documentation ( you’ll noticed that in a Microsoft PKI environment, the certificate that you can use as base is the Workstation Authentication, however, if you don’t want to use it, make sure that the Enhanced Key Usage value must contain Client Authentication ( and you’ll also see that The private key must be exportable.

Note: it is a best practices to create one certificate for each DP, but it is not a requirement as you can use same certificate for multiple DP’s.

Well…the 1st part, is to create the certificate. To do it you need:
01. Create an Active Directory Group Called ConfigMgr DP Servers and add all SCCM Servers that will have the DP role installed

02. In the Certification Authority console, right-click Certificate Templates and click Manage to load the Certificate Templates console.

03. In the results pane, right-click the entry that displays Workstation Authentication in the column Template Display Name, and then click Duplicate Template.

04. If your PKI is Windows Server 2012/2012 R2, In the Properties of New Template dialog box, on the Compability tab, make sure that Windows Server 2003 is selected under Certification Authority and Windows XP / Windows Server 2003 under Certificate

04. If your PKI is Windows Server 2008/2008 R2, In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.

05. In the Properties of New Template dialog box, on the General tab, enter ConfigMgr DP Server Certificate as template display name.

06. Click the Request Handling tab, and select Allow private key to be exported.

07. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.

08. Click the Security tab, and remove the Enroll and Autoenroll permission from the security groups Domain Controllers and Domain Computers.

09. Click Add, enter ConfigMgr DP Servers in the text box, and then click OK and Select the Enroll permission, and do not clear the Read permission.

10. Click OK, and close the Certificate Templates Console. In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue. In the Enable Certificate Templates dialog box, select ConfigMgr DP Servers Certificate and then click OK.

Great, now that we now how to create the certificate template, we need to request the certificate, but this will be done in another post


Raphael is a 9 times Microsoft MVP with over 20 years of experience in IT, in which 13 years have been dedicated to System Center and Automation. His extended experience has been developed through several IT roles, from first-line support to principal consultant, towards a wide range of clients and sectors. One of the four MVPs in Enterprise Client Management in the UK, Raphael holds more than 30 Microsoft certifications and is an MCT (Microsoft Certified Trainer). Since 2008, Raphael has been providing Microsoft trainings from basic to advanced levels in several categories. Throughout his career, Raphael has joined as speaker in well-known events such as TechEd and Gartner Security Risk Management. He also organised community events and lectured around the world, sharing best practices and knowledge within the industry. Bilingual in English and Portuguese, Raphael has authored diverse articles published in Microsoft's TechEd, served as the editor-in-chief of a magazine focused on System Center in Brazil and wrote two books: "Understanding System Center 2012 SP1 Configuration Manager: The walkthrough book" and "System Center 2012 R2 Configuration Manager: Automation from Zero to Hero".

Tagged with: , , ,