Microsoft

Microsoft Endpoint Configuration Manager Feedback

Suggestion box powered by UserVoice - Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback. Learn more

How can we improve Configuration Manager?

← Ideas

More criteria for client certificate selection

Currently the selection criteria when more than one certificate is available are limited to the options “Client authentication capability”, “Certificate Subject contains string”, “Certificate Subject or SAN includes attribute”. This really limits the usability of the feature.
It would be great if there are additional selection criteria like “Issuer” or “Certificate Template”.

114 votes
Vote

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Frank shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

8 comments

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Anonymous commented  ·   ·  Flag as inappropriate

    under Site properties > communication security > client settings : Add the ability to select the pki client certificate based on the certificate template that was used to enroll the certificate.
    This will allow precise selection of certificate from among several present on the client.

  • Joel R commented  ·   ·  Flag as inappropriate

    Also struggling with this issue and engaged Microsoft Support. I agree that being able to specify either the template name, or a unique Application Policy Identifier OID that's specific to SCCM would solve our issues.

  • Paul commented  ·   ·  Flag as inappropriate

    We are struggling with this as well. I currently have a ticket open with Microsoft because the selection criteria isn't working. We need better options than just the subject.

  • Frank Wijten commented  ·   ·  Flag as inappropriate

    I think it would be nice to use the computer variable to select a certificate (like %computername%.domain.com) This would help me a lot.
    In my environment every server has automatically a certificate assigned based on its computer-name. So if I can put a variable in the selection criteria 'Certificate Subject contains string' this would solve many problems.

  • Emmanuel R commented  ·   ·  Flag as inappropriate

    This proposed feature, specifically selection based on "Certificate Template", would really help in situations where the system has multiple certificates with client authentication installed from the same issuer.

    We are encountering that problem on a consistent basis especially on cluster nodes where all those nodes have the same certificate installed, the CM client ends up choosing the wrong certificate on all those nodes, causing those clients to appear as duplicates of each other or only one node showing up in the console.

    Selection based on certificate template would solve this problem by naming, for example, the template as ConfigMgr Client Certificate Template and configuring the client to just search for certificates based on that.

  • Anonymous commented  ·   ·  Flag as inappropriate

    FULLY agree with this request.. the current selection criteria is really limited, and we have major issues with server certficates that also contain client authentication, and that have generic names in the SAN like Exchange and Lync.
    I'd like to add to the request:
    selection criteria: Application Policy.
    So that we can create our own OID, add that OID to the requested Certificate Template, thus make sure that only certificate with the "SCCM OID" purpose are selected !

Ideas: Client deployment and discovery

Categories

Feedback and Knowledge Base

(thinking…)