Microsoft

Microsoft Endpoint Configuration Manager Feedback

Suggestion box powered by UserVoice

How can we improve Configuration Manager?

← Ideas

More criteria for client certificate selection

Currently the selection criteria when more than one certificate is available are limited to the options “Client authentication capability”, “Certificate Subject contains string”, “Certificate Subject or SAN includes attribute”. This really limits the usability of the feature.
It would be great if there are additional selection criteria like “Issuer” or “Certificate Template”.

96 votes
Vote
Sign in
(thinking…)
Sign in with: Facebook Google
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Frank shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

4 comments

Sign in
(thinking…)
Sign in with: Facebook Google
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Frank Wijten commented  ·   ·  Flag as inappropriate

    I think it would be nice to use the computer variable to select a certificate (like %computername%.domain.com) This would help me a lot.
    In my environment every server has automatically a certificate assigned based on its computer-name. So if I can put a variable in the selection criteria 'Certificate Subject contains string' this would solve many problems.

  • Emmanuel R commented  ·   ·  Flag as inappropriate

    This proposed feature, specifically selection based on "Certificate Template", would really help in situations where the system has multiple certificates with client authentication installed from the same issuer.

    We are encountering that problem on a consistent basis especially on cluster nodes where all those nodes have the same certificate installed, the CM client ends up choosing the wrong certificate on all those nodes, causing those clients to appear as duplicates of each other or only one node showing up in the console.

    Selection based on certificate template would solve this problem by naming, for example, the template as ConfigMgr Client Certificate Template and configuring the client to just search for certificates based on that.

  • Anonymous commented  ·   ·  Flag as inappropriate

    FULLY agree with this request.. the current selection criteria is really limited, and we have major issues with server certficates that also contain client authentication, and that have generic names in the SAN like Exchange and Lync.
    I'd like to add to the request:
    selection criteria: Application Policy.
    So that we can create our own OID, add that OID to the requested Certificate Template, thus make sure that only certificate with the "SCCM OID" purpose are selected !

Ideas: Client Deployment

Categories

Feedback and Knowledge Base

(thinking…)