Prerequisites for certificate profiles in Configuration Manager

Applies to: Configuration Manager (current branch)

Certificate profiles in Configuration Manager have external dependencies and dependencies in the product.

Important

Starting in version 2203, this company resource access feature is no longer supported. For more information, see Frequently asked questions about resource access deprecation.

Dependencies External to Configuration Manager

Dependency More information
An enterprise issuing certification authority (CA) that is running Active Directory Certificate Services (AD CS).

To revoke certificates the computer account of the site server at the top of the hierarchy requires Issue and Manage Certificates rights for each certificate template used by a certificate profile in Configuration Manager. Alternatively, grant Certificate Manager permissions to grant permissions on all certificate templates used by that CA

Manager approval for certificate requests is supported. However, the certificate templates that are used to issue certificates must be configured for Supply in the request for the certificate subject so that Configuration Manager can automatically supply this value.
For more information about Active Directory Certificate Services, see Active Directory Certificate Services Overview.
Use the PowerShell script to verify, and if needed, install the prerequisites for the Network Device Enrollment Service (NDES) role service and the Configuration Manager Certificate Registration Point.

The instruction file, readme_crp.txt, is located in ConfigMgrInstallDir\cd.latest\SMSSETUP\POLICYMODULE\X64.

The PowerShell script, Test-NDES-CRP-Prereqs.ps1, is in the same directory as the instructions.

The PowerShell script must be run locally on the NDES server.
The Network Device Enrollment Service (NDES) role service for Active Directory Certificate Services, running on Windows Server 2012 R2.

In addition:

Port numbers other than TCP 443 (for HTTPS) or TCP 80 (for HTTP) are not supported for the communication between the client and the Network Device Enrollment Service.

The server that is running the Network Device Enrollment Service must be on a different server from the issuing CA.
Configuration Manager communicates with the Network Device Enrollment Service in Windows Server 2012 R2 to generate and verify Simple Certificate Enrollment Protocol (SCEP) requests.

If you will issue certificates to users or devices that connect from the Internet, such as mobile devices that are managed by Microsoft Intune, those devices must be able to access the server that runs the Network Device Enrollment Service from the Internet. For example, install the server in a perimeter network (also known as a DMZ, demilitarized zone, and screened subnet).

If you have a firewall between the server that is running the Network Device Enrollment Service and the issuing CA, you must configure the firewall to allow the communication traffic (DCOM) between the two servers. This firewall requirement also applies to the server running the Configuration Manager site server and the issuing CA, so that Configuration Manager can revoke certificates.

If the Network Device Enrollment Service is configured to require SSL, a security best practice is to make sure that connecting devices can access the certificate revocation list (CRL) to validate the server certificate.

For more information about the Network Device Enrollment Service, see Using a Policy Module with the Network Device Enrollment Service.
A PKI client authentication certificate and exported root CA certificate. This certificate authenticates the server that is running the Network Device Enrollment Service to Configuration Manager.

For more information, see PKI certificate requirements for Configuration Manager.
Supported device operating systems. You can deploy certificate profiles to devices that run Windows 8.1, Windows RT 8.1, and Windows 10.

Configuration Manager Dependencies

Dependency More information
Certificate registration point site system role Before you can use certificate profiles, you must install the certificate registration point site system role. This role communicates with the Configuration Manager database, the Configuration Manager site server, and the Configuration Manager Policy Module.

For more information about system requirements for this site system role and where to install the role in the hierarchy, see the Site System Requirements section in the Supported configurations for Configuration Manager article.

The certificate registration point must not be installed on the same server that runs the Network Device Enrollment Service.
Configuration Manager Policy Module that is installed on the server that is running the Network Device Enrollment Service role service for Active Directory Certificate Services To deploy certificate profiles, you must install the Configuration Manager Policy Module. You can find this policy module on the Configuration Manager installation media.
Discovery data Values for the certificate subject and the subject alternative name are supplied by Configuration Manager and retrieved from information that is collected from discovery:

For user certificates: Active Directory User Discovery

For computer certificates: Active Directory System Discovery and Network Discovery
Specific security permissions to manage certificate profiles You must have the following security permissions to manage company resource access settings, such as certificate profiles, Wi-Fi profiles, and VPN profiles:

To view and manage alerts and reports for certificate profiles: Create, Delete, Modify, Modify Report, Read, and Run Report for the Alerts object.

To create and manage certificate profiles: Author Policy, Modify Report, Read, and Run Report for the Certificate Profile object.

To manage Wi-Fi, certificate and VPN profile deployments: Deploy Configuration Policies, Modify Client Status Alert, Read, and Read Resource for the Collection object.

To manage all configuration policies: Create, Delete, Modify, Read, and Set Security Scope for the Configuration Policy object.

To run queries related to certificate profiles: Read permission for the Query object.

To view certificate profiles information in the Configuration Manager console: Read permission for the Site object.

To view status messages for certificate profiles: Read permission for the Status Messages object.

To create and modify the Trusted CA certificate profile: Author Policy, Modify Report, Read, and Run Report for the Trusted CA Certificate Profile object.

To create and manage VPN profiles: Author Policy, Modify Report, Read, and Run Report for the VPN Profile object.

To create and manage Wi-Fi profiles: Author Policy, Modify Report, Read, and Run Report for the Wi-Fi Profile object.

The Company Resource Access Manager security role includes these permissions that are required to manage certificate profiles in Configuration Manager. For more information, see the Configure role-based administration section in the Configure security article.