Hi,
For this you will need to deploy Domain Controller Certificate Template and distribute the certificate via the enrollment policy - Details over here - https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki
==
Please Accept the answer if the information helped you. This will help us and others in the community as well.