Certificate needed for client authentication in CMG

Shashi Dubey 366 Reputation points

Hi everyone,

Hope everyone is doing well and being safe!

Need someone's expertise to understand the authentication procedure of clients with cloud management gateway.

As per the current Microsoft documentation, if we have a cert issued by a known third-party cert provider like DigiCert, we don't need the trusted root certificate for the client to trust the issuer.

But since certificate authentication is a two-way process, even though the client would be able to trust the cert and the server identity so it could borrow the content from these servers, how could the server trust the identity of these clients?

Need someone's help: does the client need to have some kind of cert or identity or certificate to make themselves trusted, considering they are not Hybrid/Azure AD joined?

Hope someone's experience can help me out to clear this confusion :).

Thanking you in advance!!


Shashi Dubey



Accepted answer
  1. Jason Sandys 30,936 Reputation points Microsoft Employee

    It's not clear exactly what you are asking here. PKI certificate trust is based on trusting the PKI that issued the certificate. That's generally the whole point of using a public CA like DigiCert, as certs they issue are automatically trusted by all devices, since Microsoft configures Windows to do this by default.

    Note though that trusting the identity of a client doesn't mean the client itself is trusted to gain access to anything. In this case, it simply means that ConfigMgr will manage the device. This is no different than any credential; specifically, just because you have the credential and can authenticate doesn't mean you can actually access anything as authorization is separate and must still be granted.

    Also, keep in mind that every client requires its own, unique client auth certificate. For this reason, it's generally impractical to use a public CA for client auth certificates as it's a recurring expense and recurring logistic nightmare to renew these individual certs on every managed device.
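The points above (trust is established by chaining the client certificate to a CA the device trusts, and each managed device needs its own Client Authentication certificate with a private key) can be checked on a Windows device with the following script. This is an added example, not code from the thread or from Microsoft; it assumes it runs elevated on the managed device and uses the standard Client Authentication EKU OID 1.3.6.1.5.5.7.3.2.

```powershell
# Added example: list LocalMachine\My certificates that could serve as a
# ConfigMgr client authentication certificate and show whether each one
# chains to a root this device trusts (the same check a relying party does).
# Assumption: the Client Authentication EKU OID is 1.3.6.1.5.5.7.3.2.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'

function Get-ClientAuthCertificateReport {
    [CmdletBinding()]
    param([string]$StoreLocation = 'LocalMachine')

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $StoreLocation)
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            # A usable client auth cert needs the EKU and a private key.
            $hasEku = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                Where-Object { $_.Value -eq $clientAuthOid }
            if (-not $hasEku -or -not $cert.HasPrivateKey) { continue }

            # Build the chain with online revocation checking; Build() returns
            # $false if the chain does not end at a trusted root or is revoked.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'Online'
            $trusted = $chain.Build($cert)
            $status = if ($chain.ChainStatus.Count -eq 0) { 'NoError' }
                      else { ($chain.ChainStatus.Status) -join ',' }
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

            # Subject is shown so an admin can confirm the cert is unique to
            # this device rather than a shared certificate.
            [pscustomobject]@{
                Subject             = $cert.Subject
                Issuer              = $cert.Issuer
                Thumbprint          = $cert.Thumbprint
                NotAfter            = $cert.NotAfter
                ChainsToTrustedRoot = $trusted
                ChainStatus         = $status
                RootCA              = $root.Subject
            }
            $chain.Dispose()
        }
    }
    finally { $store.Close() }
}

Get-ClientAuthCertificateReport | Format-List
```

A device with no rows in the output has no certificate it could present to CMG; a row with ChainsToTrustedRoot set to False shows the CA that issued the cert is not trusted on that device, which is the trust the accepted answer describes.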

1 additional answer

  1. SunnyNiu-MSFT 1,691 Reputation points

    Agree with what Jason said. Here is also an article we could refer to:

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.