There are lots of articles on this; Microsoft's own documentation is far more detailed for 2012 R2 than it is for 2016, but the concept remains the same.
My problems started because the certificate authority (consisting of an offline root CA and a domain enterprise subordinate CA) forming the certificate chain could not be contacted by agents on the other side of a firewall (without making Swiss cheese of the firewall by allowing port 80 to the CRL distribution point, or standing up an alternative CRL location).
Follow the cert template setup guide here.
In the settings for the template, change the subject name handling to "Supply in the request". These certs are for non-domain machines, so the CA cannot build the subject from Active Directory.
Make sure the permissions on the template allow Read and Enroll. Then add the template to the CA so it can be issued, and head for the MMC console with the local computer certificate snap-in on your DPM server.
Add the cert to your DPM server following the guide above, generate the BIN file, and copy it to the agent.
If your agent is behind a firewall, make sure to open the additional TCP port 6076 required for the certificate communication.
If your non-domain agent is unable to access the CRL distribution point (required for initial verification of the cert), then you will need to import the CRL files manually. Open Explorer to the CertEnroll share on your cert server, \\yourcertserver\certenroll – this is where you will find the CRL files.
Import your CRL files (copied from the CA) using:
certutil -addstore CA "C:\CRLfolderpath\CRLfilename.CRL"
Remember to import the full chain of valid CRL files (the root CA's and the subordinate CA's). Once they are added, run your DPM agent setup command – you will then have a BIN file with which to complete setup.
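To script the CRL staging step above and then confirm that the agent certificate really chains with revocation checking satisfied from the local store (an added PowerShell example, not from the original post; the share path, staging folder and thumbprint are assumptions you replace with your own values):

```powershell
# Added example (not from the original post): copy the CA chain's CRL files from the
# CertEnroll share, import them into the local machine "CA" store with certutil, then
# confirm the DPM agent certificate chains with revocation satisfied from local stores.
# Server name, share, local folder and thumbprint below are assumptions/placeholders.
param(
    [string]$CertEnrollShare     = '\\yourcertserver\certenroll',  # assumed CA share
    [string]$LocalCrlFolder      = 'C:\CRL',                        # assumed staging folder
    [string]$AgentCertThumbprint = 'REPLACE_WITH_THUMBPRINT'        # placeholder
)

# 1. Stage the CRL files locally (the agent may not be able to reach the share later).
New-Item -ItemType Directory -Path $LocalCrlFolder -Force | Out-Null
$crlFiles = Get-ChildItem -Path $CertEnrollShare -Filter '*.crl'
if (-not $crlFiles) { throw "No .crl files found in $CertEnrollShare" }

foreach ($crl in $crlFiles) {
    Copy-Item -Path $crl.FullName -Destination $LocalCrlFolder -Force
    # 2. Import every CRL in the chain (root and subordinate, plus any delta CRLs)
    #    into the Intermediate Certification Authorities ("CA") store, as in the post.
    $target = Join-Path $LocalCrlFolder $crl.Name
    & certutil.exe -addstore -f CA $target | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil failed to import $target (exit $LASTEXITCODE)" }
    Write-Host "Imported $($crl.Name)"
}

# 3. Verify: build the agent certificate's chain with revocation checking for the whole
#    chain. With the CRLs now in the local store this should succeed even when the
#    CRL distribution point (HTTP, port 80) is blocked by the firewall.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $AgentCertThumbprint }
if (-not $cert) { throw "Certificate $AgentCertThumbprint not found in LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
if ($chain.Build($cert)) {
    Write-Host "Chain OK, revocation checked for all $($chain.ChainElements.Count) certificates"
} else {
    # RevocationStatusUnknown or OfflineRevocation here means a CRL is missing or expired.
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
```

A manually imported CRL is only trusted until its NextUpdate time, so re-run this before the subordinate CA's CRL expires or the agent will fail revocation checking again.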
Bizarrely – Microsoft doesn't support backup of machines in a "Perimeter Network" – https://technet.microsoft.com/en-us/library/hh757801(v=sc.12).aspx
I'm not sure about anyone else, but I make extensive use of VLANs, which are subject to firewall rule sets, and agents work fine in these scenarios. So why would a "perimeter network" be any different?
I suspect this is just noted as MS have not fully tested support of agents in this scenario, but I do not see any reason why it should not work.
However, follow best practice and remember that if backup of a system is essential, you are best sticking to the officially supported guidelines 🙂