This task is carried out bt the system administrator
Launch the Certificate Template Console ("certtmpl.msc") on the Certificate Server
Click Certificate Templates
Right-click Smartcard Logon, and select Duplicate Template.
First, the Compatibility tab is selected
In the Certification Authority box, select the OS version of the CA server
In the Certificate recipient box, select the oldest OS version of the client machine in the domain
Next, select the General tab
Provide the name of the template, e.g. "PIV Smartcard Logon Template for Users"
Optionally, you might want to change the Validity period and Renewal period
Enable the option "Publish certificate in Active Directory"
Next, select the Request Handling tab
Make sure that you have selected the options as highlighted above
Next, select the Cryptography tab.
Make sure that you have selected the options as highlighted above.
Next, select the Security tab,
Make sure that the Read, Enroll and Autoenroll permissions are enabled for the user or group of users who are allowed to enroll their smart cards.
Click Apply, and then click OK to close the template properties window.