To enroll a smart card certificate on behalf of another user, make sure the smart card certificate templates on the CA have been set up to enable this, and make sure the user who will be doing the enrollment has an "Enrollment Agent" certificate issued to them. (See the articles on Setting up Certificate Templates to Enroll on behalf of other Users for the Windows Server version being used.)
The user doing the enrollment should be logged in. Then run MMC.exe. The MMC console will appear.
Select "Add/Remove Snap-in" from the File menu. Select Certificates and then "My user account" or "Current User". Note that this may be selected by default.
Right-click the Certificates - Current User / Personal / Certificates store, and select "Enroll On Behalf Of..." from All Tasks / Advanced Operations.
Click through the "Before You Begin" screen, and on the "Certificate Enrollment" screen, click the "Browse..." button and select the "Enrollment Agent" certificate you have been issued.
(If no Enrollment Agent certificate is available, you will need to request that one be issued to you. See the end of Step 1 in the article Setting up Certificate Templates to Enroll on behalf of other Users (Server 2012 R2 & 2016).)
On the next page select the smart card enrollment certificate template you have duplicated and modified.
Click next and select the user for whom you are enrolling the smart card certificate.
Click next. The following dialog may appear, asking you to insert the user's smart card if it is not already inserted.
NOTE: if the Enrollment Agent certificate is on the EA's own smart card, then during enrollment for the other user you will be prompted for the Enrollment Agent card and PIN and for the other (new) user's card and PIN, possibly multiple times, so the two cards must be swapped in and out of the reader. If you don't pay careful attention to which card each prompt is asking for, you may inadvertently place the other user's logon certificate onto the Enrollment Agent's smart card.
Enter the PIN.
If the enrollment is successful, the dialog will show the following:
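Because the card-swapping described in the note above can leave a certificate on the wrong card, it is worth checking which certificates each card actually holds before handing it out. The following PowerShell is an added example, not part of the original article: with one card inserted (and the Certificate Propagation Service having copied its certificates into the current user's Personal store), it lists the certificates whose private key lives on a smart card and flags the Enrollment Agent and Smart Card Logon EKUs. The provider-name match `*Smart Card*` is an assumption that covers the Microsoft base smart card CSP and the Microsoft Smart Card KSP; other middleware may report a different provider name.

```powershell
# Added example (not from the original article). Lists certificates in the
# current user's Personal store whose private key is on a smart card, so you
# can confirm the Enrollment Agent card holds only the agent certificate and
# the new user's card holds that user's logon certificate.
$EnrollmentAgentOid = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU
$SmartCardLogonOid  = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU

function Get-SmartCardCertificateSummary {
    Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $provider = $null
        try {
            if ($cert.PrivateKey) {
                # Legacy CSP key (e.g. Microsoft Base Smart Card Crypto Provider)
                $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName
            } else {
                # CNG key: ask for the RSA or ECDSA handle and read its KSP name.
                # Opening the handle does not use the key, but some middleware
                # may still prompt for the PIN here (assumption).
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if (-not $key) {
                    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                }
                if ($key -and $key.Key) { $provider = $key.Key.Provider.Provider }
            }
        } catch {
            $provider = "ERROR: $($_.Exception.Message)"
        }
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            Provider         = $provider
            IsEnrollmentAgent = $ekus -contains $EnrollmentAgentOid
            IsSmartCardLogon  = $ekus -contains $SmartCardLogonOid
        }
    } | Where-Object { $_.Provider -like '*Smart Card*' }
}

# Run once per card: insert the card, then compare Subject against the card's owner.
Get-SmartCardCertificateSummary | Format-Table -AutoSize
```

For a view that does not depend on certificate propagation, `certutil -scinfo` enumerates the certificates on the inserted card directly; any certificate whose Subject is not the card owner's should be removed from that card before deployment.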
At this point, the smart card is ready to be used if you will be using the PIVKey Minidriver for deployment (Option 1 from the article PIVKey Deployment Overview). Option 1 requires that the PIVKey Minidriver User software be installed on all machines where the card will be used.
If you will be using the standard Windows PIV minidriver, or any other middleware that supports PIV cards, for deployment (Option 2 from the article PIVKey Deployment Overview), then you must map the PIV certificates (or they could have been set up to map using an OID in the certificate template's Extensions property tab; see Mapping a PIV Certificate using an OID).