To enroll a smart card certificate on behalf of another user, make sure the smart card certificate templates on the CA have been set up to enable this, and make sure you have enrolled a "Enrollment Agent" certificate to the user that will be doing the enrollment. (See articles on Setting up a Certificate Template to Enroll on behalf of other Users for the Windows Server version being used.)
The user doing the enrollment should be logged in. Then run MMC.exe. The MMC console will appear.
Right click the Certificate Current User / Personal / Certificate store, and select "Enroll on behalf of" from All Tasks / Advanced Operations.
Click through the "Before You Begin" screen, and, on the "Certificate Enrollment" screen, click the "Browse.." button and select the "Enrollment Agent" certificate you have been issued.
(If no Enrollment Agent certificate is available you will need to request one be issued to you. See the end of Step 1 in the article Setting up a Certificate Template to Enroll on behalf of other Users (Server 21012 R2 & 2016).)
On the next page select the smart card enrollment certificate you have duplicated and modified.
Click next and select the user for who you are enrolling the smart card certificate.
Click next. The following dialog may appear asking you to insert the user's smart card.
Enter the PIN.
If the enrollment is successful, the dialog will show the following:
At this point, the smart card is ready to be used if you will be using the PIVKey Minidriver for deployment (Option 1 from the article PIVKey Deployment Overview). Option 1 requires the PIVKey Minidriver User software be installed on all machines where the card will be used.
If you will be using the standard Windows PIV minidriver, or any other middleware that supports PIV cards, for deployment (Option 2 from article PIVKey Deployment Overview), then you must map the PIV certificates (or they could have been set up to map using an OID in the certificate templates Extensions property tab, see Mapping a PIV Certificate using an OID).