Here is the final word from support. In short, you can only do machine cert checking if you have the client login as a service, which I dont want to do. You can not do machine cert checking on demand. You can do user cert checking.

would like to inform you we have only two possibilites via PCS device.

Possibility 1:
- Enabling host checker based certificate restriction.
- To enable you to configure host checker policy on the PCS device.

Possibility 2:
- Pulse Secure client machine certificate authentication.
- User will be getting connected automatically once the machine boots up.
- However, you cannot connect via browser when certificate authentication enabled at realm level. It works only through Pulse Secure client.

Possibility 3: (Your actual requirement)
- Certificate restrictiion should be configured on the PCS device at realm or role level and the configuration should check the machine certificate store and connects the user.
- We can configure only user certificate authentication/restriction at realm or role level.

I would like to inform you that the third possibility is not achievable through PCS device. It is a new feature needs to implemented on the code level, so you need to go via sales channel to add the feature support.

Also I will invole the sales engineer Robin to create feature enhancement request.

Ok, I was able to get this working. I followed the guide created by my SE and as qsaiki stated earlier in this thread you have to install referencing the config file that you download from admin gui. We also path out to a branding file so the install looks like this:

msiexec /i c:\temp\JunosPulse.x64.msi BRANDINGFILE=c:\temp\PulseWin.PulseBranding CONFIGFILE=c:\temp\MyPulse.jnprpreconfig /qb

Thanks for all the posts. We're excited we able to do the poor mans 2-factor authentication. (id/password and device cert)

Thanks,
Justin