Thanks Crypt32 and FanFan-MSFT for the responses. To rephrase my question: I have autoenrollment enabled for the client OS, and the client template is configured with the "Domain Computers" permission. If I enable the Autoenroll permission for the server OS, will it also get the client cert, because the server also falls under "Domain Computers"?
Certificate auto-enrollment
Hi Guys,
I have a client certificate template which is configured with autoenrollment for "Domain Computers". Laptops are configured with the auto-enroll group policy and are getting this client cert.
Now I have a requirement to enable autoenrollment for all servers. My question is: if I enable the autoenrollment GPO for servers and configure "Domain Computers" with the Autoenroll permission on the server cert template, will this new server cert get installed on laptops too, and vice versa?
Any thoughts on how to overcome this challenge?
Thanks
Jaichandru
3 answers
Vadims Podāns 9,111 Reputation points MVP
2021-03-05T07:42:52.393+00:00
"Any thoughts on how to overcome this challenge?"
It isn't a challenge, it is a standard procedure. What you need is:
- Create a new global group named "<TemplateName> AutoEnroll".
- Put the Domain Computers group there. If domain controllers should get this certificate as well, add the Enterprise Domain Controllers group there as well.
- Assign this group to the certificate template ACL and select Read, Enroll and Autoenroll.
- Create a new GPO and configure autoenrollment under Computer Configuration.
- Link this GPO to the domain.
Fan Fan 15,306 Reputation points Microsoft Vendor
2021-03-05T05:24:45.207+00:00
Hi,
All the clients in the domain will get the cert installed once the devices refresh the group policy.
Here are 2 methods for your reference:
1. If you don't want specific computers to apply the policy, you can filter the clients from the GPO security.
Put the computers which will apply the policy into one group named "auto enroll".
Assign the group the Read and Apply Group Policy permissions.
Remove the Apply Group Policy permission for Authenticated Users.
2. Or, if you don't want the laptops to install the specific certs, you can remove the Autoenroll and Enroll permissions for the specific laptops on the templates of the cert.
On the templates, assign the "auto enroll" group the Enroll and Autoenroll permissions.
Keep Authenticated Users with only Read permission.
Best Regards,
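Both answers come down to the same template-ACL step: a dedicated "<TemplateName> AutoEnroll" group holds Read, Enroll and Autoenroll on the server template, and no broad principal (Domain Computers, Authenticated Users) holds Enroll or Autoenroll there, so laptops never qualify for it. The PowerShell below is an added example of that step, not code from either answerer; the template CN, group name and member group are assumed placeholders, and it needs the ActiveDirectory module plus write access to the template object in the Configuration partition.

```powershell
# Added example (not from the thread). Scopes Read/Enroll/Autoenroll on one
# template to a dedicated group so only its members (here: servers) get the
# cert. Assumed placeholders: template CN 'ServerAuthCert', member group
# 'Tier1-Servers'. Needs the ActiveDirectory module and write access to the
# template object under CN=Certificate Templates in the Configuration partition.
Import-Module ActiveDirectory

$TemplateName = 'ServerAuthCert'                 # assumed template CN
$GroupName    = "$TemplateName AutoEnroll"       # naming convention from the first answer
$Members      = @('Tier1-Servers')               # assumed; use 'Domain Computers' for the client template

# Control-access rights the AD schema defines for certificate templates
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# 1. Create the global security group (if missing) and add the member group(s)
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. Locate the template object and read its current ACL
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl        = Get-Acl -Path "AD:\$templateDN"
$sid        = (Get-ADGroup -Identity $GroupName).SID
$allow      = [System.Security.AccessControl.AccessControlType]::Allow

# 3. Grant Read (generic) plus the Enroll and Autoenroll extended rights
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead, $allow))
foreach ($right in @($EnrollRight, $AutoEnrollRight)) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow, $right))
}
Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# 4. Check: list every explicit Enroll/Autoenroll ACE on this template.
#    Only the scoped group should appear; Domain Computers or Authenticated Users
#    here would hand the cert to laptops and servers alike (the asker's concern).
#    Full-control (GenericAll) ACEs also imply these rights and must be reviewed too.
(Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ObjectType -in @($EnrollRight, $AutoEnrollRight) } |
    Select-Object IdentityReference, ObjectType
```

Run the same script against the client template with 'Domain Computers' (or a laptop group) as the member, and the two templates stay disjoint even though both populations sit inside Domain Computers.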