Jaichandru-3777 asked:

Certificate auto-enrollment

Hi Guys,
I have a client certificate template which is configured with auto enrollment for "Domain Computers". Laptops are configured with auto-enroll group policy and getting this client cert.

Now, I have a requirement to enable auto-enrollment for all servers. My question is: if I enable the auto-enrollment GPO for servers and give "Domain Computers" the auto-enroll permission on the server cert template, will this new server cert also get installed on laptops, and vice versa?

Any thoughts how to overcome this challenge ?

Thanks

Jaichandru

windows-server-security
FanFan-MSFT answered:

Hi,

All the clients in the domain will get the cert installed once the device refreshes group policy.
Here are 2 methods for your reference:

1. If you don't want specific computers to apply the policy, you can filter the clients in the GPO security filtering.
Put the computers which will apply the policy into one group named "auto enroll".
Assign the group Read and Apply Group Policy permissions.
Remove the Apply Group Policy permission for Authenticated Users.
(screenshot: 354.jpg)
2. Or, if you don't want the laptops to install the specific certs, you can remove the Enroll and Autoenroll permissions for the specific laptops on the cert templates.
On the templates, assign the "auto enroll" group Enroll and Autoenroll permissions.
Keep Authenticated Users with only Read permission.
(screenshot: 355.jpg)

Best Regards,


Crypt32 answered:

"Any thoughts how to overcome this challenge ?"

It isn't a challenge, it is a standard procedure. What you need is:

1. Create a new global group named <TemplateName> AutoEnroll.
2. Put the Domain Computers group there. If domain controllers should get this certificate as well, add the Enterprise Domain Controllers group there as well.
3. Assign this group to the certificate template ACL and select Read, Enroll and Autoenroll.
4. Create a new GPO and configure autoenrollment under Computer Configuration.
5. Link this GPO to the domain.


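The two answers above describe the same control from two ends: FanFan-MSFT's second method (scope the template ACL so only an "auto enroll" group holds Enroll/Autoenroll, everyone else Read) and Crypt32's five steps (dedicated global group, template ACL, autoenrollment GPO linked to the domain). The PowerShell below is an added example, not code from either answer or from Microsoft; it assumes the RSAT ActiveDirectory and GroupPolicy modules plus the third-party PSPKI module (for the `Get-/Add-/Remove-/Set-CertificateTemplateAcl` cmdlets) are installed, and the template name `ServerAuth-Internal`, the member group `Tier1-Servers` and the GPO name are placeholders. The audit function at the end is native (no PSPKI) and reads the template object's ACL in the Configuration partition, so it also works as a check that "Domain Computers" does not hold Autoenroll on the server template, which is exactly the condition that would push the server cert onto laptops.

```powershell
# Added example (not from the thread). Placeholders: template, member group, GPO name.
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module PSPKI   # assumed installed; provides the *-CertificateTemplateAcl cmdlets

$TemplateName = 'ServerAuth-Internal'            # placeholder: your server template
$GroupName    = "$TemplateName AutoEnroll"       # naming convention from Crypt32's step 1
$Domain       = Get-ADDomain

# Steps 1-2: one global group decides which machines autoenroll for this template.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path "CN=Users,$($Domain.DistinguishedName)" `
        -Description "Computers allowed to autoenroll the $TemplateName template"
}
# Membership is the scope. Adding 'Domain Computers' here would include the laptops;
# add only the servers (placeholder group) if laptops must not get this certificate.
Add-ADGroupMember -Identity $GroupName -Members 'Tier1-Servers'

# Step 3 / FanFan-MSFT's method 2: group gets Read+Enroll+AutoEnroll,
# Domain Computers is reduced to Read only (Authenticated Users keeps Read).
$acl = Get-CertificateTemplate -Name $TemplateName | Get-CertificateTemplateAcl
$acl = $acl | Add-CertificateTemplateAcl -Identity $GroupName -AccessType Allow -AccessMask Read, Enroll, AutoEnroll
$acl = $acl | Remove-CertificateTemplateAcl -Identity 'Domain Computers' -AccessType Allow
$acl = $acl | Add-CertificateTemplateAcl -Identity 'Domain Computers' -AccessType Allow -AccessMask Read
$acl | Set-CertificateTemplateAcl

# Steps 4-5: autoenrollment GPO linked at the domain root. AEPolicy=7 enables
# autoenrollment with both "renew/update/remove" and "update templates" options.
$gpo = Get-GPO -Name 'Certificate AutoEnrollment' -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name 'Certificate AutoEnrollment' }
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
New-GPLink -Name $gpo.DisplayName -Target $Domain.DistinguishedName -ErrorAction SilentlyContinue | Out-Null

# Audit (native, no PSPKI): who holds Enroll / AutoEnroll / FullControl on a template?
function Get-TemplateEnrollPrincipals {
    param([Parameter(Mandatory)][string]$Name)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    # AD CS control-access right GUIDs (Certificate-Enrollment, Certificate-AutoEnrollment)
    $enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
    $autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $right = $null
        if     ($ace.ObjectType -eq $autoEnrollGuid) { $right = 'AutoEnroll' }
        elseif ($ace.ObjectType -eq $enrollGuid)     { $right = 'Enroll' }
        elseif ($ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) { $right = 'FullControl' }
        if ($right) {
            [pscustomobject]@{ Template = $Name; Principal = $ace.IdentityReference.Value; Right = $right }
        }
    }
}

# The question in the thread, as a check: if Domain Computers can autoenroll the
# server template, every domain member (laptops included) will receive it.
$wide = Get-TemplateEnrollPrincipals -Name $TemplateName |
    Where-Object { $_.Right -ne 'Enroll' -and $_.Principal -like '*\Domain Computers' }
if ($wide) {
    Write-Warning "Domain Computers holds $($wide.Right -join ',') on $TemplateName; laptops will enroll too."
} else {
    Write-Host "OK: $TemplateName autoenrollment is scoped to '$GroupName' members only."
}
```

Run `Get-TemplateEnrollPrincipals -Name '<template>' | Format-Table` against every template that has autoenrollment enabled; the design point the thread makes is that the GPO only switches autoenrollment on, while the template ACL (via the group's membership) decides which machines actually enroll, so that ACL is where the scope has to be right.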
Jaichandru-3777 answered:

Thanks Crypt32 and FanFan-MSFT for the responses. To rephrase my question: I have autoenrollment enabled for the client OS, and the client template is configured with the "Domain Computers" permission. If I enable the auto-enroll permission for the server OS, will it also get the client cert, because servers also fall under "Domain Computers"?

Comment:

"if I enable auto enroll permission for server OS"

Based on your description, they already have autoenroll permissions. What do you want to enable here?