Controlling CSP selection during autoenrollment through the pKIDefaultCSPs attribute
We want to enable autoenrollment for our Bitlocker installations but want to allow clients without TPM's to enroll from the same certificate template as backup.
The pKIDefaultCSPs attribute in certificate templates contains a numbered list of CSP's that are valid for enrollments against that template.
The numeric value determines the priority so if you populate it with the list of TPM´s you have in your organization and also put the MSRSA entry as the last entry then the result should be that if the machine has a TPM CSP available then that one should be used for the enrollment while the MSRSA should only be picked if no other CSP’s above it in the list are present.
Note that is not an enforcement of the priority; if a manual enrollment is performed then the enrollee can still choose which of the acceptable CSP’s are used – the preference only applies for autoenrollment.
I.e. a local user with local Admin rights would be able to manually initiate an enrollment operation and explicitly choose MSRSA as a CSP even if the machine she is enrolling from has a TPM chip and the appropriate TPM CSP is present and that CSP is listed with a higher priority in the PKIDefaultCSPs attribute for that template.
Each list element MUST be in the following format:
where intNum is an integer that specifies the priority order in which the system administrator wants the client to use the CSPs listed, and <strCSP> is the CSP name.
The implication of this list of CSPs is that any one of the listed CSPs is acceptable to the system administratorbut that a preference is indicated by the value of intNum if a client has more than one of those CSPs.
The security implications of violating this expressed priority are up to the system administrator who established that priority ranking to determine and to document.