Duplicate root certificates on MECM clients an issue?

Steve 401 Reputation points
2022-11-28T16:06:49.61+00:00

Is there any sort of issues or security risks that can occur with a duplicate root certificate (Intended Purposes is All) deployed to Windows clients/servers from an internal PKI infrastructure?

For MECM root certificates, it's not clear from the link below whether the intended purposes should be set to All or to something more specific such as client authentication only. If someone can clarify, and possibly send a link that is more detailed on MECM root certificate configuration/requirements, that would help.

https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/network/pki-certificate-requirements

Auto enrollment seems to be failing on some clients and an option is to use a GPO as a backup method to make sure clients receive the root cert. Targeting the GPO to only clients that are missing the cert is possible but adds more management overhead. A configuration item/baseline deployment may be another option, but this may not work on clients that are not receiving the root cert.


6 answers

  1. Jason Sandys 31,156 Reputation points Microsoft Employee
    2022-12-02T20:04:59.12+00:00

    The client authentication cert issued to the FQDN of the host under Local Computer>Personal>Certificates client certification path requires the PKI root cert to be deployed.

    As noted, this is only true for PKI issued certs and not self-signed certs as self-signed certs don't have root authorities.

    To clarify, when I look in certmgr under Local Computer>Trusted Root Certification Authorities>Certificates on a MECM client, all of the root certs are either set to <All> or to something more specific such as Time Stamping for Intended Purposes.

    Ah, OK. That purpose simply calls out which purposes are valid for certs issued by that CA and has no true impact or significance.

    Should the PKI deployed root cert deployed be left to <All> for intended purposes or set to something more specific such as only server and client authentication?

    That's determined by the PKI's configuration as noted and is not something you should change. The purpose is metadata set when the root CA's cert is imported into the system. As noted, it's based on the certs eligible to be issued by that CA/PKI. Changing it limits systems from trusting certs issued by that PKI based on the purpose of the cert, which in general is probably not desirable. Bottom line: do not change anything about the root CA's cert.

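An added example, not part of the question or the answer above, for checking a client's Trusted Root store for the duplicate-root situation the question describes: it groups roots by Subject and, for each copy, lists thumbprint, validity window and the EKU extension embedded in the certificate itself. It assumes the Cert: provider in an elevated Windows PowerShell session; the "Intended Purposes" column in certmgr is store metadata layered on top of the embedded EKU, so a root with no EKU extension normally shows as <All> there.

```powershell
# Added example (not from the question or answer): inventory the Local Computer
# Trusted Root store and flag roots that share a Subject. Two entries with the
# same Subject but different thumbprints are either a renewed root (expected:
# old and new both stay until the old chain expires) or a stray copy delivered
# by a second path such as a GPO fallback next to auto-enrollment.
# Run in an elevated PowerShell prompt on the MECM client.

$roots = Get-ChildItem -Path Cert:\LocalMachine\Root

$report = foreach ($cert in $roots) {
    # EKU extension embedded in the certificate (OID 2.5.29.37). The store's
    # "Intended Purposes" property is separate metadata and is not read here.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $purposes = if ($eku) {
        ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
    } else {
        '<All> (no EKU extension in certificate)'
    }
    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        EmbeddedEKU = $purposes
    }
}

# A thumbprint is unique within one store, so duplicates can only show up as
# the same Subject under different thumbprints.
$duplicates = $report | Group-Object -Property Subject | Where-Object { $_.Count -gt 1 }

if ($duplicates) {
    foreach ($group in $duplicates) {
        Write-Output "Duplicate root subject: $($group.Name)"
        $group.Group |
            Sort-Object -Property NotBefore |
            Format-Table -Property Thumbprint, NotBefore, NotAfter, EmbeddedEKU -AutoSize
    }
} else {
    Write-Output 'No duplicate root subjects in Cert:\LocalMachine\Root'
}
```

If a pair turns out to be one root that is expired or was never issued by the internal PKI, that copy is the one to investigate rather than editing the Intended Purposes of either entry.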