computer certificate expired

Janus Bariñan 1,126 Reputation points
2020-12-08T03:19:23.857+00:00

Do computer machines (both desktops and servers) in a Windows environment need a computer certificate?
I just noticed a computer having an expired machine certificate and it did not renew. Just want to ask what would happen if it's not renewed.

Windows Server Security

Accepted answer
  1. Hannah Xiong 6,231 Reputation points
    2020-12-14T03:17:21.857+00:00

    Hello,

    Thank you so much for your kind reply.

    So sorry that we are not professional with the RADIUS server. According to my research, the server must host a certificate from a Certificate Authority (CA) trusted by clients on the network. So, as we also mentioned, the RADIUS server needs the certificate.

    Here we would like to share the documents below with you. Hope they will be of some help to you.

    Plan NPS as a RADIUS server
    https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-plan-server

    Network Policy Server Best Practices
    https://learn.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices

    Deploy Server Certificates for 802.1X Wired and Wireless Deployments
    https://learn.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/deploy-server-certificates-for-802.1x-wired-and-wireless-deployments

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


2 additional answers

  1. Hannah Xiong 6,231 Reputation points
    2020-12-08T09:28:49.6+00:00

    Hello,

    Thank you so much for posting here.

    Are our computer machines joined to the domain? Whether a computer certificate is needed depends on our requirements.

    If the computer certificate has expired, we could request a new certificate. Or have we configured computer certificate auto-enrollment?

    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129705(v=ws.11)

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong


  2. Hannah Xiong 6,231 Reputation points
    2020-12-10T01:56:48.387+00:00

    Hello,

    Thank you so much for your kind reply.

    "They are typically used for 802.1x WLAN or wired authentication, or they might be used for VPN logon. Then you might use them for IPsec / "domain isolation" or perhaps DirectAccess or related solutions by other vendors.

    So they are needed for some sort of "network isolation" but they are not required for default AD operations. With some of the mentioned scenarios (e.g. 802.1x / IPsec) you have the choice to pick either certificates or other credentials."

    Reference: https://social.technet.microsoft.com/Forums/Sharepoint/en-US/42b9fa66-57c7-4f58-80d1-c10b31c71282/what-do-i-need-the-computer-certificate-for-in-an-active-directory-domain-theoretical-inquiry?forum=winserversecurity

    If the computer certificate has expired, then it will not be used in the above-mentioned scenarios. So to avoid any authentication issues, we need to renew the certificate before it expires. Or, if it has expired, we need to request a new certificate.

    By configuring the Group Policy for autoenrollment, we do not need to manually request a new certificate on our domain controllers. Besides, it will automatically renew expired certificates. We could choose to do this.

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

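
One way to check a machine for the situation discussed in this thread, as an added example that is not part of the original question or any answer: the script lists certificates in the local computer store that are expired or close to expiry, tags the ones whose usages match the scenarios named above (802.1X/VPN, RADIUS server, IPsec), and reports whether an autoenrollment policy is present. The function name `Get-MachineCertStatus` and the 30-day window `$WarnDays` are assumptions chosen for illustration.

```powershell
# Added example: audit Cert:\LocalMachine\My for expired or soon-to-expire
# computer certificates. Run in an elevated PowerShell session on Windows.

# EKU OIDs that correspond to the scenarios mentioned in the thread
$ekuOfInterest = @{
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'         # 802.1X / VPN logon
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'         # RADIUS (NPS) server
    '1.3.6.1.5.5.8.2.2' = 'IP security IKE intermediate'  # IPsec
}

function Get-MachineCertStatus {
    param([int]$WarnDays = 30)   # assumed warning window, adjust to local policy
    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert     = $_
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        $status   = if ($daysLeft -lt 0) { 'Expired' }
                    elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' }
                    else { 'OK' }
        # Keep only the usages relevant here; an empty list means no EKU restriction
        $usages = @($cert.EnhancedKeyUsageList |
            Where-Object { $ekuOfInterest.ContainsKey($_.ObjectId) } |
            ForEach-Object { $ekuOfInterest[$_.ObjectId] })
        [pscustomobject]@{
            Status        = $status
            DaysLeft      = $daysLeft
            NotAfter      = $cert.NotAfter
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            HasPrivateKey = $cert.HasPrivateKey
            Usages        = $usages -join ', '
            Thumbprint    = $cert.Thumbprint
        }
    }
}

# Computer autoenrollment policy as delivered by Group Policy (AEPolicy value)
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae    = Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue
if ($null -eq $ae)                 { 'Autoenrollment: not configured by Group Policy' }
elseif ($ae.AEPolicy -band 0x8000) { 'Autoenrollment: disabled by Group Policy' }
else { 'Autoenrollment: configured (AEPolicy = 0x{0:X})' -f $ae.AEPolicy }

# Show only certificates that need attention, most urgent first
Get-MachineCertStatus -WarnDays 30 |
    Where-Object { $_.Status -ne 'OK' } |
    Sort-Object DaysLeft |
    Format-Table Status, DaysLeft, NotAfter, Usages, Subject -AutoSize
```

An expired entry with a relevant usage and no autoenrollment policy matches the case in the question; after the policy is applied, `certutil -pulse` triggers an autoenrollment pass without waiting for the next refresh.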