Certificate template superseded

michael schawel 21 Reputation points
2020-12-17T08:38:05.957+00:00

Hello

We have a template called "Template A". We duplicated that template and called it "Template A New" and set the old template "Template A" as superseded.
"Template A" was configured for auto-enrollment, and all our clients and servers have a machine certificate from the old template.
Now I want to test "Template A New". From the new template I removed the group that contained all of our clients and servers and added a group that only contains 3 Test servers.
Now my question: Since the old template is marked as superseded, does that have any impact on the certificates based on the old template?

Thanks in advance for any clarification

Michael

Accepted answer
  1. Hannah Xiong 6,231 Reputation points
    2020-12-21T06:52:35.557+00:00

    Hello Michael,

    Thank you so much for more explanation.

    So sorry that I do not have the same environment to do the test. Below is my similar test; we could check whether it helps.

    I have a template called "Copy of Computer" for Client/Server Authentication. A group called "comp" has rights for auto-enrollment on "Copy of Computer".

    The client within the "comp" group has this certificate based on the "Copy of Computer" template.

    I duplicated "Copy of Computer" to "Copy 2 of Computer" and marked "Copy of Computer" as superseded. I also removed "comp" group from the new Template "Copy 2 of Computer".

    In the security tab on "Copy 2 of Computer" I add another Server, and give permissions for read and auto-enrollment.

    The results are shown below:

    1. On the SRV server, the new certificate based on "Copy 2 of Computer" will be installed.

    2. In my test, the client within the "comp" group still has the certificate based on a template that is superseded.

    So from my test, the old certificate will not be affected by the superseded setting. It is suggested that we could try to do the test first to avoid any problems.

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

6 additional answers

  1. Hannah Xiong 6,231 Reputation points
    2020-12-17T09:34:18.853+00:00

    Hello,

    Thank you so much for posting here.

    Certificate autoenrollment also supports the concept of superseding a template or a previously enrolled certificate. Superseding a template allows an administrator to reenroll, change or combine previously issued certificate enrollments into a new certificate enrollment. Autoenrollment always examines existing certificates in the user's store and determines if the template used in the issued certificate has been superseded. If a certificate template has been superseded, the user will automatically be enrolled with the new template, and the old certificates will be deleted or archived depending on the template setting.

    Reference: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-xp/bb456981(v=technet.10)?redirectedfrom=MSDN#ECAA

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

  2. michael schawel 21 Reputation points
    2020-12-17T09:49:11.387+00:00

    Hello Hannah

    Thank you for the reply.

    As I wrote, before I auto-enroll new certificates based on the new template, I want to do a test with only 3 Test servers. All the certificates (with the exception of the 3 Test Servers) based on the old template should remain untouched.
    Since I marked the old template as superseded, my question is, are the old certificates affected in any way by the superseded flag?

    For clarification: I want to do this test because our Exchange guy told me that there might be a problem with Exchange Servers with the UM Role when the Computer Certificate is changed.

    Thanks

    Michael

  3. Hannah Xiong 6,231 Reputation points
    2020-12-18T02:20:23.873+00:00

    Hello Michael,

    You are welcome. Thank you so much for your kind reply.

    I did the test. Once we marked the old template as superseded, the certificates based on the old template will be deleted and the computers will get the certificates based on the new template.

    As mentioned before, if a certificate template has been superseded, the user will automatically be enrolled with the new template, and the old certificates will be deleted or archived depending on the template setting.

    The old certificates will be affected once the old template is marked as superseded.

    We could try to do the test. For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

  4. Martin Rublik 316 Reputation points
    2020-12-18T09:31:28.847+00:00

    I have one more thing to add:

    the certificates based on the superseded template will be archived/deleted only if you have rights to auto-enroll the new template. So you can test the new template for the respective three servers, but you need to keep in mind that for these three servers the certificates will be archived / deleted.

    Martin
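
To check on a given machine the outcome the answers above describe, this added example (not part of the original thread or any poster's environment) lists every certificate in the local machine Personal store, archived ones included, with the template it was issued from. It assumes Windows PowerShell 5 or later in an elevated session; the two OIDs are the standard Microsoft certificate template extensions.

```powershell
# Added example: report machine certificates per issuing template, including archived ones.
# Run it on a test server and on an untouched client, before and after an autoenrollment cycle.

$oidTemplateV2 = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2 and later templates)
$oidTemplateV1 = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)

# Cert:\LocalMachine\My hides archived certificates, so open the store explicitly
# with IncludeArchived to see what autoenrollment archived rather than deleted.
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'LocalMachine')
$flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, IncludeArchived'
$store.Open($flags)

try {
    $report = foreach ($cert in $store.Certificates) {
        # Pick whichever template extension the certificate carries.
        $ext = $cert.Extensions |
            Where-Object { $_.Oid.Value -in $oidTemplateV2, $oidTemplateV1 } |
            Select-Object -First 1

        [pscustomobject]@{
            Template   = if ($ext) { $ext.Format($false) } else { '(no template extension)' }
            Archived   = $cert.Archived
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
        }
    }
}
finally {
    $store.Close()
}

# One row per certificate; an old-template row flipping to Archived = True
# (or disappearing) shows that the superseding template took effect on this machine.
$report | Sort-Object Template, NotAfter | Format-List
```

Running `certutil -pulse` triggers an autoenrollment cycle without waiting for the next scheduled one, so the before and after reports can be taken a few minutes apart.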
