Certificate auto-enrollment

Jaichandru 1 Reputation point
2021-03-05T03:15:33.43+00:00

Hi Guys,
I have a client certificate template which is configured with auto-enrollment for "Domain Computers". Laptops are configured with the auto-enroll group policy and are getting this client cert.

Now, I have a requirement to enable auto-enrollment for all servers. My question is: if I enable the auto-enrollment GPO for servers and configure "Domain Computers" with auto-enroll permission on the server cert template, will this new server cert get installed on laptops too, and vice versa?

Any thoughts on how to overcome this challenge?

Thanks

Jaichandru

Windows Server Security

3 answers

  1. Fan Fan 15,291 Reputation points Microsoft Vendor
    2021-03-05T05:24:45.207+00:00

    Hi,

    All the clients in the domain will get the cert installed once the device refreshes the group policy.
    Here are 2 methods for your reference:

    1. If you don't want specific computers to apply the policy, you can filter the clients from the GPO security.
    Put the computers which will apply the policy into one group named "auto enroll".
    Assign the group Read and Apply Group Policy permissions.
    Remove the Apply Group Policy permission for Authenticated Users.
    2. Or, if you don't want the laptops to install the specific certs, you can remove the Autoenroll and Enroll permissions for the specific laptops on the certificate templates.
    On the templates, assign the "auto enroll" group the Enroll and Autoenroll permissions.
    Keep Authenticated Users with only Read permission.

    Best Regards,


  2. Vadims Podāns 8,866 Reputation points MVP
    2021-03-05T07:42:52.393+00:00

    Any thoughts how to overcome this challenge ?

    It isn't a challenge, it is a standard procedure. What you need is:

    1. Create a new global group named <TemplateName> AutoEnroll.
    2. Put the Domain Computers group there. If domain controllers should get this certificate as well, add the Enterprise Domain Controllers group there as well.
    3. Assign this group to the certificate template ACL and select Read, Enroll and Autoenroll.
    4. Create a new GPO and configure autoenrollment under Computer Configuration.
    5. Link this GPO to the domain.

  3. Jaichandru 1 Reputation point
    2021-03-05T07:48:19.557+00:00

    Thanks Crypt32 and FanFan-MSFT for the responses. To rephrase my question: I have autoenrollment enabled for client OS, and the client template is configured with "Domain Computers" permission. If I enable auto-enroll permission for server OS, will it also get the client cert, because the server also falls under "Domain Computers"?
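
To check which groups (for example Domain Computers) actually hold Enroll and Autoenroll on each template before or after moving to the per-template groups described in the answers, a read-only audit can list the template ACLs. This is an added example, not code from any of the posters; it assumes the RSAT ActiveDirectory module and read access to the Configuration partition.

```powershell
# Added example: read-only audit of Enroll/Autoenroll grants on certificate templates.
# Assumption: run on a domain-joined host with the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Control access right GUIDs that apply to certificate templates
$rights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
}
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

$configNC   = (Get-ADRootDSE).configurationNamingContext
$searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$templates  = Get-ADObject -SearchBase $searchBase -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties displayName, nTSecurityDescriptor

$report = foreach ($t in $templates) {
    foreach ($ace in $t.nTSecurityDescriptor.Access) {
        # Only ACEs that carry the ExtendedRight bit (this includes GenericAll) matter here
        if (($ace.ActiveDirectoryRights -band $extended) -ne $extended) { continue }

        $names = @()
        $guid  = $ace.ObjectType.ToString()
        if ($ace.ObjectType -eq [guid]::Empty) {
            # Empty ObjectType means the ACE covers every extended right
            $names = @($rights.Values)
        } elseif ($rights.ContainsKey($guid)) {
            $names = @($rights[$guid])
        }

        foreach ($n in $names) {
            [pscustomobject]@{
                Template  = $t.displayName
                Principal = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType   # Allow or Deny
                Right     = $n
            }
        }
    }
}

# Principals allowed BOTH rights on a template are autoenrollment candidates
# (Read permission and Deny ACEs still need a manual look in $report).
$report | Where-Object Type -eq 'Allow' |
    Group-Object Template, Principal |
    Where-Object { @($_.Group.Right | Sort-Object -Unique).Count -eq 2 } |
    ForEach-Object { $_.Group[0] | Select-Object Template, Principal } |
    Sort-Object Template, Principal | Format-Table -AutoSize
```

Any template that lists a broad group alongside a dedicated one is visible in the output, as are principals that get both rights through full control.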