Confused about Certificate template selection in Auto Enrollment

  • Question

  • Hi everyone, I would appreciate your wisdom as I can't seem to get my head around this...

    If, with Auto Enrollment enabled in Group Policy, I then create a new certificate template by duplicating a User or Computer template, then add that new certificate to the list of available templates, how does the Windows computer know to use these new templates and not the original default ones that are still enabled?

    I have been reading up on NDES and apparently there are registry settings we can change to specify the template name so it won't use the default IPSEC template when a device (like a router) goes to request a certificate from it. I just can't seem to find any clear info on how the new User/Computer templates are being selected. The only thing I can assume is that Auto Enrollment just "magically" chooses the latest duplicated certificate? Any guidance would be greatly appreciated.

    Should I then remove the original User and Computer templates after I created the duplicate templates so the "old" original templates won't be available anymore?

    I am dazed and confused at the moment on this. Any insight would be appreciated. Thank you!

    Friday, July 10, 2020 19:53

All Replies

  • Hi,

    for autoenrollment to work, the following conditions must be met:

    • autoenrollment is activated by group policy
    • template is capable of autoenrollment (i.e. subject info is taken from AD, no additional issuance requirements etc.)
    • target computers have Autoenroll permission on template
    • template is published by one of the CAs

    If these conditions are met for more than one template, the computer will request (and receive) a certificate from each unique template. If a template is published by more than one CA, the computer will usually receive only one certificate from that template.

    Side note: You can't easily remove the built-in templates from the template collection. You can, however, unpublish them from every CA that was offering them.

    If the previous template has already been used for autoenrollment (i.e. there are valid certs issued from that template) you can set up supersedence for your modified template so the attempt to *renew* the old certs will lead to the issuance of a cert from the modified template.


    Evgenij Smirnov

    http://evgenij.smirnov.de

    Saturday, July 11, 2020 13:02
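The four conditions in the reply above can be checked mechanically rather than guessed at. The PowerShell below is an added example for this thread, not code from the original posts or from Microsoft: it reads the template object, the CA objects and the AEPolicy registry value, and reports per template whether the given principal (the local computer account by default) would autoenroll from it. It assumes a domain-joined host with the RSAT ActiveDirectory module. `Machine` is the common name of the built-in Computer template; `MyComputerTemplate` stands for a hypothetical duplicate and is an assumption, substitute your own template's common name (cn, not display name). Group membership is expanded one level via Get-ADPrincipalGroupMembership and Deny ACEs are ignored, which is a simplification.

```powershell
# Added example (not from the original thread): audit the four autoenrollment
# conditions for one template. Run on a domain-joined machine with the RSAT
# ActiveDirectory module; template names below are placeholders.
Import-Module ActiveDirectory

# Control-access-right GUIDs defined in the AD schema (Extended-Rights container).
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function Test-AutoenrollTemplate {
    param(
        [Parameter(Mandatory)][string]$TemplateName,                 # template common name (cn), not display name
        [string]$Principal = "$env:USERDOMAIN\$env:COMPUTERNAME`$"   # computer account by default
    )
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $pkiBase  = "CN=Public Key Services,CN=Services,$configNc"

    # 1. Autoenrollment turned on by Group Policy. AEPolicy bit 0x1 = enabled;
    #    the usual value 7 = enabled + renew expired certs + update templates.
    $ae = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
    $gpoEnabled = ($null -ne $ae) -and (($ae.AEPolicy -band 1) -eq 1)

    # 2. Template can be autoenrolled: subject built from AD, no RA signatures required.
    $tpl = Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" -LDAPFilter "(cn=$TemplateName)" `
               -Properties 'msPKI-Certificate-Name-Flag','msPKI-RA-Signature','msPKI-Supersede-Templates'
    if (-not $tpl) { throw "Template '$TemplateName' not found in AD" }
    $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1
    $subjectFromAd = (($tpl.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0)
    $noRaSignature = ([int]$tpl.'msPKI-RA-Signature' -eq 0)

    # 3. The principal, or a group it belongs to, holds Enroll and Autoenroll on the
    #    template object. Autoenrollment needs Read + Enroll + Autoenroll; Read is
    #    normally granted to Authenticated Users and is not re-checked here.
    $sid  = (New-Object System.Security.Principal.NTAccount($Principal)).Translate([System.Security.Principal.SecurityIdentifier])
    $sids = @($sid.Value) + @(Get-ADPrincipalGroupMembership -Identity $sid.Value | ForEach-Object { $_.SID.Value })
    $sids += 'S-1-5-11'   # Authenticated Users: every domain account is a member
    $granted = foreach ($ace in (Get-Acl -Path "AD:\$($tpl.DistinguishedName)").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($sids -notcontains $aceSid) { continue }
        # An empty ObjectType means "all extended rights" (e.g. a GenericAll ACE).
        if ($ace.ObjectType -eq [guid]::Empty) { $EnrollRight; $AutoEnrollRight } else { $ace.ObjectType }
    }
    $hasEnroll     = $granted -contains $EnrollRight
    $hasAutoenroll = $granted -contains $AutoEnrollRight

    # 4. Published by at least one CA: the CA's pKIEnrollmentService object lists it.
    $cas = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
               -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates
    $publishedBy = @($cas | Where-Object { $_.certificateTemplates -contains $TemplateName } | ForEach-Object { $_.Name })

    [pscustomobject]@{
        Template       = $TemplateName
        Principal      = $Principal
        GpoEnabled     = $gpoEnabled
        SubjectFromAD  = $subjectFromAd
        NoRaSignature  = $noRaSignature
        HasEnroll      = $hasEnroll
        HasAutoenroll  = $hasAutoenroll
        PublishedBy    = $publishedBy
        Supersedes     = @($tpl.'msPKI-Supersede-Templates')
        WillAutoenroll = $gpoEnabled -and $subjectFromAd -and $noRaSignature -and $hasEnroll -and $hasAutoenroll -and ($publishedBy.Count -gt 0)
    }
}

# If both the built-in template and the duplicate pass all four checks, the computer
# ends up with one certificate from each; nothing picks "the newest" template.
'Machine', 'MyComputerTemplate' | ForEach-Object { Test-AutoenrollTemplate -TemplateName $_ } | Format-List

# To stop the built-in template being offered, unpublish it from each CA (run on the
# CA, ADCSAdministration module) instead of trying to delete the template itself:
#   Remove-CATemplate -Name 'Machine' -Force        # same as: certutil -SetCATemplates -Machine
# To roll existing certs over on renewal, make the duplicate supersede the old template
# (what the Superseded Templates tab in certtmpl.msc writes; certtmpl.msc also bumps
# msPKI-Template-Minor-Revision, do the same if you edit the attribute directly):
#   Set-ADObject -Identity '<DN of MyComputerTemplate>' -Add @{'msPKI-Supersede-Templates'='Machine'}
# Then trigger autoenrollment instead of waiting for the next policy refresh:
#   certutil -pulse

# Finally, see which template each machine certificate actually came from.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }   # Certificate Template Information
    [pscustomobject]@{ Subject = $_.Subject; Thumbprint = $_.Thumbprint; Template = if ($ext) { $ext.Format($false) } }
}
```

The WillAutoenroll column answers the original question directly: a template is selected because it satisfies all four conditions, not because it is the most recently duplicated one, and the only way to take the original template out of the running is to unpublish it from every CA (or withdraw the Autoenroll permission on it).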
  • Hello,

    Thank you for posting in our TechNet forum.

    We would like to hear your feedback about whether your issue has been solved. We are checking in to see if the provided information was helpful. If the replies above are helpful, we would appreciate it if you marked them as answers.

    Here is more information for your reference. Hope it will be helpful.

    https://social.technet.microsoft.com/wiki/contents/articles/38085.certificate-autoenrollment.aspx


    Best regards,
    Hannah Xiong

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 13, 2020 04:53
  • Hello,

    I am checking how the issue is going, if you still have any questions, please feel free to contact us.

    Thank you so much for your time and support.

    Best regards,
    Hannah Xiong

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 16, 2020 05:06