Client Certificate Template Settings

I'm setting up a new 2012 R2 CA that will be used for distributing Config Manager 2012 R2 client certificates to Windows 7 and 8.1 laptops that will be primarily Internet-based, as well as for other purposes for servers as old as Server 2008.

They will connect to VPN or come into the LAN to receive their certificates and client software.

The changes I have made from the default workstation certificate are as follows:

Created custom template name.

Certification Authority: Windows Server 2012 R2

Certificate recipient: Windows Vista/2008

Security: Domain Computers, allow read, enroll, autoenroll

Subject name format: None. Include this information in alternate subject name: DNS name (may be default)

Everything else is left at the default settings from the Workstation Authentication template (1 year validity, 6 week renewal, etc.).

Does anything need to be changed before I start allowing workstations to autoenroll using this template?


  • Edited by MyGposts Wednesday, May 27, 2015 12:36 AM
May 27th, 2015 12:35am
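
One way to confirm, on a laptop that has autoenrolled, that the issued certificate matches the settings listed in the post above (an added example, not part of the original thread). It assumes the Client Authentication EKU that the default Workstation Authentication template carries, and an English-locale client, where the SAN extension renders as `DNS Name=...`.

```powershell
# Added example: audit computer certificates in LocalMachine\My against the
# template settings described in the post (empty subject, DNS name in the SAN,
# about 1 year validity). Uses only .NET types, so it also runs on PowerShell 2.0.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU
$SanOid        = '2.5.29.17'              # Subject Alternative Name
$TemplateOid   = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$Fqdn          = [System.Net.Dns]::GetHostEntry('').HostName

function Test-ClientCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $tpl = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid }

    # ASSUMPTION: English display language, so SAN entries read "DNS Name=host.domain"
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $sanPattern = 'DNS Name=' + [regex]::Escape($Fqdn) + '(,|\s|$)'
    $now = Get-Date

    New-Object PSObject -Property @{
        Thumbprint    = $Cert.Thumbprint
        Template      = if ($tpl) { $tpl.Format($false) } else { '(no template extension)' }
        ClientAuth    = [bool]($eku -and
                          ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid }))
        SubjectEmpty  = [string]::IsNullOrEmpty($Cert.Subject)   # "Subject name format: None"
        SanHasFqdn    = $sanText -match $sanPattern              # DNS name in the SAN
        HasPrivateKey = $Cert.HasPrivateKey
        ValidNow      = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
        LifetimeDays  = [int]($Cert.NotAfter - $Cert.NotBefore).TotalDays  # about 365 expected
        Issuer        = $Cert.Issuer
    }
}

# Report every computer certificate usable for client authentication.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ClientCertificate -Cert $_ -Fqdn $Fqdn } |
    Where-Object { $_.ClientAuth } |
    Select-Object Thumbprint, Template, Issuer, SubjectEmpty, SanHasFqdn,
                  HasPrivateKey, ValidNow, LifetimeDays |
    Format-List
```

A certificate that reports `SanHasFqdn : False` or `HasPrivateKey : False` was not issued the way the post describes, so it is worth inspecting before relying on it for Internet-based clients.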

The laptop users do not use VPN regularly enough to rely on, and they will never remember to connect to VPN for the sole purpose of getting software updates and security patches.

Many users only connect to VPN once every few months since they can access email and SharePoint and surf the net from these laptops without using VPN. However, they cannot get WSUS updates or other software updates without connecting to VPN, so it isn't happening.

Laptops are not being updated on a timely basis when we wait for users to decide to connect to VPN, and this is one of the reasons we are deploying Config Manager with IBCM.

When the users eventually connect to VPN or bring the laptops on premises, they will receive the client certificates via group policy and the client software via WSUS. This may take a few months for every laptop to check in and then we should be able to update the laptops whenever they are online instead of waiting several weeks for the users to connect to VPN.




  • Edited by MyGposts Wednesday, May 27, 2015 2:39 AM
May 27th, 2015 2:35am

What are the recommended workstation template settings for IBCM?
May 29th, 2015 10:42am

There is nothing recommended. You must fulfill the requirements outlined at https://technet.microsoft.com/en-us/library/gg699362.aspx.

There are various walk-throughs available both on TechNet and in the blogosphere. As mentioned, though, if you are trying to do this on your own, get a PKI smart person involved ASAP, as there are many ramifications for setting up a PKI incorrectly or without knowing the many caveats.

May 29th, 2015 11:00am

There is no one else. I'm actually fixing a worse setup from people who were here before me who set up a 1-tier system in production and retired servers with CAs on them without properly removing the CA first.

I was trying to follow the setup used in this Microsoft training video, but I now see that his demo skips some important steps.

http://www.microsoftvirtualacademy.com/training-courses/windows-server-2012-r2-implementing-a-basic-pki?prid=ch9videolink




  • Edited by MyGposts 14 hours 42 minutes ago
May 29th, 2015 1:03pm

