We need to autoenroll certificates to our servers and clients to be used for RDS.
The auto-enrollment is set through "Public Key Policies/Certificate Services Client - Auto-Enrollment Settings", where it gets deployed nicely.
For RDS security we also have to set the certificate template under "Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security".
Unfortunately, when we set both settings we receive the same certificate twice, from the same template and PKI! This pollutes the PKI when you want to serve a bunch of systems.
Worth mentioning that these certs are identical in terms of template, PKI and key usage; they only differ in issue date by about 10 seconds.
We also checked the debug output for certificate enrollment, and found that the first certificate is requested by "svchost.exe", which is expected, while the second one is requested by "taskhost.exe".
Interestingly, if we delete both certs we then receive only one new certificate! That would suggest that the received cert actually satisfies both GP settings...
- Edited by universam 23 hours 8 minutes ago
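Added example, not from the original post or from Microsoft: a PowerShell check for an affected RDS host that lists the machine certificates with their issuing template, flags duplicate enrollments from the same template for the same subject (the symptom described above), and shows which thumbprint the RDP-Tcp listener is actually presenting. It reads the template name from the standard template extensions (OIDs 1.3.6.1.4.1.311.21.7 and 1.3.6.1.4.1.311.20.2) and the RDS listener binding from the Win32_TSGeneralSetting CIM class; the registry location it reads the GPO template name from (the `CertTemplateName` value under `HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services`) is an assumption of this example.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# on the RDS host that shows the duplicate enrollments.

function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # v2 templates: "Certificate Template Information" extension
    $v2 = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if ($v2) {
        # Format() renders e.g. "Template=RDSServer(1.3.6.1.4.1.311.21.8...), Major Version Number=100, ..."
        $text = $v2.Format($false)
        if ($text -match 'Template=([^,(]+)') { return $Matches[1].Trim() }
    }
    # v1 templates: "Certificate Template Name" extension holds the bare name
    $v1 = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
    if ($v1) { return $v1.Format($false).Trim() }
    return $null
}

function Get-RdsCertificateReport {
    # Every machine cert with a private key, tagged with its issuing template
    $rows = foreach ($c in Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey) {
        [pscustomobject]@{
            Template   = Get-CertTemplateName -Cert $c
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            NotBefore  = $c.NotBefore
            Issuer     = $c.Issuer
        }
    }

    # Duplicate enrollments: several live certs from the same template for the same subject.
    $dupes = $rows | Where-Object Template |
        Group-Object -Property Template, Subject | Where-Object Count -gt 1

    foreach ($g in $dupes) {
        Write-Output "Duplicate enrollment: template '$($g.Group[0].Template)' for $($g.Group[0].Subject)"
        $g.Group | Sort-Object NotBefore |
            Format-Table NotBefore, Thumbprint, Issuer -AutoSize | Out-String | Write-Output
    }
    if (-not $dupes) { Write-Output 'No duplicate enrollments in LocalMachine\My.' }

    # Which certificate the RDP-Tcp listener is actually presenting
    $rds = Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'" -ErrorAction SilentlyContinue
    $bound = $null
    if ($rds) {
        $bound = $rows | Where-Object { $_.Thumbprint -eq $rds.SSLCertificateSHA1Hash }
        if ($bound) {
            Write-Output "RDP-Tcp is bound to $($bound.Thumbprint) (template '$($bound.Template)', issued $($bound.NotBefore))"
        } else {
            Write-Output "RDP-Tcp is bound to $($rds.SSLCertificateSHA1Hash), which is not in LocalMachine\My (self-signed fallback?)"
        }
    } else {
        Write-Output 'Could not read the RDP-Tcp listener settings (is the Session Host role present?).'
    }

    # Template name pushed by the RDS Session Host security GPO.
    # Assumption of this example: the policy stores it in the CertTemplateName value at this key.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $pol = Get-ItemProperty -Path $polKey -Name CertTemplateName -ErrorAction SilentlyContinue
    if ($pol) {
        Write-Output "RDS GPO requests template '$($pol.CertTemplateName)'"
        if ($bound -and $bound.Template -ne $pol.CertTemplateName) {
            Write-Output 'WARNING: bound certificate does not come from the template the GPO specifies.'
        }
    } else {
        Write-Output 'RDS server-authentication template policy is not set on this host.'
    }
}

Get-RdsCertificateReport
```

Running this before and after the certificates are deleted and re-enrolled shows whether the remaining single certificate is the one RDP-Tcp binds to, and whether its template matches the one named in the RDS policy; a duplicate that RDP-Tcp never binds to is the one worth cleaning up (and revoking on the CA) so the PKI does not accumulate unused server-authentication certificates.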