SCCM 2012 – Security (Part 2)

Hi All,

If you missed Part I, you can find it here.

Today we go ahead with Part 2 of this series of posts about security, and now it is time to talk about certificates. I'm not going to tell you how to create your PKI infrastructure, but which certificates you need in your environment. In this post, we'll focus on the client certificate.

Many people like to create a new certificate template for the client machines. There is nothing wrong with that, but most of the time you don't need it: the default Workstation Authentication certificate can be used, since it already carries the Client Authentication EKU that the SCCM client requires. If you, like me, don't want to create a new certificate template for workstation authentication, you don't have to. You do, however, need to make sure a workstation certificate is actually being deployed to all machines.

The easiest way to do this is via GPO (note that I'm not talking about non-domain-joined machines here :))

1- Open a GPO and navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies

2- Once there, edit Certificate Services Client – Auto-Enrollment. My settings are normally: Configuration Model set to Enabled; "Renew expired certificates, update pending certificates, and remove revoked certificates" ticked; "Update certificates that use certificate templates" ticked; and log expiry events / show expiry notifications when 10% of the certificate lifetime remains. Of course, depending on your environment these settings may need to be changed.

3- Confirm that the Workstation Authentication template allows Domain Computers to enroll: on the template's Security tab in the Certificate Templates console, Domain Computers needs Read, Enroll and Autoenroll permissions, and the template must be published on the issuing CA.

4- Once that is done, the next time the machine reboots (or you manually run gpupdate /force) you'll see the certificate being issued to the computers. Certificate Services Client auto-enrollment also runs on its own every 8 hours.

5- Now it is time to wait for all client machines to get the certificate. You can also use the SCCM reports to see which clients cannot communicate over HTTPS.
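As an added example (not code from the original post), the following script checks a domain-joined client for the certificate the steps above should have produced: a time-valid certificate in LocalMachine\My issued from the Workstation Authentication template, with a private key, the Client Authentication EKU, a chain that builds to a trusted CA, and a legacy CSP key (the SCCM 2012 client does not support CNG/KSP keys). If none is found it can trigger auto-enrollment immediately with certutil -pulse instead of waiting for the next refresh. The template display name and the LocalMachine\My store location are assumptions; change -TemplateName if you use a custom template.

```powershell
<#
  Added example, not part of the original post: audit the local domain-joined
  machine for an auto-enrolled Workstation Authentication certificate that the
  SCCM 2012 client can use for HTTPS, and optionally trigger auto-enrollment.
  Run in an elevated Windows PowerShell session (LocalMachine store access).

  Assumptions (not stated in the post): the certificate is issued from the
  built-in "Workstation Authentication" template into LocalMachine\My; pass
  -TemplateName if your environment uses a custom template instead.
#>
param(
    [string]$TemplateName = 'Workstation Authentication',
    [switch]$TriggerEnrollment   # run "certutil -pulse" when no usable cert is found
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'          # Client Authentication EKU, required by the SCCM client
$templateOids  = @('1.3.6.1.4.1.311.20.2',     # Certificate Template Name (v1 templates)
                   '1.3.6.1.4.1.311.21.7')     # Certificate Template Information (v2+ templates)

function Get-CertTemplate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Returns the decoded template extension text (template name, or
    # "Template=<name>(<oid>)" for v2+ templates), or $null if there is none.
    foreach ($ext in $Cert.Extensions) {
        if ($templateOids -contains $ext.Oid.Value) { return $ext.Format($false) }
    }
    return $null
}

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
}

function Test-LegacyCspKey {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Heuristic: the SCCM 2012 client only supports CAPI/CSP keys, not CNG/KSP keys.
    # In Windows PowerShell, reading .PrivateKey on a CNG-backed certificate throws
    # ("Invalid provider type specified"), while a CSP key exposes CspKeyContainerInfo.
    try {
        $null = $Cert.PrivateKey.CspKeyContainerInfo.ProviderName
        return $true
    } catch {
        return $false
    }
}

$now = Get-Date
$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $template = Get-CertTemplate $cert
    if (-not $template -or $template -notlike "*$TemplateName*") { continue }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # fail if the CRL/OCSP check cannot be completed
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        TimeValid   = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        HasPrivKey  = $cert.HasPrivateKey
        ClientAuth  = Test-ClientAuthEku $cert
        LegacyCsp   = Test-LegacyCspKey $cert
        ChainValid  = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

$report | Format-Table -AutoSize

$usable = $report | Where-Object {
    $_.TimeValid -and $_.HasPrivKey -and $_.ClientAuth -and $_.LegacyCsp -and $_.ChainValid
}

if ($usable) {
    Write-Host "OK: $(@($usable).Count) usable client certificate(s) for SCCM HTTPS." -ForegroundColor Green
} else {
    Write-Warning "No usable '$TemplateName' certificate found in LocalMachine\My."
    if ($TriggerEnrollment) {
        # certutil -pulse fires the auto-enrollment task right away, the same task
        # the Certificate Services Client runs at boot, logon and every 8 hours.
        certutil -pulse
        Write-Host "Auto-enrollment triggered; re-run this script in a minute."
    }
}
```

A client that lists a certificate here but still falls back to HTTP usually fails on one of the columns above: the chain does not build because the machine does not trust the issuing CA, or the template was changed to a CNG provider. Either case is worth fixing before switching the management point to HTTPS only.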

