SCCM 2012 – Security (Part 2)
If you missed the Part I you can find it here
today we go ahead with the Part 2 of the series of posts about security and now it is time to talk about certificates. I’m not going to tell you know to create your PKI infrastructure, but what certificates you need in your environment. In this post, we’ll focus on the client certificate.
There are many people out there that like to create a new certificate for the client machines, not that i don’t like but most of the time you don’t need it as the default workstation certificate can be used. If you is like me and don’t want create a new certificate for the workstation authentication, you don’t need, however, you need to make sure a workstation certificate is being applied to all machines.
The easiest way to do this is via GPO (note that i’m not talking about non-domain joined machines here :))
1- Open a GPO and navigate to Computer Configuration->Policies->Windows Settings->Security Settings->Public Key Policies
2- Once there, edit the Certificate Services Client – Auto-Enrollment. My settings are normally: Enabled, renew expired certificate, update certificates that use certificate template, log expired (10%). of course, depending on your environment these settings may need be changed