SCCM 2012 – Security (Part 2)


Hi All,

If you missed Part 1, you can find it here.

Today we go ahead with Part 2 of the series of posts about security, and now it is time to talk about certificates. I'm not going to tell you how to create your PKI infrastructure, but which certificates you need in your environment. In this post, we'll focus on the client certificate.

Many people like to create a new certificate template for the client machines. Not that I don't like it, but most of the time you don't need it, as the default Workstation Authentication certificate can be used. If you are like me and don't want to create a new certificate for workstation authentication, you don't need to. However, you do need to make sure a workstation certificate is being issued to all machines.

The easiest way to do this is via GPO (note that I'm not talking about non-domain-joined machines here :))
1- Open a GPO and navigate to Computer Configuration->Policies->Windows Settings->Security Settings->Public Key Policies
[Screenshot: cert01]

2- Once there, edit Certificate Services Client – Auto-Enrollment. My settings are normally: Enabled, renew expired certificates, update certificates that use certificate templates, log expiry events (10%). Of course, depending on your environment these settings may need to be changed.
[Screenshot: cert02]

3- Confirm that the Workstation Authentication template allows Domain Computers to auto-enroll.
[Screenshot: cert03]

4- Once that is done, the next time the machine reboots (or you manually run gpupdate /force) you'll see the certificate being issued to the computers.
[Screenshot: cert03]

5- Now it is time to wait for all client machines to get the certificate. You can also use the SCCM reports to see which clients cannot communicate over HTTPS.
[Screenshot: cert05]
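As an added example (not part of the original post), here is a PowerShell check you can run on a client to confirm the workstation certificate actually arrived, has the Client Authentication EKU and chains to a trusted CA, before relying on the SCCM HTTPS report. It assumes the default Workstation Authentication template; change $TemplateName if you use your own.

```powershell
# Added example: verify a domain-joined machine holds a usable workstation
# (client authentication) certificate in the computer's personal store.
# Assumption: the default "Workstation Authentication" template is used.
$TemplateName  = 'Workstation Authentication'
$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU OID

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # V1 templates store the name in 1.3.6.1.4.1.311.20.2,
    # V2+ templates store "Template=<name>(<oid>)" in 1.3.6.1.4.1.311.21.7.
    foreach ($oid in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if ($ext) { return $ext.Format($false) }
    }
    return $null
}

$now = Get-Date
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku }) -and
    ((Get-TemplateName $_) -like "*$TemplateName*")
}

if (-not $candidates) {
    # Nothing enrolled yet: check the auto-enrollment GPO and the template's
    # Domain Computers enroll/autoenroll permissions, then trigger enrollment.
    Write-Warning "No valid workstation certificate found; run 'certutil -pulse' after fixing the GPO/template."
    exit 1
}

foreach ($c in $candidates) {
    # Building the chain with online revocation checking confirms the issuing
    # CA is trusted by this machine and the certificate is not revoked.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $valid = $chain.Build($c)
    [pscustomobject]@{
        Subject     = $c.Subject
        Issuer      = $c.Issuer
        NotAfter    = $c.NotAfter
        Thumbprint  = $c.Thumbprint
        Template    = Get-TemplateName $c
        ChainValid  = $valid
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}
```

A machine that lists no certificate here, or one whose ChainValid is False, is one that will show up as unable to talk HTTPS in the SCCM report.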
