Vadims Podāns 18.01.2019 14:32 (GMT+2) Certificate Autoenrollment in Windows Server 2016 (part 4)

@Miguel, look at figure 26 again, there is a "require the following for reenrollment". There are two radio buttons. If you select "valid existing certificate", then:

  1. Initial certificate provision will require RA and extra enrollment agent signature.
  2. Certificate renewal (reenrollment) won't require RA and extra signature; the existing certificate (which was provisioned at step 1) will be used to sign the renewal request.

This configuration is best for manual initial certificate provisioning and automatic certificate renewal during the certificate lifecycle.

Vadims Podāns 18.01.2019 14:27 (GMT+2) Certificate Autoenrollment in Windows Server 2016 (part 3)

> Basically an autoenrollment policy with no templates that have autoenroll permission will have no effect, correct?

Yes, it is correct. Certificate autoenrollment requires both a configured policy AND available templates with autoenroll permissions. If either is missing, the policy will have no effect.

Miguel 18.01.2019 08:55 (GMT+2) Certificate Autoenrollment in Windows Server 2016 (part 4)

Hi Vadims, my question is about your self RA example above (figure 26): If I have issued a smart card certificate using an enrollment station (using a template requiring one authorized signature, application policy = certificate request agent), in order to have this certificate automatically renewed, do I need to supersede the corresponding template with another that also requires one authorized signature and has application policy = smart card logon? Is this the best/only way to get automatic renewal in this case?

Miguel 18.01.2019 08:40 (GMT+2) Certificate Autoenrollment in Windows Server 2016 (part 3)

Hi Vadims, just to confirm I'm understanding correctly: If I have no certificate templates with autoenroll permission for a user, and I also have an enabled autoenrollment policy in the domain that has the "Update certificates that use certificate templates" option checked, then the user will not be prompted for autoenrollment, is this correct?

Basically an autoenrollment policy with no templates that have autoenroll permission will have no effect, correct?

 

asdf 08.01.2019 18:18 (GMT+2) Goodbye Applocker and welcome back SRP

Reviving this 3-year-old discussion. AppLocker is supported on Windows 10 since September 2017.

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview