1
00:00:02,340 --> 00:00:04,470
So to create this user certificate template,

2
00:00:04,470 --> 00:00:09,600
we are going to duplicate the, yes you guessed it, User certificate template.

3
00:00:09,600 --> 00:00:12,130
So we'll right-click, choose Duplicate Template.

4
00:00:12,130 --> 00:00:16,240
And here, we're going to once again uncheck Show resulting changes,

5
00:00:16,240 --> 00:00:20,380
choose Windows Server 2016 or whatever your latest CA is

6
00:00:20,380 --> 00:00:23,300
there, and the same thing, Certificate recipient is

7
00:00:23,300 --> 00:00:27,140
Windows 10 or Windows Server 2016.

8
00:00:27,140 --> 00:00:30,180
Go to the General tab, and we'll provide a descriptive

9
00:00:30,180 --> 00:00:35,570
name here. And here, once again,

10
00:00:35,570 --> 00:00:38,880
validity period's fine, one year. The option to

11
00:00:38,880 --> 00:00:41,070
publish in Active Directory is checked.

12
00:00:41,070 --> 00:00:43,400
We need to make sure that we uncheck this.

13
00:00:43,400 --> 00:00:49,490
This is completely unnecessary for 99.9% of the certificates you'll ever use.

14
00:00:49,490 --> 00:00:53,210
It is not necessary here, so please uncheck it. Checking it doesn't

15
00:00:53,210 --> 00:00:57,300
do anything in terms of performance or security.

16
00:00:57,300 --> 00:01:02,460
It doesn't break anything, but it does kind of populate Active Directory user

17
00:01:02,460 --> 00:01:05,810
objects with a certificate that is completely unnecessary.

18
00:01:05,810 --> 00:01:10,310
So, it can lead to object bloat and user account bloat in Active

19
00:01:10,310 --> 00:01:14,140
Directory, so we definitely don't want to choose that.

20
00:01:14,140 --> 00:01:17,510
So we'll go to the Request Handling tab. And by default,

21
00:01:17,510 --> 00:01:20,060
Allow private key to be exported is checked.

22
00:01:20,060 --> 00:01:21,580
We want to uncheck that.

23
00:01:21,580 --> 00:01:22,940
That's very critical.
24
00:01:22,940 --> 00:01:26,390
And then we'll go to the Cryptography tab. And here, once again,

25
00:01:26,390 --> 00:01:31,770
we'll choose the Key Storage Provider, and this is critical for a

26
00:01:31,770 --> 00:01:35,390
user certificate or any certificate that's going to be deployed to

27
00:01:35,390 --> 00:01:38,700
a mobile or portable platform.

28
00:01:38,700 --> 00:01:43,080
We want to select the option Requests must use one of the following providers.

29
00:01:43,080 --> 00:01:48,240
And here we're going to select Microsoft Platform Crypto Provider.

30
00:01:48,240 --> 00:01:52,210
The Microsoft Platform Crypto Provider is the provider used by the

31
00:01:52,210 --> 00:01:57,780
TPM on the endpoint. So this ensures that this request can only be

32
00:01:57,780 --> 00:02:01,270
made from a device that has a TPM.

33
00:02:01,270 --> 00:02:07,370
Now, I will give you or will share with you that it's possible you may want to

34
00:02:07,370 --> 00:02:11,740
enroll a certificate for a user who does not have a TPM.

35
00:02:11,740 --> 00:02:13,930
I would avoid that as much as possible.

36
00:02:13,930 --> 00:02:18,210
Most modern hardware devices today have the TPM, so we want to

37
00:02:18,210 --> 00:02:20,170
make sure we use it as much as possible.

38
00:02:20,170 --> 00:02:25,610
I would also suggest that if you have a need or requirement to issue

39
00:02:25,610 --> 00:02:30,470
a user certificate to a user who has a device that does not have a

40
00:02:30,470 --> 00:02:32,690
TPM, that that would be an exception.

41
00:02:32,690 --> 00:02:36,140
My suggestion is make another template that uses the software

42
00:02:36,140 --> 00:02:39,240
key storage provider and go that route.

43
00:02:39,240 --> 00:02:44,060
It is possible to prefer the platform crypto provider by

44
00:02:44,060 --> 00:02:45,880
clicking this green arrow button here,

45
00:02:45,880 --> 00:02:50,800
pushing it to the top, and also selecting Software Key Storage Provider.
46
00:02:50,800 --> 00:02:54,560
This means that it would prefer the crypto provider, but fall

47
00:02:54,560 --> 00:02:57,340
back to the KSP, or the key storage provider.

48
00:02:57,340 --> 00:03:01,110
I prefer not to do that because it's an unknown.

49
00:03:01,110 --> 00:03:04,980
It means that I don't know for certain that most of my

50
00:03:04,980 --> 00:03:09,050
devices or all of them have the platform crypto provider or

51
00:03:09,050 --> 00:03:12,300
the TPM-protected certificate.

52
00:03:12,300 --> 00:03:17,190
So in this case, I'm recommending that you uncheck this box, that you

53
00:03:17,190 --> 00:03:21,800
leave it set to Platform Crypto Provider only and then deal with anybody

54
00:03:21,800 --> 00:03:25,770
who needs a certificate on a device without a TPM as exceptions. Create a

55
00:03:25,770 --> 00:03:30,080
separate template and maybe a manual enrollment process, and make sure

56
00:03:30,080 --> 00:03:32,770
that somebody in your organization accepts the risk for that because that

57
00:03:32,770 --> 00:03:34,140
is a huge risk.

58
00:03:34,140 --> 00:03:39,690
We'll also bump the Request hash up to SHA256, and then we'll go

59
00:03:39,690 --> 00:03:43,180
to the Extensions tab. And here, as I said before, the default is

60
00:03:43,180 --> 00:03:45,740
to include EFS and Secure Email.

61
00:03:45,740 --> 00:03:47,270
We don't need either of these.

62
00:03:47,270 --> 00:03:50,380
You certainly can leave them, but I prefer to remove them.

63
00:03:50,380 --> 00:03:55,110
So we'll click Edit, and we'll remove EFS, and we will remove Secure

64
00:03:55,110 --> 00:03:58,540
Email. That leaves us with just Client Authentication, and honestly

65
00:03:58,540 --> 00:04:01,340
that's all we need for this template.

66
00:04:01,340 --> 00:04:05,080
So we'll click OK, and we'll move to the Subject Name field. Here again,

67
00:04:05,080 --> 00:04:09,080
we'll build from Active Directory. We're going to select the

68
00:04:09,080 --> 00:04:13,920
Common name as the Subject name format. By default, the Include

69
00:04:13,920 --> 00:04:16,400
e-mail name in subject name is selected.

70
00:04:16,400 --> 00:04:18,240
We don't need that.

71
00:04:18,240 --> 00:04:21,350
And I suggest that you remove it because if you do have

72
00:04:21,350 --> 00:04:22,950
the email name in the user account,

73
00:04:22,950 --> 00:04:25,240
that's great, but if you don't have it defined, it can be

74
00:04:25,240 --> 00:04:29,140
problematic in the future. I also suggest removing it from

75
00:04:29,140 --> 00:04:31,450
the alternative name field as well.

76
00:04:31,450 --> 00:04:34,600
The only thing we really need here is UPN, or User Principal Name,

77
00:04:34,600 --> 00:04:37,640
and that's really the critical aspect of that.

78
00:04:37,640 --> 00:04:40,640
So then we'll go to the Security tab, and here we're

79
00:04:40,640 --> 00:04:43,640
going to remove our Domain Users.

80
00:04:43,640 --> 00:04:55,300
And now we will add our VPN Users group. And we will grant this group

81
00:04:55,300 --> 00:05:02,000
Read, Enroll, and Autoenroll. Once that's done, click OK.
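An added example, not part of the course transcript: a PowerShell audit that reads the finished template back out of the Configuration partition and reports any setting that drifted from the choices walked through above (key not exportable, not published to AD, Platform Crypto Provider only, SHA256, Client Authentication only, CN from AD with UPN in the SAN and no e-mail, Domain Users removed, the VPN group able to Enroll and Autoenroll). It assumes the ActiveDirectory module, the template display name 'VPN User' and the group 'VPN Users' (both assumed names), and the template flag bits and enrollment extended-right GUIDs as documented in MS-CRTD and the AD schema.

```powershell
param([string]$TemplateName = 'VPN User', [string]$GroupName = 'VPN Users')  # assumed names
Import-Module ActiveDirectory

# Template flag bits (MS-CRTD) and the EKU / extended-right identifiers the checks rely on
$CT_FLAG_EXPORTABLE_KEY              = 0x10        # msPKI-Private-Key-Flag
$CT_FLAG_PUBLISH_TO_DS               = 0x8         # msPKI-Enrollment-Flag
$CT_FLAG_SUBJECT_REQUIRE_EMAIL       = 0x00400000  # msPKI-Certificate-Name-Flag ...
$CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL   = 0x00200000
$CT_FLAG_SUBJECT_ALT_REQUIRE_UPN     = 0x02000000
$CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME = 0x40000000
$EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
$Rights = @{ Enroll = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
             Autoenroll = [guid]'a05b8cc2-17bc-11d2-9ee0-00c04f79dc55' }

$configNC = (Get-ADRootDSE).configurationNamingContext
$tpl = Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
    -Filter { displayName -eq $TemplateName } -Properties 'msPKI-Private-Key-Flag', 'msPKI-Enrollment-Flag', `
    'msPKI-Certificate-Name-Flag', 'pKIExtendedKeyUsage', 'pKIDefaultCSPs', 'msPKI-RA-Application-Policies', 'nTSecurityDescriptor'
if (-not $tpl) { throw "Template '$TemplateName' not found" }

$findings = @()
if ([int]$tpl.'msPKI-Private-Key-Flag' -band $CT_FLAG_EXPORTABLE_KEY) { $findings += 'Allow private key to be exported is checked' }
if ([int]$tpl.'msPKI-Enrollment-Flag' -band $CT_FLAG_PUBLISH_TO_DS)   { $findings += 'Publish certificate in Active Directory is checked' }
$nf = [int]$tpl.'msPKI-Certificate-Name-Flag'
if (-not ($nf -band $CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME)) { $findings += 'Subject name is not built from the AD common name' }
if (-not ($nf -band $CT_FLAG_SUBJECT_ALT_REQUIRE_UPN))     { $findings += 'UPN is not included in the subject alternative name' }
if ($nf -band ($CT_FLAG_SUBJECT_REQUIRE_EMAIL -bor $CT_FLAG_SUBJECT_ALT_REQUIRE_EMAIL)) { $findings += 'E-mail name is still included in the subject or SAN' }
$eku = @($tpl.pKIExtendedKeyUsage)
if (($eku -join ',') -ne $EKU_CLIENT_AUTH) { $findings += "EKUs are [$($eku -join ', ')] rather than Client Authentication only" }
# pKIDefaultCSPs entries look like '1,Microsoft Platform Crypto Provider'; an empty list means "any provider"
$csps = @($tpl.pKIDefaultCSPs | ForEach-Object { ($_ -split ',', 2)[1] })
if ($csps.Count -ne 1 -or $csps[0] -ne 'Microsoft Platform Crypto Provider') { $findings += "Providers are [$($csps -join ', ')], not Platform Crypto Provider only" }
# The request hash for KSP templates lives in the backtick-delimited msPKI-RA-Application-Policies string
if (-not ($tpl.'msPKI-RA-Application-Policies' -match 'msPKI-Hash-Algorithm`PZPWSTR`SHA256')) { $findings += 'Request hash is not SHA256' }

$aces = $tpl.nTSecurityDescriptor.Access | Where-Object { $_.AccessControlType -eq 'Allow' }
if ($aces | Where-Object { $_.IdentityReference -like '*\Domain Users' }) { $findings += 'Domain Users still has permissions on the template' }
$grpAces = $aces | Where-Object { $_.IdentityReference -like "*\$GroupName" }
foreach ($r in $Rights.GetEnumerator()) {
    if (-not ($grpAces | Where-Object { $_.ObjectType -eq $r.Value })) { $findings += "$GroupName is not granted $($r.Key)" }
}
if ($findings) { $findings | ForEach-Object { "FAIL: $_" } } else { "PASS: '$TemplateName' matches the hardened settings" }
```

Run it from a workstation with RSAT after the template is saved; each FAIL line names the tab whose setting needs revisiting.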