1
00:00:02,140 --> 00:00:05,600
If you plan to use the device tunnel with Always On VPN again,

2
00:00:05,600 --> 00:00:09,560
this would be for your domain joined devices, a certificate template

3
00:00:09,560 --> 00:00:12,280
for the device certificate is going to be required.

4
00:00:12,280 --> 00:00:15,540
That certificate is, of course, a machine certificate.

5
00:00:15,540 --> 00:00:18,280
The only required EKU for this certificate, again,

6
00:00:18,280 --> 00:00:21,960
is Client Authentication. And in this case, the subject name

7
00:00:21,960 --> 00:00:24,760
is the host name of the device itself.

8
00:00:24,760 --> 00:00:27,030
And much like the user certificate,

9
00:00:27,030 --> 00:00:32,010
we want to ensure that this is enrolled to a TPM only, and again,

10
00:00:32,010 --> 00:00:43,000
handle any cases where you can't enroll a device TPM as an exception.
So let's take a look at deploying a device certificate template.