1
00:00:02,540 --> 00:00:05,940
So as you can see, creating certificate templates and publishing them is

2
00:00:05,940 --> 00:00:09,340
not terribly difficult, honestly. The process of enrolling those

3
00:00:09,340 --> 00:00:12,960
certificates for endpoints, again if it's just a handful of servers,

4
00:00:12,960 --> 00:00:17,840
probably easy enough, if it's maybe even just a few devices or users,

5
00:00:17,840 --> 00:00:20,210
obviously not difficult either, however,

6
00:00:20,210 --> 00:00:22,720
deploying certificates at scale becomes challenging, and at

7
00:00:22,720 --> 00:00:25,060
the end of the day we also want to ensure that the

8
00:00:25,060 --> 00:00:26,790
administrative burden is as low as possible.

9
00:00:26,790 --> 00:00:30,550
Anything that we can do to automate processes should be done, and with

10
00:00:30,550 --> 00:00:34,440
that, we're going to use certificate auto‑enrollment in Active Directory.

11
00:00:34,440 --> 00:00:38,440
Certificate auto‑enrollment can be used for both users and devices, so we

12
00:00:38,440 --> 00:00:43,100
can automate the enrollment and provisioning of certificates for users and

13
00:00:43,100 --> 00:00:45,670
devices using Group Policy.

14
00:00:45,670 --> 00:00:50,640
The important part to remember here is not only does it work for provisioning,

15
00:00:50,640 --> 00:00:53,390
but it also works for renewing those certificates as

16
00:00:53,390 --> 00:00:54,850
well, and that's really critical.

17
00:00:54,850 --> 00:00:57,240
Obviously the certificates have an expiry,

18
00:00:57,240 --> 00:01:00,040
they have a lifetime, and they will have to be renewed at some point,

19
00:01:00,040 --> 00:01:03,550
so in this case we can ensure not only that they are provisioned

20
00:01:03,550 --> 00:01:06,410
without administrative intervention required,

21
00:01:06,410 --> 00:01:08,580
but we can also ensure that those certificates are

22
00:01:08,580 --> 00:01:12,240
automatically renewed prior to their expiration.

23
00:01:12,240 --> 00:01:14,890
The recommendation for this GPO for enabling

24
00:01:14,890 --> 00:01:18,040
auto‑enrollment is to link it at the domain level.

25
00:01:18,040 --> 00:01:21,030
Honestly, there's no reason not to, however,

26
00:01:21,030 --> 00:01:24,590
it's really important that it just gets to our VPN servers,

27
00:01:24,590 --> 00:01:27,590
NPS servers, VPN users, and VPN devices.

28
00:01:27,590 --> 00:01:33,540
So, if you want to target this particular GPO at an OU or what have you,

29
00:01:33,540 --> 00:01:37,810
ultimately that's a design choice you have to make. It's far easier just

30
00:01:37,810 --> 00:01:40,080
to link it at the domain level and be done with it, and that's what we're

31
00:01:40,080 --> 00:01:42,040
going to do in this demonstration.

32
00:01:42,040 --> 00:01:49,000
So let's create a certificate auto‑enrollment GPO and apply that using Active Directory and Group Policy.