These steps assume the Active Directory functional level is 2012 R2 or higher, a working CA is deployed, clients have a working TPM, and you are familiar with Microsoft Certificate Services.
- Copy a working computer certificate template
- General tab
  a. Name the certificate template
- Compatibility tab
  a. Upgrade Certification Authority compatibility to Windows Server 2008 R2
  b. Upgrade Certificate recipient compatibility to Windows 7 / Server 2008 R2
- Cryptography tab
  a. Change Provider Category to "Key Storage Provider"
  b. Algorithm: RSA
  c. Minimum key size: 2048
  d. Select "Requests must use one of the following providers"
  e. Check only "Microsoft Platform Crypto Provider"
  f. Thumbprint: SHA256
  g. Click OK
- Security tab
  a. Ensure security settings are appropriate. Hosts that need to enroll should have only the following rights:
     - Enroll
     - Autoenroll
- Request Handling tab
  a. Ensure all selectable options are unchecked
- Publish the template. At this step you can publish a group policy object to have the machines auto-enroll.
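A check to run on an enrolled client once the template is published and group policy has applied, added here as an example and not part of the original steps: it lists the machine certificates issued from the template and confirms that each private key is held by the Microsoft Platform Crypto Provider (i.e. generated in the TPM) at RSA 2048 or larger. The template name `TPM-Computer` is an assumption; the template extension OID is the standard certificate template OID.

```powershell
# Added verification script (not part of the original steps).
# $TemplateName is an assumed placeholder; replace it with the name you gave the template.
param(
    [string]$TemplateName = 'TPM-Computer'
)

$templateOid = '1.3.6.1.4.1.311.21.7'        # szOID_CERTIFICATE_TEMPLATE (v2+ templates)
$expectedKsp = 'Microsoft Platform Crypto Provider'

# Select certificates in the machine store whose template extension names our template.
$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
    $ext -and ($ext.Format($false) -like "*$TemplateName*")
}

if (-not $certs) {
    Write-Warning "No certificate from template '$TemplateName' in LocalMachine\My. Has autoenrollment run? (certutil -pulse)"
    return
}

foreach ($cert in $certs) {
    # GetRSAPrivateKey returns an RSACng for CNG/KSP keys and an RSACryptoServiceProvider for legacy CSP keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $rsa) {
        Write-Warning "$($cert.Thumbprint): no accessible RSA private key"
        continue
    }

    $cng = $rsa -as [System.Security.Cryptography.RSACng]
    $ksp = if ($cng) { $cng.Key.Provider.Provider } else { 'legacy CSP (not a KSP)' }

    # The key is considered TPM-backed only if it lives in the Platform Crypto Provider
    # and meets the template's 2048-bit minimum.
    $tpmBacked = ($ksp -eq $expectedKsp) -and ($rsa.KeySize -ge 2048)

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        KeySize    = $rsa.KeySize
        Provider   = $ksp
        TpmBacked  = $tpmBacked
        NotAfter   = $cert.NotAfter
    }
}
```

Run it in an elevated PowerShell session on a client; any row with TpmBacked set to False means the key was generated outside the TPM, typically because the client enrolled before the provider restriction was published.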