Planning certificate template permissions - Configuration Manager (2024)

Applies to: Configuration Manager (current branch)

Important

Starting in version 2203, this company resource access feature is no longer supported. For more information, see Frequently asked questions about resource access deprecation.

The following information can help you plan for how to configure permissions for the certificate templates that Configuration Manager uses when you deploy certificate profiles.

Default Security Permissions and Considerations

The default security permissions that are required for the certificate templates that Configuration Manager will use to request certificates for users and devices are as follows:

  • Read and Enroll for the account that the Network Device Enrollment Service application pool uses

  • Read for the account that runs the Configuration Manager console

For more information about these security permissions, see Configuring certificate infrastructure.

When you use this default configuration, users and devices can't directly request certificates from the certificate templates, and all requests must be initiated by the Network Device Enrollment Service. This is an important restriction, because these certificate templates must be configured with Supply in the request for the certificate Subject, which means that there is a risk of impersonation if a rogue user or a compromised device requests a certificate. In the default configuration, the Network Device Enrollment Service must initiate such a request. However, this risk of impersonation remains if the service that runs the Network Device Enrollment Service is compromised. To help avoid this risk, follow all security best practices for the Network Device Enrollment Service and the computer that runs this role service.

If the default security permissions don't fulfill your business requirements, you have another option for configuring the security permissions on the certificate templates: you can add Read and Enroll permissions for users and computers.

Adding Read and Enroll Permissions for Users and Computers

Adding Read and Enroll permissions for users and computers might be appropriate if a separate team manages your certification authority (CA) infrastructure, and that separate team wants Configuration Manager to verify that users have a valid Active Directory Domain Services account before sending them a certificate profile to request a user certificate. For this configuration, you must specify one or more security groups that contain the users, and then grant those groups Read and Enroll permissions on the certificate templates. In this scenario, the CA administrator manages the security control.

You can similarly specify one or more security groups that contain computer accounts and grant these groups Read and Enroll permissions on the certificate templates. If you deploy a computer certificate profile to a computer that is a domain member, the computer account of that computer must be granted Read and Enroll permissions. These permissions aren't required if the computer isn't a domain member, for example a workgroup computer or a personal mobile device.

Although this configuration uses another security control, we don't recommend it as a best practice. The reason is that the specified users or owners of the devices might request certificates independently from Configuration Manager and supply values for the certificate Subject that might be used to impersonate another user or device.

In addition, if you specify accounts that can't be authenticated at the time that the certificate request occurs, the certificate request will fail by default. For example, the certificate request will fail if the server that is running the Network Device Enrollment Service is in an Active Directory forest that is untrusted by the forest that contains the certificate registration point site system server. You can configure the certificate registration point to continue if an account can't be authenticated because there's no response from a domain controller. However, this isn't a security best practice.

If the certificate registration point is configured to check for account permissions and a domain controller is available and rejects the authentication request (for example, the account is locked out or has been deleted), the certificate enrollment request will fail.

To check for Read and Enroll permissions for users and domain-member computers

  1. On the site system server that hosts the certificate registration point, create the following DWORD registry key to have a value of 0: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SCCM\CRP\SkipTemplateCheck

  2. If an account can't be authenticated because there's no response from a domain controller, and you want to bypass the permissions check:

     • On the site system server that hosts the certificate registration point, create the following DWORD registry key to have a value of 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SCCM\CRP\SkipTemplateCheckOnlyIfAccountAccessDenied

  3. On the issuing CA, on the Security tab in the properties for the certificate template, add one or more security groups to grant the user or device accounts Read and Enroll permissions.
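The two registry settings from the steps above, audited and applied from PowerShell on the certificate registration point server. This is an added example, not the article's or Configuration Manager's own code; the function names are this example's, while the key path and value names come from the steps above.

```powershell
# Added example (not from the original article): audit and, if asked, apply the
# certificate registration point (CRP) registry settings described in the steps above.
# Run in an elevated session on the site system server that hosts the CRP.
$CrpKey = 'HKLM:\SOFTWARE\Microsoft\SCCM\CRP'

function Get-CrpTemplateCheckState {
    param([string]$Path = $CrpKey)

    # Read the DWORD values under the CRP key; a missing key or value is reported as $null.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    [pscustomobject]@{
        KeyPresent                                 = Test-Path -Path $Path
        SkipTemplateCheck                          = $props.SkipTemplateCheck
        SkipTemplateCheckOnlyIfAccountAccessDenied = $props.SkipTemplateCheckOnlyIfAccountAccessDenied
        # Step 1 of the article: the Read and Enroll check is configured when SkipTemplateCheck = 0
        PermissionCheckConfigured                  = ($props.SkipTemplateCheck -eq 0)
        # Step 2 of the article: value 1 bypasses the check when no domain controller responds,
        # which the article says isn't a security best practice
        BypassWhenNoDcResponse                     = ($props.SkipTemplateCheckOnlyIfAccountAccessDenied -eq 1)
    }
}

function Set-CrpTemplateCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $CrpKey)

    if ($PSCmdlet.ShouldProcess("$Path\SkipTemplateCheck", 'Create DWORD with value 0')) {
        if (-not (Test-Path -Path $Path)) {
            New-Item -Path $Path -Force | Out-Null
        }
        # -Force overwrites an existing value so the documented value of 0 is in place.
        New-ItemProperty -Path $Path -Name 'SkipTemplateCheck' -PropertyType DWord -Value 0 -Force | Out-Null
    }

    $state = Get-CrpTemplateCheckState -Path $Path
    if ($state.BypassWhenNoDcResponse) {
        Write-Warning 'SkipTemplateCheckOnlyIfAccountAccessDenied is 1: the permission check is bypassed when no domain controller responds.'
    }
    $state
}

# Report the current state; run Set-CrpTemplateCheck -WhatIf to preview the change before applying it.
Get-CrpTemplateCheckState | Format-List
```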
