1
00:00:02,040 --> 00:00:05,610
To create our Device Authentication certificate template, we're going to

2
00:00:05,610 --> 00:00:09,020
duplicate the Workstation Authentication template this time.

3
00:00:09,020 --> 00:00:13,420
So we'll right‑click, choose Duplicate Template. And once again,

4
00:00:13,420 --> 00:00:18,620
uncheck Show resulting changes, select 2016 for the server, Windows

5
00:00:18,620 --> 00:00:22,230
10 for the endpoint. Go to the General tab, and we'll give it a

6
00:00:22,230 --> 00:00:29,890
name. Once again, your one‑year validity period is fine. Don't

7
00:00:29,890 --> 00:00:31,350
publish in Active Directory.

8
00:00:31,350 --> 00:00:34,390
We'll go to the Cryptography tab. Here, we're going to

9
00:00:34,390 --> 00:00:37,040
select Key Storage Provider once more.

10
00:00:37,040 --> 00:00:38,570
And in this case, once again,

11
00:00:38,570 --> 00:00:42,370
much like the User Authentication template, this is a certificate

12
00:00:42,370 --> 00:00:45,460
that's going to be enrolled for by devices that we don't have

13
00:00:45,460 --> 00:00:47,230
physical control over all the time, right?

14
00:00:47,230 --> 00:00:49,120
So these are laptops and tablets.

15
00:00:49,120 --> 00:00:52,650
We want to select Requests must use one of the following providers and

16
00:00:52,650 --> 00:00:56,770
select Platform Crypto Provider. And much like I discussed on the User

17
00:00:56,770 --> 00:00:59,540
template, if you have exceptions to this,

18
00:00:59,540 --> 00:01:04,840
I would treat them as such and have a separate template that uses the KSP

19
00:01:04,840 --> 00:01:08,990
and have them enroll manually for them and know that you are actually

20
00:01:08,990 --> 00:01:12,620
enrolling a certificate in a rather non‑secure way.

21
00:01:12,620 --> 00:01:18,380
So we'll bump the Request hash up to SHA256. We'll go to the Subject Name

22
00:01:18,380 --> 00:01:24,910
field, and here we want to select DNS name from the Subject name format and

23
00:01:24,910 --> 00:01:29,570
ensure that DNS name is selected here and only the DNS name. We'll go to the

24
00:01:29,570 --> 00:01:34,130
Extensions tab. And here, the application policy that's already defined is

25
00:01:34,130 --> 00:01:36,760
Client Authentication, and we don't have to make any changes here because

26
00:01:36,760 --> 00:01:38,740
that's all we need for this template.

27
00:01:38,740 --> 00:01:42,440
So we'll go to the Security tab, and here we want to remove Domain

28
00:01:42,440 --> 00:02:05,000
Computers, and we'll add our VPN Devices group, and we'll also grant Read, Enroll, and Autoenroll permissions here as well.