Restrict autoenrolled certificate to specific certificate templates via GPO ?

We had previously autoenrolled certificates to all domain-joined Windows servers using a specific certificate template (e.g. Template A). This was done by targeting the autoenroll GPO to the OU where servers reside. The autoenroll permission on Template A was granted to 'Domain Computers'.

We now have a use case for autoenrolling certificates to all domain-joined workstations (i.e. computers running a client OS, Windows 10). We would like to use a separate certificate template (e.g. Template B) for workstations. The autoenroll permission on Template B is granted to 'Domain Computers'.

By default, when we apply the autoenroll GPO to the workstations OU, they will receive certificates for both Template A AND Template B. We would like workstations to only receive certificates for Template A (i.e. only workstation certificate and NOT server certificate).

One way to accomplish this is to maintain an AD group of server computers, and target the autoenroll permission to this group on Template A.

However, we would like to avoid the overhead of maintaining this separate AD group, if possible, since it would involve running custom PowerShell code on a schedule to populate the AD group etc.

Is there any way to specify via GPO which specific certificate templates a computer should autoenroll for? Or any other ideas on how to accomplish what I'm looking for?

Thanks,

Mario
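The scheduled script the post refers to, as an added example that is not part of the original post: it keeps a security group in sync with all enabled computer accounts running a server OS, so that Autoenroll on Template A can be granted to that group instead of 'Domain Computers'. The group name 'Autoenroll-Servers' is an assumption, and the script relies on the ActiveDirectory PowerShell module.

```powershell
# Added example, not from the original post. Keeps an AD group in sync with
# every enabled domain-joined computer whose OS string contains "Server", so
# the group (rather than 'Domain Computers') can carry Autoenroll on the
# server certificate template. Group name is an assumption.
Import-Module ActiveDirectory

$GroupName = 'Autoenroll-Servers'   # hypothetical group name

# Server computers: OS attribute like "Windows Server 2019 Standard".
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem |
    Where-Object { $_.Enabled }

# Current direct members of the group, computer objects only.
$members = Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'computer' }

$wanted  = @($servers | Select-Object -ExpandProperty DistinguishedName)
$current = @($members | Select-Object -ExpandProperty distinguishedName)

# Reconcile: add servers that are missing, remove members that no longer qualify
# (decommissioned or re-imaged as a client OS).
$toAdd    = @($wanted  | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $wanted })

if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
}

Write-Output ("{0}: added {1}, removed {2}" -f $GroupName, $toAdd.Count, $toRemove.Count)
```

A computer picks up the new group membership only after it obtains a fresh Kerberos ticket (typically at reboot), and the group needs Read and Enroll on the template alongside Autoenroll for enrollment to succeed.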
