Your network contains an Active Directory domain named contoso.com. The domain
contains a server named Server1 that runs Windows Server 2012 R2.
Server1 is an enterprise root certification authority (CA) for contoso.com.
You need to ensure that the members of a group named Group1 can request code signing
certificates. The certificates must be issued automatically to the members.
Which two actions should you perform? (Each correct answer presents part of the solution.
Choose two.)
A.
From Certificate Templates, modify the certificate template.
B.
From Certification Authority, add a certificate template to be issued.
C.
From Certificate Authority, modify the CA properties.
D.
From Certificate Templates, duplicate a certificate template.
E.
From Certificate Authority, stop and start the Active Directory Certificate Services (AD CS)
service.
Explanation:
First modify the certificate template in Certificate Templates, then add it in Certification
Authority.
I think it should be D & B
You can add AutoEnroll when you duplicate the template and go to the Security tab.
I think it should be D then A.
D & B
In order to have the auto-enrollment option available you must duplicate that template; if someone will test that, will see that in the template properties in CA, only enroll option is available, but after you duplicate the template, this option appears. After that, you need to issue that certificate and assume that every Group Policy setting for auto-enrollment is in place.
Correct Answer: AD
The correct answers should be A and D: First duplicate it, then modify it
http://blogs.technet.com/b/deploymentguys/archive/2013/06/14/signing-windows-8-applications-using-an-internal-pki.aspx The section on “Creating a
Custom Certificate Template” shows steps to create and states…
…”New certificate templates are created by copying an existing template and using the existing template’s properties as the default for the new template.
Copy the existing certificate template closest to the configuration of the intended new template to minimize the work necessary.” This is step 2 in the
creation process. Step 4 is to make desired changes.
Building an Enterprise Root Certification Authority in Small and Medium Businesses
http://technet.microsoft.com/en-us/library/cc700804.aspx
Question says: “The certificates must be issued automatically to the members.”, in my opinion this means you need to enable auto enroll on the template, and you can only do that by duplicating the template. You can then modify the template after you duplicated it, by enabling the auto enroll option on the security tab.
Since question asks for 2 steps, i would say B and D are the correct answers in this case.
B is absolutely needed for users to request the certificate and D for the reason i gave above.
If question asked for 3 steps, then i would also include A.
A and D