Your network contains an Active Directory domain named contoso.com.
The domain contains a server named Server1 that runs Windows Server 2012 R2.
Server1 is an enterprise root certification authority (CA) for contoso.com.
You need to ensure that the members of a group named Group1 can request code signing
certificates. The certificates must be issued automatically to the members.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose
two.)
A.
From Certificate Templates, modify the certificate template.
B.
From Certification Authority, add a certificate template to be issued.
C.
From Certificate Authority, modify the CA properties.
D.
From Certificate Templates, duplicate a certificate template.
E.
From Certificate Authority, stop and start the Active Directory Certificate Services (AD CS) service.
Explanation:
The correct answers should be A and D: First duplicate it, then modify it
http://blogs.technet.com/b/deploymentguys/archive/2013/06/14/signing-windows-8-applicationsusing-an-internal-pki.aspx
The section on “Creating a Custom Certificate Template” shows steps to create and states…
…”New certificate templates are created by copying an existing template and using the existing
template’s properties as the default for the new template. Copy the existing certificate template
closest to the configuration of the intended new template to minimize the work necessary.”
This is step 2 in the creation process. Step 4 is to make desired changes.
Building an Enterprise Root Certification Authority in Small and Medium Businesses
http://technet.microsoft.com/en-us/library/cc700804.aspx
And then you still need to publish the template for it to be used…
The “best” answer would be D, A, B.
B is absolutely required. Without it, users can’t request a cert at all.
C and E are useless to our goals here.
Now the choice is between A and D and that depends on what you need to do.
While it is best practice to never edit the templates, the default template doesn’t allow authenticated users to enroll and we need to give access to group1.
Since we can only choose two options, that means we need to edit the template and publish it; making the correct answer A and B.
Woah, moment of dumb.
Part of the duplication is configuring the new copy.
Duplicate it (configuring it) and then issue it.
B and D.
Exactly. Duplicating and modifying are done with the same click.
B and D
Another reason why D might be a better option than A, is, the fact that auto-enrolment is not available unless a user certificate is duplicated.
B&D
Correct Answer: AD
The correct answers should be A and D: First duplicate it, then modify it
http://blogs.technet.com/b/deploymentguys/archive/2013/06/14/signing-windows-8-applications-using-an-internal-pki.aspx The section on “Creating a
Custom Certificate Template” shows steps to create and states…
…”New certificate templates are created by copying an existing template and using the existing template’s properties as the default for the new template.
Copy the existing certificate template closest to the configuration of the intended new template to minimize the work necessary.” This is step 2 in the
creation process. Step 4 is to make desired changes.
Building an Enterprise Root Certification Authority in Small and Medium Businesses
http://technet.microsoft.com/en-us/library/cc700804.aspx
Question says: “The certificates must be issued automatically to the members.”, in my opinion this means you need to enable auto enroll on the template, and you can only do that by duplicating the template. You can then modify the template after you duplicated it, by enabling the auto enroll option on the security tab.
Since question asks for 2 steps, i would say B and D are the correct answers in this case.
B is absolutely needed for users to request the certificate and D for the reason i gave above.
If question asked for 3 steps, then i would also include A.