Your network contains an Active Directory domain named contoso.com. The domain contains a server named
Server1 that runs Windows Server 2012 R2.
Server1 is an enterprise root certification authority (CA) for contoso.com.
You need to ensure that the members of a group named Group1 can request code signing certificates. The
certificates must be issued automatically to the members.
Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A.
From Certificate Templates, modify the certificate template.
B.
From Certification Authority, add a certificate template to be issued.
C.
From Certificate Authority, modify the CA properties.
D.
From Certificate Templates, duplicate a certificate template.
E.
From Certificate Authority, stop and start the Active Directory Certificate Services (AD CS) service.
Explanation:
First modify the certificate template in Certificate Templates, then add it in Certification Authority.
There are many questions like this and the debate seems to be centered around whether the users should get the certificates automatically, or be automatically granted them if they request it.
I think this question is stating that they should be granted the certificate automatically if they request it. If that is the case, the correct answer would be A and B. The code signing cert will need to settings modified to enable group1 to request the certificates, then the template would need to be issued. That solution will 100% work if that is what the question is asking.
If the question is saying that the members of group1 need to be given the certificate automatically without asking for it, then the answer would be D and B. You would need to duplicate the template because one cannot select autoenroll with the default template. The settings can be modified when you duplicate a template. Then you would still have to issue the template.
I’m going with D & B. Dup-mod-issue is pretty much all you’ll be doing with certs once the CA is built and your GPO’s are in place.
Answer: A & B
Modify the security settings of the template to allow Group 1 read, enroll, autoenroll permissions, and then issue the template to the CA.
Ideally, you would duplicate the template first, however we can only choose 2 answers.
Regardless of the meaning of the wording in the question (enroll vs autoenroll), the same steps would need to be followed.
Correction: Answer is D & B.
It dawned on me while I was looking at question 86, that the test questions are assuming that settings are being changed/configured on a certificate when it is being duplicated. Also, the auto enroll security option for authenticated users is not available on the default COde Signing certificate.
Therefore D (which is the duplication and modification of security rights) & B would definitely be the correct answer.