1
00:00:08,210 --> 00:00:17,780
On a Windows Server 2016 CA, you can configure certificate enrollment so that designated users can

2
00:00:17,780 --> 00:00:22,010
enroll on behalf of other users in your organization.

3
00:00:23,030 --> 00:00:32,870
A designated user is referred to as an enrollment agent, which is a user account used to request certificates

4
00:00:33,530 --> 00:00:40,400
on behalf of another user account. To enable enrollment on behalf of another user,

5
00:00:40,700 --> 00:00:43,670
the enrollment agent must possess

6
00:00:45,030 --> 00:00:54,210
the certificate based on the Enrollment Agent template. Unlike a certificate manager, an enrollment

7
00:00:54,210 --> 00:01:04,200
agent can only process the enrollment request and cannot approve pending requests or revoke issued certificates.

8
00:01:05,180 --> 00:01:11,360
Please note that since a user who possesses an enrollment agent certificate

9
00:01:12,540 --> 00:01:15,630
can impersonate other users,

10
00:01:16,110 --> 00:01:19,770
you can secure the Enrollment Agent template appropriately.

11
00:01:21,510 --> 00:01:30,030
As a best practice, it is recommended that you publish the Enrollment Agent template on a CA only whenever

12
00:01:30,420 --> 00:01:39,870
it is necessary to designate an enrollment agent in your organization. After the enrollment agent has

13
00:01:39,870 --> 00:01:42,380
received the necessary certificate,

14
00:01:42,880 --> 00:01:48,750
you should remove the Enrollment Agent template from any CA where it was published.

15
00:01:50,810 --> 00:01:59,780
Windows Server 2016 includes three certificate templates that enable different types of enrollment agents.

16
00:02:00,810 --> 00:02:02,070
Enrollment Agent,

17
00:02:03,560 --> 00:02:08,990
as already mentioned, used to request certificates on behalf of another subject.

18
00:02:10,140 --> 00:02:18,090
Enrollment Agent (Computer), which is used to request certificates on behalf of another computer subject,

19
00:02:18,720 --> 00:02:22,710
and Exchange Enrollment Agent (Offline request),

20
00:02:23,310 --> 00:02:30,450
which is used to request certificates on behalf of another subject and supply the subject name in the

21
00:02:30,450 --> 00:02:31,110
request.

22
00:02:32,250 --> 00:02:41,460
The Network Device Enrollment Service uses this template for its enrollment agent certificate.

23
00:02:42,650 --> 00:02:51,170
Typically, you would designate one or more authorized individuals within an organization as enrollment

24
00:02:51,170 --> 00:02:57,140
agents. Enrollment agents are typically members of corporate security,

25
00:02:57,780 --> 00:03:07,460
IT security or helpdesk teams, because these individuals are already trusted to safeguard valuable

26
00:03:07,460 --> 00:03:08,320
resources.

27
00:03:09,330 --> 00:03:17,820
In some organizations, such as banks that have many branches, help desk and security workers might

28
00:03:17,820 --> 00:03:22,260
not be in a convenient location for performing this task.

29
00:03:23,510 --> 00:03:32,720
In this case you might need to designate a branch manager or another trusted employee as an enrollment

30
00:03:32,720 --> 00:03:39,080
agent to enable the issuance of smart card credentials in multiple locations.

31
00:03:40,450 --> 00:03:47,950
When you create an enrollment agent, you can restrict the agent's ability to enroll for certificates

32
00:03:48,460 --> 00:03:58,330
on behalf of other users by limiting their scope to a specific security group and specific certificate

33
00:03:58,340 --> 00:03:59,230
templates.

34
00:03:59,830 --> 00:04:08,180
For example, you might want to restrict the enrollment agent to perform Smartcard Logon certificate

35
00:04:08,200 --> 00:04:16,210
enrollment for only users belonging to a specific department security group.

36
00:04:17,650 --> 00:04:28,030
Prior to Windows Server 2008 Enterprise, it was not possible to restrict the scope of an AD CS enrollment

37
00:04:28,030 --> 00:04:28,570
agent.

38
00:04:30,600 --> 00:04:39,990
As a result, every user with an enrollment agent certificate was able to enroll any user in an organization

39
00:04:40,230 --> 00:04:42,390
for any certificate template.

40
00:04:43,170 --> 00:04:52,230
However, with more recent versions of AD CS, you can limit the scope of the enrollment agent

41
00:04:52,500 --> 00:04:58,860
to specific groups and certificate templates. For each certificate template,

42
00:04:59,130 --> 00:05:05,310
you can select the users or security groups on behalf of which enrollment

43
00:05:05,310 --> 00:05:07,050
agents can enroll.

44
00:05:07,890 --> 00:05:15,510
Please note that you cannot restrict an enrollment agent based on specific AD DS organizational

45
00:05:15,510 --> 00:05:17,190
units or containers.

46
00:05:18,060 --> 00:05:27,150
You can restrict enrollment agents on behalf of other users only to specific users or security groups

47
00:05:27,150 --> 00:05:28,380
in AD DS.

48
00:05:29,800 --> 00:05:39,100
Restricting the scope of enrollment agents can affect the performance of the CA. To optimize performance

49
00:05:39,100 --> 00:05:40,090
and security,

50
00:05:40,270 --> 00:05:50,290
you should minimize the number of accounts designated as enrollment agents by modifying the access control

51
00:05:50,290 --> 00:05:53,050
list on the Enrollment Agent template.