I'm trying to enable Bitlocker Network Unlock feature. I followed this article:
https://technet.microsoft.com/en-us/library/jj574173(v=ws.11).aspx
My environment is:
- Domain Functional Level: 2012
- Forest Functional Level: 2008 R2
- all Domain Controllers are running Windows 2012 R2
- WDS & Network Unlock feature running on Windows Server 2016 (WDS running flawlessly)
Following the article I created a certificate template by copying "User" template on my CA. The template is published so it can be requested.
Then, on my WDS server I open up certificates console as a user and I request a new certificate. The certificate request appears as pending on a CA, which I accept manually.
The issued certificate never shows in the "Personal" store on the WDS server, even though on the CA it appears as issued.
I feel this article may be wrong, because "Bitlocker Network Unlock" cert store only appears in certificate console ran as Local Computer, not the User. But the current cert template doesn't allow requests from computer accounts.
What should I do?
Best Answer
Turns out the technet article left one thing out. To make issued certificate appear in Personal store, user who is requesting the certificate must have autoenrollment permissions. This is configured via GPO: User Configuration > Windows Settings > Security Settings > Public Key Policies for Users. After I applied this GPO for my account, the issued certificate was automatically placed in the proper store and I could go on with the steps.