Creating Certificate Profiles
To enable Windows Hello for Business for your organization, you will need to create three certificate profiles, one from each of the certificate templates described below.
Certificate Template Name | Description |
---|---|
Domain Controller | For Microsoft® Domain Controller certificates. Enables authentication of computers or other devices to your Active Directory domains, including users making use of Windows Hello for Business credentials. |
Microsoft® Enrollment Agent | Enables organizations to issue Microsoft® Enrollment Agent certificates, which allow certificate enrollment on behalf of another entity in your Active Directory domains. |
Windows Hello for Business Authentication | Enables organizations to issue Windows Hello for Business certificates to users in your Active Directory domains. |
Please refer to the DigiCert® Trust Lifecycle Manager | Autoenrollment Server deployment guide, section “Creating Autoenrollment Certificate Profile”, which explains how to create certificate profiles for Autoenrollment Server. When selecting a certificate template, make sure that you select one of the three templates described above.
After you create the profiles, make sure that you note the Profile GUID for the two profiles created from the following templates:
- Microsoft® Enrollment Agent
- Windows Hello for Business Authentication
This information will be required later in section “Setting Up Active Directory Federation Services”.
Note
The Seat ID of the Microsoft® Enrollment Agent template is mapped to ‘cn’ (Common Name) by default. Do not change this mapping to mail when AD FS is run by Service Accounts, since Service Accounts do not have an email address.