Your company has a marketing department and a security department. The network contains an Active Directory domain named contoso.com. The domain contains an enterprise certification authority (CA).
You have two organizational units (OUs) named MKT_UsersOU and MKT_ComputersOU. MKT_UsersOU contains the user accounts for the users in the marketing department. MKT_ComputersOU contains the computer accounts for the computers in the marketing department.
A Group policy object (GPO) named GPO1 is linked to MKT_UsersOU.
A GPO named GPO2 linked to MKT_ComputersOU.
You plan to deploy a web application for the marketing department users.
The application will require certificates for authentication.
The security department configures the CA to support the planned deployment.
You need to ensure that the web application can authenticate the marketing department users. What should you do?
A. From the User Configuration node of GPO1, create an Internet Setting preference.
B. From the User Configuration node of GPO1, configure the Certificate Services Client – Auto-enrollment settings.
C. From the Computer Configuration node of GPO2, configure the Certificate Services Client – Certificate Enrollment Policy settings.
D. From the Computer Configuration node of GPO2, create the Automatic Certificate Request Settings.
125given answer B is correct.
You have to ensure that all users in MKT_UsersOU to automatically enroll user certificates to achieve the questions requirement, therefore you should implement
User Certificate Autoenrollment in GPO1.
https://technet.microsoft.com/en-us/library/cc771882.aspx
To configure user certificate autoenrollment
1. On the computer where AD DS is installed, click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in, and then click Add. The Add or Remove Snap-ins dialog box opens.
3. In Available snap-ins, scroll down to and double-click Group Policy Management Editor, and then click OK. The Group Policy Wizard opens.
4. In Select Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.
5. In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.
6. Click Finish, and then click OK.
7. Double-click Default Domain Policy. In the console, expand the following path: User Configuration, Policies, Windows Settings, Security Settings, Public
Key Policies.
8. Double-click Certificate Services Client – Auto-Enrollment. The Certificate Services Client – Auto-Enrollment Properties dialog box opens. Configure the
following items, and then click OK:
9. In Configuration Model, select Enabled.
Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
Select the Update certificates that use certificate templates check box.