{"id":462,"date":"2014-10-29T00:01:00","date_gmt":"2014-10-29T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2014\/10\/29\/automatedlab-tutorial-series-part-4-install-a-simple-pki-environment\/"},"modified":"2022-06-22T12:05:52","modified_gmt":"2022-06-22T19:05:52","slug":"automatedlab-tutorial-series-part-4-install-a-simple-pki-environment","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/automatedlab-tutorial-series-part-4-install-a-simple-pki-environment\/","title":{"rendered":"AutomatedLab Tutorial Series Part 4: Install a Simple PKI Environment"},"content":{"rendered":"<p><b style=\"font-size:12px\">Summary<\/b><span style=\"font-size:12px\">: Learn how to easily deploy a PKI environment by using <\/span><b style=\"font-size:12px\">AutomatedLab<\/b><span style=\"font-size:12px\">.<\/span><\/p>\n<p>Microsoft Scripting Guy, Ed Wilson, is here. Welcome back Microsoft PFEs, Raimund Andree and Per Pedersen, and their series about AutomatedLab. Read their previous posts here:<\/p>\n<ul>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/scripting\/automatedlab-tutorial-part-1-introduction-to-automatedlab\/\" target=\"_blank\" rel=\"noopener\">AutomatedLab Tutorial Part\u00a01: Introduction to AutomatedLab<\/a><\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/scripting\/automatedlab-tutorial-part-2-create-a-simple-lab\/\" target=\"_blank\" rel=\"noopener\">AutomatedLab Tutorial Part 2: Create a Simple Lab<\/a><\/li>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/scripting\/automatedlab-tutorial-part-3-working-with-predefined-server-roles\/\" target=\"_blank\" rel=\"noopener\">AutomatedLab Tutorial Part 3: Working with Predefined Server Roles<\/a><\/li>\n<\/ul>\n<p>This blog post shows how to use AutomatedLab to easily deploy a public key infrastructure (PKI) environment. The PKI environment will be a single server, which is installed with the certification authority (CA) role. 
Subsequently, you will be able to request and issue certificates to all computers and users in your lab. Also, if you want to sign Windows PowerShell scripts in the lab, a certificate can be created for this purpose.<\/p>\n<h2>Installation<\/h2>\n<p>If you have a version of AutomatedLab that is earlier than AutomatedLab\u00a02.5, please uninstall it and install the latest version. You can find what you need on Microsoft TechNet: <a href=\"https:\/\/gallery.technet.microsoft.com\/AutomatedLab-026d81f9\" target=\"_blank\" rel=\"noopener\">AutomatedLab<\/a>.<\/p>\n<p>The installation process for AutomatedLab is explained in <a href=\"https:\/\/devblogs.microsoft.com\/scripting\/automatedlab-tutorial-part-2-create-a-simple-lab\/\" target=\"_blank\" rel=\"noopener\">AutomatedLab Tutorial Part 2: Create a Simple Lab<\/a>.<\/p>\n<h2>Prerequisites for AutomatedLab<\/h2>\n<p>AutomatedLab requires Hyper-V and Windows PowerShell\u00a03.0 (or higher). Hence, you need one of the following operating systems on the host where you want to install the lab:<\/p>\n<ul>\n<li>Windows Server\u00a02012 R2<\/li>\n<li>Windows Server\u00a02012<\/li>\n<li>Windows\u00a08.1<\/li>\n<li>Windows\u00a08<\/li>\n<\/ul>\n<p><strong>\u00a0 \u00a0 \u00a0Note<\/strong>\u00a0 Although Windows Server\u00a02008\u00a0R2 could work, and Windows\u00a010 hasn\u2019t been tested, at this time, we recommend<br \/>\n<span style=\"font-size:12px\">\u00a0 \u00a0 \u00a0that you\u00a0<\/span><span style=\"font-size:12px\">use one of the listed operating systems on the host machine.<\/span><\/p>\n<p>AutomatedLab scripts need to be running directly on the host where the lab environment (the virtual machines) will be created.<\/p>\n<h2>Prerequisites for installing a CA in the lab<\/h2>\n<p>The only prerequisite for the certification authority (CA) installation is that the server needs to be running Windows Server 2012\u00a0R2 or Windows Server 2012.<\/p>\n<p>There are two types of certification authorities: Stand-alone 
or Enterprise. Installing an Enterprise CA has two additional requirements:<\/p>\n<ul>\n<li>The server must be domain joined.<\/li>\n<li>The account used to install the role must be a member of Domain Admins in the forest root domain (or of Enterprise Admins), because an Enterprise CA is registered in the Active Directory configuration partition.<\/li>\n<\/ul>\n<p>In this post, we install an Enterprise CA.<\/p>\n<h2>Define the lab machines<\/h2>\n<p>For simplicity, we will use two machines. One machine will become a domain controller and the other machine will become the certification authority server. The domain controller is defined as follows:<\/p>\n<p style=\"margin-left:30px\">\n  $role = Get-LabMachineRoleDefinition -Role RootDC `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0 -Properties @{DomainFunctionalLevel = &#8220;Win2012R2&#8221;\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ForestFunctionalLevel = &#8220;Win2012R2&#8221;}\n<\/p>\n<p style=\"margin-left:30px\">\n  Add-LabMachineDefinition -Name S1DC1 -MemoryInMb 512 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -Network $labNetworkName -IpAddress 192.168.81.10 -DnsServer1 192.168.81.10 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -DomainName test1.net -IsDomainJoined `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -Roles $role `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -InstallationUserCredential $installationCredential `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -ToolsPath $labSources\\Tools `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -OperatingSystem &#8216;Windows Server 2012 R2 SERVERDATACENTER&#8217;\n<\/p>\n<p><strong>\u00a0 \u00a0 \u00a0Note<\/strong>\u00a0 Refer to the previous posts in this series for details about defining machine roles.<\/p>\n<p>The certification authority (like the domain controller) is a role in AutomatedLab, and this role needs to be specified when 
defining the lab machine. The role is selected by using the <strong>Get-LabMachineRoleDefinition<\/strong> cmdlet as follows:<\/p>\n<p style=\"margin-left:30px\">\n  $role = Get-LabMachineRoleDefinition -Role CaRoot\n<\/p>\n<p>Next, the lab machine can be defined by using the selected role.<\/p>\n<p style=\"margin-left:30px\">\n  Add-LabMachineDefinition -Name S1CA1 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -MemoryInMb 512 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -Network $labNetworkName `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -IpAddress 192.168.81.11 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -DnsServer1 192.168.81.10 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -DomainName test1.net `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -IsDomainJoined `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -Roles $role `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -InstallationUserCredential $installationCredential `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -ToolsPath $labSources\\Tools `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -OperatingSystem &#8216;Windows Server 2012 R2 SERVERDATACENTER&#8217;\n<\/p>\n<p>After defining the lab machines, start the installation of the lab as usual:<\/p>\n<ol>\n<li>Export the lab definition.<\/li>\n<li>Import it (which also validates the configuration and reports any errors).<\/li>\n<li>Start the installation, which creates the virtual network, creates the base images, creates the Hyper-V virtual machines, and installs the roles found in the lab.<\/li>\n<\/ol>\n<p>The script looks like this:<\/p>\n<p style=\"margin-left:30px\">\n  Export-LabDefinition -Force -ExportDefaultUnattendedXml\n<\/p>\n<p style=\"margin-left:30px\">\n  Import-Lab -Path (Get-LabDefinition).LabFilePath\n<\/p>\n<p style=\"margin-left:30px\">\n  Install-Lab -NetworkSwitches -BaseImages 
-VMs\n<\/p>\n<p style=\"margin-left:30px\">\n  Install-Lab -Domains\n<\/p>\n<p>At this point, the domain controller is installed and ready. Now the installation of the certification authority needs to be started. This is done like this:<\/p>\n<p style=\"margin-left:30px\">\n  Install-Lab -CA\n<\/p>\n<p>Notice that you do not need to tell the <strong>Install-Lab<\/strong> cmdlet how to install the CA or how it should be configured. This is done automatically.<\/p>\n<p>The lab is ready with a domain controller (hosting a domain, of course) and with an Enterprise CA. You can request and issue certificates from this CA for use in your lab.<\/p>\n<h3>Customize the configuration of the CA<\/h3>\n<p>The first installation was very easy because the entire configuration is automatic when you call <strong>Install-Lab -CA<\/strong>. Now let\u2019s try installing a PKI environment where we define some of the CA configuration ourselves. Even though the default installation will work in the majority of situations for a test lab, it can be necessary to specify certain parts of the configuration for the PKI environment.<\/p>\n<p>First the current lab needs to be removed:<\/p>\n<p style=\"margin-left:30px\">\n  Remove-Lab -Path &lt;path to the <b>lab.xml<\/b> file&gt;\n<\/p>\n<p>The <strong>Remove-Lab<\/strong> cmdlet turns off and removes the virtual machines, their disks, and the lab\u2019s virtual network switch.<\/p>\n<p>The domain and the domain controller need to be defined as they were previously:<\/p>\n<p style=\"margin-left:30px\">\n  $role = Get-LabMachineRoleDefinition -Role RootDC `\n<\/p>\n<p style=\"margin-left:30px\">\n  -Properties @{DomainFunctionalLevel = &#8220;Win2012R2&#8221;\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ForestFunctionalLevel = &#8220;Win2012R2&#8221;}\n<\/p>\n<p style=\"margin-left:30px\">\n  Add-LabMachineDefinition -Name S1DC1 `\n<\/p>\n<p style=\"margin-left:30px\">\n  
\u00a0\u00a0\u00a0 -MemoryInMb 512 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -Network $labNetworkName `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -IpAddress 192.168.81.10 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -DnsServer1 192.168.81.10 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -DomainName test1.net `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -IsDomainJoined `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -Roles $role `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -InstallationUserCredential $installationCredential `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -ToolsPath $labSources\\Tools `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -OperatingSystem &#8216;Windows Server 2012 R2 SERVERDATACENTER&#8217;\n<\/p>\n<p>When you define the CA, you have the option of specifying configuration properties. The following example sets the CA common name, a 2048-bit key, and a validity period of four weeks (far too short for anything but a throwaway lab, which makes it easy to see that the setting took effect). The properties are passed in the same <strong>-Properties<\/strong> hash table that was used for the domain controller role:<\/p>\n<p style=\"margin-left:30px\">\n  $role = Get-LabMachineRoleDefinition `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0 -Role CaRoot -Properties @{CACommonName = &#8220;MySpecialRootCA1&#8221;\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0KeyLength = &#8220;2048&#8221;\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ValidityPeriod = &#8220;Weeks&#8221;\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ValidityPeriodUnits = &#8220;4&#8221;}\n<\/p>\n<p>The lab machine can be defined by using the selected role with the customized configuration. 
This command is the same as we used previously\u2014only the content of the <strong>$role<\/strong> variable is different:<\/p>\n<p style=\"margin-left:30px\">\n  Add-LabMachineDefinition -Name S1CA1 -MemoryInMb 512 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -Network $labNetworkName `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -IpAddress 192.168.81.11 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -DnsServer1 192.168.81.10 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -DomainName test1.net `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -IsDomainJoined `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -Roles $role `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -InstallationUserCredential $installationCredential `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -ToolsPath $labSources\\Tools `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -OperatingSystem &#8216;Windows Server 2012 R2 SERVERDATACENTER&#8217;\n<\/p>\n<p>As previously, perform the actual installation of the lab by using:<\/p>\n<p style=\"margin-left:30px\">\n  Export-LabDefinition -Force -ExportDefaultUnattendedXml\n<\/p>\n<p style=\"margin-left:30px\">\n  Import-Lab -Path (Get-LabDefinition).LabFilePath\n<\/p>\n<p style=\"margin-left:30px\">\n  Install-Lab -NetworkSwitches -BaseImages -VMs\n<\/p>\n<p style=\"margin-left:30px\">\n  Install-Lab -Domains\n<\/p>\n<p style=\"margin-left:30px\">\n  Install-Lab -CA\n<\/p>\n<p>Notice that the command for installing the CA is almost the same as we used previously. 
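<\/p>\n<p>Before looking at what is different, check on <strong>S1CA1<\/strong> that the custom properties really took effect; an installation that silently fell back to defaults is exactly the kind of thing a lab should catch early. The following script is an added example, not code from the original post or from AutomatedLab. Run it in an elevated Windows PowerShell console on the CA server after <strong>Install-Lab -CA<\/strong> has completed. The expected values are taken from the role definition above, and it is an assumption of this example that <strong>ValidityPeriod<\/strong> and <strong>ValidityPeriodUnits<\/strong> govern the lifetime of the CA certificate itself, as they do for <strong>Install-AdcsCertificationAuthority<\/strong>.<\/p>\n

```powershell
# Added example (not from the original post or from AutomatedLab): verify the
# customized CA on S1CA1. Run elevated on the CA server after Install-Lab -CA.
# The expected values below are assumptions taken from the role definition.
$expected = @{
    CommonName   = 'MySpecialRootCA1'
    KeyLength    = 2048
    ValidityDays = 4 * 7    # ValidityPeriod = Weeks, ValidityPeriodUnits = 4
}

function Get-LabCaState {
    # The CA service keeps its configuration under this key: 'Active' names the
    # CA instance, and CAType under the instance key encodes the kind of CA.
    $regBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName  = (Get-ItemProperty -Path $regBase -Name Active).Active
    $caConf  = Get-ItemProperty -Path (Join-Path $regBase $caName)
    $caTypes = @{ 0 = 'Enterprise Root CA'; 1 = 'Enterprise Subordinate CA';
                  3 = 'Standalone Root CA';  4 = 'Standalone Subordinate CA' }

    # The CA's own certificate lives in the machine's Personal store and is
    # self-signed for a root CA. An Enterprise CA also publishes it through AD,
    # so it should already be in the Trusted Root store of this domain member.
    $subjectPattern = "^CN=$([regex]::Escape($caName))(,|$)"
    $caCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $subjectPattern -and $_.Subject -eq $_.Issuer } |
        Select-Object -First 1
    if (-not $caCert) { throw "No self-signed CA certificate for '$caName' found in Cert:\LocalMachine\My" }

    $lifetime = $caCert.NotAfter - $caCert.NotBefore
    [pscustomobject]@{
        CaName        = $caName
        CaType        = $caTypes[[int]$caConf.CAType]
        ServiceStatus = (Get-Service CertSvc).Status
        Subject       = $caCert.Subject
        KeyLength     = $caCert.PublicKey.Key.KeySize
        SignatureAlg  = $caCert.SignatureAlgorithm.FriendlyName
        ValidityDays  = [math]::Round($lifetime.TotalDays)
        InTrustedRoot = Test-Path "Cert:\LocalMachine\Root\$($caCert.Thumbprint)"
        Thumbprint    = $caCert.Thumbprint
    }
}

function Test-LabCaConfiguration {
    param([Parameter(Mandatory)][hashtable]$Expected)
    $state    = Get-LabCaState
    $problems = @()
    if ($state.CaName -ne $Expected.CommonName)         { $problems += "CA name is '$($state.CaName)'" }
    if ($state.KeyLength -ne $Expected.KeyLength)       { $problems += "key length is $($state.KeyLength)" }
    if ($state.ValidityDays -ne $Expected.ValidityDays) { $problems += "validity is $($state.ValidityDays) days" }
    if ($state.CaType -ne 'Enterprise Root CA')         { $problems += "CA type is '$($state.CaType)'" }
    if ($state.ServiceStatus -ne 'Running')             { $problems += "CertSvc is $($state.ServiceStatus)" }
    if (-not $state.InTrustedRoot)                      { $problems += 'CA certificate is not in the Trusted Root store' }

    $state | Format-List | Out-String | Write-Host
    if ($problems) { Write-Warning ('CA does not match the role definition: ' + ($problems -join '; ')) }
    else           { Write-Host 'CA matches the customized role definition.' }
    return ($problems.Count -eq 0)
}

Test-LabCaConfiguration -Expected $expected
```

\n<p>If the check reports a mismatch, re-check the role definition that was in <strong>$role<\/strong> when <strong>Add-LabMachineDefinition<\/strong> ran for <strong>S1CA1<\/strong>; <strong>certutil -cainfo<\/strong> reports the CA name and type from the same registry location and is a quick cross-check.<\/p>\n<p>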
The difference between the two runs is that the properties given in the role definition are passed to the CA installation code.<\/p>\n<p>This time, the lab is ready with a domain controller (hosting a domain, of course) and with an Enterprise CA configured with our customized properties.<\/p>\n<p>To see all the parameters that can be specified when you install a CA server in AutomatedLab, type the following:<\/p>\n<p style=\"margin-left:30px\">\n  Get-Help Install-LWLabCAServers -Parameter *\n<\/p>\n<p>Or to see only the names of the parameters (without the detailed information), type:<\/p>\n<p style=\"margin-left:30px\">\n  (Get-Command Install-LWLabCAServers).Parameters.Keys\n<\/p>\n<p><strong>\u00a0 \u00a0 \u00a0Note<\/strong>\u00a0\u00a0Each of these parameters maps to a setting of the CA itself, so customize a parameter only if you know what the<br \/>\n\u00a0 \u00a0 \u00a0corresponding CA setting does and you actually need a value other than the default.<\/p>\n<h2>Supported PKI configurations in AutomatedLab<\/h2>\n<p>AutomatedLab supports one-tier and two-tier PKI deployments: either a root CA on its own, or a root CA with a subordinate CA that chains to it.<\/p>\n<p>AutomatedLab supports only PKI deployments within a single Active Directory forest. Deploying a root CA in one forest and a subordinate CA in another forest is not supported.<\/p>\n<h2>Use the CA in the lab<\/h2>\n<p>Now that your CA server is set up, you can request a certificate for a user, request a certificate for a computer, or configure automatic enrollment.<\/p>\n<h3>Request a certificate for a user<\/h3>\n<p>To make a manual request, we can use the Web Enrollment interface on the CA server. Open a browser on the CA server, and type http:\/\/localhost\/CertSrv. 
The following website is displayed:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-1.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-1.png\" alt=\"Image of site\" title=\"Image of site\" \/><\/a><\/p>\n<ol>\n<li>Open Internet Options, and on the Security tab, click Custom level, and set Initialize and script ActiveX controls not marked as safe for scripting to Enable. This weakens the browser for the whole zone and is needed only by the legacy Web Enrollment ActiveX control, so do it on a lab machine only and set it back to Disable when you are done.<\/li>\n<li>Click Request a certificate, and then click User Certificate.<\/li>\n<\/ol>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-2.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-2.png\" alt=\"Image of webpage\" title=\"Image of webpage\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  3. The following confirmation message appears. Click <b>Yes<\/b>.\n<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-3.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-3.png\" alt=\"Image of warning\" title=\"Image of warning\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  4. Click <b>Submit<\/b>, and then click <b>Yes<\/b>.\n<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/4263.4.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/4263.4.PNG\" alt=\"Image of webpage\" title=\"Image of webpage\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  5. Click <b>Install this certificate<\/b>. 
The following message appears:\n<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/0334.7.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/0334.7.PNG\" alt=\"Image of message\" title=\"Image of message\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  6. Press the <b>Windows key + R<\/b>, type <b>certmgr.msc<\/b>, and press ENTER. The Certificate Manager console appears.\n<\/p>\n<p style=\"margin-left:30px\">\n  <span style=\"font-size:12px\">7. To see the certificate listed, select Certificates &#8211; Current User\\Personal\\Certificates.<\/span>\n<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/5543.8.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/5543.8.PNG\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  8. 
Double-click the certificate name.\n<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/9.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/9.PNG\" alt=\"Image of certificate\" title=\"Image of certificate\" \/><\/a><\/p>\n<p><strong>Congratulations!<\/strong>\u00a0You now have a user certificate for the domain Administrator account in that user\u2019s Personal store on the CA server. (The screenshots were taken in a contoso domain; in this lab the account is test1\\Administrator.)<\/p>\n<h3>Request a certificate for a computer<\/h3>\n<p>It is also possible to request certificates for computers. We will make a manual request by using the Certificates console on the CA server.<\/p>\n<ol>\n<li>On the CA server, press <strong>Windows key + R<\/strong>, type <strong>mmc<\/strong>, and press ENTER.<\/li>\n<li>Click the <strong>File<\/strong> menu, and then click <strong>Add\/Remove Snap-in<\/strong>.<\/li>\n<li>Click <strong>Certificates<\/strong>, and click <strong>Add<\/strong>.<\/li>\n<\/ol>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-10.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-10.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  4. Select <b>Computer account<\/b> and click <b>Next<\/b>.\n<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-11.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-11.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  5. Click <b>Finish<\/b>. 
The Certificates (Local Computer) snap-in is added. The lab\u2019s root CA certificate is already present in the computer\u2019s Trusted Root Certification Authorities store, because an Enterprise CA publishes it to domain members through Active Directory.\n<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-13.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-13.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  6. Under <b>Certificates (Local Computer)<\/b>, double-click the <b>Personal<\/b> folder, right-click the <b>Certificates<\/b> folder, click <b>All Tasks<\/b>, and then click <b>Request New Certificate<\/b>.\n<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-14.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-14.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  7. Click <b>Next<\/b> on the next two screens that appear.\n<\/p>\n<p style=\"margin-left:30px\">\n  8. Select the check box next to <b>Computer<\/b>, and click <b>Enroll<\/b>.\n<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-17.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-17.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  9. Click <b>Details<\/b>, and then click <b>View Certificate<\/b>.\n<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-18.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-18.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p><strong>Congratulations<\/strong>! 
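<\/p>\n<p>The same two requests can be made from Windows PowerShell instead of clicking through the Web Enrollment page and the Certificates snap-in, which is also the quickest way to see exactly what the lab CA has issued. The following script is an added example, not code from the original post or from AutomatedLab. It assumes the CA is the <strong>MySpecialRootCA1<\/strong> defined above, and it addresses templates by their common names (<strong>User<\/strong>, and <strong>Machine<\/strong> for the template whose display name is <strong>Computer<\/strong>). Run it on a domain-joined lab machine; the computer request needs an elevated console because it writes to the local machine store.<\/p>\n

```powershell
# Added example (not from the original post or from AutomatedLab): the user and
# computer requests of the GUI walkthrough, done from Windows PowerShell on a
# domain-joined lab machine, plus a helper that lists what the lab CA has
# issued. Assumptions: the CA is 'MySpecialRootCA1' from the role definition
# above; templates are addressed by common name ('User', and 'Machine' for the
# template whose display name is 'Computer').
Import-Module PKI
$labCaName = 'MySpecialRootCA1'

function Request-LabCertificate {
    param(
        [Parameter(Mandatory)][string]$Template,
        [Parameter(Mandatory)][ValidateSet('CurrentUser', 'LocalMachine')][string]$Store
    )
    # Get-Certificate enrolls against the enterprise CAs published in AD, using
    # the caller's identity; a LocalMachine request needs an elevated console.
    $result = Get-Certificate -Template $Template -CertStoreLocation "Cert:\$Store\My"
    if ($result.Status -ne 'Issued') {
        throw "Enrollment for template '$Template' ended with status '$($result.Status)'"
    }
    $cert = $result.Certificate
    # Verify() builds and validates the chain against this host's trusted roots.
    # The Enterprise CA's root reaches domain members through AD and Group
    # Policy, so a failure here usually means policy has not refreshed yet.
    if (-not $cert.Verify()) {
        Write-Warning "Certificate $($cert.Thumbprint) does not chain to a trusted root on this host"
    }
    $cert
}

function Get-LabIssuedCertificate {
    param([ValidateSet('CurrentUser', 'LocalMachine')][string]$Store = 'LocalMachine')
    $issuerPattern = "^CN=$([regex]::Escape($labCaName))(,|$)"
    Get-ChildItem "Cert:\$Store\My" | Where-Object { $_.Issuer -match $issuerPattern } | ForEach-Object {
        $cert = $_
        # Built-in v1 templates (User, Machine) record the template name in
        # extension 1.3.6.1.4.1.311.20.2; duplicated (v2+) templates such as
        # 'Computer Auto Enroll' use 1.3.6.1.4.1.311.21.7 instead.
        $ext = $cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
            Select-Object -First 1
        $templateInfo = if ($ext) { $ext.Format($false) } else { '(no template extension)' }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Template   = $templateInfo
            NotAfter   = $cert.NotAfter
            HasKey     = $cert.HasPrivateKey
            Thumbprint = $cert.Thumbprint
        }
    }
}

# The same requests as the Web Enrollment and Certificates-console steps above.
Request-LabCertificate -Template User    -Store CurrentUser  | Format-List Subject, NotAfter, Thumbprint
Request-LabCertificate -Template Machine -Store LocalMachine | Format-List Subject, NotAfter, Thumbprint

# What the lab CA has issued to this user and to this machine so far.
Get-LabIssuedCertificate -Store CurrentUser  | Format-Table -AutoSize
Get-LabIssuedCertificate -Store LocalMachine | Format-Table -AutoSize
```

\n<p>The <strong>Get-LabIssuedCertificate<\/strong> helper is useful again once auto-enrollment is configured later in this post: after <strong>gpupdate \/force<\/strong>, run <strong>certutil -pulse<\/strong> to trigger the auto-enrollment task without waiting for its next scheduled run, then call the helper for both stores and look for the <strong>Computer Auto Enroll<\/strong> and <strong>User Auto Enroll<\/strong> template names in its output.<\/p>\n<p>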
You now have a computer certificate issued to the CA server.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-19.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-19.png\" alt=\"Image of certificate\" title=\"Image of certificate\" \/><\/a><\/p>\n<h3>Enable automatic enrollment of certificates<\/h3>\n<p>Issuing the user and computer certificates was good fun. However, it will not be so much fun if you deploy a lab with 10+ computers and 50+ users and you need to enroll 60 certificates manually! Instead, you can configure automatic enrollment by following these steps.<\/p>\n<ol>\n<li>On the CA server, press <strong>Windows key + R<\/strong>, type <strong>certtmpl.msc<\/strong>, and press ENTER.<\/li>\n<li>The <strong>Certificate Templates Console<\/strong> appears. Each template defines a type of certificate that the CA can issue.<\/li>\n<\/ol>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-20.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-20.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  3. Right-click the <b>Computer<\/b> certificate template, and click <b>Duplicate Template<\/b>.\n<\/p>\n<p style=\"margin-left:30px\">\n  4. In the <b>Template display name<\/b> field, type <b>Computer Auto Enroll<\/b>.\n<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-21.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-21.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  5. 
Click the <b>Security<\/b> tab, and then click <b>Domain Computers<\/b>.\n<\/p>\n<p style=\"margin-left:30px\">\n  6. In the <b>Permissions for Domain Computers<\/b> area, select the check boxes to allow <b>Read<\/b>, <b>Enroll<\/b>, and <b>Autoenroll<\/b>.\n<\/p>\n<p style=\"margin-left:30px\">\n  7. Add <b>Domain Controllers<\/b> with the same permissions.\n<\/p>\n<p style=\"margin-left:30px\">\n  8. Duplicate the <b>User<\/b> certificate template in the same way, name the copy <b>User Auto Enroll<\/b>, and on its <b>Security<\/b> tab allow <b>Read<\/b>, <b>Enroll<\/b>, and <b>Autoenroll<\/b> for <b>Domain Users<\/b> and for <b>Administrator<\/b>. Leave the subject name source at <b>Build from this Active Directory information<\/b> on both templates: a template that lets the enrollee supply the subject and is enrollable by every domain user would let any user obtain a certificate in someone else\u2019s name.\n<\/p>\n<p style=\"margin-left:30px\">\n  <span style=\"font-size:12px\">9. 
When duplicating the <\/span><b style=\"font-size:12px\">User<\/b><span style=\"font-size:12px\"> certificate template, one more change is needed. In <\/span><b style=\"font-size:12px\">User Auto Enroll Properties<\/b><span style=\"font-size:12px\">, click the <\/span><b style=\"font-size:12px\">Subject Name<\/b><span style=\"font-size:12px\"> tab, and clear the following check boxes. Both options require an e-mail address on the user object in Active Directory, and the lab users have none, so with the defaults in place every request for this template would fail:<\/span>\n<\/p>\n<ul style=\"margin-left:30px\">\n<li><b>Include e-mail name in subject name<\/b><\/li>\n<li><b>E-mail name<\/b> (under <b>Include this information in alternate subject name<\/b>)<\/li>\n<\/ul>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-23.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-23.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  10. On the CA server, press <b>Windows key + R<\/b>, type <b>certsrv.msc<\/b>, and press ENTER.\n<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-24.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-24.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  11. Right-click <b>Certificate Templates<\/b>, click <b>New<\/b>, and click <b>Certificate Template to Issue<\/b>.\n<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-25.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-25.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  12. 
Click the newly created certificate template, <b>Computer Auto Enroll<\/b>, and then click <b>OK<\/b>.\n<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-26.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-26.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p>Follow the same procedure for the <strong>User Auto Enroll<\/strong> certificate template.<\/p>\n<h3>Configure a Group Policy setting<\/h3>\n<p>The certificate templates on the CA server are in place, and the CA will issue them on request. To make all computers and users request certificates automatically, you configure a Group Policy setting. The steps below edit the Default Domain Policy because this is a throwaway lab; in an environment you care about, put the setting in a dedicated GPO linked to the domain, so it can be scoped, tested, and removed independently of everything else in the default policy.<\/p>\n<ol>\n<li>To open the <strong>Group Policy Management Tool<\/strong>, on the domain controller, press <strong>Windows key + R<\/strong>, type <strong>gpmc.msc<\/strong>, and then press ENTER.<\/li>\n<li>Click <strong>Forest: test1.net<\/strong> > <strong>Domains<\/strong> > <strong>test1.net<\/strong>.<\/li>\n<\/ol>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-29.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-29.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  3. Right-click the <b>Default Domain Policy<\/b>, and click <b>Edit<\/b>.\n<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-30.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-30.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  4. 
Click <b>Default Domain Policy<\/b> > <b>Computer Configuration<\/b> > <b>Policies<\/b> > <b>Windows Settings<\/b> > <b>Security Settings<\/b> > <b>Public Key Policies<\/b>.\n<\/p>\n<p style=\"margin-left:30px\">\n  5. In the Object Type area, double-click <b>Certificate Services Client &#8211; Auto-Enrollment<\/b>.\n<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-31.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-31.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  6. Change the <b>Configuration Model<\/b> to <b>Enabled<\/b>, select both check boxes (<b>Renew expired certificates, update pending certificates, and remove revoked certificates<\/b> and <b>Update certificates that use certificate templates<\/b>), and click <b>OK<\/b>.\n<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-33.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-33.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  7. Make exactly the same changes for users under <b>Default Domain Policy<\/b> > <b>User Configuration<\/b> > <b>Policies<\/b> > <b>Windows Settings<\/b> > <b>Security Settings<\/b> > <b>Public Key Policies<\/b>.\n<\/p>\n<p style=\"margin-left:30px\">\n  8.\u00a0To test the auto-enrollment, press <b>Windows key + R<\/b>, type <b>mmc<\/b>, and press ENTER.\n<\/p>\n<p style=\"margin-left:30px\">\n  9. Click the <b>File<\/b> menu and click <b>Add or Remove Snap-ins<\/b>.\n<\/p>\n<p style=\"margin-left:30px\">\n  <span style=\"font-size:12px\">10. 
Click <\/span><b style=\"font-size:12px\">Certificates<\/b><span style=\"font-size:12px\">, and then click <\/span><b style=\"font-size:12px\">Add<\/b><span style=\"font-size:12px\">.<\/span>\n<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-34.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-34.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  11. Select <b>Computer account<\/b>, and then click <b>Next<\/b>.\n<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-35.png\"><img decoding=\"async\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/hsg-10-29-14-35.png\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  12. Select <b>Local computer<\/b>, and then click <b>Finish<\/b>.\n<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/36.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/36.PNG\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  13. Click the <b>Certificates<\/b> tab again, and then click <b>Add<\/b>. 
This time, select <b>My user account<\/b>, and click <b>Finish<\/b>.\n<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/37.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/37.PNG\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  14. Click <b>Certificate (Local Computer)<\/b> > <b>Personal<\/b> > <b>Certificates<\/b>. The list contains three certificates, but none of these are issued from the certificate templates we created earlier.\n<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/39.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/39.PNG\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  15. Click <b>Certificate (Current User)<\/b> > <b>Personal<\/b> > <b>Certificates<\/b>. Only one self-signed certificate is present. There are no certificates from our CA server.\n<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/40.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/40.PNG\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p style=\"margin-left:30px\">\n  16. 
To update Group Policy, open a Windows PowerShell console and type:\n<\/p>\n<p style=\"margin-left:60px\">\n  gpupdate \/force\n<\/p>\n<p>A certificate has been automatically issued to the domain controller from our new certificate template. Also, a user certificate has been issued!<\/p>\n<p><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/42.PNG\"><img decoding=\"async\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/TNBlogsFS\/prod.evol.blogs.technet.com\/CommunityServer.Blogs.Components.WeblogFiles\/00\/00\/00\/76\/18\/42.PNG\" alt=\"Image of menu\" title=\"Image of menu\" \/><\/a><\/p>\n<p><strong>Congratulations<\/strong>! When new computers are joined to the domain, they will automatically get a certificate.<\/p>\n<h2>The full script<\/h2>\n<p style=\"margin-left:30px\">\n  $start = Get-Date\n<\/p>\n<p style=\"margin-left:30px\">\n  #Some definitions about folder paths\n<\/p>\n<p style=\"margin-left:30px\">\n  #This folder contains two subfolders\n<\/p>\n<p style=\"margin-left:30px\">\n  # -ISOs &#8211; Stores all the DVD images\n<\/p>\n<p style=\"margin-left:30px\">\n  # -PostInstallationActivities &#8211; any scripts to customize the environment after installation\n<\/p>\n<p style=\"margin-left:30px\">\n  $labSources = &#8216;E:\\LabSources&#8217;\n<\/p>\n<p style=\"margin-left:30px\">\n  $vmDrive = &#8216;D:&#8217;\n<\/p>\n<p style=\"margin-left:30px\">\n  $labName = &#8216;PKISmall1&#8217;\n<\/p>\n<p style=\"margin-left:30px\">\n  #this folder stores the XML files that contain all the information about the lab\n<\/p>\n<p style=\"margin-left:30px\">\n  $labPath = &#8220;$vmDrive\\$labName&#8221;\n<\/p>\n<p style=\"margin-left:30px\">\n  #create the target directory if it does not exist\n<\/p>\n<p style=\"margin-left:30px\">\n  if (-not (Test-Path $labPath)) { New-Item $labPath -ItemType Directory | Out-Null }\n<\/p>\n<p 
style=\"margin-left:30px\">\n  #create an empty lab template and define where the lab XML files and the VMs will be stored\n<\/p>\n<p style=\"margin-left:30px\">\n  New-LabDefinition -Path $labPath -VmPath $labPath -Name $labName -ReferenceDiskSizeInGB 60\n<\/p>\n<p style=\"margin-left:30px\">\n  #make the network definition\n<\/p>\n<p style=\"margin-left:30px\">\n  Add-LabVirtualNetworkDefinition -Name $labName -IpAddress 192.168.81.1 -PrefixLength 24\n<\/p>\n<p style=\"margin-left:30px\">\n  #and the domain definition with the domain admin account\n<\/p>\n<p style=\"margin-left:30px\">\n  Add-LabDomainDefinition -Name test1.net -AdminUser administrator -AdminPassword Password1\n<\/p>\n<p style=\"margin-left:30px\">\n  #these images are used to install the machines\n<\/p>\n<p style=\"margin-left:30px\">\n  Add-LabIsoImageDefinition -Name Server2012 -Path $labSources\\ISOs\\en_windows_server_2012_r2_with_update_x64_dvd_4065220.iso -IsOperatingSystem\n<\/p>\n<p style=\"margin-left:30px\">\n  #these credentials are used for connecting to the machines. As this is a lab we use clear-text passwords\n<\/p>\n<p style=\"margin-left:30px\">\n  $installationCredential = New-Object PSCredential(&#8216;Administrator&#8217;, (&#8216;Password1&#8217; | ConvertTo-SecureString -AsPlainText -Force))\n<\/p>\n<p style=\"margin-left:30px\">\n  #the first machine is the root domain controller. 
Everything in $labSources\\Tools gets copied to the machine&#8217;s Windows folder\n<\/p>\n<p style=\"margin-left:30px\">\n  $role = Get-LabMachineRoleDefinition -Role RootDC @{ DomainFunctionalLevel = &#8216;Win2012R2&#8217;; ForestFunctionalLevel = &#8216;Win2012R2&#8217; }\n<\/p>\n<p style=\"margin-left:30px\">\n  Add-LabMachineDefinition -Name S1DC1 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -MemoryInMb 512 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -IsDomainJoined `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -DomainName test1.net `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -Network $labName `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -IpAddress 192.168.81.10 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -DnsServer1 192.168.81.10 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -InstallationUserCredential $installationCredential `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -ToolsPath $labSources\\Tools `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -OperatingSystem &#8216;Windows Server 2012 R2 SERVERDATACENTER&#8217; `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -Roles $role\n<\/p>\n<p style=\"margin-left:30px\">\n  #the second will be a member server configured as Root CA server. 
Everything in $labSources\\Tools gets copied to the machine&#8217;s Windows folder\n<\/p>\n<p style=\"margin-left:30px\">\n  $role = Get-LabMachineRoleDefinition -Role CaRoot\n<\/p>\n<p style=\"margin-left:30px\">\n  Add-LabMachineDefinition -Name S1CA1 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -MemoryInMb 512 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -IsDomainJoined `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -DomainName test1.net `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -Network $labName `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -IpAddress 192.168.81.20 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -DnsServer1 192.168.81.10 `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -InstallationUserCredential $installationCredential `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -ToolsPath $labSources\\Tools `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -OperatingSystem &#8216;Windows Server 2012 R2 SERVERDATACENTER&#8217; `\n<\/p>\n<p style=\"margin-left:30px\">\n  \u00a0\u00a0\u00a0 -Roles $role\n<\/p>\n<p style=\"margin-left:30px\">\n  #This all has created the lab configuration in memory. The next step is to export it to XML. You could have made the\n<\/p>\n<p style=\"margin-left:30px\">\n  #lab definitions in XML as well, or make modifications in the XML if this seems easier.\n<\/p>\n<p style=\"margin-left:30px\">\n  Export-LabDefinition -Force -ExportDefaultUnattendedXml\n<\/p>\n<p style=\"margin-left:30px\">\n  #Set trusted hosts to &#8216;*&#8217; and enable CredSSP\n<\/p>\n<p style=\"margin-left:30px\">\n  Set-LabHostRemoting\n<\/p>\n<p style=\"margin-left:30px\">\n  #Now the XML files need to be reimported. Some basic checks are done for duplicate IP addresses, machine names, domain\n<\/p>\n<p style=\"margin-left:30px\">\n  #membership, etc. 
If this reports errors, please run &#8220;Test-LabDefinition D:\\LabSettings\\Lab.xml&#8221; for more information\n<\/p>\n<p style=\"margin-left:30px\">\n  Import-Lab -Path (Get-LabDefinition).LabFilePath\n<\/p>\n<p style=\"margin-left:30px\">\n  #Now the actual work begins. First the virtual network adapter is created and then the base images per OS\n<\/p>\n<p style=\"margin-left:30px\">\n  #All VMs are diffs from the base.\n<\/p>\n<p style=\"margin-left:30px\">\n  Install-Lab -NetworkSwitches -BaseImages -VMs\n<\/p>\n<p style=\"margin-left:30px\">\n  #This sets up all domains \/ domain controllers\n<\/p>\n<p style=\"margin-left:30px\">\n  Install-Lab -Domains\n<\/p>\n<p style=\"margin-left:30px\">\n  #Install CA server(s)\n<\/p>\n<p style=\"margin-left:30px\">\n  Install-Lab -CA\n<\/p>\n<p style=\"margin-left:30px\">\n  #Start all machines that have not yet started\n<\/p>\n<p style=\"margin-left:30px\">\n  Install-Lab -StartRemainingMachines\n<\/p>\n<p style=\"margin-left:30px\">\n  $end = Get-Date\n<\/p>\n<p style=\"margin-left:30px\">\n  Write-Host &#8220;Setting up the lab took $($end &#8211; $start)&#8221;\n<\/p>\n<h2>What\u2019s next?<\/h2>\n<p>The next post describes how to install a PKI hierarchy the way it is typically set up in production. This means there will be two CAs\u2014one Stand-alone (the root CA) and one Enterprise (the subordinate CA).<\/p>\n<p>~ Raimund and Per<\/p>\n<p>Be sure to join us tomorrow when Raimund and Per bring us Part 5.<\/p>\n<p>I invite you to follow me on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\" rel=\"noopener\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\" rel=\"noopener\">Facebook<\/a>. 
If you have any questions, send email to me at <a href=\"mailto:scripter@microsoft.com\" target=\"_blank\" rel=\"noopener\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\" rel=\"noopener\">Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n<p><strong>Ed Wilson, Microsoft Scripting Guy<\/strong><span style=\"font-size:12px\">\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Learn how to easily deploy a PKI environment by using AutomatedLab. Microsoft Scripting Guy, Ed Wilson, is here. Welcome back Microsoft PFEs, Raimund Andree and Per Pedersen, and their series about AutomatedLab. Read their previous posts here: AutomatedLab Tutorial Part\u00a01: Introduction to AutomatedLab AutomatedLab Tutorial Part 2: Create a Simple Lab AutomatedLab Tutorial Part [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[56,543,544,3,45],"class_list":["post-462","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-guest-blogger","tag-per-pedersen","tag-raimund-andree","tag-scripting-guy","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Learn how to easily deploy a PKI environment by using AutomatedLab. Microsoft Scripting Guy, Ed Wilson, is here. Welcome back Microsoft PFEs, Raimund Andree and Per Pedersen, and their series about AutomatedLab. 
Read their previous posts here: AutomatedLab Tutorial Part\u00a01: Introduction to AutomatedLab AutomatedLab Tutorial Part 2: Create a Simple Lab AutomatedLab Tutorial Part [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/462","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=462"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/462\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=462"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=462"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=462"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}