Auto Enroll Certificates with Group Policy

Steps on how to configure Auto Enroll Certificates with Group Policy

Prepare Certificate Template for Computer

Right-click Certificate Templates and select Manage in Certificate Authority

Right-click Computer and select Duplicate Template

Create a new Template called Computer_Auto_Enrollment

Enable Allow private key to be exported in Request Handling

Ensure that Domain Computers is assigned the Allow Enroll and Autoenroll permissions in Security

Verify DNS Name is selected in Subject Name and Subject Name Format=DNS Name

Prepare Certificate Template for User

Right-click Users and select Duplicate Template

Create a new Template called User_Auto_Enrollment with Publish certificate in Active Directory enabled

Enable Allow private key to be exported in Request Handling

Ensure that the Read, Enroll and Autoenroll permissions are assigned to Domain Users

Issue Certificate Template

Right-click Certificate Templates – New – Certificate Template to Issue, and select both Computer_Auto_Enrollment & User_Auto_Enrollment

Configuration of Group Policy

Set the Configuration Model = Enabled in Computer Configuration – Windows Settings – Security Settings – Public Key Policies – Certificate Services Client – Auto Enrollment in Default Domain Policy to enable Certificate Auto Enroll for all domain computers

Set the Configuration Model = Enabled in User Configuration – Windows Settings – Security Settings – Public Key Policies – Certificate Services Client – Auto Enrollment in Default Domain Policy to enable Certificate Auto Enroll for all domain users

Auto Enroll Certificates with Group Policy for Windows 10

Computer and user certificates will be generated automatically when Group Policy is updated in the background every 90 minutes

"gpupdate /force" can be used to apply the latest GPO to a user's workstation immediately

Verify that the computer and user certificates were created successfully in Certificate Authority
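
The same verification can be done from the workstation side. The script below is an added example, not part of the original article: it refreshes policy, triggers autoenrollment, and lists certificates issued from the two templates created above, including whether each private key is exportable (both templates enable Allow private key to be exported). It assumes an English-language Windows client that can resolve the template name from Active Directory; the 30-second wait is an arbitrary assumption.

```powershell
# Added example: client-side check for the two templates named on this page.
# Run on a domain-joined workstation; reading machine key properties needs an elevated session.
$templates   = 'Computer_Auto_Enrollment', 'User_Auto_Enrollment'
$templateOid = '1.3.6.1.4.1.311.21.7'   # "Certificate Template Information" extension (v2+ templates)

# Refresh policy, then trigger autoenrollment for the machine and for the current user.
gpupdate /force | Out-Null
certutil -pulse | Out-Null
certutil -user -pulse | Out-Null
Start-Sleep -Seconds 30   # assumption: enrollment is asynchronous, allow time for issuance

function Get-KeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($key -is [System.Security.Cryptography.RSACng]) {
            return $key.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
        }
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return $key.CspKeyContainerInfo.Exportable
        }
    } catch { }   # key not readable in this session (e.g. not elevated)
    return 'unknown'
}

$report = foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    foreach ($cert in Get-ChildItem -Path $store) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }
        if (-not $ext) { continue }
        $info = $ext.Format($false)   # typically "Template=<name>(<oid>), Major Version Number=..."
        $name = $templates | Where-Object { $info -like ('*{0}*' -f $_) }
        if (-not $name) { continue }
        [pscustomobject]@{
            Store      = $store
            Template   = $name
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Exportable = if ($cert.HasPrivateKey) { Get-KeyExportable $cert } else { 'no private key' }
        }
    }
}

# Warn about any template that produced no certificate on this client.
foreach ($t in $templates) {
    if ($report.Template -notcontains $t) { Write-Warning "No certificate from template $t found" }
}
$report | Format-Table -AutoSize
```

An Exportable value of True means the key can be copied off the machine together with the certificate, so it is worth reviewing which endpoints actually need that setting.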
