Auto Enroll Certificates with Group Policy
Steps on how to configure Auto Enroll Certificates with Group Policy
Prepare Certificate Template for Computer
Open the Certification Authority console (certsrv.msc), right click on Certificate Templates – Manage to open the Certificate Templates console
Right click on the built-in Computer template – Duplicate Template
On the General tab, name the new template Computer_Auto_Enrollment
Request Handling: Allow private key to be exported is optional. Leave it unchecked unless you have a concrete need to move the key off the machine (for example a backup requirement); an exportable key can be copied out of the store and used from another host, which is exactly what a machine certificate is meant to prevent
Security tab: ensure Domain Computers is assigned Allow for Enroll and Autoenroll (Read is already granted to Authenticated Users by default)
Subject Name tab: select Build from this Active Directory information, set Subject name format = DNS name, and tick DNS name under Include this information in alternate subject name. Do not select Supply in the request, so the requesting machine cannot choose its own name
Prepare Certificate Template for User
Right click on the built-in User template – Duplicate Template
On the General tab, name the new template User_Auto_Enrollment and tick Publish certificate in Active Directory
Request Handling: as with the computer template, Allow private key to be exported is optional; leave it unchecked unless users genuinely need to export their certificate
Security tab: ensure Domain Users is assigned Allow for Read, Enroll and Autoenroll
Issue Certificate Template
Back in the Certification Authority console, right click on Certificate Templates – New – Certificate Template to Issue, and select both Computer_Auto_Enrollment and User_Auto_Enrollment
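The steps above are all done in the GUI, which makes it easy to miss one. The following PowerShell script is an added example, not part of the original guide: it reads the two template objects from the Configuration partition and reports the settings the steps asked for (autoenroll flag, publish to AD, exportable key, who holds Enroll/Autoenroll) plus whether each template is actually published on a CA. It assumes the ActiveDirectory RSAT module, a domain-joined host with read access to the Configuration partition, and the two template names used on this page; the flag bit values are the ones documented for the msPKI-* attributes in MS-CRTD and the two extended-right GUIDs are the well-known Enroll and Autoenroll rights.

```powershell
# Added example (not from the original page): audit the duplicated autoenrollment templates.
# Assumes RSAT ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

$Templates = 'Computer_Auto_Enrollment', 'User_Auto_Enrollment'   # names used on this page
$ConfigNC  = (Get-ADRootDSE).configurationNamingContext
$TplBase   = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"
$CABase    = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigNC"

# Flag bits on the template object (MS-CRTD)
$CT_FLAG_EXPORTABLE_KEY            = 0x00000010   # msPKI-Private-Key-Flag
$CT_FLAG_PUBLISH_TO_DS             = 0x00000008   # msPKI-Enrollment-Flag
$CT_FLAG_AUTO_ENROLLMENT           = 0x00000020   # msPKI-Enrollment-Flag
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag

# Extended-right GUIDs carried in the ACE ObjectType for Enroll and Autoenroll
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$ExtRight       = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Templates published on every CA in the forest (the "Certificate Template to Issue" step)
$Published = Get-ADObject -SearchBase $CABase -Filter 'objectClass -eq "pKIEnrollmentService"' `
                 -Properties certificateTemplates |
             ForEach-Object { $_.certificateTemplates }

foreach ($name in $Templates) {
    $tpl = Get-ADObject -SearchBase $TplBase -Filter "cn -eq '$name'" `
               -Properties msPKI-Private-Key-Flag, msPKI-Enrollment-Flag, msPKI-Certificate-Name-Flag
    if (-not $tpl) { Write-Warning "Template $name not found under $TplBase"; continue }

    $pkf = [int]$tpl.'msPKI-Private-Key-Flag'
    $ef  = [int]$tpl.'msPKI-Enrollment-Flag'
    $cnf = [int]$tpl.'msPKI-Certificate-Name-Flag'

    # Principals holding Enroll or Autoenroll (or all extended rights / full control)
    $acl = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
    $enrollers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.ActiveDirectoryRights -band $ExtRight)) -ne 0 -and
        ($_.ObjectType -in @($EnrollGuid, $AutoEnrollGuid) -or $_.ObjectType -eq [guid]::Empty)
    } | ForEach-Object { "$($_.IdentityReference)" } | Sort-Object -Unique

    [pscustomobject]@{
        Template                = $name
        PublishedOnCA           = ($Published -contains $name)
        Autoenroll              = [bool]($ef  -band $CT_FLAG_AUTO_ENROLLMENT)
        PublishToAD             = [bool]($ef  -band $CT_FLAG_PUBLISH_TO_DS)
        ExportablePrivateKey    = [bool]($pkf -band $CT_FLAG_EXPORTABLE_KEY)            # expect False unless required
        EnrolleeSuppliesSubject = [bool]($cnf -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)  # expect False: name comes from AD
        EnrollOrAutoenroll      = ($enrollers -join ', ')
    }
}
```

Run it from a domain-joined admin workstation after completing the template steps. For an autoenrollment template you want Autoenroll and PublishedOnCA true, EnrolleeSuppliesSubject false, the expected group (Domain Computers or Domain Users) in EnrollOrAutoenroll and nothing broader, and ExportablePrivateKey false unless you deliberately enabled it.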
Configuration of Group Policy
In the Default Domain Policy (or a dedicated GPO linked at the domain level), go to Computer Configuration – Windows Settings – Security Settings – Public Key Policies – Certificate Services Client – Auto-Enrollment, set Configuration Model = Enabled and tick both Renew expired certificates, update pending certificates, and remove revoked certificates and Update certificates that use certificate templates. This enables certificate auto-enrollment for all domain computers
Do the same under User Configuration – Windows Settings – Security Settings – Public Key Policies – Certificate Services Client – Auto-Enrollment (Configuration Model = Enabled, both options ticked) to enable certificate auto-enrollment for all domain users
Auto Enroll Certificates with Group Policy for Windows 10
Computer and user certificates are requested automatically the next time Group Policy refreshes (in the background roughly every 90 minutes, plus a random offset of up to 30 minutes) and at computer start-up and user logon, when the CertificateServicesClient scheduled tasks run autoenrollment
"gpupdate /force" applies the latest GPO on a workstation immediately; follow it with "certutil -pulse" to trigger autoenrollment on the spot instead of waiting for the next refresh
Verify that the computer and user certificates appear under Issued Certificates in the Certification Authority console, and in the local stores on the workstation (certlm.msc for the computer certificate, certmgr.msc for the user certificate)
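The workstation-side check can be scripted. The following PowerShell is an added example, not part of the original guide: it forces the policy refresh and autoenrollment pulse described above, then lists every certificate in the machine and user personal stores that was issued from the page's two templates, including whether its private key is exportable (the Request Handling setting from the template steps, seen from the client side). It assumes an elevated session (the machine store needs administrator rights) and that the client resolves the template OID to its display name when it formats the Certificate Template Information extension; on a client that cannot resolve it, the OID is reported instead. The certutil command in the closing comment is the CA-side equivalent.

```powershell
# Added example (not from the original page): force GPO + autoenrollment on a workstation and
# confirm certificates from the two templates landed in the machine and user stores. Run elevated.
$TemplateNames  = 'Computer_Auto_Enrollment', 'User_Auto_Enrollment'   # names used on this page
$TemplateExtOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)

gpupdate /target:computer /force | Out-Null
gpupdate /target:user /force     | Out-Null
certutil -pulse | Out-Null        # trigger autoenrollment now instead of waiting for the scheduled task

function Get-TemplateName([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateExtOid }
    if (-not $ext) { return $null }
    # Format() renders "Template=<name>(<oid>), Major Version Number=..., ...". The name is
    # resolved from AD; if that fails the OID itself is captured (assumption about Format output).
    if ($ext.Format($false) -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
    return $null
}

function Test-KeyExportable([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    # Templates duplicated from the built-in Computer/User templates default to a legacy CSP,
    # so handle both CNG and CSP key containers.
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($key -is [System.Security.Cryptography.RSACng]) {
        return ($key.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
    }
    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return $key.CspKeyContainerInfo.Exportable
    }
    return $null   # non-RSA key or no accessible private key
}

foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Get-ChildItem $store | ForEach-Object {
        $t = Get-TemplateName $_
        if ($t -in $TemplateNames) {
            [pscustomobject]@{
                Store         = $store
                Template      = $t
                Subject       = $_.Subject
                SAN           = ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) })
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey
                Exportable    = Test-KeyExportable $_
            }
        }
    }
}

# CA-side equivalent of "Issued Certificates" in certsrv.msc (Disposition 20 = issued):
#   certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,CertificateTemplate,NotAfter"
```

A machine certificate whose SAN carries the host's DNS name, HasPrivateKey true and Exportable false is the expected result for the computer template as configured above; an Exportable of true means the Request Handling option was left on and is worth a second look.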