Certificate Auto-Enrollment
Enabling auto-enrollment in Group Policy lets users and workstations in the organization automatically request, receive and renew certificates from the Active Directory Certificate Services enterprise CA. A user or computer is auto-enrolled only for templates that are published on the CA and on which it holds the Read, Enroll and Autoenroll permissions, so the certificate templates deployed in Part 7 determine what actually gets issued. This level of automation is helpful for large organizations that need to deploy certificates to many users or workstations quickly.
This entire section is optional. Not implementing certificate auto-enrollment will have no impact on the functionality of your Certificate Authority, nor will it interfere with any later steps. This functionality can be added at any time in the future if needed.
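Because auto-enrollment issues certificates to every principal that holds Enroll and Autoenroll on a published template, it is worth listing who that is before the GPO goes live. The following PowerShell is an added example, not code from the original guide: it reads the published templates and their ACLs from the Configuration partition. It assumes the ActiveDirectory module (RSAT) and read access to the Configuration partition, as when run on TFS-DC01; the function name Get-TemplateEnrollmentRights is illustrative.

```powershell
# Added example, not code from the original guide: list who holds the Enroll and
# Autoenroll rights on every template published by an enterprise CA in the forest.
# Auto-enrollment issues a certificate to any user or computer with
# Read + Enroll + Autoenroll on a published template, so this output is the
# population that will start receiving certificates once the GPO is enabled.
# Assumes the ActiveDirectory module (RSAT) and read access to the Configuration
# partition, e.g. when run on TFS-DC01.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs used on certificate template objects
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$ExtendedRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GenericAll      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$pkiBase = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# Names (cn) of templates published on at least one enterprise CA
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -Filter { objectClass -eq 'pKIEnrollmentService' } -Properties certificateTemplates |
    ForEach-Object { $_.certificateTemplates } | Sort-Object -Unique

function Get-TemplateEnrollmentRights {
    param([string[]] $TemplateNames)
    foreach ($name in $TemplateNames) {
        $tmpl = Get-ADObject -Identity "CN=$name,CN=Certificate Templates,$pkiBase" -Properties nTSecurityDescriptor
        foreach ($ace in $tmpl.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }   # deny ACEs grant nothing
            $right = $null
            if ($ace.ActiveDirectoryRights.HasFlag($GenericAll)) {
                $right = 'FullControl'                              # implies Enroll and Autoenroll
            } elseif ($ace.ActiveDirectoryRights.HasFlag($ExtendedRight)) {
                if     ($ace.ObjectType -eq $AutoenrollRight) { $right = 'Autoenroll' }
                elseif ($ace.ObjectType -eq $EnrollRight)     { $right = 'Enroll' }
                elseif ($ace.ObjectType -eq [guid]::Empty)    { $right = 'AllExtendedRights' }  # blanket grant
            }
            if ($right) {
                [pscustomobject]@{ Template = $name; Principal = $ace.IdentityReference.Value; Right = $right }
            }
        }
    }
}

$rights = Get-TemplateEnrollmentRights -TemplateNames $published
$rights | Sort-Object Template, Right, Principal | Format-Table -AutoSize

# Rows that grant Autoenroll (directly or via a blanket right) to broad groups show
# which templates will be issued to everyone once the Auto-Enrollment GPO setting is on
$rights | Where-Object { $_.Right -ne 'Enroll' -and $_.Principal -match 'Domain Users|Domain Computers|Authenticated Users' } |
    Format-Table -AutoSize
```

Enroll alone lets a principal request a certificate manually; only Autoenroll (or a right that includes it) causes the GPO setting in this part to issue one automatically, so the second table is the one to review against the templates you intended to deploy in Part 7.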
8.1 User Auto-Enrollment
To enable certificate auto-enrollment for user accounts in the TFS Labs domain, perform the following steps on the TFS-DC01 server:
- On the TFS-DC01 server, open the Group Policy Management console.
- Open the TFS Labs Certificates GPO that was created earlier.
- Open the User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies node.
- Open the Certificate Services Client - Certificate Enrollment Policy object.
- In the Properties window, change the Configuration Model option to Enabled. Click the OK button to close the window.
- Open the Certificate Services Client - Auto-Enrollment object.
- In the Properties window, change the Configuration Model option to Enabled. Select the Renew expired certificates, update pending certificates, and remove revoked certificates option and the Update certificates that use certificate templates option. Click the OK button to close the window.
Once the auto-enrollment options have been saved in the GPO, they reach user accounts on the next Group Policy refresh. By default member computers refresh every 90 minutes with a random offset of up to 30 minutes, so allow up to 2 hours for the whole domain to pick up the change, or run gpupdate /force on a workstation to apply it immediately. Auto-enrollment itself then runs at user logon and every 8 hours thereafter; certutil -user -pulse triggers it on demand.
8.2 Workstation Auto-Enrollment
To enable certificate auto-enrollment for workstation accounts in the TFS Labs domain, perform the following steps on the TFS-DC01 server:
- On the TFS-DC01 server, open the Group Policy Management console.
- Open the TFS Labs Certificates GPO that was created earlier.
- Open the Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies node.
- Open the Certificate Services Client - Certificate Enrollment Policy object.
- In the Properties window, change the Configuration Model option to Enabled. Click the OK button to close the window.
- Open the Certificate Services Client - Auto-Enrollment object.
- In the Properties window, change the Configuration Model option to Enabled. Select the Renew expired certificates, update pending certificates, and remove revoked certificates option and the Update certificates that use certificate templates option. Click the OK button to close the window.
Once the auto-enrollment options have been saved in the GPO, they reach workstation accounts on the next Group Policy refresh. By default member computers refresh every 90 minutes with a random offset of up to 30 minutes, so allow up to 2 hours for the whole domain to pick up the change, or run gpupdate /force on a workstation to apply it immediately. Auto-enrollment itself then runs at computer startup and every 8 hours thereafter; certutil -pulse triggers it on demand.
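The two console procedures in 8.1 and 8.2 make the same change in the User and Computer halves of the GPO. The PowerShell below is an added example, not code from the original guide: the first part writes the Auto-Enrollment setting for both halves with the GroupPolicy module on TFS-DC01, and the second part is a check to run on a domain-joined workstation to confirm the policy arrived and a template-based certificate was issued. It assumes the GPO is named exactly "TFS Labs Certificates" and is already linked; the workstation name TFS-WS01 and the function Test-AutoEnrollment are illustrative. The Certificate Enrollment Policy object is left to the console steps above, since the default LDAP enrollment policy is used either way.

```powershell
# Added example, not code from the original guide. Part 1 sets the Auto-Enrollment
# object for both User Configuration (HKCU) and Computer Configuration (HKLM) in
# the GPO from the console steps above, using the GroupPolicy module on TFS-DC01.
# Part 2 is a check to run on a domain-joined workstation afterwards.
# Assumptions: the GPO is named exactly "TFS Labs Certificates" and is already
# linked; the Certificate Enrollment Policy object is left to the console steps.
Import-Module GroupPolicy

$GpoName = 'TFS Labs Certificates'
# AEPolicy = 7 is the commonly documented registry value behind "Enabled" with
# both check boxes selected (0x8000 = Disabled). Confirm by opening the GPO in
# the editor after running this; the Public Key Policies node shows these values.
$AEPolicy = 7

foreach ($hive in 'HKCU', 'HKLM') {
    Set-GPRegistryValue -Name $GpoName `
        -Key "$hive\Software\Policies\Microsoft\Cryptography\AutoEnrollment" `
        -ValueName 'AEPolicy' -Type DWord -Value $AEPolicy | Out-Null
    # Echo what is now stored in the GPO for this hive
    Get-GPRegistryValue -Name $GpoName -Key "$hive\Software\Policies\Microsoft\Cryptography\AutoEnrollment"
}

# ---- Part 2: run on a domain-joined workstation (hypothetical TFS-WS01) ----
function Test-AutoEnrollment {
    param([ValidateSet('User', 'Computer')] [string] $Scope = 'Computer')

    $hive   = if ($Scope -eq 'User') { 'HKCU' } else { 'HKLM' }
    $store  = if ($Scope -eq 'User') { 'Cert:\CurrentUser\My' } else { 'Cert:\LocalMachine\My' }
    $target = $Scope.ToLower()

    # 1. Pull the policy now instead of waiting for the background refresh interval
    gpupdate.exe "/target:$target" /force | Out-Null
    $ae = Get-ItemProperty -Path "${hive}:\Software\Policies\Microsoft\Cryptography\AutoEnrollment" -ErrorAction SilentlyContinue
    if (-not $ae -or ($ae.AEPolicy -band 0x8000)) {
        return [pscustomobject]@{ Scope = $Scope; PolicyApplied = $false; AEPolicy = $ae.AEPolicy; TemplateCerts = @() }
    }

    # 2. Trigger auto-enrollment immediately instead of waiting for logon/startup or the 8-hour cycle
    if ($Scope -eq 'User') { certutil.exe -user -pulse | Out-Null } else { certutil.exe -pulse | Out-Null }
    Start-Sleep -Seconds 10     # the pulse is asynchronous; give the enrollment a moment to finish

    # 3. List certificates in the store that carry a certificate template extension,
    #    i.e. ones issued from an AD CS template rather than imported by hand
    $templateOids = @(
        '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
        '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)
    )
    $certs = foreach ($cert in Get-ChildItem -Path $store) {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -in $templateOids } | Select-Object -First 1
        if ($ext) {
            [pscustomobject]@{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Template   = $ext.Format($false)   # decoded extension text with the template name/OID
                Thumbprint = $cert.Thumbprint
            }
        }
    }
    [pscustomobject]@{ Scope = $Scope; PolicyApplied = $true; AEPolicy = $ae.AEPolicy; TemplateCerts = @($certs) }
}

Test-AutoEnrollment -Scope Computer | Format-List
```

Run Test-AutoEnrollment -Scope User in the user's own session to check the 8.1 settings. PolicyApplied false with a missing AEPolicy means the GPO has not reached the machine yet (check the GPO link and gpresult /r); PolicyApplied true with an empty TemplateCerts list means the policy is in place but no published template grants this principal Autoenroll.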
AD CS on Windows Server 2022 Guide
- Introduction - AD CS on Windows Server 2022
- Part 1 - Domain Controller and Workstation Setup
- Part 2 - Offline Root CA Setup
- Part 3 - Subordinate CA Setup
- Part 4 - Deploy Certificates
- Part 5 - Online Responder Role Configuration
- Part 6 - Private Key Archive and Recovery
- Part 7 - Certificate Template Deployment
- Part 8 - Certificate Auto-Enrollment