Hi everyone! In the last post, I walked through how I created and published custom certificate templates. Now it’s time to automate the certificate issuance process using Auto-Enrollment.
This is one of my favorite AD CS features—once configured, certificates are issued silently in the background to users and computers without any manual intervention.
🤖 What Is Auto-Enrollment?
Auto-enrollment allows domain-joined computers and users to automatically request and install certificates from the CA based on the permissions set on certificate templates and Group Policy.
This is super helpful for:
- Domain computer certificates (for RDP, Wi-Fi, VPN, etc.)
- User certificates (for S/MIME or client authentication)
- Web servers, file servers, and other domain-joined machines
🧰 Prerequisites
Before setting up auto-enrollment, I make sure:
✅ My CA is an Enterprise Root or Subordinate CA
✅ Certificate templates are published and have Autoenroll permissions
✅ Computers and users are domain-joined
✅ Group Policy is applied properly
🧭 Step-by-Step: Enable Auto-Enrollment via GPO
🖥️ Step 1: Open Group Policy Management
- On a domain controller or GPMC-equipped server, open Group Policy Management
- Right-click an OU or domain → Create a GPO (or edit an existing one)
- Name it something like: Auto-Enrollment Policy
🧑‍💻 Step 2: Configure User Auto-Enrollment (Optional)
If I want users to get certificates:
- Navigate to: User Configuration → Policies → Windows Settings → Security Settings → Public Key Policies
- Double-click Certificate Services Client – Auto-Enrollment
- Set Configuration Model to: Enabled
- Check both boxes:
  - ✅ Renew expired certificates
  - ✅ Update certificates that use certificate templates
🖥️ Step 3: Configure Computer Auto-Enrollment
For issuing certificates to computers:
- Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Public Key Policies
- Double-click Certificate Services Client – Auto-Enrollment
- Set Configuration Model to: Enabled
- Check both boxes:
  - ✅ Renew expired certificates
  - ✅ Update and manage templates
🔁 Step 4: Link the GPO to the OU
- Right-click the OU (or domain) where the target machines/users are located
- Select Link an Existing GPO → choose your Auto-Enrollment Policy
🧪 Step 5: Test on a Client Machine
On a test domain-joined computer:
- Run: gpupdate /force
- Then run: certutil -pulse
  This triggers certificate auto-enrollment immediately.
- Check the Certificates MMC → Computer → Personal → Certificates
- You should see a certificate from your template auto-installed
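To make the Step 5 check repeatable, here is an added PowerShell script (my own example, not part of the walkthrough above) that reads the auto-enrollment policy the GPO writes to the registry, triggers a pulse, and then looks for a certificate issued from the template; if none shows up, it pulls the client-side auto-enrollment events that usually explain why. It assumes a placeholder template display name in $TemplateName and must be run in an elevated prompt on the test computer.

```powershell
# Added example (not from the original post): verify computer auto-enrollment on a
# test client and confirm a certificate from a given template was issued.
# Assumption: $TemplateName is the display name of your published template.
$TemplateName = 'Workstation Authentication'   # placeholder, set to your template

# 1. Read the policy the GPO writes. AEPolicy bit 0x1 = enabled,
#    0x2 = renew expired/update pending/remove revoked, 0x4 = update templates.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae  = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $ae) {
    Write-Warning "No AutoEnrollment policy under $key - GPO not applied? Check gpresult /r"
} else {
    Write-Host ("AEPolicy = 0x{0:X}  Enabled={1} Renew={2} UpdateTemplates={3}" -f $ae,
        [bool]($ae -band 1), [bool]($ae -band 2), [bool]($ae -band 4))
}

# 2. Trigger auto-enrollment now instead of waiting for the next policy refresh.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 10

# 3. Look in LocalMachine\Personal for a certificate issued from the template.
#    v2+ templates carry the "Certificate Template Information" extension
#    (OID 1.3.6.1.4.1.311.21.7); its formatted text includes "Template=<name>(<oid>)".
$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $ext -and ($ext.Format($false) -like "*$TemplateName*")
}

if ($issued) {
    $issued | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
} else {
    Write-Warning "No certificate from template '$TemplateName' in LocalMachine\My yet."
    # 4. Show the client-side auto-enrollment events from the last 15 minutes;
    #    these name the template and the reason enrollment was skipped or failed.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        StartTime    = (Get-Date).AddMinutes(-15)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
}
```

For user certificates (Step 2), point $key at HKCU instead of HKLM and search Cert:\CurrentUser\My.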
🛠️ Troubleshooting Tips
| Problem | Fix |
|---|---|
| No certificate issued | Check template permissions (Enroll + Autoenroll) |
| Wrong certificate | Ensure the correct template is published and scoped |
| Nothing happens | Check if GPO is applied (gpresult /r) |
| Still not enrolling | Run certutil -v -pulse for detailed logs |
🧭 What’s Next?
In the next blog, I’ll show you how to issue SSL certificates to internal web servers like IIS or Exchange using AD CS—both manually and via enrollment.