Bootstrap FreeKB - Active Directory Certificate Services - Auto enroll client certificates using group policy


A new group policy object can be created that automatically enrolls a certificate for a domain user when that user signs in to a domain PC.

Create a new group policy object

  1. In Server Manager, select Tools > Group Policy Management.
  2. In the left panel of Group Policy Management, expand Forest > Domains > Your Domain, right-click on Group Policy Objects, and select New.
  3. In the pop-up box, give the new Group Policy Object a name (such as CertAutoEnroll).

 

The Group Policy Object should now appear under your domain.

 

Enable the group policy object

  1. Right-click on CertAutoEnroll and select Edit.
  2. In the left panel, expand User Configuration > Policies > Windows Settings > Security Settings, and select Public Key Policies.
  3. Double-click Certificate Services Client - Auto-Enrollment.
    • Set Configuration Model to Enabled.
    • Tick Renew expired certificates . . .
    • Tick Update certificates that use certificate templates.
    • Select OK.

 

Link the group policy object to the domain

  1. In the left panel of Group Policy Management, right-click on your domain and select Link an Existing GPO.
  2. Select CertAutoEnroll and select OK.
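The three console procedures above (create the GPO, set the auto-enrollment policy, link it to the domain) can also be done from PowerShell. The following is an added example, not part of the original article; it assumes the RSAT GroupPolicy module is installed and uses DC=corp,DC=example,DC=com as a placeholder domain distinguished name.

```powershell
# Added example (not from the original article): create, configure and link the
# CertAutoEnroll GPO with the GroupPolicy module instead of the management console.
# Placeholder: replace $domainDN with your own domain's distinguished name.
Import-Module GroupPolicy

$gpoName  = 'CertAutoEnroll'
$domainDN = 'DC=corp,DC=example,DC=com'

# 1. Create the GPO (reuse it if it already exists, so the script can be re-run)
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Certificate auto-enrollment for domain users'
}

# 2. "Certificate Services Client - Auto-Enrollment" under User Configuration is stored
#    in this registry key of the GPO. AEPolicy is a bit field:
#      0x1    enable auto-enrollment
#      0x2    renew expired, update pending and remove revoked certificates
#      0x4    update certificates that use certificate templates
#      0x8000 disabled
#    7 (0x1 | 0x2 | 0x4) matches "Enabled" with both boxes ticked in the console.
$aeKey = 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
Set-GPRegistryValue -Name $gpoName -Key $aeKey -ValueName 'AEPolicy' `
    -Type DWord -Value 7 | Out-Null
# Renewal threshold (10 % of lifetime left) and the store to manage ("MY" = Personal),
# the same values the console writes alongside AEPolicy.
Set-GPRegistryValue -Name $gpoName -Key $aeKey -ValueName 'OfflineExpirationPercent' `
    -Type DWord -Value 10 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $aeKey -ValueName 'OfflineExpirationStoreNames' `
    -Type String -Value 'MY' | Out-Null

# 3. Link the GPO to the domain root (skip if a link already exists)
$existingLink = (Get-GPInheritance -Target $domainDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existingLink) {
    New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null
}

# 4. Check: read the policy values back out of the GPO
Get-GPRegistryValue -Name $gpoName -Key $aeKey | Select-Object ValueName, Type, Value
```

The final Get-GPRegistryValue call is the check: AEPolicy should read 7. If it reads 32768 (0x8000) the setting is still "Disabled", which is what the console shows when the policy has never been configured.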

 

 

On the certificate server . . . 

  1. In Server Manager, select Tools > Certification Authority.
  2. In the left panel, expand your certification authority, right-click Certificate Templates, and select Manage.
  3. Double-click on the new basic EFS template you created.
  4. Select the Security tab, highlight Domain Users, tick Allow for Autoenroll, and select OK.
  5. In the left panel, right-click Certificate Templates and select New > Certificate Template to Issue.
  6. Select the new basic EFS template you created and select OK.

 

The new certificate template should now appear in the Certificate Templates folder. In this example, new certificate template EFS-2012 is listed.
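The permission change and the "Certificate Template to Issue" step on the certificate server can be scripted as well. This is an added example, not the article's own procedure; it assumes the ActiveDirectory and ADCSAdministration modules are available on the CA (or on a workstation with the CA role tools), that the template's name is EFS-2012 as in the article, and that the account running it can edit the template's ACL and the CA configuration.

```powershell
# Added example (not from the original article): grant Domain Users the rights that
# auto-enrollment needs on the EFS-2012 template, then publish the template on the CA.
Import-Module ActiveDirectory
Import-Module ADCSAdministration

$templateName = 'EFS-2012'   # template name from the article (the CN in AD, not the display name)

# Certificate templates live in the Configuration partition of the forest
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$acl        = Get-Acl -Path "AD:\$templateDN"

# Extended-right GUIDs of the schema's controlAccessRight objects
$enrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$autoenrollGuid = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment
$sid   = (Get-ADGroup -Identity 'Domain Users').SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$read  = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$xr    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Ticking "Autoenroll" alone is not enough: the principal must also hold Read and Enroll,
# otherwise the client silently skips the template.
$rules = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $read, $allow),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $xr, $allow, $enrollGuid),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $xr, $allow, $autoenrollGuid)
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path "AD:\$templateDN" -AclObject $acl

# Same as "New > Certificate Template to Issue" in the Certification Authority console
Add-CATemplate -Name $templateName -Force

# Check 1: the Domain Users ACEs now include the Enroll and Autoenroll extended rights
(Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object { $_.IdentityReference -like '*\Domain Users' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType

# Check 2: the template is in the CA's issue list
Get-CATemplate | Where-Object { $_.Name -eq $templateName }
```

Because Autoenroll for Domain Users lets every domain account obtain a certificate without any approval, review the template's settings before granting it: the enrollee should not be allowed to supply the subject name, and the template should carry only the extended key usages the certificate is actually for (here EFS), so that a broadly auto-enrolled certificate cannot be used for client authentication it was never meant for.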

 

 

To confirm that domain users automatically get the certificate, sign into the domain using any client PC in the network, and do the following.

  1. Select the Windows Start icon, type MMC in Run, and select OK.
  2. In the console, press Ctrl + M (or select File > Add/Remove Snap-in).
  3. In the left panel, select Certificates, select Add, and select OK.
  4. In the left panel, expand Certificates, expand Personal, and select Certificates. The user that the certificate was issued to should be displayed (test cert in this example).
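The same check can be done from a PowerShell prompt on the client without opening MMC, and auto-enrollment can be triggered immediately instead of waiting for the next sign-in or the scheduled auto-enrollment task. This is an added example, not part of the original article; it assumes it runs as the signed-in domain user on a domain-joined PC.

```powershell
# Added example (not from the original article): force a user policy refresh and an
# auto-enrollment pass, then list the certificates in the user's Personal store that
# were issued from a certificate template.

# Re-apply user GPOs now and run the auto-enrollment task immediately
gpupdate /target:user /force | Out-Null
certutil -user -pulse | Out-Null

# OID of the "Certificate Template Information" extension that auto-enrolled
# (version 2 and later template) certificates carry
$templateExtOid = '1.3.6.1.4.1.311.21.7'

function Get-TemplateCertificate {
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $cert = $_
        $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateExtOid }
        if ($ext) {
            [PSCustomObject]@{
                Subject    = $cert.Subject        # the user the certificate was issued to
                Issuer     = $cert.Issuer         # should be your enterprise CA
                NotAfter   = $cert.NotAfter
                # Template OID, followed by the template name when the client can resolve it
                Template   = $ext.Format($false)
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

Get-TemplateCertificate | Format-List
```

An empty result after certutil -pulse usually means one of three things: the GPO has not applied to this user (check with gpresult /r), the user lacks Read, Enroll or Autoenroll on the template, or the template is not yet published on the CA.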

 

 

This can also be viewed on the certificate server.

  1. In Server Manager, select Tools > Certification Authority.
  2. In the left panel, select Issued Certificates.

 

The certificates that have been issued from the certificate server to a client will be displayed. In this example, one certificate has been issued to one client.
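The Issued Certificates view can also be queried from the CA database on the command line, which is more useful than the console once many clients have enrolled. This is an added example, not part of the original article; it assumes it runs on the certificate server with the template named EFS-2012 as in the article, and the Security-log query at the end only returns events if auditing of "Issue and manage certificate requests" is enabled on the CA.

```powershell
# Added example (not from the original article): list issued certificates per template
# and requester from the CA database, i.e. the data behind "Issued Certificates".
$templateName = 'EFS-2012'

# Disposition 20 = issued. -out picks the columns; the trailing "csv" selects CSV output.
$columns = 'RequestID,RequesterName,CertificateTemplate,NotAfter'
$raw = certutil -view -restrict 'Disposition=20' -out $columns csv

# The first line of the CSV output is a header row with display names; replace it with
# the column names used above so the objects have predictable property names.
$issued = $raw | Select-Object -Skip 1 |
    ConvertFrom-Csv -Header ($columns -split ',')

function Get-IssuedForTemplate {
    param([string]$Name)
    # The Certificate Template column holds the template OID and, where resolvable, its name
    $issued | Where-Object { $_.CertificateTemplate -like "*$Name*" }
}

# Who has received a certificate from this template, and how many each
Get-IssuedForTemplate -Name $templateName |
    Group-Object RequesterName |
    Select-Object @{n='Requester';e={$_.Name}}, Count |
    Sort-Object Count -Descending

# Optional: the audit event for each issuance (4887 = Certificate Services approved a
# certificate request and issued a certificate). Empty unless CA auditing is enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4887 } -MaxEvents 20 `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{n='Message';e={ $_.Message.Split("`n")[0] }}
```

Reviewing this list periodically is the simplest control for an auto-enrolling template: with Domain Users allowed to auto-enroll, every account gets one, so a requester that is not a normal user account, or a count per requester that keeps growing, is worth investigating.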

 



