Building a Certificate Authority in Windows Server 2019 Part 7 - Certificate Auto-Enrollment

Practical Guide to PKI with Windows Server - First Edition

Now available for purchase: a complete book version of this guide. It is an expanded version of this guide with over 300 screenshots, CLI configuration commands, a quick start guide, additional details and more.

Note: This guide is archived and is no longer updated on this website. For any future updates to this guide, please refer to the version that can be found on docs.mjcb.io.

7.1 User Auto-Enrollment

Enabling User Auto-Enrollment allows users in the organization to automatically receive a certificate from the Active Directory Certificate Services CA when they log on to a workstation. The client only enrolls for templates on which the user has Read, Enroll and Autoenroll permissions, so the template ACL, not just this policy, decides who gets a certificate.

  1. On the TFS-DC01 Server, open the Group Policy Management Console (gpmc.msc).
  2. Open the TFS Labs Certificates GPO that was created earlier.
  3. Open the User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies node.
  4. Open the Certificate Services Client - Certificate Enrollment Policy object.
  5. In the Properties window, change the Configuration Model option to Enabled. Click the OK button to close the window.
  6. Open the Certificate Services Client - Auto-Enrollment object.
  7. In the Properties window, change the Configuration Model option to Enabled. Select the Renew expired certificates, update pending certificates, and remove revoked certificates option and the Update certificates that use certificate templates option. Click the OK button to close the window.

7.1.1 Group Policy Propagation

Once the Auto-Enrollment options have been added to Group Policy, allow time for the GPO to replicate to every domain controller and for clients to pick it up at their next background refresh (by default every 90 minutes plus a random offset of up to 30 minutes); the original guide allows up to 1 hour for the whole process. User auto-enrollment also runs at logon, and gpupdate /force on a client applies the policy immediately.

7.2 Workstation Auto-Enrollment

Enabling Workstation Auto-Enrollment allows workstations in the organization to automatically receive a certificate from the Active Directory Certificate Services CA when they start up and apply computer policy. As with users, the computer account must have Read, Enroll and Autoenroll permissions on the template.

  1. On the TFS-DC01 Server, open the Group Policy Management Console (gpmc.msc).
  2. Open the TFS Labs Certificates GPO that was created earlier.
  3. Open the Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies node.
  4. Open the Certificate Services Client - Certificate Enrollment Policy object.
  5. In the Properties window, change the Configuration Model option to Enabled. Click the OK button to close the window.
  6. Open the Certificate Services Client - Auto-Enrollment object.
  7. In the Properties window, change the Configuration Model option to Enabled. Select the Renew expired certificates, update pending certificates, and remove revoked certificates option and the Update certificates that use certificate templates option. Click the OK button to close the window.

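The same Auto-Enrollment object can be set for both scopes from PowerShell, which is useful when the GPO has to be reproduced in another domain or checked in a script. This is an added example, not part of the original guide: it assumes the GroupPolicy RSAT module is available on TFS-DC01, that the GPO is named TFS Labs Certificates, and that the GUI options map to the AEPolicy bits shown in the comments (0x1 for renew/update pending/remove revoked, 0x2 for updating template-based certificates, 0x8000 for disabled). The Certificate Enrollment Policy object from steps 4 and 5 is left to the GUI.

```powershell
# Added example (not from the original guide): set the Auto-Enrollment policy
# of the "TFS Labs Certificates" GPO for both User (HKCU) and Computer (HKLM)
# Configuration, then read it back and decode it.
# Assumption: AEPolicy bit 0x1 = manage the Personal store (renew expired,
# update pending, remove revoked), 0x2 = update certificates that use
# templates, 0x8000 = disabled. Both GUI options enabled therefore = 7.
Import-Module GroupPolicy

$GpoName = 'TFS Labs Certificates'
$AeKey   = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

# HKCU = User Configuration (section 7.1), HKLM = Computer Configuration (7.2).
# The renewal threshold is left at the client default; the GUI also writes it.
foreach ($Hive in 'HKCU', 'HKLM') {
    Set-GPRegistryValue -Name $GpoName -Key "$Hive\$AeKey" `
        -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
}

# Decode the stored value so a reviewer can see which options are on.
function Get-AutoEnrollmentPolicy {
    param([string]$Name, [string]$Hive)
    $v = Get-GPRegistryValue -Name $Name -Key "$Hive\$AeKey" -ValueName 'AEPolicy' -ErrorAction Stop
    [pscustomobject]@{
        Scope           = if ($Hive -eq 'HKLM') { 'Computer' } else { 'User' }
        AEPolicy        = $v.Value
        Disabled        = [bool]($v.Value -band 0x8000)
        StoreManagement = [bool]($v.Value -band 0x1)   # renew / update pending / remove revoked
        TemplateCheck   = [bool]($v.Value -band 0x2)   # update certificates that use templates
    }
}

'HKCU', 'HKLM' | ForEach-Object { Get-AutoEnrollmentPolicy -Name $GpoName -Hive $_ } | Format-Table -AutoSize
```

Run it on TFS-DC01 as a user who can edit the GPO. Both rows should show StoreManagement and TemplateCheck as True and Disabled as False; a value of 0x8000 in either row means that scope is explicitly disabled and no certificates will be issued at that scope regardless of template permissions.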
7.2.1 Group Policy Propagation

Once the Auto-Enrollment options have been added to Group Policy, allow time for the GPO to replicate to every domain controller and for workstations to apply it at startup or at their next background refresh (by default every 90 minutes plus a random offset of up to 30 minutes); the original guide allows up to 1 hour for the whole process. gpupdate /force on a workstation applies the computer policy immediately.

7.3 Auto-Enrollment Verification

Confirm that auto-enrollment of the TFS Labs User Certificate and TFS Labs Workstation Certificate is working by running gpupdate /force on TFS-WIN10 and restarting it (certutil -pulse triggers the auto-enrollment task immediately without a restart). If auto-enrollment is working, the user's Personal store (certmgr.msc) contains a certificate issued from the TFS Labs User Certificate template and the computer's Personal store (certlm.msc) contains one issued from the TFS Labs Workstation Certificate template, both with a private key and issued by the TFS Labs CA.

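The check above can be scripted so that it reads the template name out of each certificate rather than eyeballing the store, and pulls the auto-enrollment client's own log entries when a certificate is missing. This is an added example, not code from the original guide. It assumes it is run on TFS-WIN10 in an elevated session as the domain user being tested, that the template display names are the ones used in this guide, that the Certificate Template Information extension is rendered with the template name (which requires the client to resolve it against AD), and that the event provider name shown is correct for this build.

```powershell
# Added example (not from the original guide): verify user and machine
# auto-enrollment on TFS-WIN10.
# Assumptions: elevated session, domain user logged on, template display
# names as in this guide, provider name of the auto-enrollment client as below.
$Templates = @{
    User    = 'TFS Labs User Certificate'
    Machine = 'TFS Labs Workstation Certificate'
}

# 1. Apply the GPO now and fire the auto-enrollment task instead of waiting
#    for the next refresh or a reboot.
gpupdate /force | Out-Null
certutil -pulse | Out-Null     # triggers both user and machine auto-enrollment
Start-Sleep -Seconds 15       # give the enrollment task time to reach the CA

# Return the template information embedded in a certificate ('' if none).
function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # v2+ templates: 1.3.6.1.4.1.311.21.7 (Certificate Template Information)
    # v1 templates:  1.3.6.1.4.1.311.20.2 (Certificate Template Name)
    $ext = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
        Select-Object -First 1
    if ($ext) { return $ext.Format($false) } else { return '' }
}

# Find unexpired certificates in a store that were issued from a template.
function Find-AutoEnrolledCert {
    param([string]$StorePath, [string]$TemplateName)
    Get-ChildItem $StorePath | Where-Object {
        (Get-CertTemplateName $_) -match [regex]::Escape($TemplateName) -and
        $_.NotAfter -gt (Get-Date) -and $_.HasPrivateKey
    }
}

function Show-EnrollmentResult {
    param([string]$Scope, [string]$StorePath, [string]$TemplateName)
    $certs = @(Find-AutoEnrolledCert -StorePath $StorePath -TemplateName $TemplateName)
    if ($certs.Count -eq 0) {
        Write-Warning "No valid $Scope certificate from template '$TemplateName' in $StorePath"
    } else {
        $certs | Select-Object @{ n = 'Scope'; e = { $Scope } }, Subject, Issuer, NotAfter, Thumbprint |
            Format-List
    }
}

Show-EnrollmentResult -Scope 'User'    -StorePath 'Cert:\CurrentUser\My'  -TemplateName $Templates.User
Show-EnrollmentResult -Scope 'Machine' -StorePath 'Cert:\LocalMachine\My' -TemplateName $Templates.Machine

# 2. If a certificate is missing, the auto-enrollment client records why
#    (no permission on the template, CA unreachable, pending request, ...)
#    in the Application log. Provider name is an assumption for this build.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

A warning for one scope with a certificate present for the other usually points at the template ACL (missing Autoenroll for that user or computer group) or at the GPO being linked to an OU that contains only one of the two account types; the log entries at the end name the template and the CA response, which is faster than repeating the reboot.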