Wednesday 8 April 2015

Configure auto-enrollment for computer certificates via GPO

Firstly - ensure that each certificate template you wish to auto-enroll grants Read, Enroll and Autoenroll to a group containing the target machines (e.g. Domain Computers, or a tighter group of your own), and that the template is published on the issuing CA. Grant these rights only to the machines that genuinely need the certificate: any computer with Enroll/Autoenroll on a template can obtain a certificate from it.

Create and link a new GPO to your OU containing all of your workstations e.g. Computer Policy.

Edit the GPO and navigate to Computer Configuration >> Windows Settings >> Security Settings >> Public Key Policies >> Certificate Services Client - Auto-Enrollment (the same setting under User Configuration only controls user certificates, not computer certificates):

- Configuration Model = Enabled.
- Renew expired certificates, update pending certificates, and remove revoked certificates = Ticked.
- Update certificates that use certificate templates = Ticked.

Apply the settings and then test on the clients by issuing:

gpupdate /force

(The auto-enrollment task also runs at startup, so a restart of the computer can do the trick if the certificates are not showing up after a gpupdate.)
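The two checks below are an added example, not part of the original post. The first function runs on a machine with the ActiveDirectory module and reads the template's ACL in the Configuration partition, reporting whether the chosen group holds Read, Enroll and Autoenroll (the two enrollment extended-right GUIDs are the well-known values for those rights). The second function runs elevated on a domain-joined client: it pulls policy, pulses auto-enrollment, reads the AEPolicy registry value the GPO setting writes, and lists any certificate in the machine Personal store whose certificate-template extension matches the name or OID you pass. The template name "Workstation" and the group "Domain Computers" are placeholders.

```powershell
# Added example: verifying template permissions and client-side auto-enrollment.
# Not from the original post; names used below are placeholders.

# --- Run where the ActiveDirectory module is available (e.g. a DC or admin workstation) ---
function Test-TemplateAutoenrollAcl {
    param(
        [Parameter(Mandatory)][string]$TemplateName,        # the template's Name (CN), not its Display Name
        [string]$Principal = 'Domain Computers'             # assumption: group holding the target machines
    )
    Import-Module ActiveDirectory
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn  = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $acl = Get-Acl -Path "AD:\$dn"

    # Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment.
    $enrollGuid     = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'
    $autoenrollGuid = [guid]'a05b8cc2-17bc-11d2-88a8-00c04fb98053'

    $rights = @{ Read = $false; Enroll = $false; Autoenroll = $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notlike "*\$Principal") { continue }

        $r = $ace.ActiveDirectoryRights
        if ($r -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) {
            $rights.Read = $rights.Enroll = $rights.Autoenroll = $true
            continue
        }
        if ($r.ToString() -match 'GenericRead|ReadProperty') { $rights.Read = $true }
        if ($r -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
            switch ($ace.ObjectType) {
                $enrollGuid     { $rights.Enroll = $true }
                $autoenrollGuid { $rights.Autoenroll = $true }
                ([guid]::Empty) { $rights.Enroll = $true; $rights.Autoenroll = $true }  # "all extended rights"
            }
        }
    }
    [pscustomobject]($rights + @{ Template = $TemplateName; Principal = $Principal })
}

# --- Run elevated on a domain-joined client after the GPO is linked ---
function Test-ClientAutoenrollment {
    param([Parameter(Mandatory)][string]$TemplateMatch)   # template display name or OID, as shown by certutil -dump

    gpupdate /target:computer /force | Out-Null
    certutil -pulse | Out-Null   # fire the auto-enrollment task now rather than waiting for the next refresh

    # The GPO setting lands here. 7 = Enabled with both boxes ticked (1 enabled, 2 renew/update/remove,
    # 4 update templated certs); 0x8000 = explicitly Disabled.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $ae  = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    $state = if ($null -eq $ae)           { 'policy not applied' }
             elseif ($ae -band 0x8000)    { 'disabled' }
             elseif ($ae -eq 7)           { 'enabled (renew/update + templated certs)' }
             else                         { "enabled with partial options ($ae)" }

    # The template is recorded in extension 1.3.6.1.4.1.311.21.7 (v2+ templates) or 1.3.6.1.4.1.311.20.2 (v1).
    $templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
    $hits = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        ($_.Extensions | Where-Object { $_.Oid.Value -in $templateOids } |
            ForEach-Object { $_.Format($false) }) -match [regex]::Escape($TemplateMatch)
    }

    # Recent auto-enrollment events explain failures (e.g. no template matched, RPC to CA failed).
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    } -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        AEPolicy     = $ae
        State        = $state
        Certificates = $hits | Select-Object Subject, NotBefore, NotAfter, Thumbprint
        LastEvents   = $events
    }
}

# Usage:
# Test-TemplateAutoenrollAcl -TemplateName 'Workstation' -Principal 'Domain Computers'
# Test-ClientAutoenrollment -TemplateMatch 'Workstation Authentication'
```

If the ACL check reports Enroll without Autoenroll, the client will log that no template applies and nothing is issued, even though the GPO setting shows as 7. If AEPolicy is missing on the client, the GPO has not reached it: check the OU link and the computer's `gpresult /r` before touching the CA.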

