Deploy Client Computer Certificates

Applies To: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

You can use this procedure to configure the certificate template that Active Directory® Certificate Services (AD CS) uses as the basis for computer certificates that are enrolled to domain member client computers.

Membership in both the Enterprise Admins group and the Domain Admins group of the root domain is the minimum required to complete this procedure.

Important

If you have already deployed server certificates using the steps provided in NPS Server Certificate: Configure the Template and Autoenrollment, you do not need to perform steps 13 through 20 of this procedure. These steps are used to configure computer certificate autoenrollment, and they are the same steps found in the aforementioned topic.

To configure the certificate template and autoenrollment

  1. On the computer where Active Directory Certificate Services is installed, click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.

  3. In Available snap-ins, double-click Certification Authority. Select the certification authority (CA) that you want to manage by using the snap-in, and then click Finish. The Certification Authority dialog box closes, returning to the Add or Remove Snap-ins dialog box.

  4. In Available snap-ins, double-click Certificate Templates, and then click OK.

  5. In the console tree, click Certificate Templates. All of the certificate templates are displayed in the details pane.

  6. In the details pane, click the Workstation Authentication template.

  7. On the Action menu, click Duplicate Template. The Duplicate Template dialog box opens. Select the template version appropriate for your deployment, and then click OK. The new template properties dialog box opens.

  8. On the General tab, in Display Name, type a new name for the certificate template or keep the default name.

  9. Click the Security tab. In Group or user names, click Domain Computers.

  10. In Permissions for Domain Computers, under Allow, select the Enroll and Autoenroll permission check boxes, and then click OK.

  11. Double-click Certification Authority, double-click the CA name, and then click Certificate Templates. On the Action menu, point to New, and then click Certificate Template to Issue. The Enable Certificate Templates dialog box opens.

  12. Click the name of the certificate template you just configured, and then click OK. For example, if you did not change the default certificate template name, click Copy of Workstation Authentication, and then click OK.

  13. On the computer where Active Directory Domain Services (AD DS) is installed, click Start, click Run, type mmc, and then click OK.

  14. On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.

  15. In the Add or Remove Snap-ins dialog box, in Available snap-ins, double-click Group Policy Management Editor. The Select Group Policy Object wizard opens. Click Browse, and then select Default Domain Policy. Click OK, click Finish, and then click OK again.

  16. Double-click Default Domain Policy. Open Computer Configuration, then Policies, then Windows Settings, then Security Settings, and then Public Key Policies.

  17. In the details pane, double-click Certificate Services Client - Auto-Enrollment. The Certificate Services Client - Auto-Enrollment Properties dialog box opens.

  18. In the Certificate Services Client - Auto-Enrollment Properties dialog box, in Configuration Model, select Enabled.

  19. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.

  20. Select the Update certificates that use certificate templates check box, and then click OK.

Additional considerations

After you complete this procedure, domain member client computers automatically enroll a client computer certificate when Group Policy is refreshed. To refresh Group Policy, restart the client computer or, at the command prompt, run gpupdate.
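As an added check that is not part of the original topic, the following PowerShell script, run on a domain member client after Group Policy has refreshed, verifies the three results of the procedure: the autoenrollment policy from steps 18 through 20 has applied, the template from step 12 is published on the CA, and a certificate from that template is present in the computer's Personal store. It assumes the default template display name from step 12 (change $TemplateName if you renamed it in step 8) and the documented bit layout of the AEPolicy registry value.

```powershell
# Added verification script; not from the original topic. Run on a domain member
# client after gpupdate /target:computer /force has applied the policy.
$TemplateName    = 'Copy of Workstation Authentication'  # assumption: default name kept in step 8
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'       # Client Authentication EKU on the Workstation Authentication template
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'    # Certificate Template Information extension (v2 and later templates)

function Test-AutoEnrollmentPolicy {
    # Steps 18-20 write AEPolicy as a bit mask: 0x1 Enabled, 0x2 update certificates
    # that use templates (step 20), 0x4 renew/update/remove (step 19). Expect all three.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value) { return 'MISSING: policy not applied yet; run gpupdate /target:computer /force' }
    if (($value -band 0x7) -eq 0x7) { return 'OK: Auto-Enrollment enabled with both check boxes (AEPolicy=0x7)' }
    return ('INCOMPLETE: AEPolicy=0x{0:X}; re-check steps 18 through 20' -f $value)
}

function Test-TemplatePublished {
    # certutil -CATemplates lists the templates published on the enterprise CA as
    # "<cn>: <display name> -- <status>". The status suffix reflects the account running
    # the command, so only the presence of the template (step 12) is checked here.
    $line = certutil -CATemplates 2>&1 | Select-String -SimpleMatch $TemplateName | Select-Object -First 1
    if (-not $line) { return "MISSING: '$TemplateName' is not published on the CA (step 12)" }
    return "OK: $($line.Line.Trim())"
}

function Get-EnrolledClientCert {
    # The computer's Personal store should hold a certificate issued from the template,
    # with a private key and the Client Authentication EKU.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid) -and
        (($_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid } |
            ForEach-Object { $_.Format($false) }) -like "*$TemplateName*")
    }
}

Test-AutoEnrollmentPolicy
Test-TemplatePublished
$cert = Get-EnrolledClientCert | Sort-Object NotAfter -Descending | Select-Object -First 1
if ($cert) {
    'OK: {0} issued by {1}, valid until {2:u}' -f $cert.Subject, $cert.Issuer, $cert.NotAfter
} else {
    'MISSING: no certificate from the template yet; run certutil -pulse to trigger autoenrollment now'
}
```

certutil -pulse starts the autoenrollment task immediately instead of waiting for the next scheduled run; check the Application event log under source CertificateServicesClient-AutoEnrollment if the certificate still does not appear.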