Configure Certificate Autoenrollment

Applies To: Windows Server 2008

Many certificates can be distributed without the client even being aware that enrollment is taking place. These can include most types of certificates issued to computers and services, as well as many certificates issued to users.

To automatically enroll clients for certificates in a domain environment, you must:

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To configure autoenrollment Group Policy for a domain

  1. On a domain controller running Windows Server 2008, click Start, point to Administrative Tools, and then click Group Policy Management.

  2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

  3. Right-click the Default Domain Policy GPO, and then click Edit.

  4. In the Group Policy Management Console (GPMC), go to User Configuration, Windows Settings, Security Settings, and then click Public Key Policies.

  5. Double-click Certificate Services Client - Auto-Enrollment.

  6. Select the Enroll certificates automatically check box to enable autoenrollment. If you want to block autoenrollment from occurring, select the Do not enroll certificates automatically check box.

  7. If you are enabling certificate autoenrollment, you can select the following check boxes:

    • Renew expired certificates, update pending certificates, and remove revoked certificates

    • Update certificates that use certificate templates

  8. Click OK to accept your changes.
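After the GPO has applied, you can confirm on a client what the autoenrollment policy actually resolved to. The following PowerShell is an added example, not part of the original procedure. It assumes the policy is stored as the `AEPolicy` value under `Software\Policies\Microsoft\Cryptography\AutoEnrollment` with the bit flags described in Microsoft's autoenrollment protocol documentation; neither the registry location nor the flag values are stated on this page, and the function name is hypothetical.

```powershell
# Added example: decode the autoenrollment policy written by Group Policy.
# Assumed registry location and AEPolicy bit flags (not taken from this page):
#   0x0001  Update certificates that use certificate templates
#   0x0002  Manage the personal store (renew expired, remove revoked)
#   0x0004  Retrieve pending certificates
#   0x8000  Autoenrollment disabled
$AEKey = 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'

function Get-AutoEnrollmentState {   # hypothetical helper name
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive)

    $prop = Get-ItemProperty -Path "${Hive}:\$AEKey" -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # No policy value: the GPO setting is "Not configured" or has not applied yet.
        return New-Object PSObject -Property @{ Scope = $Hive; Raw = $null; State = 'Not configured' }
    }

    $value = [int]$prop.AEPolicy
    if (($value -band 0x8000) -ne 0) { $state = 'Disabled' } else { $state = 'Enabled' }

    New-Object PSObject -Property @{
        Scope          = $Hive
        Raw            = '0x{0:X}' -f $value
        State          = $state
        TemplateUpdate = ($value -band 0x1) -ne 0
        RenewAndRemove = ($value -band 0x2) -ne 0
        FetchPending   = ($value -band 0x4) -ne 0
    }
}

# HKCU reflects the User Configuration setting edited in the procedure above;
# HKLM reflects the equivalent Computer Configuration setting, if one is set.
'HKCU', 'HKLM' | ForEach-Object { Get-AutoEnrollmentState -Hive $_ } | Format-List

# To apply the policy and trigger enrollment without waiting for the next refresh:
#   gpupdate /target:user /force
#   certutil -pulse
```

A result of `Not configured` or `Disabled` on a client that should be enrolling usually means the GPO is not linked to, or is filtered out of, the scope that contains that user or computer.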
