Configure Computer Certificate Autoenrollment
Updated: March 14, 2008
Applies To: Windows Server 2008
You can use this procedure to automatically enroll client computer certificates to domain member computers.
| Note |
|---|
| In this procedure, you are instructed to enable the Certificate Services Client - Auto-Enrollment Group Policy setting. If you have previously deployed server certificates and configured autoenrollment of server certificates, you do not need to perform this procedure again; however, you can use this procedure to verify that Group Policy is configured correctly to autoenroll certificates. |
Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.
- On the computer where Active Directory Domain Services (AD DS) is installed, click Start, click Run, type mmc, and then click OK.
- On the File menu, click Add/Remove Snap-in, and then click Add. The Add or Remove Snap-ins dialog box opens.
- In Available snap-ins, scroll down to and double-click Group Policy Management Editor, and then click OK. The Group Policy Wizard opens.
- In Select Group Policy Object, click Browse. The Browse for a Group Policy Object dialog box opens.
- In Domains, OUs, and linked Group Policy Objects, click Default Domain Policy, and then click OK.
- Click Finish, and then click OK.
- Double-click Default Domain Policy. In the console, expand the following path: Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies.
- Double-click Certificate Services Client - Auto-Enrollment. The Properties dialog box opens. Configure the following items, and then click OK:
  - In Configuration Model, select Enabled.
  - Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
  - Select the Update certificates that use certificate templates check box.
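
To verify on a domain member computer that the setting configured in this procedure has been applied, the following PowerShell script reads the resulting policy value from the registry and decodes it. It is an added example, not part of the original procedure: it assumes the setting is stored in the AEPolicy DWORD under HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment with the bit meanings given in the comments, and the function name Get-AutoEnrollmentState is chosen here for illustration.

```powershell
# Added example (not from the original page). Assumed storage location of the
# Certificate Services Client - Auto-Enrollment computer policy:
$AePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

function Get-AutoEnrollmentState {
    param([string]$Path = $AePolicyKey)

    $state = New-Object PSObject -Property @{
        Configured = $false; Enabled = $false
        RenewAndCleanUp = $false; UpdateFromTemplates = $false
        MatchesProcedure = $false; RawValue = $null
    }
    $prop = Get-ItemProperty -Path $Path -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $state }   # policy not applied, or Not Configured

    $v = [int]$prop.AEPolicy
    $state.Configured = $true
    $state.RawValue   = '0x{0:X}' -f $v
    # Assumed bit layout: 0x8000 = Configuration Model set to Disabled
    $state.Enabled = ($v -band 0x8000) -eq 0
    # 0x2 + 0x4 = "Renew expired certificates, update pending certificates,
    #              and remove revoked certificates"
    $state.RenewAndCleanUp = ($v -band 0x6) -eq 0x6
    # 0x1 = "Update certificates that use certificate templates"
    $state.UpdateFromTemplates = ($v -band 0x1) -ne 0
    # The procedure selects Enabled plus both check boxes.
    $state.MatchesProcedure = $state.Enabled -and $state.RenewAndCleanUp -and
                              $state.UpdateFromTemplates
    return $state
}

$result = Get-AutoEnrollmentState
$result | Format-List
if (-not $result.MatchesProcedure) {
    Write-Warning 'Autoenrollment policy on this computer does not match the procedure.'
}
```

Run `gpupdate /force` on the member computer first so that the updated Default Domain Policy is applied before the check.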

Note