AD CS: Computer autoenrollment should be enabled when an enterprise CA is installed
Applies To: Windows Server 2008 R2, Windows Server 2012
This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Certificate Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.
Operating System | Windows Server® 2008 R2 and Windows Server® 2012
Product/Feature | Active Directory Certificate Services
Severity | Warning
Category | Configuration
This certification authority (CA) was installed as an enterprise CA, but Group Policy settings for computer autoenrollment have not been enabled.
An enterprise CA provides autoenrollment features that enable certificates to be issued without user interaction. The autoenrollment operations on client computers and CAs are controlled by Group Policy settings and certificate template settings. Several default certificate templates are enabled for autoenrollment during CA installation. However, Group Policy settings must be enabled by an administrator before client computers can initiate autoenrollment.
An enterprise CA can use autoenrollment to simplify certificate issuance and renewal. If autoenrollment is not enabled, certificate issuance and renewal may not occur as expected.
Autoenrollment simplifies certificate issuance and helps prevent service interruption by enabling client computers to automatically request and renew certificates. If certificates are not issued or renewed, applications and services that require certificates might fail and new domain users and computers might be unable to access domain resources.
Use the Group Policy Management Console to configure computer autoenrollment policy settings, and use the Certificate Templates snap-in to configure autoenrollment settings on the certificate template.
To automatically enroll client computers for certificates in a domain environment, you must:
Configure an autoenrollment policy for the domain.
Configure certificate templates for autoenrollment.
Configure an enterprise CA.
Membership in Domain Admins or Enterprise Admins is required to complete these procedures.
On a domain controller, open the Group Policy Management console.
In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
Right-click the Default Domain Policy GPO, and then click Edit.
In the Group Policy Management Console (GPMC), click Computer Configuration, Windows Settings, Security Settings, and then click Public Key Policies.
Double-click Certificate Services Client - Auto-Enrollment.
Select the Enroll certificates automatically check box to enable autoenrollment. If you want to disable autoenrollment, select the Do not enroll certificates automatically check box.
If you are enabling certificate autoenrollment, you can optionally select the following check boxes:
Renew expired certificates, update pending certificates, and remove revoked certificates
Update certificates that use certificate templates
Click OK to accept your changes.
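As an added example (not part of this topic), the following PowerShell code decodes the policy value that the Certificate Services Client - Auto-Enrollment setting delivers to a domain member, so the condition this rule reports can be verified from a script rather than only in the GPMC. It assumes the registry location and the bit meanings stated in the comments; the sample values passed at the end are constructed.

```powershell
# Added example, not part of this topic: decode the computer autoenrollment policy
# that the "Certificate Services Client - Auto-Enrollment" setting writes, so the
# condition the BPA rule reports can be verified from a script on a domain member.
# Assumed storage (registry-based Group Policy): the DWORD AEPolicy under
# HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment, where bit 0x8000
# corresponds to "Do not enroll certificates automatically", 0x1 to "Renew expired
# certificates, update pending certificates, and remove revoked certificates" and
# 0x4 to "Update certificates that use certificate templates".

function Get-AutoEnrollmentState {
    param(
        # AEPolicy value; $null means the value is absent (setting not configured).
        [AllowNull()][Nullable[int]] $AEPolicy
    )
    if ($null -eq $AEPolicy) {
        return [pscustomobject]@{
            Status  = 'NotConfigured'; RenewAndManage = $false; TemplateUpdates = $false
            Finding = 'Autoenrollment is not configured by policy; the BPA warning applies.'
        }
    }
    if ($AEPolicy -band 0x8000) {
        return [pscustomobject]@{
            Status  = 'Disabled'; RenewAndManage = $false; TemplateUpdates = $false
            Finding = '"Do not enroll certificates automatically" is selected.'
        }
    }
    $renew    = [bool]($AEPolicy -band 0x1)
    $template = [bool]($AEPolicy -band 0x4)
    $finding  = 'Autoenrollment is enabled.'
    if (-not $renew)    { $finding += ' Renewal/pending/revoked maintenance is off; expired certificates will not renew.' }
    if (-not $template) { $finding += ' Template-change updates are off; template edits will not be picked up.' }
    [pscustomobject]@{
        Status = 'Enabled'; RenewAndManage = $renew; TemplateUpdates = $template; Finding = $finding
    }
}

function Get-LocalAutoEnrollmentState {
    # Reads the effective value on this computer after Group Policy has applied.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    Get-AutoEnrollmentState -AEPolicy $value
}

# Constructed sample values, one per state the policy setting can produce:
Get-AutoEnrollmentState -AEPolicy 7        # Enabled with both optional check boxes selected
Get-AutoEnrollmentState -AEPolicy 0x8000   # Disabled
Get-AutoEnrollmentState -AEPolicy $null    # Not configured
Get-LocalAutoEnrollmentState               # What this computer actually received
```

Because the local value reflects whichever GPO won, running Get-LocalAutoEnrollmentState on a member computer shows the effective setting even when autoenrollment is configured in a GPO other than the Default Domain Policy.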
On the CA, open the Certification Authority snap-in.
In the console pane, expand the CA. Right-click Certificate Templates and then click Manage.
Select the certificate template that you want to enable for autoenrollment.
On the Action menu, click Properties, and then click the Security tab.
Select or add the user or group that you want to permit for autoenrollment.
In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the Allow column, and then click OK and Close to finish.
The enterprise CA does not require autoenrollment configuration, but the certificate templates that you have enabled for autoenrollment must be assigned to the CA before client computers can automatically enroll for those certificates.
On the CA, open the Certification Authority snap-in.
In the console tree, click Certificate Templates.
On the Action menu, point to New, and then click Certificate Template to Issue.
Select the certificate template that you enabled for autoenrollment, and click OK.
For a detailed description of certificate deployment, see the Foundation Network Companion Guides Deploying Computer and User Certificates and Deploying Server Certificates.
Premier Support customers can use an intensive PKI Health Check to review this issue in addition to a thorough evaluation of other issues. For more information, see Public Key Infrastructure Server Health Check Datasheet.