Hello @Hal3s510 ,
Thank you for posting here.
Besides having been rejected, if I am not wrong, MIM CM wouldn't support auto-enroll for certificates, therefore users should have to connect to the MIM portal and request/download/install it manually. So, no automation here.
Am I right?
A1: Certificate auto-enrollment is for certificate templates. I mean we should check the read, enroll and autoenroll permissions on the corresponding certificate templates.
First, auto-enrollment does not happen automatically. Group policy must be set to allow clients to auto-enroll and the types of auto-enrollment allowed. Next, that policy must be pushed out to all of the clients in the domain. Lastly, the certificate authority registered to that domain must have the templates issued for the certificates to be auto-enrolled. These include machine/computer, domain controller, and user certificates.
From the link we mentioned, it does not mention the information about the certificate auto enrollment.
I am not sure how MIM CM works.
Meanwhile, we can consult our question on the Microsoft Identity Manager forum so that a dedicated support professional can further assist you with this request.
Microsoft Identity Manager
https://social.technet.microsoft.com/Forums/en-US/home?forum=ilm2&sort=lastpostdesc&brandIgnore=true&page=7
Reference
Deploying Microsoft Identity Manager Certificate Manager 2016 (MIM CM)
https://video2.skills-academy.com/en-us/microsoft-identity-manager/mim-cm-deploy
The second proposal seems not technically feasible, as it is recommended for stand-alone CA only, not for enterprise CA like mine
https://video2.skills-academy.com/en-us/windows/win32/api/certpol/nn-certpol-icertpolicy
A2: From the link you mentioned, it seems you are right.
Here is a similar case for your reference.
Autoenrollment using custom subject name
https://social.technet.microsoft.com/Forums/office/en-US/6c852c72-a65a-40ad-b87a-3306c2940884/autoenrollment-using-custom-subject-name?forum=winserversecurity
Thank you for your understanding and support.
Best Regards,
Daisy Zhou
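The template-permission check mentioned in A1 can be audited offline from a template's security descriptor in SDDL form. The following Python example is added here and is not code from the original answer or from Microsoft; the function names and the sample SDDL string are constructed for illustration. It treats Read as read-property or generic read and does not resolve group membership.

```python
import re

# Extended-right GUIDs that the template ACL uses for Enroll and Autoenroll.
ENROLL = "0e10c968-78fb-11d2-90d4-00c04f79dc55"
AUTOENROLL = "a05b8cc2-17bc-4802-a710-e7c15ab866a2"
REQUIRED = {"read", "enroll", "autoenroll"}
ACE_RE = re.compile(r"\(([^()]*)\)")
HEX_BITS = {"CR": 0x100, "RP": 0x10, "GR": 0x80000000, "GA": 0x10000000}
# Constructed sample, not taken from a real CA: Domain Users (DU) lack Autoenroll.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DU)(A;;LCRPLORC;;;DU)"
    "(OA;;CR;0e10c968-78fb-11d2-90d4-00c04f79dc55;;DC)"
    "(OA;;CR;a05b8cc2-17bc-4802-a710-e7c15ab866a2;;DC)(A;;LCRPLORC;;;DC)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
)

def parse_rights(field):
    """Turn an SDDL rights field (two-letter codes or a hex mask) into a set of codes."""
    if field.lower().startswith("0x"):
        return {code for code, bit in HEX_BITS.items() if int(field, 16) & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def template_rights(sddl):
    """Map each trustee to the subset of read/enroll/autoenroll its ACEs grant."""
    allow, deny = {}, {}
    for ace in ACE_RE.findall(sddl):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "OA", "D", "OD"):
            continue  # skip audit (SACL) ACEs and malformed entries
        codes, guid, found = parse_rights(fields[2]), fields[3].lower(), set()
        if not guid and codes & {"RP", "GR", "GA"}:
            found.add("read")  # assumption: Read approximated as read-property
        if codes & {"CR", "GA"}:
            # An empty object GUID means the ACE covers every extended right.
            found |= {n for n, g in (("enroll", ENROLL), ("autoenroll", AUTOENROLL))
                      if guid in ("", g)}
        bucket = allow if fields[0] in ("A", "OA") else deny
        bucket.setdefault(fields[5], set()).update(found)
    # Deny wins; group membership is not resolved (simplification).
    return {t: r - deny.get(t, set()) for t, r in allow.items()}

def missing_for_autoenroll(sddl, trustee):
    """List the permissions a trustee still lacks for autoenrollment on this template."""
    return sorted(REQUIRED - template_rights(sddl).get(trustee, set()))

if __name__ == "__main__":
    for who in ("DU", "DC", "DA"):
        print(who, missing_for_autoenroll(SAMPLE_SDDL, who) or "ok")
```

An empty list means the trustee holds all three permissions on the template; the Group Policy setting and the template being issued on the CA still have to be verified separately.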