Certificate Autoenrollment

  • In simple terms, as the name says, autoenrollment enrolls a certificate automatically, without any user input.
  • Below are the minimum requirements for autoenrollment to work:

  • Users and machines must have Read, Enroll and Autoenroll permissions on the certificate template.
  • "Supply in the request" must NOT be enabled on the template; if it is enabled, the subject details have to be filled in manually.
  • Make sure the certificate template version is NOT V1 (autoenrollment does not work with V1 templates).
  • The settings below need to be enabled in group policy. Browse to Computer Configuration - Windows Settings - Security Settings - Public Key Policies - Certificate Services Client - Auto-Enrollment.
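The template-side requirements above can be verified from the template object in the Active Directory configuration partition. The following PowerShell script is an added example, not part of the original post; the template name and principal are assumptions, and it only looks at rights granted directly to that principal (rights inherited through nested group membership are not resolved).

```powershell
# Added example (not from the original post): check a certificate template's
# autoenrollment prerequisites by reading the template object from AD.
# Run as a domain user with read access to the configuration partition.
param(
    [string]$TemplateName = 'UserAutoenroll',       # assumption: template CN
    [string]$Principal    = 'CONTOSO\Domain Users'  # assumption: principal expected to autoenroll
)

# Extended-right GUIDs for Enroll and Autoenroll on certificate template objects
$enrollGuid      = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoenrollGuid  = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$suppliesSubject = 0x1   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = "Supply in the request"

$configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$path = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
    throw "Template '$TemplateName' not found under $configNc"
}
$template = [ADSI]$path

$schemaVersion = [int]$template.Properties['msPKI-Template-Schema-Version'].Value
$nameFlag      = [int]$template.Properties['msPKI-Certificate-Name-Flag'].Value

# Allow ACEs granted directly to the principal (explicit and inherited)
$rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $Principal -and $_.AccessControlType -eq 'Allow' }

$readMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
            [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$hasRead = [bool]($rules | Where-Object { $_.ActiveDirectoryRights -band $readMask })

# An ExtendedRight ACE with an empty ObjectType grants all extended rights
function Test-ExtendedRight([guid]$Right) {
    [bool]($rules | Where-Object {
        ($_.ActiveDirectoryRights -band 'ExtendedRight') -and
        ($_.ObjectType -eq $Right -or $_.ObjectType -eq [guid]::Empty) })
}

$checks = [ordered]@{
    'Read permission'                = $hasRead
    'Enroll permission'              = Test-ExtendedRight $enrollGuid
    'Autoenroll permission'          = Test-ExtendedRight $autoenrollGuid
    'Supply in the request disabled' = (($nameFlag -band $suppliesSubject) -eq 0)
    'Template version is not V1'     = ($schemaVersion -ge 2)
}
foreach ($check in $checks.GetEnumerator()) {
    '{0,-32} {1}' -f $check.Key, $(if ($check.Value) { 'OK' } else { 'FAIL' })
}
```

Each line of output maps to one requirement in the list above; a FAIL on any of them explains why a client that otherwise has the group policy applied never receives a certificate from that template.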

Once the above requirements are met, certificates will be enrolled:

  • When the machine restarts
  • At user logon
  • At the GPO refresh interval

If autoenrollment finds a valid certificate in the Personal store, it will NOT trigger a new certificate request.
To trigger autoenrollment manually, run certutil -pulse from an elevated command prompt. This is useful when troubleshooting autoenrollment issues.

From Windows Vista onwards, autoenrollment works with the help of Task Scheduler.

(Task Scheduler - Microsoft - Windows - CertificateServicesClient)

If the autoenrollment group policy settings are not configured, or if the Task Scheduler service is disabled or stopped, autoenrollment will fail.
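The client-side conditions described above (the group policy setting, the Task Scheduler service and its CertificateServicesClient tasks, an existing valid certificate in the Personal store, and the manual certutil -pulse trigger) can be checked in one pass. The script below is an added example and not from the original post; the registry location and the meaning of the AEPolicy value are assumptions based on where the Auto-Enrollment policy is stored, and the user-scope key is only meaningful when the script runs in that user's session.

```powershell
# Added example (not from the original post): client-side autoenrollment health check.
# Run in an elevated PowerShell session on the client being troubleshooted.
param([switch]$Pulse)   # add -Pulse to trigger autoenrollment manually at the end

# 1. Group policy result. Assumption: the Auto-Enrollment GPO setting is stored in
#    these keys, with bit 0x8000 of AEPolicy meaning "Disabled".
$policyKeys = [ordered]@{
    Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
}
foreach ($scope in $policyKeys.Keys) {
    $policy = Get-ItemProperty -Path $policyKeys[$scope] -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $policy) {
        "$scope autoenrollment policy: NOT CONFIGURED (GPO setting missing)"
    } elseif ($policy.AEPolicy -band 0x8000) {
        "$scope autoenrollment policy: DISABLED (AEPolicy=0x{0:X})" -f $policy.AEPolicy
    } else {
        "$scope autoenrollment policy: ENABLED (AEPolicy=0x{0:X})" -f $policy.AEPolicy
    }
}

# 2. Task Scheduler service and the CertificateServicesClient tasks that drive autoenrollment
$schedule = Get-Service -Name Schedule
"Task Scheduler service: $($schedule.Status)"
Get-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' -ErrorAction SilentlyContinue |
    ForEach-Object { 'Task {0,-14} {1}' -f $_.TaskName, $_.State }

# 3. Certificates already in the machine Personal store. A valid certificate from a
#    template suppresses a new request, so list each one with its template extension.
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'   # V2+ and V1 template extensions
$now = Get-Date
foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $templateExt = $cert.Extensions | Where-Object { $_.Oid.Value -in $templateOids } | Select-Object -First 1
    $validity = if ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now) { 'valid' } else { 'expired/not yet valid' }
    $templateText = if ($templateExt) { $templateExt.Format($false) } else { '(no template extension)' }
    '{0} {1,-22} {2}' -f $cert.Thumbprint, $validity, $templateText
}

# 4. Optional manual trigger, as described in the post (machine context).
if ($Pulse) {
    certutil.exe -pulse
}
```

Running the script with -Pulse and then re-reading the Personal store shows whether the trigger produced a new certificate; if the policy shows NOT CONFIGURED or the Schedule service is not Running, no amount of pulsing will help until that is fixed.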

  • When autoenrollment is enabled, there are scenarios in which a user ends up with multiple certificates installed in his or her Personal store.
  • You can enable the setting below, as shown in the screenshot, to avoid this issue. Enabling the ‘Publish Certificates in Active Directory’ option publishes the issued certificates into Active Directory. This can be verified using the ‘UserCertificates’ attribute in the object's properties. From then on, whenever a new certificate request comes in for the same user, the Certificate Authority will first check the Active Directory database for certificates that are already published. If it finds one, it will not issue a new certificate and will use the existing one instead.
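To see what the CA consults for that duplicate check, the certificates published on a user object (the userCertificate attribute) can be decoded and listed. This script is an added example, not from the original post; the account name is an assumption, and it requires read access to the user object.

```powershell
# Added example (not from the original post): list the certificates published on a
# user's userCertificate attribute, with template, issuer and expiry.
param([string]$SamAccountName = 'jdoe')   # assumption: account to inspect

$searcher = [adsisearcher]"(&(objectClass=user)(sAMAccountName=$SamAccountName))"
$searcher.PropertiesToLoad.Add('userCertificate') | Out-Null
$result = $searcher.FindOne()
if ($null -eq $result) { throw "User '$SamAccountName' not found" }

# Each value is a DER-encoded certificate; property names come back lower-cased
$blobs = $result.Properties['usercertificate']
"Published certificates for ${SamAccountName}: $($blobs.Count)"

$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'   # V2+ and V1 template extensions
$now = Get-Date
foreach ($blob in $blobs) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)
    $templateExt = $cert.Extensions | Where-Object { $_.Oid.Value -in $templateOids } | Select-Object -First 1
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Template   = if ($templateExt) { $templateExt.Format($false) } else { '(no template extension)' }
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Expired    = $cert.NotAfter -lt $now
    }
}
```

Comparing this list with the Personal store on the user's workstation shows which published certificate the CA would treat as the existing one, and whether stale (expired) entries are still sitting on the object.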