AD CS: User autoenrollment should be enabled when an enterprise CA is installed

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Certificate Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server® 2008 R2 and Windows Server® 2012

Product/Feature

Active Directory Certificate Services

Severity

Warning

Category

Configuration

Issue

This certification authority (CA) was installed as an enterprise CA, but Group Policy settings for user autoenrollment have not been enabled.

An enterprise CA provides autoenrollment features that enable certificates to be issued without user interaction. The autoenrollment operations on client computers and CAs are controlled by Group Policy settings and certificate template settings. Several default certificate templates are enabled for autoenrollment during CA installation. However, Group Policy settings must be enabled by an administrator before client computers can initiate autoenrollment.

Impact

An enterprise CA can use autoenrollment to simplify certificate issuance and renewal. If autoenrollment is not enabled, certificate issuance and renewal may not occur as expected.

Autoenrollment simplifies certificate issuance and helps prevent service interruption by enabling client computers to automatically request and renew certificates. If certificates are not issued or renewed, applications and services that require certificates might fail and new domain users and computers might be unable to access domain resources.

Resolution

Use the Group Policy Management Console to configure user autoenrollment policy settings, and use the Certificate Templates snap-in to configure autoenrollment settings on the certificate template.

To automatically enroll client computers for certificates in a domain environment, you must:

  • Configure an autoenrollment policy for the domain.

  • Configure certificate templates for autoenrollment.

  • Configure an enterprise CA.

Membership in Domain Admins or Enterprise Admins is required to complete these procedures.

To configure autoenrollment Group Policy for a domain

  1. On a domain controller, open the Group Policy Management console.

  2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

  3. Right-click the Default Domain Policy GPO, and then click Edit.

  4. In the Group Policy Management Console (GPMC), click User Configuration, Policies, Windows Settings, Security Settings, and then click Public Key Policies.

  5. Double-click Certificate Services Client - Auto-Enrollment.

  6. In Configuration Model, select Enabled to enable autoenrollment. If you want to disable autoenrollment, select Disabled.

  7. If you are enabling certificate autoenrollment, you can select the following check boxes:

    • Renew expired certificates, update pending certificates, and remove revoked certificates

    • Update certificates that use certificate templates

    • Expiration notification

  8. Click OK to accept your changes.
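The GPO procedure above can be verified and applied without clicking through GPMC. The following PowerShell script is an added example written for this page, not Microsoft's own code; it uses the RSAT GroupPolicy module and assumes the GPO is the Default Domain Policy named in the steps (substitute your own GPO name). The "Certificate Services Client - Auto-Enrollment" setting is stored as the AEPolicy DWORD under the user-hive Cryptography\AutoEnrollment policy key; the bit values are the AUTO_ENROLLMENT_* constants from wincrypt.h, and Enabled with both check boxes corresponds to the value 7. The "Expiration notification" option is stored in separate values and is not handled here.

```powershell
# Added example (not from the original page): read and set the user
# autoenrollment policy that step 5-8 above configure through the GUI.
# Requires the GroupPolicy module (RSAT) and Domain Admins rights.
Import-Module GroupPolicy

$GpoName = 'Default Domain Policy'   # assumed: the GPO named in the procedure
$AeKey   = 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment'

# AEPolicy bit values (wincrypt.h AUTO_ENROLLMENT_* constants)
$AE_ENABLE_TEMPLATE_CHECK      = 0x1     # "Update certificates that use certificate templates"
$AE_ENABLE_MY_STORE_MANAGEMENT = 0x2     # "Renew expired, update pending, remove revoked"
$AE_ENABLE_PENDING_FETCH       = 0x4     # written together with the bit above by the GUI
$AE_DISABLE_ALL                = 0x8000  # Configuration Model = Disabled

function Get-AutoEnrollmentPolicyState {
    # Returns NotConfigured, Disabled, or Enabled plus the options that are on.
    param([string]$Gpo = $GpoName)
    $v = Get-GPRegistryValue -Name $Gpo -Key $AeKey -ValueName 'AEPolicy' -ErrorAction SilentlyContinue
    if (-not $v) { return 'NotConfigured' }
    $p = [int]$v.Value
    if ($p -band $AE_DISABLE_ALL) { return 'Disabled' }
    $flags = @('Enabled')
    if ($p -band $AE_ENABLE_TEMPLATE_CHECK)      { $flags += 'UpdateTemplateCertificates' }
    if ($p -band $AE_ENABLE_MY_STORE_MANAGEMENT) { $flags += 'RenewUpdatePendingRemoveRevoked' }
    return ($flags -join ',')
}

function Enable-AutoEnrollmentPolicy {
    # Equivalent of selecting Enabled and both check boxes in the GUI (value 7).
    param([string]$Gpo = $GpoName)
    $value = $AE_ENABLE_TEMPLATE_CHECK -bor $AE_ENABLE_MY_STORE_MANAGEMENT -bor $AE_ENABLE_PENDING_FETCH
    Set-GPRegistryValue -Name $Gpo -Key $AeKey -ValueName 'AEPolicy' -Type DWord -Value $value | Out-Null
}

# Usage: report the current state, enable it if it is not, and report again.
"Before: $(Get-AutoEnrollmentPolicyState)"
if ((Get-AutoEnrollmentPolicyState) -notlike 'Enabled*') { Enable-AutoEnrollmentPolicy }
"After:  $(Get-AutoEnrollmentPolicyState)"

# On a client, apply the policy now and trigger an autoenrollment pass:
#   gpupdate /target:user /force
#   certutil -pulse
```

Reading the value back through Get-GPRegistryValue checks the GPO itself; to confirm that a given user actually received it, inspect HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment on the client after gpupdate.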

To configure certificate templates for autoenrollment

  1. On the CA, open the Certification Authority snap-in.

  2. Expand the CA. Right-click Certificate Templates and then click Manage.

  3. Select the certificate template that you want to enable for autoenrollment.

  4. On the Action menu, click Properties, and then click the Security tab.

  5. Select or add the user or group that you want to permit for autoenrollment.

  6. In the Permissions list for the user or group you selected, select Read, Enroll, and Autoenroll in the Allow column, and then click OK and Close to finish.

Tip

The Autoenroll permission is not available in version 1 certificate templates. You must either select a version 2 or version 3 template, or duplicate a certificate template to create a version 2, version 3, or version 4 certificate template in order to see the Autoenroll permission.

The enterprise CA does not require autoenrollment configuration, but the certificate templates that you have enabled for autoenrollment must be assigned to the CA before client computers can automatically enroll for those certificates.

To assign certificate templates to an enterprise CA

  1. On the CA, open the Certification Authority snap-in.

  2. In the console tree, click Certificate Templates.

  3. On the Action menu, point to New, and then click Certificate Template to Issue.

  4. Select the certificate template that you enabled for autoenrollment, and click OK.
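The two template procedures above (granting Read, Enroll and Autoenroll on a version 2 or later template, then publishing it on the enterprise CA) can be audited in one pass from Active Directory, which is also the report to review when checking which principals are allowed to autoenroll. The script below is an added example for this page, not Microsoft's code; it needs the RSAT ActiveDirectory module, and the principal name CONTOSO\Domain Users is an assumed placeholder. The Enroll and Autoenroll extended-right GUIDs are the well-known values for those control access rights.

```powershell
# Added example (not from the original page): for every template in the
# forest, report schema version, the selected principal's Read/Enroll/
# Autoenroll rights, and the CAs that publish it.
Import-Module ActiveDirectory

$Principal = 'CONTOSO\Domain Users'   # assumed placeholder; use your own group

# Well-known control-access-right GUIDs for certificate templates
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$ConfigNC    = (Get-ADRootDSE).configurationNamingContext
$TemplateNC  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"
$EnrollSvcNC = "CN=Enrollment Services,CN=Public Key Services,CN=Services,$ConfigNC"

function Get-PublishedTemplates {
    # Hashtable: template CN -> array of CA names whose certificateTemplates list it.
    $map = @{}
    Get-ADObject -SearchBase $EnrollSvcNC -LDAPFilter '(objectClass=pKIEnrollmentService)' `
                 -Properties certificateTemplates | ForEach-Object {
        $ca = $_.Name
        foreach ($t in $_.certificateTemplates) {
            if (-not $map.ContainsKey($t)) { $map[$t] = @() }
            $map[$t] += $ca
        }
    }
    return $map
}

function Test-TemplatePermissions {
    # Direct ACEs only: nested group membership is not resolved here.
    param([string]$TemplateName, [string]$Identity)
    $acl  = Get-Acl -Path "AD:\CN=$TemplateName,$TemplateNC"
    $read = $false; $enroll = $false; $auto = $false
    $genericRead = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        $r = $ace.ActiveDirectoryRights
        if (($r -band $genericRead) -eq $genericRead) { $read = $true }
        if ($r -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
            # An empty ObjectType means "all extended rights", which covers both.
            if ($ace.ObjectType -eq [guid]::Empty) { $enroll = $true; $auto = $true }
            if ($ace.ObjectType -eq $EnrollGuid)     { $enroll = $true }
            if ($ace.ObjectType -eq $AutoenrollGuid) { $auto = $true }
        }
    }
    [pscustomobject]@{ Read = $read; Enroll = $enroll; Autoenroll = $auto }
}

function Get-AutoenrollmentReadiness {
    param([string]$Identity = $Principal)
    $published = Get-PublishedTemplates
    Get-ADObject -SearchBase $TemplateNC -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                 -Properties 'msPKI-Template-Schema-Version' | ForEach-Object {
        $perm = Test-TemplatePermissions -TemplateName $_.Name -Identity $Identity
        $ver  = [int]($_.'msPKI-Template-Schema-Version')   # 1 = no Autoenroll right available
        [pscustomobject]@{
            Template        = $_.Name
            SchemaVersion   = $ver
            Read            = $perm.Read
            Enroll          = $perm.Enroll
            Autoenroll      = $perm.Autoenroll
            PublishedOn     = ($published[$_.Name] -join ';')
            AutoenrollReady = ($ver -ge 2 -and $perm.Read -and $perm.Enroll -and
                               $perm.Autoenroll -and $published.ContainsKey($_.Name))
        }
    }
}

# Usage: show every template; AutoenrollReady is true only when all three
# conditions from the procedures above hold for the chosen principal.
Get-AutoenrollmentReadiness | Sort-Object Template | Format-Table -AutoSize
```

A template that shows Autoenroll granted but PublishedOn empty reproduces exactly the gap the text warns about: the template is enabled for autoenrollment but not assigned to any CA, so clients never receive it. Rows where a broad group holds Autoenroll are the ones to review against the least-privilege intent of the template.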
