With autoenrollment, certificates can be requested, issued, or renewed without user intervention. Autoenrollment automatically downloads and manages certificates from Active Directory into the local machine registry for all users who log on to domain-joined machines. Autoenrollment also manages certificates for user objects in Active Directory by deleting revoked and expired certificates.
Autoenrollment can only be configured for version 2 or later certificate templates, which means that you also need a CA running Windows Server 2003 or later. Configuring autoenrollment requires the following steps:
- Edit the certificate template. If the certificate template is a version 1 template, duplicate the template to make it a version 2 or version 3 template. This allows you to configure the Autoenroll settings.
- Grant users or computers the Read, Enroll, and Autoenroll permissions.
- On the Request Handling tab, make sure that the Enroll subject without requiring any user input option is selected to allow enrollment without prompts. (This option is automatically deselected for smart cards, and the Prompt for user action option becomes the default option to allow users to input their personal identification numbers.)
- On the Subject Name tab, make sure the Build from this Active Directory information option is selected. Selecting the Supply in the request option requires the user to manually specify the certificate subject name.
- Do not require multiple signatures for certificate approval. Multiple signatures require manual approval. Certificate requests will be in a pending state until the necessary signatures are obtained.
- Publish the certificate template on the CA (issue the certificate template).
- Edit Group Policy and enable autoenrollment for computers, users, or both. Within either Computer or User Configuration, browse to \Policies\Windows Settings\Security Settings\Public Key Policies and configure the Certificate Services Client – Auto-Enrollment policy.
You can also configure whether certificates are automatically renewed or updated. If automatic renewal is enabled:
- You can force users to re-enroll for a certificate template by updating the template's version number. During logon, when autoenrollment queries Active Directory for required templates, the autoenrollment process examines the template version number. If the template version number has incremented, users must re-enroll.
- To increment a template version number, right-click the template and select Reenroll all certificate holders.
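The following PowerShell script is an added example, not part of the original text: it reads every certificate template from the Configuration partition and reports whether it meets the autoenrollment prerequisites listed above (schema version 2 or later, subject built from Active Directory rather than supplied in the request, no pending approval or required signatures), together with the template version number that "Reenroll all certificate holders" increments and the principals holding Enroll and Autoenroll. It assumes the ActiveDirectory module on a domain-joined machine; the flag bits and extended-right GUIDs are the standard msPKI-* schema values.

```powershell
# Added audit example (not from the original text). Assumes the ActiveDirectory module
# and a domain-joined machine with read access to the Configuration partition.
Import-Module ActiveDirectory

# Standard msPKI-* bit values and extended-right GUIDs used by certificate templates.
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # "Supply in the request" on the Subject Name tab
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # requests held pending until approved
$EnrollRight     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment right
$AutoEnrollRight = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment right

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$props = @('msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag',
           'msPKI-Enrollment-Flag', 'msPKI-RA-Signature', 'revision', 'nTSecurityDescriptor')

Get-ADObject -SearchBase $templatesDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
             -Properties $props |
ForEach-Object {
    $t          = $_
    $nameFlag   = [int]$t.'msPKI-Certificate-Name-Flag'
    $enrollFlag = [int]$t.'msPKI-Enrollment-Flag'

    # Principals granted Enroll or Autoenroll through the template's ACL (Allow ACEs only).
    $aces = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType.ToString() -eq $EnrollRight -or $_.ObjectType.ToString() -eq $AutoEnrollRight)
    }
    $enrollers  = ($aces | Where-Object { $_.ObjectType.ToString() -eq $EnrollRight }).IdentityReference -join ', '
    $autoEnroll = ($aces | Where-Object { $_.ObjectType.ToString() -eq $AutoEnrollRight }).IdentityReference -join ', '

    [pscustomobject]@{
        Template          = $t.Name
        SchemaVersion     = [int]$t.'msPKI-Template-Schema-Version'   # must be 2 or higher
        TemplateVersion   = [int]$t.revision                          # bumped by "Reenroll all certificate holders"
        SubjectFromAD     = -not ($nameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        NoManualApproval  = -not ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS)
        SignaturesNeeded  = [int]$t.'msPKI-RA-Signature'              # must be 0 for unattended enrollment
        EnrollGranted     = $enrollers
        AutoenrollGranted = $autoEnroll
    }
} | Format-Table -AutoSize
```

Rows where AutoenrollGranted is non-empty but SubjectFromAD, NoManualApproval or SignaturesNeeded do not match the prerequisites will never enroll silently, and the grant lists show which groups actually receive certificates without user intervention.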