Many certificates can be distributed without the client even being aware that enrollment is taking place. These can include most types of certificates issued to computers and services, as well as many certificates issued to users.
To automatically enroll clients for certificates in a domain environment, you must:
- Configure a certificate template with
Autoenroll permissions. For more information, see Issuing
Certificates Based on Certificate Templates (http://go.microsoft.com/fwlink/?LinkId=142333).
- Configure an autoenrollment policy for the
domain.
Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.
To configure autoenrollment Group Policy for a domain |
-
On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, point to Administrative Tools, and then click Group Policy Management.
-
In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
-
Right-click the Default Domain Policy GPO, and then click Edit.
-
In the Group Policy Management Console (GPMC), go to User Configuration, Windows Settings, Security Settings, and then click Public Key Policies.
-
Double-click Certificate Services Client - Auto-Enrollment.
-
Select the Enroll certificates automatically check box to enable autoenrollment. If you want to block autoenrollment from occurring, select the Do not enroll certificates automatically check box.
-
If you are enabling certificate autoenrollment, you can select the following check boxes:
- Renew expired certificates, update pending
certificates, and remove revoked certificates enables
autoenrollment for certificate renewal, issuance of pending
certificate requests, and the automatic removal of revoked
certificates from a user's certificate store.
- Update certificates that use certificate
templates enables autoenrollment for issuance of certificates
that supersede issued certificates.
- Renew expired certificates, update pending
certificates, and remove revoked certificates enables
autoenrollment for certificate renewal, issuance of pending
certificate requests, and the automatic removal of revoked
certificates from a user's certificate store.
-
Click OK to accept your changes.