Many certificates can be distributed without the client even being aware that enrollment is taking place. These include most types of certificates issued to computers and services, as well as many certificates issued to users. Because the enrollment is silent, the certificate templates you publish and the security principals you grant Autoenroll on them decide which credentials end up on which machines; review both before enabling the policy.

To automatically enroll clients for certificates in a domain environment, you must:

  • Configure a certificate template and grant the intended users or computers the Read, Enroll, and Autoenroll permissions on it (Autoenroll alone is not sufficient; all three are required for the client to enroll). Grant these to a group scoped to the principals that should receive the certificate rather than to broad groups such as Authenticated Users. For more information, see Issuing Certificates Based on Certificate Templates (http://go.microsoft.com/fwlink/?LinkId=142333).

  • Configure an autoenrollment policy for the domain.
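Before enabling the policy it is worth listing who actually holds enrollment rights on each published template. The following PowerShell is an added example, not code from the original page or from Microsoft; it reads the template objects in the Configuration partition with the ActiveDirectory module (RSAT) and reports, per principal, whether Read, Enroll and Autoenroll are all present, flagging Autoenroll grants to broad groups. The two extended-right GUIDs are the schema-defined Certificate-Enrollment and Certificate-AutoEnrollment rights; the list of "broad" principal names is an assumption you should adjust to your environment.

```powershell
# Added example: audit Enroll / Autoenroll grants on certificate templates.
# Requires the ActiveDirectory module in a domain-joined session with read access to the Configuration partition.
Import-Module ActiveDirectory

# Extended-right GUIDs (controlAccessRight objects in the schema) for the two enrollment rights
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

# Assumed list of principals for which a silent autoenrollment grant deserves a second look
$BroadPrincipals = 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Everyone', 'Users'

function Get-TemplateEnrollmentGrants {
    param([string]$TemplateName = '*')   # '*' audits every template in the forest

    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $templates = Get-ADObject -SearchBase $container -SearchScope OneLevel `
                              -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$TemplateName))"

    foreach ($t in $templates) {
        $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"

        # Aggregate rights per identity: Read usually comes from one ACE and Enroll/Autoenroll from another
        $byIdentity = @{}
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if (-not $byIdentity.ContainsKey($id)) {
                $byIdentity[$id] = @{ Read = $false; Enroll = $false; AutoEnroll = $false }
            }
            $rights = $ace.ActiveDirectoryRights
            if ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) {
                $byIdentity[$id].Read = $true
            }
            if ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
                # An empty ObjectType means "all extended rights" (this is also what a GenericAll grant carries)
                $all = ($ace.ObjectType -eq [guid]::Empty)
                if ($all -or $ace.ObjectType -eq $EnrollRight)     { $byIdentity[$id].Enroll     = $true }
                if ($all -or $ace.ObjectType -eq $AutoEnrollRight) { $byIdentity[$id].AutoEnroll = $true }
            }
        }

        foreach ($id in $byIdentity.Keys) {
            $r = $byIdentity[$id]
            $shortName = ($id -split '\\')[-1]      # strip the DOMAIN\ or NT AUTHORITY\ prefix
            [pscustomobject]@{
                Template       = $t.Name
                Identity       = $id
                Read           = $r.Read
                Enroll         = $r.Enroll
                AutoEnroll     = $r.AutoEnroll
                # Only principals with all three rights will actually receive the certificate silently
                WillAutoEnroll = ($r.Read -and $r.Enroll -and $r.AutoEnroll)
                BroadGrant     = ($r.AutoEnroll -and ($BroadPrincipals -contains $shortName))
            }
        }
    }
}

# Usage: show every template where a broad group can autoenroll
Get-TemplateEnrollmentGrants | Where-Object BroadGrant | Format-Table Template, Identity, WillAutoEnroll -AutoSize
```

A template that appears in this output with WillAutoEnroll true for a broad group will be issued to every member of that group as soon as the policy below is enabled, so fix the template ACL first.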

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure. For more information, see Implement Role-Based Administration.

To configure autoenrollment Group Policy for a domain
  1. On a domain controller running Windows Server 2008 R2 or Windows Server 2008, click Start, point to Administrative Tools, and then click Group Policy Management.

  2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Group Policy object (GPO) that you want to edit. The steps below use the Default Domain Policy GPO; in practice a dedicated GPO for PKI settings, linked at the domain root, is easier to scope, test and roll back, and the remaining steps are identical.

  3. Right-click the Default Domain Policy GPO, and then click Edit.

  4. In the Group Policy Management Editor that opens, go to User Configuration, Windows Settings, Security Settings, and then click Public Key Policies. (The setting for certificates issued to computers and services is the identically named item under Computer Configuration, Windows Settings, Security Settings, Public Key Policies; configure it there as well if computer certificates are to be autoenrolled.)

  5. Double-click Certificate Services Client - Auto-Enrollment.

  6. Select Enroll certificates automatically to enable autoenrollment. If you want to block autoenrollment from occurring, select Do not enroll certificates automatically instead; the two options are mutually exclusive.

  7. If you are enabling certificate autoenrollment, you can select the following check boxes:

    • Renew expired certificates, update pending certificates, and remove revoked certificates enables autoenrollment for certificate renewal, issuance of pending certificate requests, and the automatic removal of revoked certificates from a user's certificate store.

    • Update certificates that use certificate templates enables autoenrollment to re-enroll the client when a template it already holds a certificate from is modified, or when that template is superseded by another template, so that the replacement certificate is issued and the old one retired without user action.

  8. Click OK to accept your changes.
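The same policy can be set and verified from PowerShell, which is useful when the GPO is deployed by script or needs to be checked across domains. The following is an added example written for this page, not code from the original article or from Microsoft. It uses the GroupPolicy module (RSAT) to write the AEPolicy registry value that the Group Policy Management Editor stores for the Certificate Services Client - Auto-Enrollment setting, and then shows the client-side checks. The GPO name 'PKI Autoenrollment' is an assumption; the bit meanings of AEPolicy are given as the Windows SDK defines them, and you should open the GPO in the editor after running this to confirm the check boxes read as you intended.

```powershell
# Added example: configure the autoenrollment policy in a GPO and verify it on a client.
# Run as Domain Admin (or equivalent) where the GroupPolicy module is available.
Import-Module GroupPolicy

$GpoName = 'PKI Autoenrollment'   # assumed name; create it with New-GPO -Name $GpoName and link it with New-GPLink

# AEPolicy bit values (AUTO_ENROLLMENT_* constants in the Windows SDK):
#   0x1    ENABLE_MY_STORE_MANAGEMENT  "Renew expired certificates ... remove revoked certificates"
#   0x2    ENABLE_TEMPLATE_CHECK       "Update certificates that use certificate templates"
#   0x4    ENABLE_PENDING_FETCH        retrieve pending requests (set together with 0x1 by the editor)
#   0x8000 DISABLE_ALL                 "Do not enroll certificates automatically"
function Set-AutoenrollmentPolicy {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][ValidateSet('User', 'Computer')][string]$Scope,
        [switch]$Disable,          # block autoenrollment for this scope
        [switch]$ManageStore,      # renew expired, update pending, remove revoked
        [switch]$UpdateTemplates   # re-enroll when a template is modified or superseded
    )
    # HKCU writes to User Configuration, HKLM to Computer Configuration
    $hive = if ($Scope -eq 'User') { 'HKCU' } else { 'HKLM' }
    $key  = "$hive\Software\Policies\Microsoft\Cryptography\AutoEnrollment"

    if ($Disable) {
        $aePolicy = 0x8000
    } else {
        $aePolicy = 0
        if ($ManageStore)     { $aePolicy = $aePolicy -bor 0x1 -bor 0x4 }
        if ($UpdateTemplates) { $aePolicy = $aePolicy -bor 0x2 }
    }

    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'AEPolicy' -Type DWord -Value $aePolicy | Out-Null
    # Read back what the GPO now carries so the caller can assert on it
    Get-GPRegistryValue -Name $GpoName -Key $key -ValueName 'AEPolicy'
}

# Enable for both users and computers with both options selected (AEPolicy = 7)
Set-AutoenrollmentPolicy -GpoName $GpoName -Scope User     -ManageStore -UpdateTemplates
Set-AutoenrollmentPolicy -GpoName $GpoName -Scope Computer -ManageStore -UpdateTemplates

# Client-side verification; run on a domain member after the GPO has been linked
function Test-AutoenrollmentOnClient {
    gpupdate /force | Out-Null
    certutil -pulse | Out-Null        # trigger the autoenrollment task now instead of waiting for the next interval
    Start-Sleep -Seconds 15

    # Certificates issued from a template carry the template extension (v1 name or v2 information OID)
    $templateOids = '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7'
    Get-ChildItem Cert:\CurrentUser\My |
        Select-Object Subject, NotAfter,
            @{ n = 'Template'; e = { ($_.Extensions | Where-Object { $_.Oid.Value -in $templateOids } |
                                     ForEach-Object { $_.Format($false) }) -join '; ' } }

    # Autoenrollment successes and failures are written to the Application log by this provider
    Get-WinEvent -FilterHashtable @{ LogName = 'Application';
                                     ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' } `
                 -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Test-AutoenrollmentOnClient
```

If the GPO applies but no certificate appears, the event log query is the first place to look: the autoenrollment provider records which template was attempted and why the CA refused it, which is almost always a missing Read, Enroll or Autoenroll permission on the template rather than a policy problem.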

Additional references