Certificate Services Windows 2008 Autoenroll not working

I can manually request a certificate from the browser for my workstation or user. I can also request one from MMC / Certificates / Request New Certificate.
However, autoenroll is not working on any of my duplicate templates I have created.

Some quick things to check:

- Are certificates for the template set to be issued by the CA? Having the template is not enough.
- Are the templates auto-enroll compatible? E.g. they cannot require any user input.
- Are the permissions correct? Users/Computers will need Read and Autoenroll permission.
- Is AutoEnroll enabled on the clients? Can be done using GPO.

This certification authority (CA) was installed as an enterprise CA, but Group Policy settings for user autoenrollment have not been enabled.
An enterprise CA provides autoenrollment features that enable certificates to be issued without user interaction. The autoenrollment operations on client computers and CAs are controlled by Group Policy settings and certificate template settings. Several default certificate templates are enabled for autoenrollment during CA installation. However, Group Policy settings must be enabled by an administrator before client computers can initiate autoenrollment.


An enterprise CA can use autoenrollment to simplify certificate issuance and renewal. If autoenrollment is not enabled, certificate issuance and renewal may not occur as expected.
Autoenrollment simplifies certificate issuance and helps prevent service interruption by enabling client computers to automatically request and renew certificates. If certificates are not issued or renewed, applications and services that require certificates might fail and new domain users and computers might be unable to access domain resources.


Use the Group Policy Management Console to configure user autoenrollment policy settings, and use the Certificate Templates snap-in to configure autoenrollment settings on the certificate template.
To automatically enroll client computers for certificates in a domain environment, you must:

- Configure an autoenrollment policy for the domain.
- Configure certificate templates for autoenrollment.
- Configure an enterprise CA.

Membership in Domain Admins or Enterprise Admins is required to complete these procedures.

To configure autoenrollment Group Policy for a domain

1. On a domain controller, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
3. Right-click the Default Domain Policy GPO, and then click Edit.
4. In the Group Policy Management Console (GPMC), click User Configuration, Policies, Windows Settings, Security Settings, and then click Public Key Policies.
5. Double-click Certificate Services Client - Auto-Enrollment.
6. In Configuration Model, select Enabled to enable autoenrollment. If you want to disable autoenrollment, select Disabled.
7. If you are enabling certificate autoenrollment, you can select the following check boxes:
   - Renew expired certificates, update pending certificates, and remove revoked certificates
   - Update certificates that use certificate templates
   - Expiration notification
8. Click OK to accept your changes.

To configure certificate templates for autoenrollment

1. On the taskbar, click Start, and then click Run.
2. In the Run dialog box, type certtmpl.msc, and then click OK to open the Certificate Templates snap-in.
3. Select the certificate template that you want to enable for autoenrollment.
4. On the Action menu, click Properties, and then click the Security tab.
5. Select or add the user or group that you want to permit for autoenrollment.
6. In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the Allow column, and then click OK and Close to finish.

The enterprise CA does not require autoenrollment configuration, but the certificate templates that you have enabled for autoenrollment must be assigned to the CA before client computers can automatically enroll for those certificates.

To assign certificate templates to an enterprise CA

1. On the taskbar, click Start, and then click Run.
2. In the Run dialog box, type certsrv.msc, and then click OK to open the Certification Authority snap-in.
3. In the console tree, click Certificate Templates.
4. On the Action menu, point to New, and then click Certificate Template to Issue.
5. Select the certificate template that you enabled for autoenrollment, and click OK.
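
The checklist and the three procedures above can be verified from a domain-joined client without opening any snap-in. The following PowerShell is an added example, not part of either answer or of Microsoft's documentation; the function name `Test-AutoEnrollReadiness` and the template name `WorkstationCopy` are hypothetical, and it assumes PowerShell 3.0 or later run as a domain user who can read the Configuration partition.

```powershell
# Read-only checks for one certificate template; nothing is modified.
function Test-AutoEnrollReadiness {
    param([Parameter(Mandatory)][string]$TemplateName)  # template CN, not display name

    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $pki      = "CN=Public Key Services,CN=Services,$configNC"

    # Check 1: which enterprise CAs have the template assigned (set to be issued)?
    $searcher = [adsisearcher]'(objectClass=pKIEnrollmentService)'
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pki"
    $issuingCAs = @($searcher.FindAll() |
        Where-Object { $_.Properties['certificatetemplates'] -contains $TemplateName } |
        ForEach-Object { [string]$_.Properties['cn'][0] })

    # Check 2: template flags that force user input and so defeat autoenrollment.
    $template   = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,$pki"
    $nameFlag   = [int]$template.Properties['msPKI-Certificate-Name-Flag'].Value
    $enrollFlag = [int]$template.Properties['msPKI-Enrollment-Flag'].Value

    # Check 3: principals with an explicit Allow ACE for the Autoenroll extended right.
    $autoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
    $rules = $template.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [Security.Principal.NTAccount])
    $autoEnrollees = @($rules |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ObjectType -eq $autoEnrollRight } |
        ForEach-Object { $_.IdentityReference.Value })

    # Check 4: autoenrollment policy as delivered to this client by Group Policy.
    $policy = @{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
        $ae  = (Get-ItemProperty $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        # Missing value = policy not configured; bit 0x8000 = explicitly disabled.
        $policy[$hive] = ($null -ne $ae) -and -not ($ae -band 0x8000)
    }

    [pscustomobject]@{
        Template              = $TemplateName
        IssuedByCAs           = $issuingCAs
        SubjectSuppliedInReq  = [bool]($nameFlag   -band 0x1)
        UserInteractionNeeded = [bool]($enrollFlag -band 0x100)
        AutoenrollAllowedFor  = $autoEnrollees
        ComputerPolicyEnabled = $policy['HKLM']
        UserPolicyEnabled     = $policy['HKCU']
    }
}

Test-AutoEnrollReadiness -TemplateName 'WorkstationCopy'  # placeholder template name
```

An empty `IssuedByCAs` or `AutoenrollAllowedFor`, a `True` in either user-input column, or a `False` policy value points to the corresponding checklist item. Check 3 lists only explicit Autoenroll entries, so principals that hold Full Control on the template do not appear.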

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.