Certificate Services Windows 2008 Autoenroll not working

Posted on 2011-10-04
Last Modified: 2012-08-14
I can manually request a certificate from the browser for my workstation or user. I can also request one from MMC / Certificates / Request New Certificate.
However, autoenroll is not working on any of my duplicate templates I have created.
Question by: lanman777
    LVL 14

    Expert Comment

    Some quick things to check:

    - Are certificates for the template set to be issued by the CA? Having the template is not enough.
    - Are the templates auto-enroll compatible? E.g. they cannot require any user input.
    - Are the permissions correct? Users/Computers will need Read and Autoenroll permission.
    - Is AutoEnroll enabled on the clients? Can be done using GPO.
    LVL 8

    Accepted Solution


    This certification authority (CA) was installed as an enterprise CA, but Group Policy settings for user autoenrollment have not been enabled.
    An enterprise CA provides autoenrollment features that enable certificates to be issued without user interaction. The autoenrollment operations on client computers and CAs are controlled by Group Policy settings and certificate template settings. Several default certificate templates are enabled for autoenrollment during CA installation. However, Group Policy settings must be enabled by an administrator before client computers can initiate autoenrollment.


    An enterprise CA can use autoenrollment to simplify certificate issuance and renewal. If autoenrollment is not enabled, certificate issuance and renewal may not occur as expected.
    Autoenrollment simplifies certificate issuance and helps prevent service interruption by enabling client computers to automatically request and renew certificates. If certificates are not issued or renewed, applications and services that require certificates might fail and new domain users and computers might be unable to access domain resources.


    Use the Group Policy Management Console to configure user autoenrollment policy settings, and use the Certificate Templates snap-in to configure autoenrollment settings on the certificate template.
    To automatically enroll client computers for certificates in a domain environment, you must:

    - Configure an autoenrollment policy for the domain.
    - Configure certificate templates for autoenrollment.
    - Configure an enterprise CA.

    Membership in Domain Admins or Enterprise Admins is required to complete these procedures.

    To configure autoenrollment Group Policy for a domain

    1. On a domain controller, click Start, point to Administrative Tools, and then click Group Policy Management.
    2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.
    3. Right-click the Default Domain Policy GPO, and then click Edit.
    4. In the Group Policy Management Console (GPMC), click User Configuration, Policies, Windows Settings, Security Settings, and then click Public Key Policies.
    5. Double-click Certificate Services Client - Auto-Enrollment.
    6. In Configuration Model, select Enabled to enable autoenrollment. If you want to disable autoenrollment, select Disabled.
    7. If you are enabling certificate autoenrollment, you can select the following check boxes:
       - Renew expired certificates, update pending certificates, and remove revoked certificates
       - Update certificates that use certificate templates
       - Expiration notification
    8. Click OK to accept your changes.

    To configure certificate templates for autoenrollment

    1. On the taskbar, click Start, and then click Run.
    2. In the Run dialog box, type certtmpl.msc, and then click OK to open the Certificate Templates snap-in.
    3. Select the certificate template that you want to enable for autoenrollment.
    4. On the Action menu, click Properties, and then click the Security tab.
    5. Select or add the user or group that you want to permit for autoenrollment.
    6. In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the Allow column, and then click OK and Close to finish.

    The enterprise CA does not require autoenrollment configuration, but the certificate templates that you have enabled for autoenrollment must be assigned to the CA before client computers can automatically enroll for those certificates.

    To assign certificate templates to an enterprise CA

    1. On the taskbar, click Start, and then click Run.
    2. In the Run dialog box, type certsrv.msc, and then click OK to open the Certification Authority snap-in.
    3. In the console tree, click Certificate Templates.
    4. On the Action menu, point to New, and then click Certificate Template to Issue.
    5. Select the certificate template that you enabled for autoenrollment, and click OK.
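
The checks named in the comment and the accepted solution above (policy enabled on the client, Enroll/Autoenroll permission on the template, template assigned to the CA) can be read back from PowerShell. This is an added example, not part of the original thread: the template name is a placeholder, and the `AEPolicy` registry location and its 0x8000 "disabled" bit are assumptions to confirm against your own GPO.

```powershell
# Added example: read-only checks, run on a domain-joined client.
# $TemplateName is a placeholder; pass the template's cn, not its display name.
param([string]$TemplateName = 'ExampleTemplate')

# 1. Has the autoenrollment Group Policy reached this client?
#    Assumption: AEPolicy under the key below; bit 0x8000 means "Disabled".
$aeKey = 'SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
foreach ($hive in 'HKCU', 'HKLM') {
    $p = Get-ItemProperty -Path "${hive}:\$aeKey" -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $p)                 { "$hive policy: not configured" }
    elseif ($p.AEPolicy -band 0x8000) { "$hive policy: disabled" }
    else { '{0} policy: enabled (AEPolicy=0x{1:X})' -f $hive, $p.AEPolicy }
}

# 2. Who holds Enroll / Autoenroll on the template? (explicit Allow ACEs only)
$cfg  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pki  = "CN=Public Key Services,CN=Services,$cfg"
$tmpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,$pki"
$rights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
}
$tmpl.psbase.ObjectSecurity.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $rights.ContainsKey("$($_.ObjectType)") } |
    ForEach-Object { '{0}: {1}' -f $_.IdentityReference, $rights["$($_.ObjectType)"] }

# 3. Which enterprise CAs are set to issue the template?
$searcher = [ADSISearcher]'(objectClass=pKIEnrollmentService)'
$searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pki"
foreach ($ca in $searcher.FindAll()) {
    $issues = $ca.Properties['certificatetemplates'] -contains $TemplateName
    '{0} issues {1}: {2}' -f $ca.Properties['cn'][0], $TemplateName, $issues
}

# After correcting a finding: gpupdate /force, then certutil -pulse
# (certutil -user -pulse for the user context) to trigger autoenrollment.
```

The output of step 2 also shows exactly which users and groups can obtain certificates from the template, so it doubles as a check that those rights are held only by the principals you intended.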
