• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2038
  • Last Modified:

Certificate Services Windows 2008 Autoenroll not working

I can manually request a certificate from the browser for my workstation or user. I can also request one from MMC / Certificates / Request New Certificate.
However, autoenroll is not working on any of my duplicate templates I have created.
1 Solution
Some quick things to check:

- Are certificates for the template set to be issued by the CA? Having the template is not enough
- Are the templates auto-enroll compatible? E.g. they cannot require any user input.
- are the permissions correct? Users/Computers will need Read and Autoenroll permission
- is AutoEnroll enabled on the clients? Can be done using GPO.

This certification authority (CA) was installed as an enterprise CA, but Group Policy settings for user autoenrollment have not been enabled.
An enterprise CA provides autoenrollment features that enable certificates to be issued without user interaction. The autoenrollment operations on client computers and CAs are controlled by Group Policy settings and certificate template settings. Several default certificate templates are enabled for autoenrollment during CA installation. However, Group Policy settings must be enabled by an administrator before client computers can initiate autoenrollment.


An enterprise CA can use autoenrollment to simplify certificate issuance and renewal. If autoenrollment is not enabled, certificate issuance and renewal may not occur as expected.
Autoenrollment simplifies certificate issuance and helps prevent service interruption by enabling client computers to automatically request and renew certificates. If certificates are not issued or renewed, applications and services that require certificates might fail and new domain users and computers might be unable to access domain resources.


Use the Group Policy Management Console to configure user autoenrollment policy settings, and use the Certificate Templates snap-in to configure autoenrollment settings on the certificate template.
To automatically enroll client computers for certificates in a domain environment, you must:

Configure an autoenrollment policy for the domain.

Configure certificate templates for autoenrollment.

Configure an enterprise CA.

Membership in Domain Admins or Enterprise Admins is required to complete these procedures.

To configure autoenrollment Group Policy for a domain
On a domain controller, click Start, point to Administrative Tools, and then click Group Policy Management.

In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

Right-click the Default Domain Policy GPO, and then click Edit.

In the Group Policy Management Console (GPMC), click User Configuration, Policies, Windows Settings, Security Settings, and then click Public Key Policies.

Double-click Certificate Services Client - Auto-Enrollment.

In Configuration Model, select Enabled to enable autoenrollment. If you want to disable autoenrollment, select Disabled.

If you are enabling certificate autoenrollment, you can select the following check boxes:

Renew expired certificates, update pending certificates, and remove revoked certificates

Update certificates that use certificate templates

Expiration notification

Click OK to accept your changes.

To configure certificate templates for autoenrollment
On the taskbar, click Start, and then click Run.

In the Run dialog box, type certtmpl.msc, and then click OK to open the Certificate Templates snap-in.

Select the certificate template that you want to enable for autoenrollment.

On the Action menu, click Properties, and then click the Security tab.

Select or add the user or group that you want to permit for autoenrollment.

In the Permissions for Authenticated Users list, select Read, Enroll, and Autoenroll in the Allow column, and then click OK and Close to finish.

The enterprise CA does not require autoenrollment configuration, but the certificate templates that you have enabled for autoenrollment must be assigned to the CA before client computers can automatically enroll for those certificates.

To assign certificate templates to an enterprise CA
On the taskbar, click Start, and then click Run.

In the Run dialog box, type certsrv.msc, and then click OK to open the Certification Authority snap-in.

In the console tree, click Certificate Templates.

On the Action menu, point to New, and then click Certificate Template to Issue.

Select the certificate template that you enabled for autoenrollment, and click OK.

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now