Configuring certificate approval on a Windows internal CA

I have an enterprise CA installed in my Windows organization, but for some reason users are able to request User Certificates and automatically install the certificate without an administrator first approving the request. How can I configure the existing User Certificate, or all certificates requested by end users, to fall into the pending folder so that an administrator first reviews the request and then issues the certificate if the request is valid?

Thank you,

By default, users and computers can request certificates, and they will be automatically approved.  To change this behavior, you are going to have to modify the template.  In reality however, one does not modify a template, but creates a new one based on the original template.

Open up Certification Authority MMC on your CA
Go to Certificate Templates
Right click Certificate Templates, and then select "Manage"
Find the base template (for example User or Computer), right click and select "Duplicate Template".
When prompted for Windows Server 2003 Enterprise or Windows Server 2008 Enterprise, choose the default (2003 Enterprise).  This is just for backwards compatibility.
Give your new template a unique display name and name
Make your necessary changes, changing "Issuance Requirements" to require CA certificate manager approval (see image)
[Image: CA certificate manager approval]
Once you've created your new templates, deactivate your old ones, and then add the new ones.  Do this by:

Close your Certificate Templates Console
Go back to the Certification Authority MMC
Go to Certificate Templates
Right click Computer -> Delete (assuming you are replacing this template)
Right click User -> Delete (assuming you are replacing this template)
Right click Certificate Templates, select New and Certificate Template to Issue.  Here you can add the new templates you've created.

NOTE: Deleting templates from "Certificate Templates" only deletes the templates from the available templates of the Certificate Authority.  It does not delete them permanently.  You can always re-add the original User and Computer certificate templates if you wish.
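
An added example, not part of the original answer: a PowerShell check that confirms which templates actually require approval after the change above. The "CA certificate manager approval" checkbox is stored in Active Directory as bit 0x2 (CT_FLAG_PEND_ALL_REQUESTS) of the template's msPKI-Enrollment-Flag attribute; the template name User-Approved, the function names and the sample flag values are constructed for illustration.

```powershell
# Added example. CT_FLAG_PEND_ALL_REQUESTS (0x2) in msPKI-Enrollment-Flag is
# the bit behind the "CA certificate manager approval" checkbox.
$CT_FLAG_PEND_ALL_REQUESTS = 0x2
$CT_FLAG_AUTO_ENROLLMENT   = 0x20

function Get-TemplateApprovalState {
    # Decodes the issuance-related settings of template objects from the pipeline.
    param([Parameter(ValueFromPipeline = $true)] $Template)
    process {
        $flags = [int]$Template.'msPKI-Enrollment-Flag'
        [pscustomobject]@{
            Template         = $Template.Name
            ManagerApproval  = [bool]($flags -band $CT_FLAG_PEND_ALL_REQUESTS)
            AutoEnrollment   = [bool]($flags -band $CT_FLAG_AUTO_ENROLLMENT)
            SignaturesNeeded = [int]$Template.'msPKI-RA-Signature'
        }
    }
}

function Get-TemplatesFromAD {
    # Live query; needs the RSAT ActiveDirectory module and a domain-joined host.
    Import-Module ActiveDirectory
    $config = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$config" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties 'msPKI-Enrollment-Flag', 'msPKI-RA-Signature'
}

# Constructed sample input so the decoder can be tried offline.
$sample = @(
    [pscustomobject]@{ Name = 'User';          'msPKI-Enrollment-Flag' = 41; 'msPKI-RA-Signature' = 0 }
    [pscustomobject]@{ Name = 'User-Approved'; 'msPKI-Enrollment-Flag' = 43; 'msPKI-RA-Signature' = 0 }
)

# Templates that would still be issued without an administrator's review.
$sample | Get-TemplateApprovalState | Where-Object { -not $_.ManagerApproval } |
    Format-Table -AutoSize

# Against the real directory:
# Get-TemplatesFromAD | Get-TemplateApprovalState | Sort-Object ManagerApproval | Format-Table -AutoSize
```

The directory query returns every template definition in the forest, whether or not a CA issues it; `certutil -CATemplates`, run on the CA, lists the templates that CA is actually configured to issue.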

serg2626 (Author) commented:
Excellent! It worked. Thank you for the clear instructions!
Glad to have been of assistance.  I find clear, concise instructions very helpful, which is why I try to do it for others :)