RhoSysAdmin asked:

How to enroll for user cert with Get-Certificate powershell cmdlet

I need help with the syntax for the PowerShell Get-Certificate cmdlet to enroll for a user certificate from our Windows internal CA. I want to use this command from an Azure AD joined Windows 11 device that's connected to our internal network via our VPN. That's why I'm prompting for my (domain) user credentials.

Based on Get-Certificate syntax, I have the following so far:

$up = Get-Credential
$request = 'MyUserTemplate'

Get-Certificate -Template $request -Url -Credential $up -CertStoreLocation cert:\CurrentUser\My


I'm unsure about the URL. The Microsoft article doesn't provide specifics on this parameter. I don't see a "services.svc" (seen in the examples) anywhere on my CA, and certainly not in any of the IIS virtual directories.

Do I need to specify a "subjectname" or any other specifics? I'm hoping since I'm logging in to the CA with my domain credentials that I won't have to provide any additional details for the enrollment.

Any help is greatly appreciated!

David Johnson, CD

-Url missing means you have not installed a policy server

To enable the Certificate enrollment policy for computer certificates expand Computer Configuration > Policies > Windows Settings > Security Settings and click Public Key Policies. Double-click Certificate Services Client - Certificate Enrollment Policy. In the Configuration Model menu, select Enabled. Click OK.

dfke

Try and set the -Url to et to, as this appears to be a standard URL for the Microsoft Certificate Enrollment Protocol (MSCEP).

RhoSysAdmin

So your suggestion is very intriguing. To give you the complete picture, we're working on switching to an Intune Autopilot laptop deployment model for our now full-time remote workforce.

We already have a working NDES + Intune Certificate Connector server that provides DEVICE certificates to these Azure AD joined (i.e. remote) devices so they can connect to our VPN.

What's missing is the ability for users to request a USER certificate so they can use the internal (802.11) wireless and (802.3) wired networks when they do need to come to the building.

In addition to enabling the policy as you suggested, we'll need to add the roles to either the CA or to the Intune Connector. Those roles are not installed anywhere at this moment.

Is it reasonable to add the Certificate Enrollment Policy Web Service and Certificate Enrollment Web Service roles to our "InTune Connector" server?  The firewall rules are already in place to allow it to communicate with our CA.  IIS is already installed. It seems like a good fit.

Am I interpreting things correctly?

Would this be a redundant role/feature add (given we've solved the device cert riddle with SCEP+NDES)? Is there another Intune config profile I could add to take care of our need for USER certificate enrollment?
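
The following is an added example, not code from any participant in this thread: a sketch of the user enrollment call once a policy server URL exists, with the enrollment result checked instead of assumed. It assumes the Certificate Enrollment Policy Web Service and Certificate Enrollment Web Service roles discussed above are installed with username/password authentication and that the template builds the subject from Active Directory; the function name, host name and URL in the usage comment are placeholders.

```powershell
# Added example. Request-UserCertificate is a hypothetical helper name.
function Request-UserCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $Template,
        [Parameter(Mandatory)] [uri]          $PolicyUrl,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    # The domain user name and password are sent to this endpoint,
    # so refuse anything that is not an absolute HTTPS URL.
    if (-not $PolicyUrl.IsAbsoluteUri -or $PolicyUrl.Scheme -ne 'https') {
        throw "Refusing to send credentials to a non-HTTPS policy URL: $PolicyUrl"
    }

    # -ErrorAction Stop turns enrollment errors into terminating errors
    # so a failed request cannot be mistaken for success.
    $result = Get-Certificate -Template $Template -Url $PolicyUrl `
        -Credential $Credential -CertStoreLocation 'Cert:\CurrentUser\My' `
        -ErrorAction Stop

    switch ($result.Status) {
        'Issued' {
            $cert = $result.Certificate
            Write-Verbose "Issued $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
            return $cert
        }
        'Pending' {
            # The CA is holding the request for approval; nothing is installed yet.
            Write-Warning 'Request is pending approval on the CA; no certificate was installed.'
            return $result.Request
        }
        default {
            throw "Enrollment did not succeed, status: $($result.Status)"
        }
    }
}

# Usage (placeholder values; the URL must be the policy service URL of your own deployment):
# $up = Get-Credential
# Request-UserCertificate -Template 'MyUserTemplate' -Credential $up -Verbose `
#     -PolicyUrl 'https://cep.example.internal/<policy service path>'
```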
