If none of these keys have AEPolicy = 7, Autoenrollment is not turned on.
If the previous steps are set correctly, force Autoenrollment and watch the Application log to see what happens when Autoenrollment takes place. First, set a new registry value to turn on more detailed autoenrollment logging: in HKCU\Software\Microsoft\Cryptography\Autoenrollment and HKLM\Software\Microsoft\Cryptography\Autoenrollment, create a new DWORD value named AEEventLogLevel and set its value to 0.
Open up Application Log in Event Viewer (eventvwr.exe).
Force Autoenrollment:
gpupdate /force
In the Application event log, refresh the log to see what happens during autoenrollment.
Two computer autoenrollment messages (start, stop) should occur first, followed within 30 seconds to 2 minutes by two user autoenrollment messages (start, stop). Any issued certificates should appear in the log as Event ID 18 or 19. The Start and Stop messages are Event IDs 2 and 3.
If there are any valid autoenrollment certificates to be issued, they should issue here.
Note: If the CA administrator configured the templates to not duplicate certificates if one already exists in Active Directory, you will have to delete the user’s certificate in Active Directory in order for Autoenrollment to pull down a new certificate.
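The check and the forced run described above can be scripted so the result is captured in one pass rather than read by hand out of Event Viewer. The PowerShell script below is an added example, not code from the original post or from Microsoft. It assumes that the policy-driven AEPolicy value is read from the two Policies\Microsoft\Cryptography\AutoEnrollment keys named in the script (the post only refers to "these keys"), that the diagnostic AEEventLogLevel value goes under the two keys the post names, and that on Windows Vista and later the autoenrollment client logs under the provider name Microsoft-Windows-CertificateServicesClient-AutoEnrollment. Run it in an elevated PowerShell session on the domain-joined client.

```powershell
# Added troubleshooting script (not from the original post). Assumptions are marked below.
# Assumption: AEPolicy set by Group Policy lives under these two keys.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment',
    'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
)
# The post names these two keys for the AEEventLogLevel diagnostic value.
$logLevelKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment',
    'HKCU:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment'
)

# Step 1: confirm AEPolicy = 7 in at least one of the policy keys; otherwise autoenrollment is off.
$enabled = $false
foreach ($key in $policyKeys) {
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    $shown = if ($null -eq $value) { '<missing>' } else { $value }
    '{0,-70} AEPolicy = {1}' -f $key, $shown
    if ($value -eq 7) { $enabled = $true }
}
if (-not $enabled) {
    Write-Warning 'No key has AEPolicy = 7: autoenrollment is not turned on by policy. Stop here.'
    return
}

# Step 2: turn on detailed autoenrollment logging (AEEventLogLevel = 0, as the post instructs).
foreach ($key in $logLevelKeys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name AEEventLogLevel -PropertyType DWord -Value 0 -Force | Out-Null
}

# Step 3: record the start time, then force a policy refresh, which triggers autoenrollment.
$started = Get-Date
gpupdate /force | Out-Null

# Step 4: give the user pass up to 2 minutes (per the post), then pull Start (2), Stop (3)
# and issued-certificate (18, 19) events written since the refresh began.
Start-Sleep -Seconds 120
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    # Assumption: provider name of the autoenrollment client on Vista and later.
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    Id           = 2, 3, 18, 19
    StartTime    = $started
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No autoenrollment events were logged after gpupdate; check Group Policy application next.'
    return
}

# Print the sequence in time order: expect computer Start/Stop, then user Start/Stop.
$events | Sort-Object TimeCreated | ForEach-Object {
    $meaning = switch ($_.Id) {
        2  { 'Start' }
        3  { 'Stop' }
        18 { 'Certificate issued' }
        19 { 'Certificate issued' }
    }
    '{0:HH:mm:ss}  ID {1,-3} {2,-20} {3}' -f $_.TimeCreated, $_.Id, $meaning, ($_.Message -split "`n")[0]
}
```

If the run ends with Start and Stop events but no 18 or 19, that matches the note above: either no template is due for this user or machine, or an existing certificate in Active Directory is suppressing a duplicate.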
If you see any GPO errors, turn on Group Policy logging on the client, trigger Group Policy manually (gpupdate /force), and then check the policy log.
For XP:
- Set the following registry flag:
- Rename the current GPO log file, userenv.log, to userenv.old
- Check the following log file for any errors: %windir%\debug\usermode\userenv.log
Man you are all over these guides Kurt (from the AD guides to this one). Nicely done!
Thanks
Mike
Thank you, Mike. I am glad to be helpful.
Quick question: How can I define autoenroll permissions of a certificate template? The option doesn't appear to be available for the default 'User' template, or in fact any other of which the minimum supported CA is Windows 2000. Only Windows Server 2003 Enterprise have the option.
I'm running a DC with ADCA on Server 2008 R2.
---------------------
Do this on the Security permissions of the Certificate Template. You need Read, Enroll, Autoenroll. However, you typically get the Read and Enroll from Authenticated users membership.
That is true. Autoenroll came about with what is known as the Version 2 or V2 templates. You will have to duplicate the templates (as I mentioned in another comment). You need at least a V2 template. technet.microsoft.com/.../cc787781.aspx
"Only a domain with the Windows Server 2003 schema will support version 2 templates, and only a Windows Server 2003, Enterprise Edition or Datacenter Edition certification authority may issue a version 2 template certificate."
I checked all the steps (I had already done them), but Best Practice Analyzer still tells me: Warning, computer autoenrollment GP not enabled.
Adambean: You do this through the Security settings on the template. There is a permission AutoEnroll in there. Your users or computers will also need the Read and Enroll permissions for this to work, but that is usually granted from being members in the Authenticated Users group. Just depends on how security is configured in your environment.
Adambean: You will have to duplicate those Windows 2000 templates.
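The replies above come down to two checks per template: it must be a V2 (or later) template, and the principal must hold Read, Enroll and Autoenroll on it. The following PowerShell script is an added example, not code from the post or from Microsoft, that reads both facts out of Active Directory for every template in the forest. It requires the ActiveDirectory module (RSAT) and read access to the Configuration partition, and it assumes that templates live under CN=Certificate Templates,CN=Public Key Services,CN=Services in the Configuration naming context, that msPKI-Template-Schema-Version is 1 for Windows 2000 (V1) templates and 2 or higher for V2+ templates, and that Enroll and Autoenroll are the extended rights with the GUIDs given in the script.

```powershell
# Added audit script (not from the original post). Assumptions are marked below.
Import-Module ActiveDirectory

# Assumption: the extended-right GUIDs for Enroll and Autoenroll on a template object.
$enrollGuid     = [guid]'0e10c968-78fb-11d1-a9c7-0000f80367c1'
$autoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

# Bit values of the ActiveDirectoryRights flags we test for.
$READ_PROPERTY  = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$EXTENDED_RIGHT = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$GENERIC_ALL    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

# Assumption: template container location in the Configuration naming context.
$configNC = (Get-ADRootDSE).configurationNamingContext
$templateContainer = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$templates = Get-ADObject -SearchBase $templateContainer -SearchScope OneLevel `
    -Filter "objectClass -eq 'pKICertificateTemplate'" `
    -Properties displayName, 'msPKI-Template-Schema-Version', nTSecurityDescriptor

$report = foreach ($t in $templates) {
    $version = [int]$t.'msPKI-Template-Schema-Version'
    $read = @(); $enroll = @(); $autoenroll = @()

    foreach ($ace in $t.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who    = $ace.IdentityReference.Value
        $rights = [int]$ace.ActiveDirectoryRights

        # GenericAll (Full Control) carries every right, including both extended rights.
        $full = ($rights -band $GENERIC_ALL) -eq $GENERIC_ALL
        if ($full -or (($rights -band $READ_PROPERTY) -ne 0)) { $read += $who }

        # An ExtendedRight ACE with an empty ObjectType grants all extended rights at once.
        $ext    = ($rights -band $EXTENDED_RIGHT) -ne 0
        $allExt = $ext -and ($ace.ObjectType -eq [guid]::Empty)
        if ($full -or $allExt -or ($ext -and $ace.ObjectType -eq $enrollGuid))     { $enroll     += $who }
        if ($full -or $allExt -or ($ext -and $ace.ObjectType -eq $autoenrollGuid)) { $autoenroll += $who }
    }

    [pscustomobject]@{
        Template          = $t.displayName
        SchemaVersion     = $version
        AutoenrollCapable = ($version -ge 2)   # V1 templates have no Autoenroll permission
        Read              = ($read       | Sort-Object -Unique) -join '; '
        Enroll            = ($enroll     | Sort-Object -Unique) -join '; '
        Autoenroll        = ($autoenroll | Sort-Object -Unique) -join '; '
    }
}

$report | Sort-Object Template | Format-Table -AutoSize -Wrap
```

A template that shows SchemaVersion 1 is one of the Windows 2000 templates Kurt says must be duplicated before Autoenroll can be granted. For the V2 templates, the Autoenroll column should list exactly the groups you intend to enroll automatically; a broad group such as Authenticated Users holding Autoenroll on a template that was not meant to be self-service is worth a second look, since the same listing is what the CA uses to decide who may obtain that certificate without a request being reviewed.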