Certificate autoenrollment and Group Policy loopback

  • Question

  • We have AD with Group Policy loopback configured. We are planning certificate autoenrollment for users and computers.

    How will user autoenrollment work with Group Policy loopback?

    Wednesday, July 8, 2020 10:56 AM

Answers

All replies

  • We have AD with Group Policy loopback configured. We are planning certificate autoenrollment for users and computers.

    How will user autoenrollment work with Group Policy loopback?

    We've had this combination for 10 years across our PC/workstation fleet without issues; it works normally, with no differences at all.

    All users, on all workstations, autoenroll.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, July 8, 2020 11:50 AM
  • Hi,

    Thanks for sharing here!

    There are 2 modes for the loopback policy: Replace and Merge.

    "Replace" indicates that the user settings defined in the computer's Group Policy Objects replace the user settings normally applied to the user.

    If you select this mode and you want the user auto-enrollment policy to apply to the user, you also need to configure the user settings on the computer's GPO; then, when users log on to the computer, the auto-enrollment policy will apply.

    "Merge" indicates that the user settings defined in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy Objects take precedence over the user's normal settings.

    So if you select Merge mode, and the users have already been configured with user auto-enrollment, and there is no conflict with the policy on the computer, no additional steps are needed.

    Best Regards,
    Fan

    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, July 9, 2020 12:00 AM
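To see which of the two modes described above a workstation actually received, and whether the auto-enrollment policy reached the computer and the logged-on user, the following script (an added example, not from any post in this thread) reads the registry values the two policies write. The loopback mode is stored in UserPolicyMode (1 = Merge, 2 = Replace); the auto-enrollment policy is stored in AEPolicy under HKLM for the computer and under HKCU for the user. The bit decoding of AEPolicy (0x8000 = disabled, 0x1 = renew/update/remove, 0x2 = update templates) is based on what the policy editor writes and is an assumption of this example, not something the thread documents. Run it as the affected user, after gpupdate, so HKCU is that user's hive:

```powershell
# Added example: report the loopback mode and the auto-enrollment policy actually applied.
# Registry locations are those written by "Configure user Group Policy loopback processing mode"
# and "Certificate Services Client - Auto-Enrollment". Run as the logged-on user after gpupdate.

function Get-LoopbackMode {
    # HKLM\...\System\UserPolicyMode: 1 = Merge, 2 = Replace; absent = loopback not configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $v = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    if ($null -eq $v) { return 'Not configured (loopback off)' }
    if ($v -eq 1)     { return 'Merge' }
    if ($v -eq 2)     { return 'Replace' }
    return "Unknown value $v"
}

function Get-AutoEnrollmentPolicy {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    # AEPolicy: 0x8000 = Disabled. Otherwise enabled, with option bits
    # 0x1 = renew expired / update pending / remove revoked certificates,
    # 0x2 = update certificates that use certificate templates.
    # Bit meanings are an assumption of this example (observed from the policy editor).
    $key = "$($Hive):\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $v = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $v)    { return 'Not configured' }
    if ($v -band 0x8000) { return 'Disabled' }
    $opts = @()
    if ($v -band 0x1) { $opts += 'renew/update/remove' }
    if ($v -band 0x2) { $opts += 'update templates' }
    return "Enabled (0x{0:X}; {1})" -f $v, ($opts -join ', ')
}

[pscustomobject]@{
    LoopbackMode           = Get-LoopbackMode
    ComputerAutoEnrollment = Get-AutoEnrollmentPolicy -Hive HKLM
    UserAutoEnrollment     = Get-AutoEnrollmentPolicy -Hive HKCU
} | Format-List
```

In Replace mode the UserAutoEnrollment line reflects only the user settings in GPOs linked to the computer, which is why the user policy has to be set there as well; in Merge mode it reflects the user's own GPOs plus the computer-linked ones. A report of "Not configured" for HKCU with loopback set to Replace is the case the answer above describes.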
  • What is the mode of your loopback policy?

    We have a Merge-mode policy.

    Thursday, July 9, 2020 7:43 AM
  • I don't have users already configured with user auto-enrollment.

    I have a Merge policy and we need to implement it for autoenrollment.

    Thursday, July 9, 2020 7:44 AM
  • Hi,

    Then you need to deploy the auto-enrollment policy normally to domain users.

    For your reference:

    https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

    Best Regards,
    Fan


    Thursday, July 9, 2020 8:04 AM
  • As I said, I have a Merge policy GPO.

    Users are getting certificates through autoenrollment.

    But machines are not getting certificates through autoenrollment.

    I can see in RSoP that the machine policy has been updated.

    Sunday, July 12, 2020 8:53 AM
  • What is the mode of your loopback policy?

    We have a Merge-mode policy.

    We use Loopback-Replace.

    But loopback processing only affects changes to user settings, not to machine settings.

    If your machines are not auto-enrolling, loopback will not change/fix that.

    Sorry if I misunderstand your question/scenario?


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    • Edited by DonPick Monday, July 13, 2020 12:24 AM
    Monday, July 13, 2020 12:21 AM
  • Hi,

    Thanks for your reply!

    If you also want the computers to get certificates through autoenrollment, you also need to set up a policy for the computers, as normal.

    https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/configure-server-certificate-autoenrollment

    Best Regards,

    Fan



    • Marked as answer by shardulr Wednesday, July 15, 2020 11:16 AM
    Monday, July 13, 2020 6:30 AM
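Since loopback only touches user settings, the usual reasons a computer with an applied computer auto-enrollment policy still gets no certificate are on the CA side: no computer template is published on an enterprise CA, or the template does not grant the computer's group both Enroll and Autoenroll. The script below is an added example written for this thread, not from any post or from Microsoft's documentation. It lists the templates each enterprise CA publishes (the certificateTemplates attribute of the CA's pKIEnrollmentService object) and checks each template's ACL for the Enroll and Autoenroll extended rights granted to one group, 'Domain Computers' by default. It needs the ActiveDirectory module (RSAT) and read access to the Configuration partition; the group name is an assumption and nested group membership is not resolved:

```powershell
# Added example: which published templates grant Enroll + Autoenroll to a computer group.
# Requires RSAT ActiveDirectory module; run from a domain-joined admin workstation.
param([string]$Group = 'Domain Computers')   # assumption: the group the computers are in

Import-Module ActiveDirectory
$pks = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# Well-known extended-right GUIDs used on certificate template objects
$EnrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$GenericAll      = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Resolve the group once to its DOMAIN\Name form so ACE identities can be compared directly
$groupName = (Get-ADGroup $Group).SID.Translate([System.Security.Principal.NTAccount]).Value

# Templates a CA actually publishes; an unpublished template never autoenrolls anything
$published = Get-ADObject -SearchBase "CN=Enrollment Services,$pks" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' -Properties certificateTemplates |
    ForEach-Object {
        foreach ($t in $_.certificateTemplates) {
            [pscustomobject]@{ CA = $_.Name; Template = $t }
        }
    }

foreach ($p in $published) {
    $dn  = "CN=$($p.Template),CN=Certificate Templates,$pks"
    $acl = Get-Acl -Path "AD:\$dn"
    $has = @{ Enroll = $false; Autoenroll = $false }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -ne $groupName) { continue }
        # Full control implies every extended right
        if (($ace.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll) {
            $has.Enroll = $true; $has.Autoenroll = $true; continue
        }
        if (($ace.ActiveDirectoryRights -band $ExtendedRight) -eq 0) { continue }
        # An ExtendedRight ACE with an empty ObjectType grants all extended rights
        if ($ace.ObjectType -eq [guid]::Empty)    { $has.Enroll = $true; $has.Autoenroll = $true }
        if ($ace.ObjectType -eq $EnrollRight)     { $has.Enroll = $true }
        if ($ace.ObjectType -eq $AutoenrollRight) { $has.Autoenroll = $true }
    }

    [pscustomobject]@{
        CA         = $p.CA
        Template   = $p.Template
        Enroll     = $has.Enroll
        Autoenroll = $has.Autoenroll
    }
}
```

A template that shows Enroll = True but Autoenroll = False for the computers' group is the classic cause of exactly the symptom above: policy applied, RSoP clean, no certificate issued. Once a template shows True for both, certutil -pulse on the client triggers an autoenrollment pass without waiting for the next policy refresh, and the Application log provider Microsoft-Windows-CertificateServicesClient-AutoEnrollment records why a request was or was not submitted.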
  • Hi,


    Was your issue resolved?


    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.


    Best Regards,

    Fan




    Wednesday, July 15, 2020 1:34 AM