Auto enrollment setting not being published via GPO


  • Hi!

    I am starting to verify computers by wired 802.1x authentication against a RADIUS server, which runs on Win2008R2. My clients are Win7, but not the whole GPO is applied to them. The first portion (running the Wired AutoConfig service and the appropriate settings) is applied fine, but I am unable to publish the certificate GPO to the client.

    GPO looks like:

    Policy = Setting
    Automatic certificate management = Enabled
    Option = Setting
    Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates = Enabled
    Update and manage certificates that use certificate templates from Active Directory = Enabled

    Public Key Policies/Trusted Root Certification Authorities

    Allow users to select new root certification authorities (CAs) to trust = Enabled
    Client computers can trust the following certificate stores = Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
    To perform certificate-based authentication of users and computers, CAs must meet the following criteria = Registered in Active Directory only

    • Edited by vlad669 Thursday, May 24, 2018 09:29
    Thursday, May 24, 2018 09:27

All replies

  • Hello,

    Did you check the rights you have on the template the computers use for autoenrollment?

    Best Regards,

    Thursday, May 24, 2018 12:43
  • I don't clearly understand, I am pretty new at those things. Can you be more specific? Thanks

    Friday, May 25, 2018 06:36
  • I have modified the GPO with the reg key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\AutoEnrollment AEPolicy = 7 and now it's working like a charm. But I am not sure whether it's 100% right with these settings.
    • Edited by vlad669 Friday, May 25, 2018 08:00
    Friday, May 25, 2018 07:54
  • Below is what you need to check

    • Launch the Certification Authority MMC
    • Expand your PKI server
    • Right-click on Certificate Templates and click on Manage (this will launch the Certificate Templates console)
    • Right-click on the certificate template your computers use for autoenrollment and go to Properties
    • Go to the Security tab and verify that you have Read, Enroll and Autoenroll for the security principal (based on your configuration, maybe the computers which need the certificate are part of a group, or maybe you are using the Authenticated Users default, or, like below, Domain Computers)

    Best Regards,

    Friday, May 25, 2018 08:08
  • These settings are the same as mine (and it's now working without modifying the REG key)
    Friday, May 25, 2018 08:35
  • Great,

    Please don't forget to mark it as answer to help the community :)

    Best Regards,

    Friday, May 25, 2018 08:38
  • Sorry, I mistyped.... It's still NOT working without modifying the REG settings
    Friday, May 25, 2018 08:49
  • Ok,

    Did you try to split the GPO into 2 GPOs? One for 802.1x and another for AutoEnroll?

    Best Regards,

    Friday, May 25, 2018 08:54
  • Now I tried it, with no effect. Auto-enrollment takes no effect, very strange.
    Friday, May 25, 2018 09:06
  • But the reg key HKLM\Software\Policies\Microsoft\Cryptography\AutoEnrollment\AEPolicy with value 7

    Enabled, Update certificates that use certificate templates configured, Renew expired certificates, update pending certificates, and remove revoked certificates configured

    is equal to the GPO created via the GUI. So I think we can close this thread and mark it as SOLVED :)

    Thanks for the cooperation ;)
    • Edited by vlad669 Friday, May 25, 2018 09:23
    Friday, May 25, 2018 09:23
  • Ok,

    No problem

    Best Regards,

    Friday, May 25, 2018 09:28
  • Hi Vlad,

    Looking at it: the GPO setting is correct, but not giving the right result. However, if you manually set the registry value the GPO was supposed to set, it does work. That leads me to believe the GPO was not applied correctly.

    A good way to start troubleshooting there would be to do a Resultant Set of Policy on the affected machine(s), either through rsop.msc or gpresult. Either will give you which GPO settings are applied and where they come from, so you can look up this setting and see what happens.

    Kind Regards,

    Friday, May 25, 2018 13:53
  • Thanks for your answer. With gpresult /r I see this output

    Applied Group Policy Objects
        disable IPv6
        dot1x client
        Global XYZ GPO
        Default Domain Policy

    dot1x contains all the GPO settings mentioned above.

    If I run rsop.msc I see the policy WAS pushed to the affected client, but when I go to check it through gpedit.msc, no settings about auto-enrollment were applied.

    I checked through these policies whether autoenroll is forced NOT TO APPLY, but I didn't find anything like that.

    • Edited by vlad669 Wednesday, June 6, 2018 09:39 spell correction
    Wednesday, June 6, 2018 09:38
  • Hi Vlad,

    This is getting more interesting. What the group policy does is apply the registry settings. What you describe should have the same result.

    Have you looked up the precise autoenrollment policy settings in your GPResult output? It should tell you the winning setting as well as which GPO was the winning one.

    Kind Regards,

    Tuesday, June 12, 2018 07:43
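A PowerShell check, added here and not posted by anyone in the thread, that reads the AEPolicy value under the policy key vlad669 quoted and ties it to the RSoP cross-check suggested in the last reply. It assumes that key path and that value 7 corresponds to the two GUI options he listed; run it in an elevated prompt on the affected Windows 7 client.

```powershell
# Added example (not from any poster in this thread).
# Assumption: the policy key path is the one quoted above by vlad669.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

function Get-AutoEnrollPolicyState {
    param([string]$Key = $policyKey)
    # If Group Policy never wrote the value, the key or the value is absent:
    # that is the symptom described in the thread (GPO listed by gpresult,
    # yet no autoenrollment setting visible on the client).
    $item = Get-ItemProperty -Path $Key -Name AEPolicy -ErrorAction SilentlyContinue
    if (-not $item) {
        return 'NotConfigured: AEPolicy missing, so the GPO did not write it'
    }
    $v = [int]$item.AEPolicy
    switch ($v) {
        7       { return 'Enabled with both options (matches the GUI GPO in this thread)' }
        0       { return 'Enabled, but neither option ticked' }
        0x8000  { return 'Disabled (0x8000)' }
        default { return ('Other value 0x{0:X}: check in rsop.msc which GPO wrote it' -f $v) }
    }
}

Write-Host ('AEPolicy state: ' + (Get-AutoEnrollPolicyState))

# Cross-check with RSoP for the computer scope, as the last reply suggests.
# gpresult lists the applied GPOs (like the list quoted above); rsop.msc shows
# the winning GPO per setting under Public Key Policies.
gpresult /scope computer /r

# After correcting the GPO, refresh computer policy and trigger autoenrollment
# immediately instead of waiting for the next scheduled run.
gpupdate /target:computer /force
certutil -pulse
```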