Auto certificate enrollment for computers not happening

Question
Hi
In my environment, auto certificate enrollment for computers is not happening through GPO.
Domain Computers has the Enroll permission on the Computer certificate template.
Please suggest.
Regards,
Deepak S
Monday, July 7, 2014 9:23 AM
Answers
You are mixing technologies.
The Computer certificate template is a v1 template, and is deployed using Automatic Certificate Request settings (ACRS). Permissions required are Read and Enroll permissions to a Global/Universal group containing the computer accounts. The GPO must be focused on an OU containing the computer accounts (or at the domain). The Computer certificate template must be added to the ACRS GPO definition.
If you want to deploy through AutoEnrollment, then you need to use the Workstation Authentication certificate template in combination with the Computer AutoEnrollment GPO. Permissions required are Read, Enroll, and AutoEnrollment permissions to a Global/Universal group containing the computer accounts. The GPO must be focused on an OU containing the computer accounts (or at the domain). The AutoEnroll settings must be enabled within the GPO for computer objects.
Brian
Monday, July 7, 2014 2:34 PM

Client computers must have Read, Enroll and Autoenroll permissions. Make sure that Autoenroll permissions are granted on the certificate template.
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new: PowerShell FCIV tool.
- Marked as answer by Alex Lv Tuesday, July 29, 2014 3:10 AM
Monday, July 7, 2014 10:22 AM

Hi,
Please reconfirm that the Autoenrollment group policy is configured and applied to the user or machine. Verify that the Group Policy settings set the proper registry settings. If Group Policy is configured correctly, the next step is to troubleshoot enrollment.
Autoenrollment requires the use of Version 2 or Version 3 Certificate Templates. Certificate Authorities must be on the appropriate OS Version and edition. The table below outlines OS Version and Edition support for Version 2 and Version 3 certificate templates.
A similar thread:
Certificate Autoenrollment for Domain Computers GPO does not work
Hope this helps.
- Marked as answer by Alex Lv Tuesday, July 29, 2014 3:10 AM
Wednesday, July 9, 2014 5:45 AM
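
The checks named in the answers above (policy registry setting, template version, Enroll/Autoenroll rights), as an added example that is not part of the original thread. It assumes the default directory names `Machine` (Computer template) and `Workstation` (Workstation Authentication template), the `AEPolicy` value under the policy key shown, and treats a template without `msPKI-Template-Schema-Version` as v1; it does not check the Read permission.

```powershell
# Added example. Run on an affected domain-joined client.
$rightNames = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

# 1. Did the computer autoenrollment GPO reach this machine?
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae  = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $ae)        { 'AEPolicy is not set: no computer autoenrollment policy applied' }
elseif ($ae -band 0x8000) { 'AEPolicy = 0x{0:X}: autoenrollment disabled by policy' -f $ae }
else                      { 'AEPolicy = 0x{0:X}: autoenrollment enabled' -f $ae }

# 2. Template version and which principals hold Enroll / Autoenroll on it.
$config   = ([adsi]'LDAP://RootDSE').configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$config"
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
foreach ($cn in 'Machine', 'Workstation') {
    try {
        $t = [adsi]"LDAP://CN=$cn,$base"
        $version = $t.psbase.Properties['msPKI-Template-Schema-Version'].Value
        if (-not $version) { $version = 1 }   # assumption: attribute absent means v1
        "Template $cn is schema version $version"
        if ($version -lt 2) { '  v1 template: autoenrollment will not issue it, use ACRS' }
        $t.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.ActiveDirectoryRights -band $extended) -and
                $rightNames.ContainsKey($_.ObjectType.ToString())
            } |
            ForEach-Object { '  {0}: {1}' -f $_.IdentityReference, $rightNames[$_.ObjectType.ToString()] }
    } catch {
        "Template ${cn}: could not read ($($_.Exception.Message))"
    }
}
```

A group listed with Enroll but not Autoenroll on `Workstation`, or only the `Machine` template carrying the rights, matches the mismatch described in the answers.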