Autoenrollment Group Policy not triggering User Certificate enrollment

  • Question

  • Hi Technet!


    I'm currently working on a demo setup for the Windows always-on VPN, using a Hyper-V virtual environment using the following Microsoft guide: https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment


    I'm currently struggling with the user certificate auto-enrollment; my setup is as follows:

    1x Windows Server 2016: Primary (and only) DC

    1x Windows Server 2016: RAS & NPS Server

    1x Windows 10 Professional: Test client


    Steps completed so far:

    Set up VPN Clients and VPN Server Security groups in AD

    Set up Auto-enrollment VPN to the standards outlined in the linked guide above

    Set up Certificate templates to the standards outlined in the linked guide above

    Set up the NPS server to the standards outlined in the guide above


    The GPO is deploying and the server certificates are where they should be, but the user certificates are not auto-enrolling, even though the policy is applying on the computer and user accounts on the test client. There's no "Certificates" folder appearing under the "Personal" tree in the certificate manager on the client.


    Can anyone suggest anything? I've looked around for a few solutions but I can't find anything concrete; it's my first time setting this up, so I'm rather stumped!


    Many thanks!
    • Edited by CStendall22 Wednesday, October 30, 2019 2:34 PM Added hyperlink
    Wednesday, October 30, 2019 2:25 PM

All replies

  • Hello CStendall22,

    Thank you for posting in our TechNet forum.

    We can troubleshoot as below:

    1. Check the permissions on the user certificate template: whether there are Read, Write, Enroll and Autoenroll permissions for the specific users or groups.



    2. Check if we have issued the user certificate template.

    3. Check if we have configured the group policy settings correctly and linked the GPO to the OU containing the specific users.

    User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment > double click it to open its properties or right-click > Properties




    4. If the above three steps are OK, we can log on to the client with the above user.
    Check if the user applies the above GPO successfully.

    For user configuration:
    Logon one client with domain user account.
    Create a new folder in C drive named Folder.
    Open CMD, type gpresult /h C:\Folder\report.html and press Enter.
    Open report file to check the policies under User Configuration.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 31, 2019 6:41 AM
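The four checks in the reply above can be scripted from a domain-joined client. The following PowerShell is an added example, not code from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module is installed, that the logged-on user may read the template object, and that `$TemplateName` and `$CAConfig` are placeholders for the user template name and the `CAServer\CAName` string, neither of which the thread gives.

```powershell
# Added example: walk the four troubleshooting points (template ACL, template issued
# by the CA, autoenrollment GPO applied, enrollment result) from a domain-joined client.
# $TemplateName and $CAConfig are placeholders (assumptions), not values from the thread.
param(
    [string]$TemplateName = 'PLACEHOLDER-UserTemplate',
    [string]$CAConfig     = 'PLACEHOLDER-CAServer\PLACEHOLDER-CAName'
)

Import-Module ActiveDirectory

# 1. Template permissions. Enroll and Autoenroll are extended rights on the template
#    object, identified by these well-known GUIDs rather than by a named right.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollGuid = [guid]'a05b8cc2-17bc-00de-a4ef-6f6c9c7e4a4e'
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

Write-Host "== 1. Allow ACEs on $TemplateName =="
(Get-Acl -Path "AD:\$templateDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $ace = $_
        $right = switch ($ace.ObjectType) {
            $EnrollGuid     { 'Enroll' }
            $AutoenrollGuid { 'Autoenroll' }
            default         { $ace.ActiveDirectoryRights.ToString() }
        }
        [pscustomobject]@{ Principal = $ace.IdentityReference; Right = $right }
    } | Sort-Object Principal | Format-Table -AutoSize

# 2. Is the template published on the CA? certutil -CATemplates lists what the CA issues.
Write-Host "== 2. Template issued by CA $CAConfig =="
$issued = certutil -config $CAConfig -CATemplates 2>&1 | Select-String -SimpleMatch $TemplateName
if ($issued) { $issued } else { Write-Warning "$TemplateName is not in the CA's issued template list" }

# 3. Did the user-side autoenrollment policy arrive? The GPO setting lands in HKCU as
#    AEPolicy: 7 when enabled with both check boxes ticked, 0x8000 when disabled,
#    absent when the policy is not configured or the GPO did not apply.
Write-Host "== 3. Autoenrollment policy in HKCU =="
$ae = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment' `
                       -Name AEPolicy -ErrorAction SilentlyContinue
if ($null -eq $ae) { Write-Warning 'AEPolicy not present: user autoenrollment GPO not applied' }
else { 'AEPolicy = 0x{0:X}' -f $ae.AEPolicy }

# 4. Trigger autoenrollment for the logged-on user and look at the outcome.
Write-Host "== 4. Pulse autoenrollment and inspect results =="
certutil -pulse | Out-Null
Start-Sleep -Seconds 15
Get-ChildItem Cert:\CurrentUser\My | Format-Table Subject, NotAfter, Thumbprint -AutoSize
# The AutoEnrollment provider writes its success/failure events to the Application log.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'
                                 ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
```

Run it in the test user's session (not elevated, so the HKCU and Cert:\CurrentUser checks reflect that user). An empty ACE list for the VPN Users group in step 1, a warning in step 2, or a missing AEPolicy in step 3 each point at a different layer; the events in step 4 carry the error text when the first three look correct.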
  • Hi,
    Is there any update on this question, or is this issue solved? Also, for the question, is there any other assistance we could provide?



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 4, 2019 7:59 AM
  • Hi Daisy,

    Apologies for not getting back to you sooner. Unfortunately I checked all of this and it didn't make a difference.

    I did find out that I have accidentally installed two Certificate Authorities, so I'm currently re-creating the test environment to rectify this.

    Thanks for your help with this so far.

    Chris

    Monday, November 4, 2019 9:17 AM
  • Hi,
    You are welcome. Thank you for your update.

    As always, if there is any question in future, we warmly welcome you to post in this forum again. We are happy to assist you!  



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 4, 2019 9:57 AM
  • Hi Daisy,

    I have re-created my test environment and unfortunately I'm still getting the same results as last time. The GPO appears to be applying correctly, but the certificate is not being rolled out to the users within the security group.

    This looks like it might be a Certificate specific issue, as the other sample GPOs I have created are working, can you recommend which area of the forums to post in with regards to this?

    Tuesday, November 5, 2019 11:32 AM
  • Hi,
    Can we see the group policy settings in the gpresult /h report?

    If not, we can try to refer to the "User certificates Auto-Enrollment" section of the following article to deploy the GPO.
    Set Up Automatic Certificate Enrollment (Autoenroll)
    https://www.vkernel.ro/blog/set-up-automatic-certificate-enrollment-autoenroll 


    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 6, 2019 11:33 AM
    Hi Daisy, why are write permissions required? (My understanding is that write permissions apply to changing the template and are not related to certificate enrollment or issuance.)

    Thanks!

    BR, Ivo

    Thursday, April 9, 2020 11:57 AM
  • I'm having the same problem, any update to this thread?
    Friday, July 24, 2020 9:29 AM
  • Hi,

    I am also trying to set up a demo for Always On VPN, and this issue is caused by using a virtual lab environment that lacks a TPM chip.

    https://4sysops.com/archives/active-directory-group-policy-and-certificates-for-always-on-vpn/

    As an FYI, I was following this to the letter in my test environment but could not get the user certificate deployed. Permissions and the certificate were correctly set up.

    It turns out the "Microsoft Platform Crypto Provider" requires a TPM chip; as I was using a VM for the client machine (which obviously has no TPM hardware), I would see the error message "Can not find a valid CSP in the local machine" when trying to manually enroll the certificate.

    The solution is to also tick "Microsoft Software Key Storage Provider" and have it second in order after "Microsoft Platform Crypto Provider".

    Friday, August 7, 2020 1:44 PM
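The mismatch described in the last reply (a template that lists only a TPM-backed provider, enrolled from a client with no TPM) can be detected before enrollment is attempted. The PowerShell below is an added example, not code from the thread or from the linked articles. It assumes the RSAT ActiveDirectory module is installed and that `$TemplateName` is a placeholder for the user template name, which the thread does not give.

```powershell
# Added example: compare the key storage providers the template asks for (pKIDefaultCSPs)
# with the providers the client actually has, and report TPM presence.
# $TemplateName is a placeholder (assumption), not a value from the thread.
param([string]$TemplateName = 'PLACEHOLDER-UserTemplate')

Import-Module ActiveDirectory

# Client side: TPM state as seen by Windows, and the CSP/KSP list certutil knows about.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
Write-Host ("TPM present: {0}, ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady)

$clientProviders = certutil -csplist |
    Select-String -Pattern '^Provider Name:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

# Template side: pKIDefaultCSPs holds "order,provider name" strings, in the order the
# template's Cryptography tab shows them. The client tries them in that order.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template   = Get-ADObject -Identity $templateDN -Properties pKIDefaultCSPs

if (-not $template.pKIDefaultCSPs) {
    Write-Host "Template lists no specific provider; any available provider may be used."
    return
}

$report = foreach ($entry in $template.pKIDefaultCSPs) {
    $order, $name = $entry -split ',', 2
    $name = $name.Trim()
    [pscustomobject]@{
        Order            = [int]$order
        Provider         = $name
        OnClient         = $clientProviders -contains $name
        # Platform Crypto Provider is TPM-backed; it only works where TpmPresent is true.
        NeedsTPM         = $name -eq 'Microsoft Platform Crypto Provider'
    }
}
$report | Sort-Object Order | Format-Table -AutoSize

$usable = $report | Where-Object { $_.OnClient -and (-not $_.NeedsTPM -or $tpm.TpmPresent) }
if (-not $usable) {
    Write-Warning "No provider on $TemplateName is usable here; expect 'Can not find a valid CSP' on enrollment."
    Write-Warning "Adding 'Microsoft Software Key Storage Provider' as a second provider lets non-TPM clients enroll."
}

# Exercise the TPM provider directly; this surfaces the same failure the reply quotes.
certutil -csptest 'Microsoft Platform Crypto Provider'
```

On a VM without a virtual TPM, `Get-Tpm` reports `TpmPresent: False` and the report shows the Platform Crypto Provider as needing a TPM, so the warning fires; after the Software Key Storage Provider is added to the template at position 2, the same run shows a usable second row. Adding the software KSP does weaken the key protection the TPM-only choice provided, so production templates for physical clients may still want the Platform Crypto Provider alone.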