How to Configure Certificate Auto-Enrollment via Group Policy on Windows Server 2012 R2

How to Configure Certificate Auto-Enrollment via Group Policy on Windows Server 2012 R2

Certificate auto-enrollment allows domain computers and users to automatically request, receive, and renew digital certificates from an Enterprise CA without any manual intervention. This eliminates the administrative burden of manually issuing certificates to hundreds or thousands of devices and users, ensures certificates are always current, and dramatically reduces the attack surface from expired certificates in production. On Windows Server 2012 R2 with an Enterprise CA deployed, auto-enrollment is configured through Group Policy and certificate templates. This guide covers the complete configuration.

Prerequisites

– Windows Server 2012 R2 Enterprise Subordinate CA (from a two-tier PKI hierarchy)
– Active Directory domain with Group Policy Management Console access
– Enterprise Admin or CA Admin rights
– Domain computers running Windows Vista/Server 2008 or later (all support auto-enrollment)
– Network connectivity from clients to the CA on port 135 and dynamic RPC ports

Step 1: Configure Certificate Templates for Auto-Enrollment

Certificate templates must be configured with auto-enrollment permissions. Create a custom version of the standard templates to avoid modifying built-in templates:

# Connect to the CA and manage templates via MMC or PowerShell
# Templates are stored in AD under:
# CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=corp,DC=local

Import-Module ActiveDirectory

# View current auto-enrollment permissions on a template
# This is best done via the Certificate Templates MMC console (certtmpl.msc)
# But we can check via AD object ACLs

$configNC = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Computer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$acl = Get-Acl "AD:$templateDN"
$acl.Access | Where-Object { $_.IdentityReference -like "*Domain Computers*" } |
    Select-Object IdentityReference, ActiveDirectoryRights | Format-Table

# Template auto-enrollment settings required:
# 1. Version 2 template (supports auto-enrollment)
# 2. Subject Name: "Build from Active Directory" (automatic subject)
# 3. Security tab:
#    - Domain Computers or Domain Users: Read, Enroll, Autoenroll
# 4. Request Handling: "Allow private key to be exported" (optional)
# 5. Issuance Requirements: No CA manager approval (automatic)

Step 2: Duplicate and Customize Certificate Templates

# Use certutil to list templates on the CA
certutil -catemplates

# Best practice: duplicate built-in templates, don't modify originals
# In Certificate Templates MMC (certtmpl.msc):
# 1. Right-click "Computer" template > Duplicate Template
# 2. Name the new template "CorpComputer"
# 3. Set validity period (2 years)
# 4. Set renewal period (6 weeks)
# 5. On "Subject Name" tab: "Build from Active Directory information"
# 6. On "Security" tab: Add "Domain Computers" with Read, Enroll, Autoenroll

# For User certificates:
# 1. Duplicate "User" template
# 2. Name: "CorpUser"
# 3. Security tab: Add "Domain Users" with Read, Enroll, Autoenroll
# 4. Subject Name: Include UPN and email from AD

# Publish the template on the CA
Import-Module ADCSAdministration
Add-CATemplate -Name "CorpComputer" -Force
Add-CATemplate -Name "CorpUser" -Force

Write-Host "Templates published on CA:"
Get-CATemplate | Select-Object Name | Sort-Object Name | Format-Table -AutoSize

Step 3: Configure Group Policy for Auto-Enrollment

Two separate GPO settings control auto-enrollment: one for computer certificates and one for user certificates. Configure both for comprehensive certificate coverage:

Import-Module GroupPolicy

# Create a dedicated GPO for certificate auto-enrollment
$gpo = New-GPO -Name "PKI - Certificate Auto-Enrollment" `
    -Comment "Configures automatic certificate enrollment for computers and users"

# Link to the domain root to apply to all computers and users
New-GPLink -Name "PKI - Certificate Auto-Enrollment" `
    -Target "DC=corp,DC=local" `
    -LinkEnabled Yes

# COMPUTER CONFIGURATION auto-enrollment policy
# Path: Computer Configuration > Windows Settings > Security Settings > 
#       Public Key Policies > Certificate Services Client - Auto-Enrollment
# Setting: Enabled
# Check: "Renew expired certificates, update pending certificates, and remove revoked certificates"
# Check: "Update certificates that use certificate templates"

# Set via registry (the GPME configures this, but we can also use registry values directly)
$gpo | Set-GPRegistryValue `
    -Key "HKLMSOFTWAREPoliciesMicrosoftCryptographyAutoEnrollment" `
    -ValueName "AEPolicy" `
    -Type DWord `
    -Value 7  # 7 = Enroll + Update Certificates + Update Templates

# USER CONFIGURATION auto-enrollment policy
# Path: User Configuration > Windows Settings > Security Settings >
#       Public Key Policies > Certificate Services Client - Auto-Enrollment
$gpo | Set-GPRegistryValue `
    -Key "HKCUSOFTWAREPoliciesMicrosoftCryptographyAutoEnrollment" `
    -ValueName "AEPolicy" `
    -Type DWord `
    -Value 7

Write-Host "Auto-enrollment GPO configured"

Step 4: Configure Certificate Mapping in AD

For Kerberos-based smart card logon and strong certificate-to-account mapping, configure the certificate template to populate the correct AD attributes:

# The computer certificate template should populate the DNS SAN
# For computer auto-enrollment, the SubjectAltName must include the FQDN

# Verify a computer's certificate after auto-enrollment
certutil -store -user My

# Check the computer certificate store
Get-ChildItem Cert:LocalMachineMy | 
    Where-Object { $_.Issuer -like "*Corp-Issuing*" } |
    Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

# Verify user certificate store
Get-ChildItem Cert:CurrentUserMy | 
    Where-Object { $_.Issuer -like "*Corp-Issuing*" } |
    Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize

# Map a certificate to an AD user account for smart card logon
$userCert = Get-ChildItem Cert:CurrentUserMy | 
    Where-Object { $_.Issuer -like "*Corp-Issuing*" } | 
    Select-Object -First 1

# The altSecurityIdentities attribute maps certificates to AD accounts
# This is configured automatically by the Kerberos certificate template
Import-Module ActiveDirectory
$user = Get-ADUser "jsmith"
# X509:issuersubject format
Set-ADUser $user -Add @{
    altSecurityIdentities = "X509:DC=local,DC=corp,CN=Corp-Issuing-CA-01CN=$($user.SamAccountName)"
}

# Force a group policy update and trigger auto-enrollment
gpupdate /force

# Manually trigger certificate auto-enrollment (normally happens automatically on GP refresh)
certutil -pulse

# Check the Application event log for auto-enrollment events
# Event IDs to watch:
# 64 - Certificate Enrollment started
# 65 - Certificate was successfully enrolled
# 66 - Certificate enrollment failed

Get-WinEvent -LogName Application -MaxEvents 100 |
    Where-Object { $_.Id -in @(64,65,66) -and $_.ProviderName -eq "Microsoft-Windows-CertificateServicesClient-AutoEnrollment" } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# Verify certificates were issued
$issuedCerts = Get-ChildItem Cert:LocalMachineMy | 
    Where-Object { $_.Issuer -like "*Corp-Issuing*" -and $_.NotAfter -gt (Get-Date) }
Write-Host "Valid computer certificates from corp CA: $($issuedCerts.Count)"

$issuedCerts | Select-Object Subject, NotBefore, NotAfter, Thumbprint | Format-Table -AutoSize

# View issued certificates from the CA
certutil -view -restrict "Disposition=20" csv | ConvertFrom-Csv |
    Select-Object "Issued Common Name", "Certificate Template", "Certificate Expiration Date" |
    Sort-Object "Certificate Expiration Date" |
    Format-Table -AutoSize

# Count certificates by template
certutil -view -restrict "Disposition=20" csv | ConvertFrom-Csv |
    Group-Object "Certificate Template" | 
    Select-Object Name, Count | 
    Sort-Object Count -Descending | Format-Table -AutoSize

# Find certificates expiring in the next 30 days
$expiryDate = (Get-Date).AddDays(30).ToString("MM/dd/yyyy")
certutil -view -restrict "Disposition=20,CertificateExpiration<=$expiryDate" csv |
    ConvertFrom-Csv |
    Select-Object "Issued Common Name", "Certificate Expiration Date" |
    Format-Table -AutoSize

# Check for failed enrollment requests
certutil -view -restrict "Disposition!=20" csv | ConvertFrom-Csv |
    Where-Object { $_."Request Status Code" -ne "The operation completed successfully." } |
    Select-Object "Request Common Name", "Request Status Code" | Format-Table -AutoSize

# Auto-enrollment handles renewal automatically, but configure notifications
# The default renewal period is 6 weeks before expiry

# Check the CA's renewal overlap period
certutil -getreg caRenewalOverlapPeriod
certutil -getreg caRenewalOverlapPeriodUnits

# Set renewal overlap to 8 weeks (earlier renewal = more overlap)
certutil -setreg caRenewalOverlapPeriod 8
certutil -setreg caRenewalOverlapPeriodUnits 3  # 3 = Weeks

Restart-Service CertSvc

# Configure email alerts for CA events via Windows Server Backup / SCOM
# Or create a PowerShell script to alert on expiring certs:
$expiringSoon = Get-ChildItem Cert:LocalMachineMy | 
    Where-Object { 
        $_.Issuer -like "*Corp-Issuing*" -and
        $_.NotAfter -lt (Get-Date).AddDays(45) -and
        $_.NotAfter -gt (Get-Date)
    }

if ($expiringSoon) {
    $body = $expiringSoon | Select-Object Subject, NotAfter | Out-String
    Send-MailMessage -From "[email protected]" -To "[email protected]" `
        -Subject "Certificates expiring within 45 days" `
        -Body $body `
        -SmtpServer "smtp.corp.local"
}

# Common auto-enrollment troubleshooting steps

# 1. Check if the auto-enrollment policy is applied
Get-GPResultantSetOfPolicy -ReportType Xml -Path "C:TempRSOP.xml"
# Parse RSOP for auto-enrollment settings

# 2. Check CryptoAPI trace
certutil -setreg caDebug 0xfffff3ff
Restart-Service CertSvc
# Reproduce the issue
# View trace: Get-WinEvent -LogName "Microsoft-Windows-CAPI2/Operational"

# 3. Verify the CA is reachable
certutil -ping -config "corp-issuing-ca-01.corp.localCorp-Issuing-CA-01"

# 4. Check template permissions
$configNC = (Get-ADRootDSE).configurationNamingContext
$template = Get-ADObject "CN=CorpComputer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
    -Properties nTSecurityDescriptor
$template.nTSecurityDescriptor.Access | 
    Where-Object { $_.ActiveDirectoryRights -like "*Enroll*" } |
    Select-Object IdentityReference, ActiveDirectoryRights | Format-Table

# 5. Force auto-enrollment with verbose logging
certutil -pulse -v

# Complete auto-enrollment verification
Write-Host "=== Certificate Auto-Enrollment Status ===" -ForegroundColor Cyan

# GPO is applied
Get-GPO "PKI - Certificate Auto-Enrollment" | Select-Object DisplayName, GpoStatus

# Computer certificates exist and are valid
$compCerts = Get-ChildItem Cert:LocalMachineMy | 
    Where-Object { $_.Issuer -like "*Corp-Issuing*" -and $_.NotAfter -gt (Get-Date) }
Write-Host "Valid computer certs from Corp CA: $($compCerts.Count)" `
    -ForegroundColor $(if ($compCerts.Count -gt 0) {'Green'} else {'Red'})

# User certificates exist
$userCerts = Get-ChildItem Cert:CurrentUserMy | 
    Where-Object { $_.Issuer -like "*Corp-Issuing*" -and $_.NotAfter -gt (Get-Date) }
Write-Host "Valid user certs from Corp CA: $($userCerts.Count)" `
    -ForegroundColor $(if ($userCerts.Count -gt 0) {'Green'} else {'Yellow'})

# CA is online
try {
    certutil -ping -config "corp-issuing-ca-01.corp.localCorp-Issuing-CA-01" | Out-Null
    Write-Host "CA connectivity: OK" -ForegroundColor Green
} catch {
    Write-Host "CA connectivity: FAILED" -ForegroundColor Red
}