Introduction to Certificate Auto-Enrollment

Manual certificate distribution in a large Active Directory environment is impractical and error-prone. Certificate auto-enrollment automates the process of requesting, issuing, and renewing certificates for users and computers based on Group Policy. When configured, domain members automatically receive certificates from your internal Certificate Authority (CA) without any user interaction. This is essential for enabling features like smart card authentication, 802.1X network access control, EFS file encryption, and IPsec. This tutorial covers setting up an Enterprise CA on Windows Server 2019 and configuring auto-enrollment via Group Policy.

Prerequisites

Auto-enrollment requires an Enterprise CA (not a Standalone CA) because enterprise CAs integrate with Active Directory and can issue certificates based on AD-based certificate templates. You need at least one Windows Server 2019 server to host the CA role. The server should be a member of the domain but should NOT be a domain controller—placing a CA on a DC creates unnecessary security risk. You must be a member of Enterprise Admins to install an Enterprise CA.

Installing Active Directory Certificate Services

Install the Active Directory Certificate Services (AD CS) role and the Certification Authority sub-feature. Also install the Certificate Authority Web Enrollment and Online Responder sub-features for a complete PKI solution.

Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment, ADCS-Online-Cert `
    -IncludeManagementTools

Configure the CA after installation. For a new root CA in a single-tier PKI:

Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName "YourOrg-Root-CA" `
    -CADistinguishedNameSuffix "DC=yourdomain,DC=com" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10 `
    -Force

Understanding Certificate Templates

Certificate templates define what a certificate is for, its validity period, its cryptographic properties, and who can enroll for it. Enterprise CAs use AD-integrated certificate templates. Windows Server 2019 comes with many built-in templates. For auto-enrollment, you typically duplicate an existing template and customize it. Open the Certificate Templates console to view available templates.

certtmpl.msc

Creating a Custom Certificate Template for Computers

Duplicate the built-in Computer template to create a custom template for workstation auto-enrollment. In certtmpl.msc, right-click the Computer template and select Duplicate Template. This opens the template properties dialog where you can customize every aspect of the new template.

On the General tab, name the template “Workstation-AutoEnroll” and set the validity period to 2 years with a renewal period of 6 weeks. On the Subject Name tab, select Build from Active Directory information and choose Common name. On the Request Handling tab, the option Allow private key to be exported is optional; leave it unchecked for computer certificates unless you have a specific need, because an exportable key can be copied off the machine. On the Cryptography tab, set minimum key size to 2048 and hash algorithm to SHA-256. On the Extensions tab, review Application Policies (should include Client Authentication and Server Authentication for computer certs).

Configuring Auto-Enrollment Permissions on the Template

The most important step for auto-enrollment is setting the correct permissions on the certificate template. On the Security tab of the template properties, add the security principals that should auto-enroll. For computer certificates, add Domain Computers. Grant Read, Enroll, and Autoenroll permissions.

# Using certutil to dump the template, including its security descriptor (-v shows the full output)
certutil -v -template "Workstation-AutoEnroll"

In the Security tab: select Domain Computers, grant Allow Read, Allow Enroll, and Allow Autoenroll. Remove the Enroll permission from Domain Users if this is only for computers. Click OK to save the template.
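To confirm that only the intended principals hold Enroll and Autoenroll on the template, the script below (an added example, not part of the original tutorial) reads the template object from the Configuration partition and lists every Allow ACE that grants either extended right. It assumes the ActiveDirectory module (RSAT) is installed and uses the “Workstation-AutoEnroll” name from this tutorial; the list of “broad” principals it flags is an assumption you may want to extend.

```powershell
# Added example: audit Enroll/Autoenroll permissions on a certificate template in AD.
# Assumes RSAT's ActiveDirectory module; template name is the one used in this tutorial.
Import-Module ActiveDirectory

function Get-TemplateEnrollmentAces {
    param([string]$TemplateName = 'Workstation-AutoEnroll')

    $configNC   = (Get-ADRootDSE).configurationNamingContext
    $templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

    # Well-known extended-right GUIDs from the AD schema (not page-specific values)
    $enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
    $autoEnrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

    # Principals that should normally not be able to enroll for a computer-only template (assumption)
    $broadPrincipals = 'Domain Users', 'Authenticated Users', 'Everyone'

    $acl = Get-Acl -Path "AD:\$templateDN"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $isExtended = [bool]($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        if (-not $isExtended) { continue }

        # ObjectType = Guid.Empty means "all extended rights", which includes both enrollment rights
        if     ($ace.ObjectType -eq $enrollRight)     { $right = 'Enroll' }
        elseif ($ace.ObjectType -eq $autoEnrollRight) { $right = 'Autoenroll' }
        elseif ($ace.ObjectType -eq [guid]::Empty)    { $right = 'All extended rights' }
        else                                          { continue }

        $principal = $ace.IdentityReference.Value
        $shortName = ($principal -split '\\')[-1]

        [pscustomobject]@{
            Principal = $principal
            Right     = $right
            Broad     = $broadPrincipals -contains $shortName   # review these ACEs first
        }
    }
}

Get-TemplateEnrollmentAces | Sort-Object Broad -Descending | Format-Table -AutoSize
```

Any row with Broad set to True on a template meant only for Domain Computers indicates a permission that should be removed before the template is published.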

Publishing the Template to the CA

Creating a template in certtmpl.msc adds it to Active Directory but does not automatically make it available from your CA. You must explicitly publish the template to the CA using the Certification Authority console (certsrv.msc).

certsrv.msc

In the Certification Authority console, expand your CA, right-click Certificate Templates, select New > Certificate Template to Issue, and select your Workstation-AutoEnroll template. Click OK. Alternatively, use certutil:

certutil -setCATemplates +Workstation-AutoEnroll

Configuring Auto-Enrollment via Group Policy

Auto-enrollment is triggered by Group Policy. Create a GPO and link it to an OU containing the computers or users you want to auto-enroll, or link it at the domain level for all objects. Edit the GPO and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment.

Double-click the policy, set Configuration Model to Enabled, and check both options: “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates”. Click OK.

gpmc.msc

For user certificate auto-enrollment, navigate to User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client – Auto-Enrollment and configure the same settings.

Testing Auto-Enrollment

Force a Group Policy refresh and certificate enrollment on a test workstation. The certutil -pulse command triggers the certificate enrollment client to check for and enroll in pending certificate templates.

gpupdate /force
certutil -pulse

View certificates on the local computer to verify the auto-enrollment certificate was issued:

Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
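Listing the store shows every certificate, not just the auto-enrolled one. The script below (an added example, not from the original tutorial) runs on the test workstation, finds the certificate issued from the “Workstation-AutoEnroll” template by reading the template extension, and reports whether it chains to a trusted CA and how many days it has left. The template name is the one used in this tutorial; the extension OIDs are the standard Microsoft template OIDs.

```powershell
# Added example: verify that the auto-enrolled computer certificate is present, trusted and not near expiry.
# Assumes the template name from this tutorial; run in an elevated PowerShell on the workstation.
function Get-AutoEnrolledCertificate {
    param([string]$TemplateName = 'Workstation-AutoEnroll')

    # Certificate Template Information (v2+ templates) and Certificate Template Name (v1 templates)
    $templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'

    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $templateExt = $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value }
        # Format($false) renders the extension as text, which includes the template name
        $templateExt -and (($templateExt | ForEach-Object { $_.Format($false) }) -like "*$TemplateName*")
    }
}

function Test-AutoEnrolledCertificate {
    param([string]$TemplateName = 'Workstation-AutoEnroll')

    $issued = @(Get-AutoEnrolledCertificate -TemplateName $TemplateName)
    if ($issued.Count -eq 0) {
        Write-Warning "No certificate from template '$TemplateName' found. Check that the GPO applies (gpresult /r) and review the AutoEnrollment events in the Application log."
        return
    }

    foreach ($cert in $issued) {
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
            HasPrivateKey = $cert.HasPrivateKey          # should be True for an auto-enrolled cert
            ChainTrusted  = $cert.Verify()               # builds the chain and checks revocation
        }
    }
}

Test-AutoEnrolledCertificate | Format-List
```

ChainTrusted being False usually means the issuing CA certificate has not reached the workstation's trusted root or intermediate stores, or the CRL distribution point is unreachable.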

Configuring Auto-Renewal

Auto-enrollment also handles certificate renewal automatically. By default, renewal occurs when a certificate reaches 80% of its validity period (configurable in the template). When the renewal period is reached, the client automatically requests a renewal from the CA without administrator intervention. Verify renewal settings in the certificate template on the General tab under Renewal period.

Troubleshooting Auto-Enrollment

Enable the Certificate Services Client verbose logging to diagnose auto-enrollment failures. Check the Application event log for events from source CertEnroll or AutoEnrollment.

# The auto-enrollment and enrollment clients log under the
# Microsoft-Windows-CertificateServicesClient-* providers in the Application log
Get-WinEvent -FilterHashtable @{
    LogName='Application'
    ProviderName='Microsoft-Windows-CertificateServicesClient-*'
} | Select-Object TimeCreated, ProviderName, LevelDisplayName, Message | Format-List
# Check the CA for pending or failed requests
certutil -view -out "RequesterName,RequestID,DispositionMessage,StatusCode" queue

Conclusion

Certificate auto-enrollment on Windows Server 2019 eliminates manual certificate management while ensuring all domain computers and users have valid certificates for authentication and encryption. Once configured, certificates are issued, renewed, and revoked automatically based on Group Policy and CA decisions. This infrastructure is a prerequisite for many security features including smartcard login, 802.1X wireless and wired access control, and Always On VPN. Invest time in designing your certificate template hierarchy before deployment to avoid having to restructure later.