User Certificate Template by Group Policy


I'm looking for a way to specify a certificate template to be autoenrolled for a set of users.

What we did so far is:

- defined a new user-specific template;

- defined the template security for the specific AD group the users belong to, with read, enroll, autoenroll;

- defined a GPO to enable autoenroll for the specific group.

However, the autoenroll at login does not work, and a pop-up notification appears saying that the user has to complete the enrollment.

If the autoenroll is made manually, it works: the template is shown and works fine.


Hi @Stefano Colombo,

It appears that you've taken most of the necessary steps for autoenrollment, but there are a few additional checks you can perform:

  1. Certificate Template Schema Version:
    Verify the schema version of the certificate template. If you use the "Reenroll All Certificate Holders" option, it changes the template version. After the client updates the Group Policy, the certificate template version on the certificates should match the template's version.

  2. Group Policy Configuration:
    Double-check the Group Policy settings. In the Group Policy Management Editor, go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
    Enable "Certificate Services Client - Auto-Enrollment," set the Configuration Model to Enabled, and select both "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates".

  3. Force Group Policy Update:
    If the template version changes but not on the certificate, run gpupdate /force or certutil -pulse on the client to trigger an update.

  4. Refresh Certificate Store:
    Refresh the certificate store on the client.

Computer Certificate autoenrollment not working - Microsoft Q&A

Configure server certificate auto-enrollment | Microsoft Learn

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.

If the post was useful in other ways, please consider giving it a Like.

Kindest regards,

Leon Pavesic
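The checks from the reply above, gathered into one PowerShell diagnostic that an administrator can run as the affected user; this is an added example, not code from the thread or from Microsoft, and it goes one step further by reading the template's enrollment flags, since several of them make autoenrollment stop with exactly the "complete the enrollment" notification the question describes. It assumes a placeholder template CN of 'ContosoUser' and a domain-joined client that can reach a domain controller.

```powershell
# Added diagnostic (not the thread's own code) for the checks in the reply above.
# 'ContosoUser' is a placeholder template CN; run as the affected user on a domain-joined client.
param([string]$TemplateName = 'ContosoUser')

# 1. User-side autoenrollment policy. For user templates the GPO is set under User Configuration
#    and lands in HKCU as AEPolicy: 7 = enabled with both option boxes ticked, 32768 (0x8000) = Disabled.
$ae = Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment' -ErrorAction SilentlyContinue
$aePolicy = if ($ae) { [int]$ae.AEPolicy } else { -1 }
"User AEPolicy = $aePolicy  (7 = fully enabled, 32768 = disabled, -1 = no user policy applied)"

# 2. Template as published in AD: schema version, template version (major.minor) and flags.
$cfgNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$t = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"
$schema  = [int]$t.Properties['msPKI-Template-Schema-Version'].Value
$major   = [int]$t.Properties['revision'].Value
$minor   = [int]$t.Properties['msPKI-Template-Minor-Revision'].Value
$enroll  = [int]$t.Properties['msPKI-Enrollment-Flag'].Value
$nameFlg = [int]$t.Properties['msPKI-Certificate-Name-Flag'].Value
$raSigs  = [int]$t.Properties['msPKI-RA-Signature'].Value
$tplOid  = [string]$t.Properties['msPKI-Cert-Template-OID'].Value
"Template $TemplateName: schema v$schema, version $major.$minor, OID $tplOid"

# Settings that stop autoenrollment with the "complete enrollment" balloon instead of finishing
# silently (flag values from the MS-CRTD template specification).
if ($schema -lt 2)              { 'WARN: v1 templates are not supported by autoenrollment' }
if (($enroll -band 0x20) -eq 0) { 'WARN: CT_FLAG_AUTO_ENROLLMENT is not set on the template' }
if ($enroll -band 0x100)        { 'WARN: CT_FLAG_USER_INTERACTION_REQUIRED forces a user prompt' }
if ($enroll -band 0x2)          { 'WARN: CT_FLAG_PEND_ALL_REQUESTS leaves requests pending for CA manager approval' }
if ($nameFlg -band 0x1)         { 'WARN: subject name is "Supply in the request"; it cannot be built silently' }
if ($raSigs -gt 0)              { "WARN: template requires $raSigs authorized signature(s) on the request" }

# 3. Template ACL: the group needs both the Enroll and Autoenroll extended rights (well-known
#    control-access right GUIDs; a GenericAll grant would show an empty ObjectType instead).
$rights = @{ '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
             'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll' }
$t.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
  Where-Object { $_.AccessControlType -eq 'Allow' -and $rights.ContainsKey($_.ObjectType.ToString()) } |
  ForEach-Object { "  $($rights[$_.ObjectType.ToString()]) granted to $($_.IdentityReference)" }

# 4. Certificates already in the user's store issued from this template, with the template version
#    they carry (compare with $major.$minor after gpupdate /force or certutil -pulse).
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
  $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }  # Certificate Template Information
  if ($ext -and $ext.Format($false) -match [regex]::Escape($tplOid)) { "  $($_.Thumbprint): $($ext.Format($false))" }
}

# 5. Most recent autoenrollment warnings/errors logged for this user (Level 2 = Error, 3 = Warning).
$filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'; Level = @(2, 3) }
Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

If section 2 prints any WARN line, that template setting, not the GPO refresh, is what keeps the enrollment from completing at logon.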