Windows Gatekeeper QA

Windows Gatekeeper Q&A

Setting Up the Certificate Autoenrollment Feature in a Windows Public Key Infrastructure

Q: Does a Windows public key infrastructure (PKI) provide a mechanism to let users and machines automatically enroll (i.e., without user or administrator intervention) for X.509 certificates from a Windows Certification Authority (CA)? If there is such mechanism, can it work between different Windows Active Directory (AD) forests or can it only be used within a single forest?

A: Windows PKI has such feature. It's called certificate autoenrollment. Certificate autoenrollment can be used to automatically get user and machine certificates from domain-joined machines when a machine or user logs on to the domain. It can't be used for automatically enrolling for certificates from standalone machines. Starting with Windows Server 2008 R2, PKI autoenrollment can also be used between two different AD forests that have a two-way forest trust, which allows organizations to let their enterprise CA issue certificates to the users of another AD forest. For more details about this capability, see the Microsoft white paper "AD CS: Cross-forest Certificate Enrollment with Windows Server 2008 R2."

To set up certificate autoenrollment, you must make configuration changes in two Microsoft Management Console (MMC) snap-ins: Certificate Templates and Group Policy.

To enable autoenrollment at the certificate template level, open the Certificate Templates snap-in, open the template for which you want to enable autoenrollment, go to the Security tab, and give the appropriate users, machines, or groups the Autoenroll permission. If you want autoenrollment to occur without any user intervention, leave the default settings on the Request Handling tab unchanged. If you want to prompt the user to start the autoenrollment process, select the Prompt the user during enrollment option.

To enable autoenrollment at the Group Policy Object (GPO) level, open the Group Policy snap-in, go to Computer Configuration\Windows Settings\Security Settings\Public Key Policies (for machine certificate autoenrollment) or User Configuration\Windows Settings\Security Settings\Public Key Policies (for user certificate autoenrollment), then open the Autoenrollment Settings Properties dialog box. If you want the autoenrollment process to also take care of certificate renewal and other certificate housekeeping tasks, you must make sure that you also select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.


Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.