To automatically enroll computer certificates and deploy them to the domain workstations and servers on the network, we can use a group policy as shown below.

Before we create the group policy and deploy it to our workstations and servers, we first need to configure the computer certificate template on our PKI (AD CS).

More about Active Directory Certificate Services (AD CS) can be found in my post linked at the end of this article.

Set up the Computer Certificate Template

We first need to adjust the existing default Computer certificate template, or better, duplicate it and adjust the settings on the copy.

On the PKI (the issuing CA) select the Certificate Templates node, right click and select Manage to open the certificate templates console.


Select the default existing computer certificate template, right click on it and select Duplicate Template.


Here we can adjust settings like the template name or the validity period. More about this can be found in my post about how to set up a PKI: https://blog.matrixpost.net/set-up-a-2-tier-pki-in-active-directory-certificate-services-ad-cs-part-1/.

For auto-enrollment to work, we need to adjust the permissions on the computer certificate template as shown below.

On the Security tab select Domain Computers and grant the Read, Enroll and Autoenroll permissions.


Close the certificate templates console and, in the CA console, add our newly created and adjusted certificate template so the CA can issue it.


Select the new computer certificate template.
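The two template prerequisites above (Domain Computers holding Read, Enroll and Autoenroll, and the CA publishing the template) can be verified from PowerShell. The following script is an added check, not code from the original post: it reads the template's ACL from the Configuration partition, confirms the Domain Computers rights, lists any other principal that also holds Autoenroll (so broader-than-intended enrollment is visible), and asks the CA whether it issues the template. The template name `Computer-Autoenroll` and the `-CAConfig` value are placeholders for your own; it assumes a domain-joined host with the RSAT ActiveDirectory module and certutil.exe.

```powershell
# Added verification script (not from the original post).
param(
    [string]$TemplateName = 'Computer-Autoenroll',   # placeholder, use your template's name
    [string]$CAConfig     = ''                        # e.g. 'ca01.example.com\Example Issuing CA' (placeholder), only needed off the CA
)

Import-Module ActiveDirectory -ErrorAction Stop

# Extended rights that AD CS uses for certificate enrollment.
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

function Test-TemplateEnrollmentAcl {
    param([string]$Name)

    # Certificate templates live in the forest's Configuration partition.
    $configNc   = (Get-ADRootDSE).configurationNamingContext
    $templateDn = "CN=$Name,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $acl        = Get-Acl -Path "AD:\$templateDn"

    # Domain Computers is the well-known RID 515 of the domain.
    $domainComputersSid = New-Object System.Security.Principal.SecurityIdentifier(
        "$((Get-ADDomain).DomainSID.Value)-515")

    $result = [ordered]@{ Template = $Name; Read = $false; Enroll = $false; Autoenroll = $false; OtherAutoenroll = @() }
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $readProperty  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # unresolvable identity (orphaned SID), skip it

        $isEnroll     = $ace.ActiveDirectoryRights.HasFlag($extendedRight) -and ($ace.ObjectType -eq $EnrollGuid)
        $isAutoenroll = $ace.ActiveDirectoryRights.HasFlag($extendedRight) -and ($ace.ObjectType -eq $AutoenrollGuid)
        $isRead       = $ace.ActiveDirectoryRights.HasFlag($readProperty)  -and ($ace.ObjectType -eq [guid]::Empty)

        if ($sid -eq $domainComputersSid) {
            if ($isRead)       { $result.Read       = $true }
            if ($isEnroll)     { $result.Enroll     = $true }
            if ($isAutoenroll) { $result.Autoenroll = $true }
        } elseif ($isAutoenroll) {
            # Least privilege: any other principal with Autoenroll should be a deliberate decision.
            $result.OtherAutoenroll += $ace.IdentityReference.Value
        }
    }
    [pscustomobject]$result
}

function Test-CAIssuesTemplate {
    param([string]$Name, [string]$Config)
    # 'certutil -CATemplates' lists the templates the CA is configured to issue,
    # one per line in the form '<TemplateName>: <DisplayName> -- ...'.
    $cuArgs = @('-CATemplates')
    if ($Config) { $cuArgs = @('-config', $Config) + $cuArgs }
    $output = & certutil.exe @cuArgs 2>&1 | Out-String
    [bool]($output -match "(?m)^$([regex]::Escape($Name)):")
}

$aclCheck = Test-TemplateEnrollmentAcl -Name $TemplateName
$aclCheck | Format-List
if (-not ($aclCheck.Read -and $aclCheck.Enroll -and $aclCheck.Autoenroll)) {
    Write-Warning "Domain Computers are missing Read, Enroll or Autoenroll on '$TemplateName'; auto-enrollment will not work."
}
if ($aclCheck.OtherAutoenroll.Count -gt 0) {
    Write-Warning "Autoenroll is also granted to: $($aclCheck.OtherAutoenroll -join ', ')"
}
if (Test-CAIssuesTemplate -Name $TemplateName -Config $CAConfig) {
    "CA is configured to issue template '$TemplateName'."
} else {
    Write-Warning "Template '$TemplateName' is not in the CA's list of templates to issue (Certificate Templates -> New -> Certificate Template to Issue)."
}
```

Run it after completing the steps above; if either warning appears, the client will not receive a certificate no matter how the GPO is configured.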

Set up a Group Policy to autoenroll the Computer Certificate

We can now set up our GPO, which will finally auto-enroll the computer certificates to our workstations and servers.

Open the Group Policy Management console on a domain controller and create a new group policy object or adjust an existing one.

Here we need to set the Configuration Model to Enabled and check both options: Renew expired certificates, update pending certificates, and remove revoked certificates, and Update certificates that use certificate templates.

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Certificate Services Client – Auto-Enrollment


Link the GPO to all OUs you want to auto-enroll the computer certificate for.



The next time Group Policy is refreshed, the computers will apply the GPO and request the certificate from the CA.


We can force this by using the gpupdate /force command. Afterwards the computer certificate is auto-enrolled to the computer.
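The whole GPO procedure above (create the GPO, enable auto-enrollment with both options, link it to the OUs, refresh policy and confirm the certificate arrived) can also be done from PowerShell. The script below is an added example, not code from the original post: part 1 runs on a domain controller (or any host with the RSAT GroupPolicy module) and part 2 on a client. The GPO name, the OU distinguished name and the template name are placeholders; the registry key it writes is the one the Auto-Enrollment GUI setting is stored in, and the meaning of the `AEPolicy` bits is my reading of the wincrypt `AUTO_ENROLLMENT_*` flags.

```powershell
# Added example (not from the original post). Part 1: run on a DC.
Import-Module GroupPolicy -ErrorAction Stop

$GpoName      = 'Computer Certificate Autoenrollment'   # placeholder
$TargetOuDn   = 'OU=Workstations,DC=example,DC=com'     # placeholder
$TemplateName = 'Computer-Autoenroll'                   # placeholder, the duplicated template's name

function New-AutoenrollmentGpo {
    param([string]$Name, [string]$OuDn)

    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'Auto-enroll computer certificates' }

    # "Certificate Services Client - Auto-Enrollment" is stored under this key.
    # AEPolicy is a flag field: 0x1 = update certificates that use templates,
    # 0x2 = manage the personal store (renew expired / update pending / remove revoked),
    # 0x4 = fetch pending requests, 0x8000 = disabled. The GUI writes 7 for
    # Enabled with both check boxes ticked (assumption based on the wincrypt flags).
    $key = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    Set-GPRegistryValue -Name $Name -Key $key -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
    # Defaults the GUI writes alongside it: notify at 10% remaining lifetime, personal (MY) store.
    Set-GPRegistryValue -Name $Name -Key $key -ValueName 'OfflineExpirationPercent'    -Type DWord       -Value 10     | Out-Null
    Set-GPRegistryValue -Name $Name -Key $key -ValueName 'OfflineExpirationStoreNames' -Type MultiString -Value @('MY') | Out-Null

    # Link the GPO to the OU unless it is already linked there.
    $linked = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $linked) { New-GPLink -Name $Name -Target $OuDn -LinkEnabled Yes | Out-Null }
    Get-GPO -Name $Name
}

New-AutoenrollmentGpo -Name $GpoName -OuDn $TargetOuDn

# Part 2: run on a client in the linked OU to confirm the certificate was enrolled.
function Test-AutoenrolledComputerCert {
    param([string]$Template)

    # Apply policy now and trigger the autoenrollment task instead of waiting
    # for the next refresh interval.
    gpupdate.exe /target:computer /force | Out-Null
    certutil.exe -pulse | Out-Null

    # The template is recorded in the certificate's template extension:
    # 1.3.6.1.4.1.311.21.7 for duplicated (v2+) templates, 1.3.6.1.4.1.311.20.2
    # for the built-in v1 'Machine' template. Format() renders 'Template=<name>(<oid>)';
    # if the name cannot be resolved only the OID is shown, so the OID may be passed instead.
    $found = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -in @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2') }
        $ext -and (($ext | ForEach-Object { $_.Format($false) }) -match [regex]::Escape($Template))
    }
    foreach ($cert in $found) {
        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Thumbprint    = $cert.Thumbprint
        }
    }
    if (-not $found) {
        Write-Warning "No certificate from template '$Template' in LocalMachine\My; check the GPO link, the template ACL and the CA's issued templates."
    }
}

Test-AutoenrolledComputerCert -Template $TemplateName
```

Two things to keep in mind when testing: domain controllers are members of Domain Controllers, not Domain Computers, so a DC will not enroll from a template whose Autoenroll right is granted only to Domain Computers; and the check on the client looks at the local machine store, so run it in an elevated session.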

Links

Configure Group Policy to Autoenroll and Deploy Certificates
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717253(v=ws.11)

Set up a 2-tier PKI in Active Directory Certificate Services (AD CS)
https://blog.matrixpost.net/set-up-a-2-tier-pki-in-active-directory-certificate-services-ad-cs-part-1/