Windows Server 2019 – Creating an auto-enrollment policy

Our certification authority server is configured and running, and we can successfully issue certificates to the client machines. Great! Now let’s pretend we have a new project on our plates, and one of the requirements for this project is that all of the computers in your network need to have a copy of this new machine certificate that we have created. Uh oh, that sounds like a lot of work. Even though the process for requesting one of these certificates is very quick—only a handful of seconds on each workstation—if you had to do that individually on a couple of thousand machines, you are talking about a serious period of time needing to be spent on this process. Furthermore, in many cases, the certificates that you issue will only be valid for one year. Does this mean I am facing an extreme amount of administrative work every single year to re-issue these certificates as they expire? Certainly not!

Let’s figure out how to utilize Group Policy to create a GPO that will auto-enroll our new certificates to all of the machines in the network, and, while we are in there, also configure it so that when a certificate’s expiration date comes up, the certificate will auto-renew at the appropriate intervals.

Let’s pop into the Certification Authority management console on our CA server, and take a look inside the Issued Certificates folder. I only want to look here for a minute in order to see how many certificates we have issued so far in our network. It looks like just a handful of them, so hopefully once we are done configuring our policy, if we have done it correctly, and it takes effect automatically, we should see more certificates starting to show up in this list:

Log into a domain controller server, and then open up the Group Policy Management console. I have created a new GPO called Enable Certificate Auto-enrollment, and am now editing that GPO to find the settings I need to configure in order to make this GPO do its work:

The settings inside this GPO that we want to configure are located at Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies | Certificate Services Client - Auto-Enrollment.

Double-click on this setting in order to view its properties. All we need to do is change Configuration Model to Enabled, and make sure to check the box that says Renew expired certificates, update pending certificates, and remove revoked certificates. Also check the box for Update certificates that use certificate templates. These settings will ensure that auto-renewal happens automatically when the certificates start running into their expiration dates over the next few years:

What is the last thing we need to do on our GPO in order to make it live? Create a link so that it starts applying! For your own environment, you will probably create a more specific link to a particular OU, as we discussed in the last chapter, but, for my lab, I want these certificates to apply to every single machine that is joined to the domain, so I will link my new GPO at the root of the domain, so that it applies to all of my clients and servers.
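The same GPO can be created, populated and linked from PowerShell with the GroupPolicy and ActiveDirectory modules that ship with RSAT. The script below is an added example, not code from the original page; it assumes you run it as a domain admin on a DC or RSAT workstation, that the GPO name matches the one created above, and that a DWORD of 7 in AEPolicy is what the GUI writes for Configuration Model: Enabled with both boxes checked (0x8000 is what it writes for Disabled). Confirm that mapping against a GPO you built in the console with Get-GPRegistryValue before relying on it.

```powershell
# Added example (not from the original page): build and link the auto-enrollment GPO
# without the GPMC GUI. Assumptions: GroupPolicy + ActiveDirectory modules installed,
# domain-admin rights, and AEPolicy = 7 meaning "Enabled" with both checkboxes ticked.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Enable Certificate Auto-enrollment'
$aeKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

# Create the GPO if it does not exist yet; reuse it otherwise.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Computer certificate auto-enrollment'
}

# Computer Configuration > Policies > Windows Settings > Security Settings >
# Public Key Policies > Certificate Services Client - Auto-Enrollment
Set-GPRegistryValue -Name $gpoName -Key $aeKey -ValueName 'AEPolicy' `
    -Type DWord -Value 7 | Out-Null

# Link at the domain root, as in the lab. To scope it, point -Target at an OU DN instead,
# e.g. 'OU=Workstations,DC=contoso,DC=com' (hypothetical).
$target = (Get-ADDomain).DistinguishedName
$linked = (Get-GPInheritance -Target $target).GpoLinks |
    Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes | Out-Null
}

# Show what the GPO now carries, so it can be compared with a console-built GPO.
Get-GPRegistryValue -Name $gpoName -Key $aeKey
```

Nothing here is specific to one template, which is exactly the point of the next section: the GPO only switches the auto-enrollment client on.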

Now that the GPO is created and configured, and we have linked it to the domain, I would think that some new certificates would be issued and there would be more names shown inside my Issued Certificates folder inside my certification authority console. But there are not. Wait a minute, in our GPO we didn’t really specify anything particular to my DirectAccess Machine cert template, did we? Could that be the problem? No, there wasn’t really an option for specifying which template I wanted to set up for auto-enrollment.

When you enable auto-enrollment in Group Policy, you are simply flipping an on/off switch for the auto-enrollment client on every machine the GPO reaches; there is no place in it to name a template. So now that we have a policy that is configured to enable auto-enrollment and is linked to the domain, thus making it live, auto-enrollment has been enabled on every domain-joined computer, and each of them will ask the CA for a certificate from every published template it is entitled to. Yet, none of them are issuing themselves to my computers. This is because we need to adjust the security settings on our new DirectAccess Machine template. Currently we have it configured so that all domain computers have Enroll permissions, but if you remember the Security tab within the cert template's properties, there was an additional permission called Autoenroll. Every certificate template has the Autoenroll permission, and it is not granted by default. Enroll alone only lets a machine request the certificate when someone asks for it; a machine will auto-enroll only from a template on which its account (or a group it belongs to) holds Read, Enroll and Autoenroll. Now that the light switch has been flipped ON for auto-enrollment in our domain, we need to grant the Autoenroll permission on any template that we want to start distributing itself. As soon as we grant that permission, these certificates will start flowing around our network.

Head into the Certificate Templates console (right-click the Certificate Templates folder in the Certification Authority console and choose Manage, or run certtmpl.msc), open the Properties of your new template, then make your way to the Security tab and allow Autoenroll permissions for the Domain Computers group, leaving Read and Enroll in place. Keep in mind that every member of whatever group you pick here will receive this certificate with nobody approving the request, so in production grant Autoenroll to the narrowest group that actually needs the certificate rather than to all domain computers. This should tell the CA to start distributing these certificates accordingly:
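The Security tab is a front end for the ACL on the template object in the Configuration partition of Active Directory, so the same change can be scripted and, more usefully, audited. The script below is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module, rights to modify the template, and that the template's object name (CN, which by default is the display name with spaces removed) is DirectAccessMachine. The two extended-right GUIDs are the well-known ones for Enroll and Autoenroll.

```powershell
# Added example (not from the original page): grant Domain Computers Read, Enroll and
# Autoenroll on a certificate template by editing the template object's ACL in AD,
# which is what the Security tab in certtmpl.msc does behind the scenes.
# Assumptions: template CN is 'DirectAccessMachine'; ActiveDirectory module is loaded.
Import-Module ActiveDirectory

$templateCn = 'DirectAccessMachine'       # assumed CN (object name) of the template
$group      = 'Domain Computers'

# Well-known extended-right GUIDs for the two certificate enrollment permissions.
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoenrollRight = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'

$configNc   = (Get-ADRootDSE).configurationNamingContext
$templateDn = "CN=$templateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
$sid        = (Get-ADGroup -Identity $group).SID

$acl = Get-Acl -Path "AD:\$templateDn"

# Read is required alongside Enroll/Autoenroll. Authenticated Users normally have it
# already, so this ACE is usually a no-op, but it makes the requirement explicit.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow))

foreach ($right in $enrollRight, $autoenrollRight) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $right))
}
Set-Acl -Path "AD:\$templateDn" -AclObject $acl

# Audit: list the ACEs on the template for this group, naming the two extended rights.
$names = @{ $enrollRight = 'Enroll'; $autoenrollRight = 'Autoenroll' }
(Get-Acl -Path "AD:\$templateDn").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    ForEach-Object {
        $label = if ($names.ContainsKey($_.ObjectType)) { $names[$_.ObjectType] }
                 else { $_.ActiveDirectoryRights }
        '{0,-28} {1,-6} {2}' -f $_.IdentityReference, $_.AccessControlType, $label
    }
```

The audit loop at the end is worth running on its own across every template under CN=Certificate Templates: any template where a broad group holds Autoenroll is a template the CA will hand out to that whole group without anyone watching.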

And sure enough, if I let my environment sit for a little while, giving Active Directory and Group Policy a chance to update on all of my machines, I now see more certificates have been issued from my CA server:
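You do not have to wait for the next Group Policy refresh to see the result. The script below is an added example, not code from the original page; run it elevated on one domain-joined client. It assumes the template's display name is DirectAccess Machine and that the "Certificate Template Information" extension on the issued certificate formats with the template's display name, which it does on a domain-joined machine that can resolve the template OID.

```powershell
# Added example (not from the original page): force a policy refresh and an
# auto-enrollment pass on a client, then confirm the certificate arrived.
# Assumptions: elevated session on a domain-joined client; template display name below.
$templateDisplayName = 'DirectAccess Machine'   # assumed display name

gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null   # trigger the auto-enrollment task now instead of waiting

# Machine certs issued from a v2+ template carry the "Certificate Template Information"
# extension (OID 1.3.6.1.4.1.311.21.7); match on the template name inside it.
$tmplOid = '1.3.6.1.4.1.311.21.7'
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $tmplOid }
    $ext -and ($ext.Format($false) -match [regex]::Escape($templateDisplayName))
} | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint | Format-List

# If nothing shows up, the auto-enrollment client says why in the Application log
# (for example: template not published, subject name cannot be built, access denied).
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# On the CA itself the same certificates are visible in the database as issued
# requests (Disposition 20 = issued), equivalent to the Issued Certificates folder:
#   certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,CertificateTemplate,NotAfter"
```

The Application-log query is the first place to look whenever the Issued Certificates folder stays empty; the client-side event records the template and the reason, which the CA never sees if the request was never sent.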

In order to automatically issue certificates from any template you create, publish the template on the CA (Certificate Templates folder | New | Certificate Template to Issue), make sure its Subject Name tab builds the name from Active Directory information rather than asking the requester to supply it (there is nobody at the keyboard to type one in), and configure Read, Enroll and Autoenroll permissions on that template for the right group. Once the auto-enrollment GPO is in place on those clients, their auto-enrollment task (which runs at startup, on Group Policy refresh and every eight hours) will reach out to your CA server and ask it for certificates from every published template they are entitled to. In the future, when a certificate is about to expire, auto-enrollment will request a replacement before the expiration date. The timing is not something you set in the GPO: it comes from the Renewal period on the template's General tab, and auto-enrollment also renews once 80% of the certificate's validity period has elapsed if that comes first.

Certificate auto-enrollment can take what would normally be an enormous administrative burden, and turn it into a completely automated process!
