Certificate Auto-enrollment Using Group Policy And Windows Server 2016 CA

In this blog post, I’ll show you how to auto-enroll and renew certificates for users and computers In Active Directory using Group Policy and Enterprise CA.

Certificate Autoenrollment

When using Enterprise CA In a Domain environment we have the choice to automate the entire process of enrolling and renew certificates using group policy.


To get this done, I’ll need to have:

  • The certificate template needs to be configured for Windows Server 2008 and above compatibility.
  • Enterprise Certificate Authority

To get started, I’ll configure my Certificate to use Windows Server 2016 compatibility level.

My recommendation Is not to change the original certificate template but to duplicate it and work on the new one.

Duplicate Certificate Template

To duplicate my certificate and change the compatibility level, I’ll open the Certificate Template MMC

I’ll locate the template, I’ll use for autoenrollment -> Right Click and Duplicate Template

From the Compatibility tab, I’ll change the Compatibility level

In my case, I’m selecting Windows Server 2016

I’ll also, change the template Display and Template name

Autoenrollment permissions

And the most important part, I’ll give my Domain users Autoenroll permissions.

From the new certificate properties ->Security tab I’ll select my Domain Users and give them Autoenroll.

Group Policy Settings

Now, I’ll configure Group Policy to enable autoenrollment, From the Group Policy Management Console I’ll edit my GPO

For users I’ll modify the settings under:

User Configuration -> Policies -> Security Settings -> Public Key Policies

For computer use the computer configuration -> Policies -> Security Settings -> Public Key Policies

In the Configuration Mode, I’ll use enabled

Configuration Mode

Next, I’ll use the settings below.


Group Policy Autoenrollment is a quick win In enterprise environments where automation Is the key to a successful management.