20,218 questions
Certificate templates are stored on DCs not CA server, please check AD replication is working fine by running repadmin /showrepl and repadmin /replsum.
Certificate Auto-Enrolment not starting
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 91%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMH%3C/text%3E%3C/svg%3E)
Michael Hathaway
21
Reputation points
Hi Folks,
I have a strange issue, I have enabled the certificate services client to auto-enrol users and machines for certificates, manual enrolment works just fine, however when I try to force auto-enrolment with gpupdate /force, I do not see anything in the event viewer to say that the CertificateServicesClient attempted to enrol, all I see is that Group Policy has been applied successfully.
Does anyone have any pointers that I can try to see what is preventing the enrolment??
I have checked permissions on the templates and enrol and autoenroll are enabled for domain user and domain computers and authenticated users have the read permission.
If I run CertReq -v -AutoEnroll -machine or CertReq -v -AutoEnroll -user I am told that there are no certificate types available, which points me back to permissions??
Any ideas??
Thanks
Mike
Windows for business | Windows Server | User experience | Other
Windows for business | Windows Server | Devices and deployment | Configure application groups
Windows for business | Windows Client for IT Pros | User experience | Other
1 answer
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 23%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
S.Sengupta 24,636 Reputation points MVP2023-06-27T00:37:41.68+00:00 -
Michael Hathaway 21 Reputation points
2023-06-27T06:15:18.9166667+00:00 Thanks, yes I am aware of the location of the templates, in this environment it is a lab and so only one domain controller so I am confident that this is not a replication issue.
the weird thing I see is that when I edit group policy and disable auto enrolment, this does trigger the certificate client to attempt an enrolment, I just cant figure out why it won’t work when it is enabled??
Sign in to comment -