Windows 10 AlwaysOn User Certificate Auto Enrollment Not Working...

CompTech0174 1 Reputation point
2020-12-03T14:05:29.297+00:00

Hi All,

I'm hoping for some guidance from the community here. I'm working through the rollout of the backend CA, GPO and Domain Configuration for an Always On Deployment. I've been able to get my laptop to autoenroll an AlwaysOn user certificate, but I'm having trouble getting the process to replicate for my POC users even though I've addressed all the issues that I encountered while getting my laptop to function.

a) The user has performed a gpupdate /force from an elevated command prompt

b) I've checked to ensure the workstation in question has received the GPO's for certificate auto enrollment.

c) I've ensured that the workstation has a current copy of our Root CA cert with another GPO that also functioned correctly.

d) I've also had the user walk through the initial steps of a manual certificate request and all certificate templates show Available

e) I had the user perform a "certutil -pulse" to try and nudge the autoenrollment process along to no effect.

I'm pretty much out of ideas, and many of the technotes I'm finding relating to this are 5+ years old, so I have no way to determine their validity at this point.

Any assistance in resolving this individual issue and also how to get the process running smoothly for the larger enterprise community going forward would be greatly appreciated...


2 answers

  1. Anonymous
    2020-12-04T00:46:19.56+00:00

    Hi,

    Based on my experience, to configure User Certificate Autoenrollment we have to configure the user-based policy under: Default Domain Policy, User Configuration>Policies>Windows Settings>Security Settings>Public Key Policies>Certificate Services Client - Auto-Enrollment.
    So we need to make sure the users have received the Auto-Enrollment policy.

    Based on your description: "b) I've checked to ensure the workstation in question has received the GPO's for certificate auto enrollment."
    The policy Computer Configuration>Policies>Windows Settings>Security Settings>Public Key Policies>Certificate Services Client - Auto-Enrollment is just for computers to enroll certs automatically, not for users.

    We have to configure the Certificate Services Client - Auto-Enrollment policy both under the user configuration and computer configuration.
    If I misunderstand you, please feel free to let me know.

    Best Regards,

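A way to confirm which scope actually received the Auto-Enrollment policy on an affected workstation, as an added example that is not from this thread or from Microsoft: it reads the AEPolicy registry value for both the computer (HKLM) and the current user (HKCU), decodes the flags as documented for AEPolicy in MS-GPCAP, lists the autoenrollment scheduled tasks, and pulls the autoenrollment provider's recent Application-log events. Run it in the affected user's own session so the HKCU read reflects that user.

```powershell
# Added diagnostic (not part of the original thread). Flag names/values are the
# documented AEPolicy bits; the key paths are the standard policy locations.
$aeFlags = @{
    0x00000001 = 'ENABLE_TEMPLATE_CHECK (update certificates that use certificate templates)'
    0x00000002 = 'ENABLE_MY_STORE_MANAGEMENT (renew expired, update pending, remove revoked)'
    0x00000004 = 'ENABLE_PENDING_FETCH (legacy)'
    0x00008000 = 'DISABLE_ALL (autoenrollment switched off by policy)'
}

function Get-AutoEnrollmentPolicy {
    param([Parameter(Mandatory)][ValidateSet('Computer','User')][string]$Scope)
    $hive  = if ($Scope -eq 'Computer') { 'HKLM:' } else { 'HKCU:' }
    $key   = "$hive\Software\Policies\Microsoft\Cryptography\AutoEnrollment"
    $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
    if ($null -eq $value) {
        # No AEPolicy value at all: the GPO for this scope has not been applied here.
        return [pscustomobject]@{ Scope = $Scope; AEPolicy = $null
                                  State = 'NOT CONFIGURED (policy never applied)'; Flags = @() }
    }
    $flags = $aeFlags.Keys | Where-Object { $value -band $_ } | ForEach-Object { $aeFlags[$_] }
    $state = if ($value -band 0x8000) { 'DISABLED' } else { 'ENABLED' }
    [pscustomobject]@{ Scope = $Scope; AEPolicy = ('0x{0:X8}' -f $value); State = $state; Flags = $flags }
}

# 1. Policy state per scope: a missing or DISABLED 'User' row explains why only
#    computer certificates (or nothing) enroll.
'Computer','User' | ForEach-Object { Get-AutoEnrollmentPolicy -Scope $_ } | Format-List

# 2. The per-scope autoenrollment tasks (UserTask runs at logon / on a timer in the
#    user's session, SystemTask for the machine). A disabled UserTask is another cause.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' |
    Select-Object TaskName, State | Format-Table

# 3. What the last autoenrollment runs actually did (errors, template/CA problems).
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message -First 10 | Format-Table -Wrap
```

If the 'User' row shows the policy but no user events appear, run `certutil -pulse` in that session and re-run step 3; on a VPN-only client the UserTask logon trigger can fire before the tunnel is up, which makes the timed trigger and an explicit pulse the ones that actually reach the CA.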

  2. CompTech0174 1 Reputation point
    2020-12-09T15:26:47.087+00:00

    Hi,

    Thanks for the feedback. I've ensured that the Certificate Services Client - Auto Enrollment policy is configured under user and computer policies. My certificates have started to deploy; however, it's happening very slowly.

    Since most of our users are connected over VPN and are working from home due to the pandemic, my suspicion is that the lack of a continuous network connection is probably interfering with the gpupdate and auto-enrollment processes. Would you have any suggestions on how to deal with this behavior and get some consistency?

    Thanks!

