Question
Thursday, June 20, 2019 1:34 PM
Hello,
I have a 2012 R2 Enterprise Issuing CA on which auto enrollment of computer certificates has been enabled for a few years. The auto enrollment was enabled by using a certificate template and setting the Domain Computers group with the allow autoenroll permission. Wanting to stop the autoenrollment on computers, I have recently unchecked the allow autoenroll permissions for this template, but still certs are being autoenrolled to computers using this template. No other groups or computers have the allow autoenroll permission set on this template, so I'm stumped as to why it is still autoenrolling. Any thoughts?
Thank you,
Patrick
All replies (5)
Wednesday, June 26, 2019 7:39 AM ✅Answered
Hi,
Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?
Best Regards,
Daisy Zhou
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, June 21, 2019 3:36 AM
Hello,
Thank you for posting in our TechNet forum.
Do we enable Certificate Auto Enrollment on computers via GPO?
- If so, we can disable the following group policy settings:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Certificate Services Client – Auto-Enrollment policy
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Automatic Certificate Request Settings
Then run gpupdate /force on the DC and on the clients to check if the GPO takes effect.
After that, check whether Certificate Auto Enrollment is disabled on the computers.
For details we can refer to the following article:
Set Up Automatic Certificate Enrollment (Autoenroll)
https://www.vkernel.ro/blog/set-up-automatic-certificate-enrollment-autoenroll
Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.
Best Regards,
Daisy Zhou
Friday, June 21, 2019 1:53 PM
Thanks Daisy.
I actually misstated my goal earlier... apologies. I want to leave auto enrollment enabled for computers, which it currently is via GPO. I only want to stop one particular certificate template from auto enrolling certs to computers.
I've performed the steps below and computers are still auto enrolling certs from this template.
Steps: Open Template Properties > Security Tab > Highlight Groups/Users > Remove checkbox for allowing autoenroll > Save
Maybe I'm missing a configuration on the template's properties? None of the Groups/Users has the autoenroll permission.
Thanks, Patrick
Monday, June 24, 2019 7:31 AM
Hi,
I understand we want to stop one particular certificate template from auto enrolling certificates.
Try the following way:
1. We disable the GPO for all the certificate templates.
2. If step 1 takes effect, then uncheck the allow autoenroll permissions for this template.
3. Re-enable the GPO for all the certificate templates.
Best Regards,
Daisy Zhou
Wednesday, June 26, 2019 12:52 PM
Hi Daisy, thanks for the follow-up.
I did not want to disable auto-enrollment completely via GPO as several other auto-enrollment certs would be affected. What I did to stop certificates from this particular template was just remove the template from being available on my CAs.
Thanks for your help!
Patrick
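
Added example, not part of any post in this thread: a PowerShell check of the two things discussed above, namely which principals still hold Enroll or Autoenroll on one template (including entries that grant it indirectly through all extended rights or Full Control), and which CAs still publish that template. It assumes the RSAT ActiveDirectory module and read access to the Configuration partition; the template name is a hypothetical placeholder.

```powershell
# Added example: audit one certificate template's enrollment permissions
# and its publication status. Read-only; changes nothing in AD.
Import-Module ActiveDirectory

$TemplateName = 'ExampleComputerTemplate'   # hypothetical template CN, replace with your own

# Extended-right GUIDs (control access rights) relevant to enrollment
$Rights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'Autoenroll'
    # Empty GUID = ACE covers every extended right (also matches Full Control)
    '00000000-0000-0000-0000-000000000000' = 'All extended rights / Full Control'
}

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"
$tmplDN   = "CN=$TemplateName,CN=Certificate Templates,$pkiBase"

# 1. Allow ACEs on the template that grant Enroll/Autoenroll, directly or indirectly
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
(Get-Acl -Path "AD:\$tmplDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extended) -and
        $Rights.ContainsKey($_.ObjectType.ToString())
    } |
    Select-Object IdentityReference,
        @{ n = 'Right'; e = { $Rights[$_.ObjectType.ToString()] } },
        IsInherited |
    Sort-Object IdentityReference, Right |
    Format-Table -AutoSize

# 2. Enterprise CAs that still list the template in certificateTemplates
Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
             -LDAPFilter '(objectClass=pKIEnrollmentService)' `
             -Properties certificateTemplates, dNSHostName |
    Select-Object Name, dNSHostName,
        @{ n = 'PublishesTemplate'; e = { $_.certificateTemplates -contains $TemplateName } } |
    Format-Table -AutoSize
```

A principal listed only through group membership (for example a nested group) will not appear by name, so resolve the membership of each IdentityReference returned in step 1.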