Configuring Auto Enrollment for ADCS - cfloquetprojects/homelab GitHub Wiki

Introduction

In parts one and two of this series, we installed an offline Standalone CA to act as our Root CA, and last time we set up our Enterprise Subordinate CA to act as our Issuing CA, using IIS to field requests from other domain-joined computers and issue certificates.

Now we will be configuring auto-enrollment, which allows domain-joined computers to be issued computer certificates automatically. Microsoft Docs already has a good article on this process, but creating my own documentation for such an important function seemed worthwhile.

In short, we will just be modifying the GPO settings that apply to our domain to enable Auto-Enrollment, and also create a new certificate template for client-to-server authentication within our LAN.

Pre-Flight Check:

Again, this lab is predicated on the fact that you have completed both of my earlier articles, Deploying an Offline Root CA and Installing Subordinate Issuing Certificate Authority.

Configuring Auto-Enrollment:

Open your Group Policy Editor for the Default Domain Policy on your ADDC server. In my case I have a headless (core) AD server that is managed from a Windows Server 2019 Desktop server, and that is what I am using to configure domain-level group policy, shown below:

[Screenshot 1]

Within Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies, choose Certificate Services Client - Auto-Enrollment and right click to select Properties:

[Screenshot 2]

Make sure the policy is enabled, and that both of the options are checked (shown below):

[Screenshot 3]

Back on our Subordinate CA, go into your CA snap-in (or Certificate Manager), right click on Certificate Templates and choose Manage:

[Screenshot 4]

Our next step is to find the Workstation Authentication template and duplicate it, so we are able to use the copy for domain-level authentication of each domain-joined endpoint.

[Screenshot 5]

Under the General tab, we should choose a display name for our new template; this doesn't have any effect on the configuration itself, so you can choose whatever you want. I just went with Client-Server Authentication to keep things simple. Make sure to check Publish certificate in Active Directory to allow domain-joined clients to use this template.

[Screenshot 6]

Now navigate to the Extensions tab and edit the Application Policies extension to allow for both Client Authentication and Server Authentication, adding the latter using the Add... button.

[Screenshot 7]

Still within the same Properties menu of the new template, navigate to the Security tab, add the Domain Computers group to the existing security principals, and make sure it has both the Enroll and Autoenroll permissions selected:

[Screenshot 8]

Return to the console and right click on Certificate Templates, and select New and choose Certificate Template to Issue:

[Screenshot 9]

Scroll until you find the name of the template you created earlier. As shown above, the name I chose is Client-Server Authentication, so that is the one I have found and selected here:

[Screenshot 10]

When we return to the Certificate Templates screen, we should see our Client-Server Authentication template (or whatever you named your template earlier) listed within it.

[Screenshot 11]
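Before moving on, it is worth confirming from the directory itself that the duplicated template really carries the settings the tabs above were meant to set: both EKUs, the publish-to-AD flag, and Enroll plus Autoenroll for Domain Computers only (a template that hands Enroll to a broader group than intended is a common PKI hygiene finding, so the ACL check is the one to read closely). The following PowerShell is an added example, not part of the original wiki. It assumes the template's CN (the Template name field, which defaults to the display name with spaces removed) is Client-ServerAuthentication, that it runs as a domain user on a domain-joined host, and that the last check runs on the Subordinate CA where the ADCSAdministration module is present.

```powershell
# Added example (not from the original wiki): verify the duplicated template from Active Directory.
# Assumptions: template CN is 'Client-ServerAuthentication'; running on a domain-joined host;
# the Get-CATemplate check only works on the CA itself (ADCSAdministration module).
$TemplateName = 'Client-ServerAuthentication'

# Certificate templates live in the Configuration partition under Public Key Services
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Extended-right GUIDs that the Security tab's Enroll / Autoenroll checkboxes map to
$EnrollGuid     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid = [Guid]'a05b8cc2-17bc-11d2-9bd5-0000f87a57d4'

# EKU OIDs the Extensions tab should have left in Application Policies
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

# msPKI-Enrollment-Flag bit set by "Publish certificate in Active Directory" (CT_FLAG_PUBLISH_TO_DS)
$PublishToDsFlag = 0x8

$appPolicies    = @($template.'msPKI-Certificate-Application-Policy')
$enrollmentFlag = [int]$template.'msPKI-Enrollment-Flag'.Value

# Walk the template ACL and keep only Allow ACEs for Domain Computers
$rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object {
        $_.IdentityReference.Value -like '*\Domain Computers' -and
        $_.AccessControlType -eq 'Allow'
    }

# GenericAll implies every extended right; otherwise the ACE must name the specific right's GUID
$grants = {
    param($guid)
    [bool]($rules | Where-Object {
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -or
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            $_.ObjectType -eq $guid)
    })
}

$result = [PSCustomObject]@{
    Template                  = $TemplateName
    ClientAuthEku             = $appPolicies -contains $ClientAuthOid
    ServerAuthEku             = $appPolicies -contains $ServerAuthOid
    PublishedToAD             = ($enrollmentFlag -band $PublishToDsFlag) -ne 0
    DomainComputersEnroll     = & $grants $EnrollGuid
    DomainComputersAutoEnroll = & $grants $AutoEnrollGuid
}

# Only on the Subordinate CA: is the template actually in the CA's list of templates to issue?
if (Get-Module -ListAvailable ADCSAdministration) {
    Import-Module ADCSAdministration
    $result | Add-Member NoteProperty IssuedByThisCA ((Get-CATemplate).Name -contains $TemplateName)
}

$result | Format-List
```

Every property should come back True once the steps above are complete. If IssuedByThisCA is False on the CA, the template was created but not added under New > Certificate Template to Issue; if the two DomainComputers properties are False while the EKUs are True, the Security tab changes were not saved.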

On your Subordinate CA, open up an elevated PowerShell prompt and execute the well-known gpupdate /force command to push through the changes we have made to our domain-level group policy.

[Screenshot 12]

After a few minutes, if we use mmc and open up the Certificates snap-in, we can view both the certificate issued to our Subordinate CA by our Root CA in the earlier guides and the certificate that was issued to the domain-joined system by that same issuing CA host.

[Screenshot 13]
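The same check can be done from a prompt, which is handier on a Server Core box or when you want to confirm several clients. Note that gpupdate only refreshes policy on the machine it runs on; other domain members pick the GPO up on their own refresh interval (90 minutes by default) or when you run gpupdate there. The following PowerShell is an added example, not part of the original wiki. It assumes the template CN is Client-ServerAuthentication and is run elevated on the client you expect to have been auto-enrolled (the Subordinate CA itself qualifies, since it is domain-joined). The AEPolicy registry value is what the Auto-Enrollment GPO writes, so reading it tells you whether the policy has actually landed before you start wondering why no certificate appeared.

```powershell
# Added example (not from the original wiki): confirm the Auto-Enrollment GPO applied and a
# certificate from our template was issued to this machine.
# Assumption: template CN is 'Client-ServerAuthentication'; run elevated on a domain-joined client.
$TemplateName = 'Client-ServerAuthentication'

# 1. Did the Auto-Enrollment GPO land? The policy writes AEPolicy under the Cryptography policy key.
#    Bits: 0x1 = Enabled, 0x2 = renew expired / update pending / remove revoked,
#    0x4 = update certificates that use templates. 7 = Enabled with both boxes checked;
#    0x8000 = explicitly Disabled; absent = Not Configured (or policy not yet applied).
$regPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $regPath -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy) {
    Write-Warning 'AEPolicy not present: the GPO has not applied here yet (run gpupdate /force and retry).'
} else {
    [PSCustomObject]@{
        AEPolicy        = ('0x{0:X}' -f $aePolicy)
        Enabled         = (($aePolicy -band 0x1) -ne 0) -and (($aePolicy -band 0x8000) -eq 0)
        RenewAndRemove  = ($aePolicy -band 0x2) -ne 0
        UpdateTemplates = ($aePolicy -band 0x4) -ne 0
    } | Format-List
}

# 2. Don't wait for the scheduled autoenrollment task; trigger a pass now.
certutil -pulse | Out-Null

# 3. Find machine certificates whose Certificate Template Information extension names our template.
#    Format($false) renders the extension as "Template=<CN>(<OID>), Major Version Number=..., ...".
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'
$issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    $ext -and ($ext.Format($false) -match "Template=$([regex]::Escape($TemplateName))\b")
}

if (-not $issued) {
    Write-Warning "No certificate from template '$TemplateName' yet; check Failed Requests on the CA and the CertificateServicesClient-AutoEnrollment events in this client's Application log."
} else {
    $issued | Select-Object Subject, Issuer, NotBefore, NotAfter, Thumbprint,
        @{ n = 'EKU'; e = { ($_.EnhancedKeyUsageList | ForEach-Object FriendlyName) -join ', ' } } |
        Format-List
}
```

A healthy result shows AEPolicy as 0x7 and one certificate whose Issuer is your Subordinate CA and whose EKU column lists both Client Authentication and Server Authentication, matching the Extensions tab change made earlier.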