Configure certificate auto-enrollment

Before you perform this procedure, you must configure a server certificate template by using the Certificate Templates Microsoft Management Console snap-in on a CA that is running AD CS. Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.

Configure server certificate auto-enrollment

On the computer where AD DS is installed, open Windows PowerShell®, type mmc, and then press ENTER. The Microsoft Management Console opens.
On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
In Available snap-ins, scroll down to and double-click Group Policy Management Editor. The Select Group Policy Object dialog box opens.

Important Ensure that you select Group Policy Management Editor and not Group Policy Management. If you select Group Policy Management, your configuration using these instructions will fail and a server certificate will not be autoenrolled to your NPSs.

In Configuration Model, select Enabled.
Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
Select the Update certificates that use certificate templates check box.

Configure user certificate auto-enrollment

On the computer where AD DS is installed, open Windows PowerShell®, type mmc, and then press ENTER. The Microsoft Management Console opens.
On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-ins dialog box opens.
In Available snap-ins, scroll down to and double-click Group Policy Management Editor. The Select Group Policy Object dialog box opens.

In Configuration Model, select Enabled.
Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box.
Select the Update certificates that use certificate templates check box.