windows-itpro-docs/windows/security/identity-protection/hello-for-business/includes/dc-certificate-deployment.md
2023-01-23 05:45:38 -05:00


| ms.date | ms.topic |
| --- | --- |
| 12/28/2022 | include |

Configure automatic certificate enrollment for the domain controllers

Domain controllers automatically request a certificate from the Domain Controller certificate template. However, domain controllers are unaware of newer certificate templates or of superseded configurations on certificate templates. For domain controllers to automatically enroll for and renew certificates, configure a GPO for automatic certificate enrollment and link it to the Domain Controllers OU.

  1. Open the Group Policy Management Console (gpmc.msc)
  2. Expand the domain and select the Group Policy Object node in the navigation pane
  3. Right-click Group Policy object and select New
  4. Type Domain Controller Auto Certificate Enrollment in the name box and select OK
  5. Right-click the Domain Controller Auto Certificate Enrollment Group Policy object and select Edit
  6. In the navigation pane, expand Policies under Computer Configuration
  7. Expand Windows Settings > Security Settings > Public Key Policies
  8. In the details pane, right-click Certificate Services Client - Auto-Enrollment and select Properties
  9. Select Enabled from the Configuration Model list
  10. Select the Renew expired certificates, update pending certificates, and remove revoked certificates check box
  11. Select the Update certificates that use certificate templates check box
  12. Select OK
  13. Close the Group Policy Management Editor

Deploy the domain controller auto certificate enrollment GPO

Sign in to a domain controller or management workstation with Domain Administrator equivalent credentials.

  1. Start the Group Policy Management Console (gpmc.msc)
  2. In the navigation pane, expand the domain and expand the node with the Active Directory domain name. Right-click the Domain Controllers organizational unit and select Link an existing GPO…
  3. In the Select GPO dialog box, select Domain Controller Auto Certificate Enrollment or the name of the domain controller certificate enrollment Group Policy object you previously created
  4. Select OK
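The same configure-and-deploy procedure, scripted with the GroupPolicy and ActiveDirectory RSAT modules, as an added example that is not part of the original Microsoft docs page. It assumes a domain-joined management host with Domain Administrator rights; the registry values it writes (`AEPolicy` and the two `OfflineExpiration*` values) are what the Auto-Enrollment properties dialog stores, and the final verification block is meant to be run on a domain controller after a policy refresh.

```powershell
# Added example, not from the docs page: creates the GPO, sets the
# Auto-Enrollment policy and links it to the Domain Controllers OU.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName = 'Domain Controller Auto Certificate Enrollment'   # name from the procedure
$DcOu    = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"
$AeKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

# Steps 1-4: create the GPO (reuse it if it already exists, so the script is re-runnable)
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Automatic certificate enrollment for domain controllers'
}

# Steps 5-12: Certificate Services Client - Auto-Enrollment = Enabled, with
# 'Renew expired / update pending / remove revoked' and 'Update certificates
# that use certificate templates' checked. AEPolicy is a bit mask:
#   1 = enabled, 2 = renew/update pending/remove revoked, 4 = update template-based certs
# (0x8000 would mean Disabled). 7 = all three checked.
Set-GPRegistryValue -Name $GpoName -Key $AeKey -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null
# The dialog also writes the renewal window used for expired certificates (10% of lifetime, MY store).
Set-GPRegistryValue -Name $GpoName -Key $AeKey -ValueName 'OfflineExpirationPercent' -Type DWord -Value 10 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $AeKey -ValueName 'OfflineExpirationStoreNames' -Type String -Value 'MY' | Out-Null

# Deploy: link the GPO to the Domain Controllers OU (skip if the link already exists)
$linked = (Get-GPInheritance -Target $DcOu).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $DcOu -LinkEnabled Yes | Out-Null
}

# Check that the policy values are really in the GPO before trusting the link
Get-GPRegistryValue -Name $GpoName -Key $AeKey | Format-Table ValueName, Type, Value -AutoSize

# On a domain controller, after 'gpupdate /target:computer /force' (or 'certutil -pulse'),
# confirm that a template-issued certificate is present in the machine store.
# 1.3.6.1.4.1.311.21.7 is the v2 Certificate Template Information extension;
# certificates from the older v1 Domain Controller template carry 1.3.6.1.4.1.311.20.2 instead.
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } } |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint
```

A domain controller that still shows only the v1 template certificate after the refresh is the symptom the text describes (unaware of newer or superseded templates); re-check the GPO link and the AEPolicy value before looking at the CA.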