Jul 14, 2025
OVERVIEW: This page walks you through the process of editing a GPO for Certificate Enrollment. At the completion of this procedure, you will be able to update a GPO for Certificate Enrollment. If you are looking to create and link a new GPO in Active Directory, please refer to this guide.
These are the settings that define the URL of the policy servers that users and computers will contact. By default (in a newly created GPO), this setting is "Not Configured" and will need to be changed to "Enabled". When you enable it, the list will contain one default Certificate Enrollment Policy (CEP) called Active Directory Enrollment Policy, and it will be marked as the default.
IMPORTANT: In most Certificate Automation Manager installations, the Active Directory Enrollment Policy entry is removed completely from the configuration. The only reason to keep it is if the customer is using their own CA in parallel with Certificate Automation Manager and is configuring it in the same GPO (this is unlikely).
These are the settings that define whether Auto-Enrollment runs and how it behaves. By default, the policy is set to "Not Configured". When you change it to Enabled, you will see the following options:
Configuration Model - This drop-down determines whether the policy applies. It has 3 settings: Not Configured, Enabled, and Disabled. With Enabled selected, the following check boxes become available:
Renew expired certificates, update pending certificates, and remove revoked certificates. (Normally used in Certificate Automation Manager installations)
Update certificates that use certificate templates. (Normally used in Certificate Automation Manager installations)
Log expiry events and show expiry notifications when the percentage of remaining certificate life is: (Occasionally Used)
Additional stores… (Rarely used)
Display user notifications for expiring certificates in user and machine MY store (Occasionally Used)
Right-click the GPO and select Edit. Change any of the policies you want to apply in the Computer and/or User Configuration.
Depending on the type of configuration that you want to apply to the policy, navigate to Computer/User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Certificate Enrollment Policy.
To remove the Default Policy, simply select it in the list, and click Remove..., then Yes when prompted.
Click the Add button in the same screen as shown in the screenshot above.
Enter the Enrollment Policy Server URI. Then click Validate Server.
IMPORTANT: The Enrollment Policy Server URI format is: https://<Insert Certificate Automation Manager servers FQDN>/XCEP/xcep.svc . You may also copy the URI from the Certificate Automation Manager Portal's main page. Validate Server connects to that URI from the machine where you are running GPMC, so the Certificate Automation Manager server's HTTPS certificate must chain to a root that this machine trusts (and the FQDN in the URI must match the certificate); a validation failure here usually points to a TLS trust or name problem rather than to the GPO itself.
Check the Default box next to the policy, then tick the
Click Apply, then click OK.
Double click Certificate Services Client Auto-Enrollment and select Enabled from the Configuration Model drop-down menu, click Apply, then click OK.
Note: Depending on the configuration that you want to achieve, you may consider selecting other options from the Auto-Enrollment properties.
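The steps above are performed in the GPMC user interface. As an added example (not code from the original page or from Certificate Automation Manager), the PowerShell script below shows the same Auto-Enrollment setting being written to a GPO with the GroupPolicy module, and then a check you can run on a domain-joined client after gpupdate to confirm what actually arrived: the AEPolicy value delivered by the GPO, the enrollment policy servers the client applies, and whether the XCEP URI is reachable over trusted TLS. The GPO name and the FQDN cam.example.com are placeholders. The Certificate Enrollment Policy server entry itself is deliberately left to the GUI steps above, since its registry layout is not documented on this page.

```powershell
# Added example: configure and verify the Certificate Enrollment GPO from PowerShell.
# Assumptions (not from the page): RSAT GroupPolicy module is installed where Set-GPRegistryValue
# runs, the GPO named below already exists and is linked, and cam.example.com is a placeholder.
param(
    [string]$GpoName = 'Certificate Enrollment',   # assumed GPO name
    [string]$CamFqdn = 'cam.example.com'           # placeholder for the Certificate Automation Manager FQDN
)

$AutoEnrollKey = 'Software\Policies\Microsoft\Cryptography\AutoEnrollment'
# 7 is the AEPolicy value GPMC writes when Configuration Model = Enabled and both
# "Renew expired certificates, update pending certificates, and remove revoked certificates"
# and "Update certificates that use certificate templates" are ticked.
$AEPolicyEnabledRenewUpdate = 7

function Set-AutoEnrollmentPolicy {
    # Writes the Auto-Enrollment policy into the GPO for the Computer (HKLM) or User (HKCU) side.
    param(
        [Parameter(Mandatory)][string]$Gpo,
        [Parameter(Mandatory)][ValidateSet('Computer','User')][string]$Scope
    )
    Import-Module GroupPolicy -ErrorAction Stop
    $hive = if ($Scope -eq 'Computer') { 'HKLM' } else { 'HKCU' }
    Set-GPRegistryValue -Name $Gpo -Key "$hive\$AutoEnrollKey" -ValueName 'AEPolicy' `
        -Type DWord -Value $AEPolicyEnabledRenewUpdate | Out-Null
    # Read it back so the caller sees exactly what the GPO now carries.
    Get-GPRegistryValue -Name $Gpo -Key "$hive\$AutoEnrollKey" -ValueName 'AEPolicy'
}

function Test-EnrollmentPolicyApplied {
    # Run on a client after "gpupdate /force" (elevated, so the HKLM side is readable).
    param([Parameter(Mandatory)][string]$CamFqdn)

    # 1. Auto-Enrollment value as delivered by Group Policy, per hive.
    foreach ($hive in 'HKLM','HKCU') {
        $path = "${hive}:\$AutoEnrollKey"
        $v = (Get-ItemProperty -Path $path -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        $state = if ($null -eq $v) { 'Not Configured (no policy value present)' } else { '0x{0:X}' -f $v }
        "{0} AEPolicy: {1}" -f $hive, $state
    }

    # 2. Enrollment policy servers the client is applying (PKIClient module).
    #    The Active Directory Enrollment Policy should be absent here if it was removed in the GPO.
    "Applied machine enrollment policy servers:"
    Get-CertificateEnrollmentPolicyServer -Scope Applied -Context Machine | Format-List

    # 3. Reachability and TLS trust of the XCEP URI. A 401 still proves TLS worked;
    #    an untrusted issuer or a name mismatch shows up as an exception instead.
    $uri = "https://$CamFqdn/XCEP/xcep.svc"
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop
        "XCEP endpoint {0}: HTTP {1}" -f $uri, $resp.StatusCode
    } catch {
        "XCEP endpoint {0}: {1}" -f $uri, $_.Exception.Message
    }

    # 4. Kick off an autoenrollment pass now rather than waiting for the next scheduled run.
    certutil -pulse | Out-Null
    "Autoenrollment pulse requested; check the CertificateServicesClient-AutoEnrollment event log for results."
}

# Usage (run the first two on the GPO admin workstation, the last on a client):
# Set-AutoEnrollmentPolicy -Gpo $GpoName -Scope Computer
# Set-AutoEnrollmentPolicy -Gpo $GpoName -Scope User
# Test-EnrollmentPolicyApplied -CamFqdn $CamFqdn
```

Writing AEPolicy through Set-GPRegistryValue produces the same policy the Auto-Enrollment dialog produces, so either path is fine; the value of the script is the client-side check, which separates "the GPO never arrived" (no AEPolicy value, policy server list still shows only Active Directory Enrollment Policy) from "the GPO arrived but the client cannot talk to the policy server" (TLS or name error on the XCEP URI).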