Configure Group Policies
In addition to assigning template permissions, you must configure a Group Policy Object (GPO) that applies to users/computers that will use autoenrollment.
To set up necessary Group Policies, perform the following steps as a domain administrator on the domain controller.
Open Administrative Tools > Group Policy Management and navigate to the relevant Group Policy Object (GPO). Right-click the object and select Edit.
Access the relevant GPO settings by going to User Configuration > Policies > Windows Settings > Security Settings > Public Key Policies, and open Certificate Services Client - Auto-Enrollment.
Configure these options:
Select Enabled in the drop-down next to Configuration Model.
Check the box next to Renew expired certificates, update pending certificates, and remove revoked certificates.
Check the box next to Update certificates that use certificate templates.
Repeat these GPO steps for any additional site, domain, or Organizational Unit (OU) for which you want to enable autoenrollment.
Repeat this procedure under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies if you plan to use autoenrollment for Computer certificates, such as Private TLS Server certificates.
Note
GPOs are valid within a single domain. If you have set up a forest containing multiple domains, the GPO must be copied to all domain controllers where the GPO will apply.
Next: Install Management Tools