I am going to go over auto-enrollment in Microsoft Active Directory Certificate Services (ADCS)
Certificate Enrollment Methods in general
For a client to enroll for certificates, several methods exist in Windows Server.
In this post I am going to go over auto-enrollment to explain what it is and how it works
Auto-Enrollment.. What it is
Auto-enrollment is a certificate enrollment method in ADCS that allows clients to seamlessly* enroll for certificates and to perform other handy functions, including deleting revoked certificates and downloading root certificates from Active Directory. For these reasons, it is a best practice to enable auto-enrollment at the domain Group Policy level, rather than on specific OUs, and to manage who may enroll using the certificate template Access Control Lists (ACLs). Auto-enrollment is triggered when a user logs on, when a machine is powered on, or every 8 hours when Group Policy is refreshed. It is possible to manually trigger a Group Policy update by running the command gpupdate /force on the client.
*The experience might not be seamless for User Certificate templates if this is explicitly specified in the template.
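As an added example (this is not code from the original post), the following PowerShell checks the client-side state that the auto-enrollment Group Policy writes, decodes it, triggers the same refresh described above on demand, and pulls the most recent auto-enrollment events for troubleshooting. It assumes a domain-joined Windows client and an elevated session; the AEPolicy flag values are the documented ones for the "Certificate Services Client - Auto-Enrollment" policy, and the registry path and event provider name are the standard ones.

```powershell
# Added example, not from the original post. Assumes a domain-joined client
# and an elevated PowerShell session.

# Group Policy writes the auto-enrollment setting to these keys (computer and user scope).
$paths = @{
    'Computer' = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    'User'     = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
}

# Decode the AEPolicy DWORD: documented flag values for the
# "Certificate Services Client - Auto-Enrollment" policy.
function ConvertFrom-AEPolicy {
    param([int]$Value)
    if ($Value -band 0x8000) { return 'Disabled' }
    $flags = @()
    if ($Value -band 0x1) { $flags += 'Enabled' }
    if ($Value -band 0x2) { $flags += 'Renew expired / update pending / remove revoked' }
    if ($Value -band 0x4) { $flags += 'Update certificates that use templates' }
    if ($flags.Count -eq 0) { return 'Not configured (0)' }
    return ($flags -join '; ')
}

foreach ($scope in $paths.Keys) {
    $key = Get-ItemProperty -Path $paths[$scope] -ErrorAction SilentlyContinue
    if ($null -eq $key -or $null -eq $key.AEPolicy) {
        "$scope policy: AEPolicy missing (no GPO applied yet, or policy not refreshed)"
    } else {
        "$scope policy: AEPolicy=$($key.AEPolicy) -> $(ConvertFrom-AEPolicy $key.AEPolicy)"
    }
}

# Trigger auto-enrollment now instead of waiting for logon / boot / the 8-hour timer.
# gpupdate refreshes policy (as in the post); certutil -pulse fires the
# auto-enrollment task directly for the machine and the current user.
gpupdate /force | Out-Null
certutil -pulse | Out-Null
certutil -user -pulse | Out-Null

# Auto-enrollment writes its outcome to the Application log under this provider;
# failures here (template not found, access denied, no CA reachable) are the
# first place to look when a certificate does not show up.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# Finally, list what actually landed in the machine store.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, Issuer, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

Run it before and after changing the GPO: an AEPolicy of 7 means all three options are on, a missing key means the policy has not reached the client at all, and the event log tells you which of the high-level steps failed.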
Auto-Enrollment.. How it works
In order to troubleshoot auto-enrollment, it is beneficial to understand how it works and the steps involved in it. Below are the auto-enrollment steps at a high level.
If Key Archival is enabled, the steps below will be slightly different.
Auto-Enrollment.. How to configure it
To configure auto-enrollment, the following has to be done.
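Since the post recommends managing who can auto-enroll through the certificate template ACLs rather than through OU-scoped policy, an added example (not part of the original post) that audits those ACLs is useful when configuring or reviewing the setup. The script below lists every principal holding the Enroll or AutoEnroll extended right, or full control, on each template in the Configuration partition. It assumes the RSAT ActiveDirectory module is installed and the caller can read the Configuration naming context; the two GUIDs are the well-known extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# RSAT module and read access to the Configuration partition.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs on pKICertificateTemplate objects.
$rightGuids = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'AutoEnroll'
}
$allExtendedRights = '00000000-0000-0000-0000-000000000000'  # empty ObjectType = every extended right

$configNC  = (Get-ADRootDSE).configurationNamingContext
$templates = Get-ADObject `
    -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC" `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties nTSecurityDescriptor

$report = foreach ($t in $templates) {
    foreach ($ace in $t.nTSecurityDescriptor.Access) {
        $guid   = $ace.ObjectType.ToString().ToLower()
        $rights = $ace.ActiveDirectoryRights.ToString()

        # Decide what this ACE grants with respect to enrollment.
        $right = $null
        if ($rights -match 'GenericAll') {
            $right = 'FullControl'
        } elseif ($rights -match 'ExtendedRight') {
            if ($rightGuids.ContainsKey($guid))   { $right = $rightGuids[$guid] }
            elseif ($guid -eq $allExtendedRights) { $right = 'AllExtendedRights' }
        }
        if ($null -eq $right) { continue }

        [pscustomobject]@{
            Template  = $t.Name
            Principal = $ace.IdentityReference.Value
            Right     = $right
            Type      = $ace.AccessControlType   # Allow or Deny
            Inherited = $ace.IsInherited
        }
    }
}

$report | Sort-Object Template, Principal | Format-Table -AutoSize

# Review aid: broad groups with AutoEnroll (or FullControl) on a template will
# receive that certificate on every machine or user the domain-level GPO reaches.
$report | Where-Object {
    $_.Type -eq 'Allow' -and
    $_.Right -in 'AutoEnroll', 'FullControl', 'AllExtendedRights' -and
    $_.Principal -match 'Domain Users|Domain Computers|Authenticated Users|Everyone'
} | Format-Table Template, Principal, Right -AutoSize
```

Because the post puts auto-enrollment at the domain level, the template ACL is the only thing limiting who gets each certificate, so the second table is the one to reconcile against what each template is actually meant for.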
Where can I find a comprehensive document taking me through the whole process of setting up the PKI, configuring the correct Root CA and Subordinate CA roles, options and permissions and explaining everything front to end?