I am going to go over auto-enrollment in Microsoft Active Directory Certificate Services (ADCS)
Certificate Enrollment Methods in general
Windows Server offers several ways for a client to enroll for certificates from an ADCS certification authority.
In this post I am going to go over auto-enrollment to explain what it is and how it works.
Auto-Enrollment.. What it is
Auto-enrollment is a certificate enrollment method in ADCS that lets clients enroll for certificates seamlessly*, and that also performs other useful housekeeping, including renewing expiring certificates, deleting revoked certificates, and downloading root certificates published in Active Directory. For these reasons it is a best practice to enable auto-enrollment once at the domain Group Policy level, rather than on specific OUs, and to control who actually gets which certificate through the Access Control Lists (the Enroll and Autoenroll permissions) on the certificate templates. Auto-enrollment is triggered when a user logs on, when a machine starts up, and every 8 hours on the client's auto-enrollment timer; it also runs when Group Policy is refreshed, so it can be triggered manually by running gpupdate /force on the client.
*The experience might not be seamless for user certificate templates if the template is explicitly configured to prompt the user during enrollment.
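The following PowerShell is an added example (not code from the original post) showing how to check and trigger auto-enrollment on a domain-joined client, so that the triggers and housekeeping described above can be verified instead of waited for. The function names are my own; the AEPolicy bit meanings in the comments are my understanding of what the "Certificate Services Client - Auto-Enrollment" GPO writes and should be checked on your build, and the events queried are whatever the client has logged (none are fabricated here).

```powershell
# Added example (not from the original post): inspect and trigger auto-enrollment
# on a domain-joined Windows client. Run in an elevated PowerShell session.
# Function names are hypothetical; assumptions are noted inline.

$policyPaths = @{
    'Computer' = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    'User'     = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
}

function Get-AutoEnrollmentState {
    # Reads the AEPolicy value written by the "Certificate Services Client -
    # Auto-Enrollment" GPO. Assumption (verify on your build): 0x8000 = explicitly
    # Disabled; 0x1 = enroll automatically; 0x2 = renew expired / update pending /
    # remove revoked; 0x4 = update certificates that use templates; 7 = fully on.
    foreach ($scope in $policyPaths.Keys) {
        $path  = $policyPaths[$scope]
        $value = (Get-ItemProperty -Path $path -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        $state = if ($null -eq $value)        { 'Not configured (no policy applied)' }
                 elseif ($value -band 0x8000) { 'Disabled by policy' }
                 elseif ($value -eq 0)        { 'Policy present but no options set (check the GPO)' }
                 else                         { 'Enabled (AEPolicy=0x{0:X})' -f $value }
        [pscustomobject]@{ Scope = $scope; AEPolicy = $value; State = $state }
    }
}

function Get-AutoEnrollmentTasks {
    # The periodic (8-hour) trigger is implemented as scheduled tasks under this path;
    # a disabled or missing task explains "it never renews" symptoms.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' |
        Select-Object TaskName, State
}

function Invoke-AutoEnrollment {
    # Refresh Group Policy (which triggers auto-enrollment) and then pulse the
    # auto-enrollment client directly, so you need not wait for logon, boot or 8 h.
    gpupdate /force | Out-Null
    certutil -pulse  | Out-Null
}

function Get-AutoEnrollmentEvents {
    param([int]$Hours = 1)
    # The auto-enrollment client logs to the Application log under this provider.
    # Errors here (template permissions, unreachable CA, template not published)
    # are the first thing to read when a client does not receive its certificate.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Get-AutoEnrollmentState | Format-Table -AutoSize
Get-AutoEnrollmentTasks | Format-Table -AutoSize
Invoke-AutoEnrollment
Start-Sleep -Seconds 30          # give the client a moment to contact the CA
Get-AutoEnrollmentEvents | Format-Table -Wrap
```

Run it as the user whose certificate is missing to check the HKCU side, and as an administrator for the HKLM side; a "Not configured" result on the scope you expected to be enabled points at GPO scoping, while an enabled policy with errors in the event log points at template ACLs or CA reachability.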
Auto-Enrollment.. How it works
In order to troubleshoot auto-enrollment, it is beneficial to understand how it works and the steps involved in it. Below are the auto-enrollment steps at a high level:
If Key Archival is enabled, the steps below will be slightly different
Auto-Enrollment.. How to configure it
To configure auto-enrollment, the following has to be done: