Hello everybody!
We're having an issue with configuring autoenrollment for Windows 7.
Meanwhile, Windows XP autoenrolls successfully.
What had been done:
1) Configured an Enterprise CA with v2 certificate templates for computer, according to Technet documentation.
2) Configured group policy for computer accounts to autoenroll certificates (the "Certificate Services Client - Auto-Enrollment", "Certificate Services Client - Certificate Enrollment Policy" and "Certificate Path Validation Settings" policies).
3) Configured the group policy "System Cryptography: Force strong key protection for user keys stored on the computer" to "User input is not required when new keys are stored and used".
4) Checked CERTSVC_DCOM_ACCESS and Certificate Service DCOM Access group membership (Authenticated Users are included).
5) Checked certificate template for correct security permissions (Read, Autoenroll are turned on for Domain Computers).
6) On the client: checked HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment\AEPolicy registry value (= 7).
7) On the client: set AEEventLogLevel to 0 for enhanced Autoenrollment logging.
8) On the client: checked Task Scheduler for CertificateServicesClient appropriate tasks being turned on and run.
9) On the client: checked certutil -ping successfully connects to our CA.
10) On the client: checked that certutil -ADTemplate shows the correct templates from AD, and under the local system account it shows that our template has the Autoenroll permission enabled.
What happens:
1) When we perform gpupdate, or certutil -pulse, or manually trigger SystemTask from Task Scheduler, NOTHING happens.
Certificates are neither requested nor issued.
The Application event log shows only event IDs 65 and 64 from CertificateServicesClient-CertEnroll.
So, it seems that it doesn't even try to request the certificates, but it's unknown why.
2) When we open certmgr.msc for local system, right-click Personal > All tasks > Request new certificate, we see Active Directory Enrollment Policy, and there our certificate template is available to request.
If we try to request it manually, the request is sent, and the certificate is issued and installed correctly!
3) The same thing happens when we click on Certificates > All tasks > Automatically enroll and retrieve certificates. Our template is visible, available and successfully requested/issued when we click Next.
Please help us to troubleshoot this issue!
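A PowerShell triage script that runs the client-side checks from the post in one pass (AEPolicy value, the SystemTask scheduled task, a pulse followed by the CertEnroll events it produced, and the machine store). It is added here as an example and is not part of the original question; it assumes it runs elevated on the Windows 7 client, and the AEPolicy bit meanings in its comments are an assumption on my part.

```powershell
# Added triage script, not from the original post. Assumes an elevated prompt on the
# Windows 7 client and that the CA is reachable (certutil -ping already succeeds).
$ErrorActionPreference = 'Continue'

# 1. Machine autoenrollment policy value written by the GPO.
#    Assumption: 0x8000 means autoenrollment is disabled outright; 7 is what the GPO
#    writes when enrollment, store management and template update are all enabled.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy) { Write-Warning "AEPolicy is missing: has the GPO applied?" }
elseif ($aePolicy -band 0x8000) { Write-Warning ("AEPolicy = 0x{0:X}: autoenrollment disabled" -f $aePolicy) }
else { Write-Host ("AEPolicy = {0} (0x{0:X})" -f $aePolicy) }

# 2. State of the scheduled task that drives machine autoenrollment.
#    Windows 7 has no Get-ScheduledTask cmdlet, so schtasks.exe is used instead.
schtasks.exe /Query /TN "\Microsoft\Windows\CertificateServicesClient\SystemTask" /FO LIST /V |
    Select-String 'Status|Last Run Time|Last Result|Next Run Time'

# 3. Trigger autoenrollment and collect every CertificateServicesClient event logged
#    during the run, so IDs other than the 64/65 already seen become visible.
$start = Get-Date
certutil.exe -pulse | Out-Null
Start-Sleep -Seconds 15
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $start } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*CertificateServicesClient*' }
if (-not $events) { Write-Warning "No CertificateServicesClient events logged since $start" }
$events | Sort-Object TimeCreated | ForEach-Object {
    "{0:HH:mm:ss} {1,-5} {2}" -f $_.TimeCreated, $_.Id, ($_.Message -replace '\s+', ' ')
}

# 4. Did a certificate from the template land in the machine Personal store?
certutil.exe -store MY | Select-String 'Template|NotAfter|Subject'
```

Run it once with AEEventLogLevel already set to 0 (as in the post) so the verbose CertEnroll events are included in step 3.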