Certificates have been an important part of securing communications for many years, but until recently, most server administrators only ever had to deal with the occasional SSL/TLS certificate to protect a website, Exchange, or SharePoint server. Those certificates are typically issued by a public certification authority, which meant that you did not need an on-premises public key infrastructure (PKI). In other words, I am still finding companies even today that do not have a Windows CA server in their environment, and are therefore unable to issue any certificates to their workstations, simply because they have never needed to.
There are more and more technologies being released that require workstation or user certificates for one reason or another. Nobody is going to go out and purchase certificates for all of their computers from a public CA, so we build and rely upon our own CA servers in-house, and expect those CA servers to issue all of the certificates that we need on our computers. The problem then becomes, now that I have a CA server running, do I have to manually walk through the wizard on every one of my workstations in order to request a certificate? Certainly not, that would take forever!
Now, configuring a CA server or even configuring the certificate template on that CA server are outside the scope of this book, because those tasks happen on the CA server and not inside Group Policy. If you are interested in learning how to perform these tasks, as well as learning other important certificate-related activities, feel free to check out one of my other Packt Publishing books, called Windows Server 2016 Cookbook.
Where GPOs do come into the picture related to certificates is to enable something called Certificate Auto-enrollment. As the name implies, auto-enrollment is a way of automatically issuing (enrolling) certificates to your machines within the domain. It is best to think of this policy setting as a light switch that gets turned on for any of the computers to which the policy gets applied. By default, Windows workstations are not set up for auto-enrollment, so even if you configure your certificate templates with auto-enrollment permissions, those certificates will not be issued to your computers. By simply turning on the auto-enrollment light switch, you cause your machines to reach over to the CA server and automatically pull down any certificates for which they have the appropriate permissions, meaning every published template on which their computer account (or a group it belongs to) holds Read, Enroll, and Autoenroll. That is also the caveat: once the switch is on, every template that grants Autoenroll to a broad group such as Domain Computers will be issued to every machine the GPO reaches, so review the template permissions on the CA before you flip it.
There are actually a few different places inside Group Policy where you can configure Auto-enrollment (the same setting exists under User Configuration for user certificates, and older versions of Windows exposed it under a different name), but for computer certificates the place to configure this policy is here:
Computer Configuration | Policies | Windows Settings | Security Settings | Public Key Policies
Inside this section, you want to double-click on Certificate Services Client - Auto-Enrollment. Inside this policy setting, change the Configuration Model to Enabled. This single change flips the switch and causes auto-enrollment to start happening on any machine to which this GPO applies. Typically, you also want to check both boxes on this page: Renew expired certificates, update pending certificates, and remove revoked certificates, which keeps existing certificates current as they approach expiry, and Update certificates that use certificate templates, which reissues a certificate when its template is modified or superseded on the CA. So, in the end, most of the time, we configure the policy exactly like the following screenshot:
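Once the GPO has refreshed on a workstation, you will want to confirm that the switch actually arrived and that certificates were issued. The following PowerShell is an added example, not code from the book: it reads the policy value that this GPO writes, decodes it into the three choices on the dialog, forces an auto-enrollment pass with certutil rather than waiting for the next refresh, and then lists the certificates in the Personal store that carry a Certificate Template extension (the ones that came from an enterprise CA). The registry location, the meaning of the AEPolicy bits (0x8000 Disabled, 0x1 the renew/clean box, 0x2 the template-update box, 7 when Enabled with both boxes checked), and the exact text returned by the extension's Format method are assumptions stated as such in the comments; the function and variable names are my own.

```powershell
# Added example (not from the book): verify certificate auto-enrollment on a domain-joined client.
# Assumptions: the Public Key Policies setting lands in the AEPolicy DWORD under the key below, where
# 0x8000 = Disabled, bit 0x1 = "Renew expired certificates, update pending certificates, and remove
# revoked certificates", bit 0x2 = "Update certificates that use certificate templates"; the GUI writes
# 7 when the model is Enabled and both boxes are checked. Run from an elevated PowerShell after gpupdate.

$AEDisabled      = 0x8000
$AEStoreMgmt     = 0x1
$AETemplateCheck = 0x2

function Get-AutoEnrollmentState {
    # Decode the policy value for the machine (HKLM) or the logged-on user (HKCU) context.
    param([ValidateSet('Machine','User')][string]$Context = 'Machine')

    $hive = if ($Context -eq 'Machine') { 'HKLM' } else { 'HKCU' }
    $key  = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
    $val  = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy

    if ($null -eq $val) {
        # No value at all: the GPO has not reached this box, or the setting is Not Configured.
        return [pscustomobject]@{ Context = $Context; State = 'NotConfigured';
                                  RenewAndClean = $false; TemplateCheck = $false; Raw = $null }
    }
    [pscustomobject]@{
        Context       = $Context
        State         = if ($val -band $AEDisabled) { 'Disabled' } else { 'Enabled' }
        RenewAndClean = [bool]($val -band $AEStoreMgmt)
        TemplateCheck = [bool]($val -band $AETemplateCheck)
        Raw           = ('0x{0:X}' -f $val)
    }
}

function Get-TemplateIssuedCertificates {
    # Certificates issued from an enterprise CA template carry one of the two template extensions;
    # hand-imported or public-CA certificates do not, so this filter shows what auto-enrollment produced.
    param([ValidateSet('LocalMachine','CurrentUser')][string]$Store = 'LocalMachine')

    $templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'   # V2 template info, V1 template name
    Get-ChildItem -Path "Cert:\$Store\My" | ForEach-Object {
        $ext = $_.Extensions | Where-Object { $templateOids -contains $_.Oid.Value } | Select-Object -First 1
        if ($ext) {
            [pscustomobject]@{
                Subject    = $_.Subject
                # Assumed format: "Template=<name>(<oid>), Major Version Number=..., Minor Version Number=..."
                Template   = $ext.Format($false)
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
    }
}

# 1. Did the light switch reach this machine and this user?
Get-AutoEnrollmentState -Context Machine | Format-List
Get-AutoEnrollmentState -Context User    | Format-List

# 2. Trigger an auto-enrollment pass now instead of waiting for the next policy refresh.
certutil -pulse       | Out-Null   # machine context
certutil -user -pulse | Out-Null   # user context

# 3. Show what the CA actually issued to the Personal store.
Get-TemplateIssuedCertificates -Store LocalMachine | Format-Table -AutoSize
```

If step 1 reports NotConfigured, the problem is GPO scoping or replication rather than the CA; if it reports Enabled but step 3 is empty, look at the template permissions and publication on the CA, and at the Application event log under Microsoft-Windows-CertificateServicesClient-AutoEnrollment, which records the reason each template was skipped.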