1
00:00:02,040 --> 00:00:05,080
So to create the certificate auto-enrollment Group Policy Object,

2
00:00:05,080 --> 00:00:05,950
or GPO,

3
00:00:05,950 --> 00:00:09,240
we're going to jump back over to our domain controller, and once again,

4
00:00:09,240 --> 00:00:13,310
this goes without saying, if you have the remote server administration

5
00:00:13,310 --> 00:00:15,700
tools installed on a Windows 10 workstation,

6
00:00:15,700 --> 00:00:18,100
Windows 11 workstation, that works just as well.

7
00:00:18,100 --> 00:00:20,330
I'm going to do it here on the domain controller, but we're going

8
00:00:20,330 --> 00:00:24,400
to open the Group Policy Management console, and to do that I just

9
00:00:24,400 --> 00:00:27,390
have a shortcut here on my taskbar, but you can always just type

10
00:00:27,390 --> 00:00:31,280
in group policy, and you'll find the Group Policy Management

11
00:00:31,280 --> 00:00:35,100
console there as well.

12
00:00:35,100 --> 00:00:37,790
The first thing I'm going to do is right-click on Group Policy Objects and

13
00:00:37,790 --> 00:00:45,940
choose New, and then I'm going to give this a descriptive name,

14
00:00:45,940 --> 00:00:48,510
click OK.

15
00:00:48,510 --> 00:00:50,660
Then I'm going to find this Group Policy Object that I just

16
00:00:50,660 --> 00:00:57,240
created. I'm going to right-click and choose Edit.

17
00:00:57,240 --> 00:01:00,870
The first thing I want to do is enable enrollment for computer

18
00:01:00,870 --> 00:01:04,780
certificates, and to do that, I'm going to select Policies, I'm

19
00:01:04,780 --> 00:01:13,840
going to expand Windows Settings, Security Settings, and Public Key Policies.

20
00:01:13,840 --> 00:01:17,600
So highlight Public Key Policies and double-click on

21
00:01:17,600 --> 00:01:22,440
Certificate Services Client - Auto-Enrollment.

22
00:01:22,440 --> 00:01:26,990
The Configuration Model will be Enabled, and then I'm going to check the

23
00:01:26,990 --> 00:01:31,700
box to Renew expired certificates, update pending certificates, and

24
00:01:31,700 --> 00:01:35,510
remove revoked certificates, and I'm also going to select the option to

25
00:01:35,510 --> 00:01:38,440
Update certificates that use templates.

26
00:01:38,440 --> 00:01:41,740
So we'll click OK.

27
00:01:41,740 --> 00:01:45,840
And then I'm going to repeat the process for user certificates as well.

28
00:01:45,840 --> 00:01:50,220
So here we'll expand User Configuration, Policies, Windows Settings,

29
00:01:50,220 --> 00:01:52,540
Security Settings,

30
00:01:52,540 --> 00:01:57,300
Public Key Policies, and double-click Certificate Services Client -

31
00:01:57,300 --> 00:02:04,820
Auto-Enrollment. So we'll select Enabled, Renew, Update, and click

32
00:02:04,820 --> 00:02:09,210
OK. So we'll close the GPO, and again,

33
00:02:09,210 --> 00:02:12,820
I recommend assigning this at the domain so it's as easy as just

34
00:02:12,820 --> 00:02:16,620
dragging and dropping on the domain, but again,

35
00:02:16,620 --> 00:02:19,180
if you are unable to do that for any reason,

36
00:02:19,180 --> 00:02:21,910
the ultimate objective is to make sure that this certificate

37
00:02:21,910 --> 00:02:25,470
auto-enrollment policy gets to our VPN servers, our NPS servers,

38
00:02:25,470 --> 00:02:28,520
our VPN users, and our VPN devices.

39
00:02:28,520 --> 00:02:32,010
So if you need to link this GPO to a specific OU in your

40
00:02:32,010 --> 00:02:34,990
organization or do some security filtering,

41
00:02:34,990 --> 00:02:37,840
it's up to you. At the end of the day, it just needs to get

42
00:02:37,840 --> 00:02:40,540
to, again, our VPN users and devices,

43
00:02:40,540 --> 00:02:45,460
our VPN servers, and our NPS servers. And once that's done,

44
00:02:45,460 --> 00:02:49,020
your NPS servers along with your VPN users and devices will

45
00:02:49,020 --> 00:02:52,110
automatically enroll, and importantly, automatically renew

46
00:02:52,110 --> 00:02:53,920
those certificates before they expire.

47
00:02:53,920 --> 00:02:56,020
Also, your VPN servers,

48
00:02:56,020 --> 00:02:58,930
as I had mentioned before, although they can't take advantage of the

49
00:02:58,930 --> 00:03:02,240
auto-enrollment because we have to supply the name and the request,

50
00:03:02,240 --> 00:03:11,000
they will be able to renew themselves next year when they expire, which is a huge win obviously for administrators.