PKI certificate autoenrollment fails on Windows 7

Today is a blogging double-feature!  If your network has any type of security hardening (e.g. FDCC, DISA STIG, etc.) you may end up in a situation where your Windows 7 and 2008 R2 machines are not autoenrolling for PKI certificates from your internal enterprise CA.  We found that the following two settings must be enabled in policy:

1. NETWORK SERVICE must be given the “Access this computer from network” user right.  This allows the machine to enroll certificates.
2. The “Task Scheduler” service on the target machine must not be disabled.  The Certificate Services Client uses this service to autoenroll PKI certs.



  1. Dave
    Posted August 17, 2011 at 3:33 pm | Permalink | Reply

    I’m having, I think, the same issue. Win7 clients not getting certs via wifi. If the users are wired as well when they log in they can get the cert and go wifi from there.

    Where did you make these changes? On the clients, a GPO, on the CA?

    • Posted August 24, 2011 at 10:42 pm | Permalink | Reply

      In my particular instance, the fix was done via GPO. You’ll also need to verify that the security permissions on the certificate template (in the Certification Authority Console | Manage Templates) are set so that computers can autoenroll.

      Unfortunately, I don’t have any experience in working with 802.11 networks (except for the one at my house :P), since I work at a place where wireless networks are not allowed… so I won’t be able to help you there.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: