PKI Toolbox · Microsoft ADCS Tools

Auto-Enrollment Security Review Worksheet

A practical worksheet for reviewing Microsoft ADCS auto-enrollment configuration, GPO settings, certificate template permissions, enrollment agent controls, and client certificate deployment risk.

Format: PDF / XLSXAudience: PKI Admins, Security Teams, AuditorsCategory: Microsoft ADCS Tools

Certificate auto-enrollment is one of the most powerful features in Microsoft ADCS. When configured correctly, it enables scalable certificate deployment for users, computers, domain controllers, Wi-Fi, VPN, smart cards, S/MIME, and other enterprise use cases. When configured poorly, auto-enrollment can unintentionally issue certificates to the wrong principals, expand authentication risk, create certificate sprawl, or expose template misconfigurations.

This worksheet is designed to help PKI administrators, security teams, and auditors review the full auto-enrollment path — from Group Policy through certificate template permissions and client enrollment behavior.

This worksheet is a review and documentation aid. It does not replace a full PKI security assessment. For high-risk environments, engage a qualified PKI security team to review auto-enrollment configuration, template permissions, and enrollment agent controls.
Section 1

What This Worksheet Reviews

Auto-enrollment Group Policy settings
User and computer auto-enrollment scope
Certificate template publication
Certificate template security permissions
Enroll and Autoenroll permissions
Authenticated Users, Domain Users, Domain Computers, and broad group access
Security group targeting
Enrollment agent template controls
Client authentication templates
Smart card logon templates
EAP-TLS / Wi-Fi / VPN certificate templates
Domain controller certificate templates
Exportable private key settings
Subject name and SAN configuration
Private key protection
Renewal behavior
Superseded templates
Template validity and renewal periods
Audit and monitoring controls
Section 2

Recommended Review Workflow

1

Identify all auto-enrollment GPOs

Search Group Policy Objects in the domain for GPOs that configure Certificate Services Client — Auto-Enrollment settings. Use GPMC or PowerShell to enumerate GPOs with auto-enrollment configuration.

2

Document where each GPO is linked

Record the OU, domain, or site where each auto-enrollment GPO is linked. Note whether the link is enabled and whether enforcement or block inheritance is applied.

3

Confirm whether the GPO targets users, computers, or both

Auto-enrollment can be configured separately for user certificates and computer certificates. Confirm which policy applies to which scope and whether both are intentional.

4

Review security filtering and WMI filtering

Confirm that GPO security filtering is intentional. Broad security filtering such as Authenticated Users applying auto-enrollment GPOs to all users or computers in an OU may be wider than intended.

5

Identify all certificate templates published on the issuing CA

Open the Certification Authority console, expand Certificate Templates, and list all published templates. Templates published on the CA are available for enrollment — unpublish templates that are no longer needed.

6

Identify which templates have Autoenroll permission enabled

For each published template, open the template properties in the Certificate Templates console and review the Security tab. Identify which security principals have the Autoenroll permission.

7

Review who has Enroll and Autoenroll rights

Document every security principal with Enroll or Autoenroll permission on each template. Pay particular attention to broad groups and built-in groups.

8

Look for overly broad permissions

Flag templates where any of the following have Enroll or Autoenroll permission:

  • Authenticated Users
  • Domain Users
  • Domain Computers
  • Everyone
  • Overly broad nested groups
9

Review template purpose, EKUs, subject name settings, private key settings, and issuance requirements

For each template with broad permissions, review the full template configuration — EKUs, subject name source, private key exportability, key usage, issuance requirements, and renewal settings.

10

Validate whether issued certificates match the intended business use case

Review recently issued certificates from the CA. Confirm that the subject, SAN, EKU, and issuing template match the intended business purpose. Look for unexpected issuances.

11

Test enrollment from a pilot user or computer

Move a test account or computer to a pilot OU or pilot group. Run gpupdate /force and certutil -pulse. Verify the correct certificate was issued with the expected attributes.

12

Document findings, risk level, owner, and remediation actions

Record each finding in the Findings Worksheet (Section 10). Assign a risk level, document the business impact, identify the owner, and set a target remediation date.

Section 3

Auto-Enrollment GPO Review Checklist

Review ItemExpected ConfigurationActual ConfigurationRisk LevelNotes / Remediation
Auto-enrollment GPOs identifiedAll GPOs documentedHigh
GPO link locations documentedAll link OUs recordedMedium
User auto-enrollment enabled only where neededScoped to required OUsHigh
Computer auto-enrollment enabled only where neededScoped to required OUsHigh
GPO security filtering reviewedIntentional, not overly broadHigh
WMI filtering reviewedDocumented or confirmed not in useMedium
Block inheritance checked on target OUsDocumented where appliedMedium
Enforced GPOs identifiedDocumented and intentionalMedium
Conflicting GPOs identifiedNo unintended conflictsMedium
Auto-enrollment renewal behavior reviewedRenewal configured appropriatelyLow
Expired certificate cleanup behavior reviewedCleanup enabled where appropriateLow
Certificate Services Client settings reviewedConsistent with policy intentMedium
Pilot OU or pilot group available for testingPilot group existsLow
Production rollout scope documentedScope and impact documentedMedium
Section 4

Certificate Template Permission Review

Complete one row per certificate template published on the issuing CA. Pay particular attention to templates with Autoenroll permission granted to broad groups.

Template NameIntended UseEnroll GroupsAutoenroll GroupsBroad PermissionsRisk LevelRecommended Action
Add one row per certificate template published on the issuing CA.
Key Review Points
  • Identify templates with Autoenroll permission
  • Identify templates with Enroll permission
  • Check whether Authenticated Users has Enroll or Autoenroll
  • Check whether Domain Users has Enroll or Autoenroll
  • Check whether Domain Computers has Enroll or Autoenroll
  • Check whether high-risk templates are limited to dedicated security groups
  • Confirm template ownership
  • Confirm template purpose
  • Confirm whether templates are still required
  • Confirm whether legacy templates should be retired
Section 5

High-Risk Template Settings to Review

Setting
Client Authentication EKU
Risk
Certificates may be usable for authentication to enterprise services.
Review Action
Confirm only intended users or computers can enroll.
High
Setting
Any Purpose EKU or overly broad EKUs
Risk
Certificate may be usable in unintended authentication or signing scenarios.
Review Action
Restrict or replace with specific-purpose templates.
Critical
Setting
Exportable private key
Risk
Private keys can be exported and reused outside the intended endpoint.
Review Action
Disable unless there is a documented business requirement.
High
Setting
Supply in the request subject name
Risk
Requester may be able to specify identity values.
Review Action
Review carefully for ESC-style template risk.
Critical
Setting
Enrollee supplies subject alternative name
Risk
Potential identity impersonation risk depending on permissions and CA behavior.
Review Action
Restrict template and review issuance requirements.
Critical
Setting
No manager approval or authorized signatures for sensitive templates
Risk
Sensitive certificates may be issued without human or workflow control.
Review Action
Add approval or restrict enrollment.
High
Setting
Enrollment Agent EKU
Risk
Can allow certificate requests on behalf of other users.
Review Action
Limit to dedicated, controlled groups and audit usage.
Critical
Setting
Code Signing EKU
Risk
Can allow signing of scripts or executables.
Review Action
Restrict, require approval, and protect private keys.
High
Setting
Smart Card Logon EKU
Risk
Can enable interactive authentication.
Review Action
Restrict to authorized smart card or PIV workflows.
High
Section 6

Enrollment Agent Review

Enrollment agent capability should be tightly controlled because it can allow certificate requests on behalf of other identities when configured incorrectly. Misuse of enrollment agent permissions is a known attack path in enterprise PKI environments.
Enrollment Agent Review Points
  • Identify all Enrollment Agent certificate templates published on the CA
  • Identify all users or groups with enrollment agent rights
  • Confirm the Certificate Request Agent EKU is present only on intended templates
  • Confirm whether enrollment agent restrictions are configured on the CA
  • Confirm whether enrollment on behalf of another user is actually required
  • Confirm whether issuance requires approval for enrollment agent requests
  • Confirm whether enrollment agent usage is logged and reviewed
  • Confirm whether access is limited to dedicated PKI or security personnel
  • Review CA enrollment agent restrictions — which agents can enroll for which templates and which subjects
  • Confirm enrollment agent certificates are stored securely and access is controlled
Section 7

EAP-TLS / Wi-Fi / VPN Auto-Enrollment Review

Machine certificate template used for Wi-Fi or VPN
User certificate template used for Wi-Fi or VPN
Cisco ISE or NPS trust chain requirements
Required EKUs for EAP-TLS (Client Authentication)
Subject and SAN requirements for NPS or ISE matching
Auto-enrollment group targeting for Wi-Fi / VPN scope
Revocation checking configuration
Root and issuing CA trust deployment to NPS / ISE
Renewal timing relative to certificate validity period
Client testing before production rollout
RADIUS server certificate trust on clients
Certificate chain validation from endpoint to root
Section 8

Auto-Enrollment Testing Checklist

  • Move test machine or user to pilot OU or pilot group
  • Run gpupdate /force
  • Review certificate auto-enrollment event logs
  • Run certmgr.msc for user certificate store
  • Run certlm.msc for computer certificate store
  • Confirm correct certificate template was issued
  • Confirm certificate chain builds correctly
  • Confirm CDP and AIA are reachable from the client
  • Confirm certificate includes correct EKU
  • Confirm certificate subject and SAN are correct
  • Confirm private key exists and is not exportable if required
  • Test intended use case — Wi-Fi, VPN, smart card, or application authentication
Useful commands
gpupdate /force
certutil -pulse
certutil -user -store My
certutil -store My
certutil -urlfetch -verify certificate.cer
gpresult /h gpresult.html
Section 9

Event Logs to Review

Auto-enrollment troubleshooting should include both client-side enrollment logs and CA-side issuance or denial events.

Client-Side Logs
  • Event Viewer → Applications and Services Logs → Microsoft → Windows → CertificateServicesClient-AutoEnrollment
  • CertificateServicesClient-CertEnroll
  • System log — certificate-related events
  • Application log — relevant enrollment events
CA-Side Logs
  • CA server Security log — certificate issuance and denial events
  • Certification Authority log — issued, pending, failed, and revoked certificates
  • CA server Application log — service events
  • CA server System log — relevant service events
Event ID 6 in the CertificateServicesClient-AutoEnrollment log indicates a successful auto-enrollment. Event ID 13 indicates a failure. Review both logs together to correlate client-side enrollment attempts with CA-side issuance records.
Section 10

Findings Worksheet

Document each finding below. Assign a risk level, identify the owner, and track remediation status.

Finding IDAreaIssueEvidenceRisk LevelBusiness ImpactRecommended RemediationOwnerTarget DateStatus
AE-001GPOHigh
AE-002Template PermissionsCritical
AE-003Enrollment AgentHigh
AE-004Private KeyMedium
AE-005EAP-TLSMedium
Add one row per finding. Risk levels: Critical · High · Medium · Low · Informational
Risk Level Definitions
CriticalImmediate risk of exploitation or significant security impact
HighSignificant risk requiring prompt remediation
MediumModerate risk with defined remediation path
LowMinor risk or best practice gap
InformationalObservation or improvement opportunity
Section 11

Remediation Guidance

  • Remove broad enrollment permissions from sensitive templates — replace Authenticated Users or Domain Users with dedicated security groups
  • Use dedicated security groups for auto-enrollment — not built-in groups
  • Pilot changes before production rollout — test in a pilot OU or pilot group first
  • Disable or retire unused templates — unpublish from the CA and disable in the template store
  • Disable exportable private keys where not required — document any exceptions
  • Add approval requirements for high-risk templates — manager approval or authorized signatures
  • Restrict enrollment agent permissions — limit to dedicated PKI or security personnel
  • Document template ownership — assign a named owner for each published template
  • Monitor certificate issuance — review CA logs regularly for unexpected issuances
  • Validate new certificates after template changes — test from a pilot account before broad rollout
  • Communicate changes to endpoint, identity, and network teams — auto-enrollment changes affect Wi-Fi, VPN, smart card, and application authentication
Section 12

Download the Worksheet

Download the Auto-Enrollment Security Review Worksheet

Use this worksheet to document auto-enrollment GPOs, certificate template permissions, enrollment agent settings, testing results, and remediation actions. Available in PDF and XLSX formats.

Unlock Free AccessFree PKI Toolbox subscription required · Unlock all resources with one signup

Need help reviewing Microsoft ADCS auto-enrollment?

InsecurePlanet can help assess auto-enrollment GPOs, certificate templates, enrollment permissions, client certificate behavior, and enterprise PKI risk.