A practical worksheet for reviewing Microsoft ADCS auto-enrollment configuration, GPO settings, certificate template permissions, enrollment agent controls, and client certificate deployment risk.
Certificate auto-enrollment is one of the most powerful features in Microsoft ADCS. When configured correctly, it enables scalable certificate deployment for users, computers, domain controllers, Wi-Fi, VPN, smart cards, S/MIME, and other enterprise use cases. When configured poorly, auto-enrollment can unintentionally issue certificates to the wrong principals, expand authentication risk, create certificate sprawl, or expose template misconfigurations.
This worksheet is designed to help PKI administrators, security teams, and auditors review the full auto-enrollment path — from Group Policy through certificate template permissions and client enrollment behavior.
Search Group Policy Objects in the domain for GPOs that configure Certificate Services Client — Auto-Enrollment settings. Use GPMC or PowerShell to enumerate GPOs with auto-enrollment configuration.
Record the OU, domain, or site where each auto-enrollment GPO is linked. Note whether the link is enabled and whether enforcement or block inheritance is applied.
Auto-enrollment can be configured separately for user certificates and computer certificates. Confirm which policy applies to which scope and whether both are intentional.
Confirm that GPO security filtering is intentional. Broad security filtering such as Authenticated Users applying auto-enrollment GPOs to all users or computers in an OU may be wider than intended.
Open the Certification Authority console, expand Certificate Templates, and list all published templates. Templates published on the CA are available for enrollment — unpublish templates that are no longer needed.
For each published template, open the template properties in the Certificate Templates console and review the Security tab. Identify which security principals have the Autoenroll permission.
Document every security principal with Enroll or Autoenroll permission on each template. Pay particular attention to broad groups and built-in groups.
Flag templates where any of the following have Enroll or Autoenroll permission:
For each template with broad permissions, review the full template configuration — EKUs, subject name source, private key exportability, key usage, issuance requirements, and renewal settings.
Review recently issued certificates from the CA. Confirm that the subject, SAN, EKU, and issuing template match the intended business purpose. Look for unexpected issuances.
Move a test account or computer to a pilot OU or pilot group. Run gpupdate /force and certutil -pulse. Verify the correct certificate was issued with the expected attributes.
Record each finding in the Findings Worksheet (Section 10). Assign a risk level, document the business impact, identify the owner, and set a target remediation date.
| Review Item | Expected Configuration | Actual Configuration | Risk Level | Notes / Remediation |
|---|---|---|---|---|
| Auto-enrollment GPOs identified | All GPOs documented | High | ||
| GPO link locations documented | All link OUs recorded | Medium | ||
| User auto-enrollment enabled only where needed | Scoped to required OUs | High | ||
| Computer auto-enrollment enabled only where needed | Scoped to required OUs | High | ||
| GPO security filtering reviewed | Intentional, not overly broad | High | ||
| WMI filtering reviewed | Documented or confirmed not in use | Medium | ||
| Block inheritance checked on target OUs | Documented where applied | Medium | ||
| Enforced GPOs identified | Documented and intentional | Medium | ||
| Conflicting GPOs identified | No unintended conflicts | Medium | ||
| Auto-enrollment renewal behavior reviewed | Renewal configured appropriately | Low | ||
| Expired certificate cleanup behavior reviewed | Cleanup enabled where appropriate | Low | ||
| Certificate Services Client settings reviewed | Consistent with policy intent | Medium | ||
| Pilot OU or pilot group available for testing | Pilot group exists | Low | ||
| Production rollout scope documented | Scope and impact documented | Medium |
Complete one row per certificate template published on the issuing CA. Pay particular attention to templates with Autoenroll permission granted to broad groups.
| Template Name | Intended Use | Enroll Groups | Autoenroll Groups | Broad Permissions | Risk Level | Recommended Action |
|---|---|---|---|---|---|---|
Auto-enrollment troubleshooting should include both client-side enrollment logs and CA-side issuance or denial events.
Document each finding below. Assign a risk level, identify the owner, and track remediation status.
| Finding ID | Area | Issue | Evidence | Risk Level | Business Impact | Recommended Remediation | Owner | Target Date | Status |
|---|---|---|---|---|---|---|---|---|---|
| AE-001 | GPO | High | |||||||
| AE-002 | Template Permissions | Critical | |||||||
| AE-003 | Enrollment Agent | High | |||||||
| AE-004 | Private Key | Medium | |||||||
| AE-005 | EAP-TLS | Medium |
Use this worksheet to document auto-enrollment GPOs, certificate template permissions, enrollment agent settings, testing results, and remediation actions. Available in PDF and XLSX formats.
InsecurePlanet can help assess auto-enrollment GPOs, certificate templates, enrollment permissions, client certificate behavior, and enterprise PKI risk.