Manually running the autoenrollment process

By default, all domain members retrieve the objects of the Public Key Services container of the Active Directory forest (certificate templates, enrollment services, trusted root and NTAuth certificates) through the autoenrollment process and enroll for the certificates they are entitled to. The triggers for this are:

  • When the user logs in (for computers, when the computer account logs in, i.e. at system startup).
  • By timer every 8 hours.
  • When updating group policies, assuming there has been a change.

If you do not want to wait for the autoenrollment to be triggered automatically, you can start it manually. The different ways to run the autoenrollment process are described below.

Implementation

Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functions of the certification authority and enables the application of rules to realize the secure automation of certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.

The autoenrollment process can be started with the following command line command. It starts the process for the computer context and therefore requires elevated privileges (Run as Administrator).

certutil -pulse

For the user context, the autoenrollment process can be started with the -user argument.

certutil -pulse -user

Updating the group policy also triggers the autoenrollment process - but only if a change has occurred in the group policy. Running the gpupdate command with the /force switch causes all group policies to be reread, which is considered a change by the system.

gpupdate /force

In each case, the autoenrollment client writes an event to the Application event log (source CertificateServicesClient-AutoEnrollment) that confirms the run, so the log is the place to check whether the manual trigger actually did anything.
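The steps above combined into one script, as an added example that is not part of the original article: it checks whether the session is elevated before pulsing the computer context, pulses the user context, and then reads the resulting events back from the Application log. The provider-name filter is an assumption about how the autoenrollment source is named on the target system; widen it if no events appear.

```powershell
# Added example (not from the original article): trigger autoenrollment for the
# computer and the current user context and show the events it produced.
# Run it from an elevated PowerShell session; "certutil -pulse" (computer context)
# fails without "Run as Administrator".

$start = Get-Date

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ($isElevated) {
    # Computer context: the same as typing "certutil -pulse" into an elevated prompt.
    certutil -pulse | Out-Null
    Write-Host "Computer autoenrollment triggered (certutil exit code $LASTEXITCODE)"
} else {
    Write-Warning "Session is not elevated: skipping the computer context (certutil -pulse needs 'Run as Administrator')."
}

# User context: runs for the account that owns this session. If the session was
# elevated under a different administrative account, that account is pulsed,
# not the interactively logged-on user.
certutil -pulse -user | Out-Null
Write-Host "User autoenrollment triggered for $env:USERDOMAIN\$env:USERNAME (certutil exit code $LASTEXITCODE)"

# Alternative trigger from the article: "gpupdate /force" reapplies all group
# policies and thereby also starts autoenrollment for both contexts.

# Autoenrollment runs asynchronously; give the client a moment before reading the log.
Start-Sleep -Seconds 10

# The autoenrollment client logs to the Application log. Matching on the provider
# name with a wildcard is an assumption; adjust the pattern if nothing is listed.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $start } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*CertificateServicesClient-AutoEnrollment*' } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

If the table stays empty although certutil reported success, the usual reasons are that the account is not permitted to enroll for any template with autoenrollment enabled, or that the autoenrollment policy itself is not applied to the machine or user; in both cases nothing is logged because there was nothing to do.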
