
Configure Group Policy to Auto-enroll Windows devices

What is the meaning of Group Policy auto-enrollment?

In an Active Directory environment, you can leverage Group Policy to streamline the enrollment process for your domain-joined devices. This means you can use Group Policy to automatically enroll devices into a management system such as Mobile Device Management (MDM), for example Microsoft Intune. This is beneficial for organizations that have a large number of corporate or Bring Your Own Device (BYOD) devices and want to ensure that all of them are enrolled in the PKI for proper management and security.

The purpose of Auto-enrollment

When you create a Group Policy in your local Active Directory, it essentially triggers the auto-enrollment process into Microsoft Entra ID; without any user interaction, you can roll out Microsoft Entra ID enrollment to thousands of devices seamlessly. Here are the key uses of auto-enrollment:

  1. Signing In: Once a user signs in to their device with their Microsoft Entra account, the enrollment process initiates in the background. This means that users can get started with their work without interruption while their devices are securely enrolled into Microsoft Entra ID.
  2. Mass Enrollment: This cause-and-effect mechanism allows mass enrollment of numerous domain-joined devices. Rather than visiting each device individually to enroll it, you set this up once and let Group Policy handle the rest, saving time and ensuring that all your devices are consistently managed under the same policies.

Prerequisites

  1. A two-tier PKI must be set up, along with a Domain Controller running a configured Active Directory.
  2. The device must be running a version of Windows that is supported for MDM enrollment.
  3. Ensure that the Windows Server version meets the minimum requirements specified by Microsoft for hybrid join scenarios. This is crucial for proper integration and functionality with Microsoft Entra.

How to configure the Group Policy and enable auto-enrollment

1. Create a Group Policy Object (GPO) on the Domain Controller

  • Open Group Policy Management
  • In the console tree, right-click Group Policy Objects under your domain (e.g., EncryptionConsulting.com).
  • Select New to create a new GPO.
  • Name the GPO (e.g., Auto-enrollment).
  • Right-click on the newly created GPO and select Edit.

2. Configure Certificate Auto-Enrollment

  • In the Group Policy Management Editor, navigate to:

    Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.

  • Right-click on Certificate Services Client – Auto-Enrollment and select Properties.
  • In the Auto-Enrollment Policy Configuration window, configure as follows:

    • Configuration Model: Enabled
    • Check the boxes for:

      1. Renew expired certificates, update pending certificates, and remove revoked certificates.

      2. Update certificates that use certificate templates.

    • Set a percentage for certificate expiry notifications if needed (e.g., 10%).
  • Click OK to save the changes.

3. Link the Group Policy Object (GPO) to Your Domain

  • Go back to Group Policy Management.
  • Right-click on your domain (e.g., EncryptionConsulting.com).
  • Select Link an Existing GPO.
  • In the Select GPO window, choose the Auto-enrollment GPO you just created.
  • Click OK.

4. Ensure Group Policy is Enforced

  • After linking the GPO, ensure that the Enforced column is set to Yes.
  • If it is not enforced, do the following:

    • In Group Policy Management, under the domain level (e.g., EncryptionConsulting.com), right-click the Auto-enrollment GPO.
    • Select Enforced to ensure the policy is applied across the domain.

5. Verify Auto-Enrollment Configuration

  • On the Windows 11 client machine, open Task Scheduler.
  • Check under the EnterpriseMgmt folder for tasks created by the enrollment client, ensuring the auto-enrollment task is ready and scheduled.

6. Force Group Policy Update

  • Open Command Prompt as an administrator.
  • Run the following command to update group policies: gpupdate or gpupdate /force
  • Ensure the update completes successfully.

7. Verify Group Policy Application

  • In Command Prompt, run the following command to check the applied policies: gpresult /r
  • Confirm that the Auto-enrollment policy is applied to the necessary computers and users.
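To check from the client side that steps 2 to 7 actually took effect, here is an added PowerShell verification script; it is not part of the original post. It assumes the GPO is named Auto-enrollment as above, an elevated PowerShell session on the domain-joined client, and that the AEPolicy bit values follow the AUTO_ENROLLMENT_* constants from the Windows SDK; besides the EnterpriseMgmt folder the post inspects, it also lists the CertificateServicesClient task folder, where Windows keeps the certificate auto-enrollment tasks.

```powershell
# Added example (not from the original post): verify the auto-enrollment GPO on a client.
# Assumes the GPO name from the post and an elevated PowerShell session on the client.
$GpoName = 'Auto-enrollment'
# Registry key written by "Certificate Services Client - Auto-Enrollment" (computer scope;
# the user-scope policy uses the same subkey under HKCU:).
$AeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
# AEPolicy bits: assumed mapping of the dialog's checkboxes to the Windows SDK
# AUTO_ENROLLMENT_* constants.
$TEMPLATE_CHECK      = 0x1     # "Update certificates that use certificate templates"
$MY_STORE_MANAGEMENT = 0x2     # "Renew expired, update pending, remove revoked"
$DISABLE_ALL         = 0x8000  # Configuration Model: Disabled

function Test-AutoEnrollmentPolicy {
    $props = Get-ItemProperty -Path $AeKey -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        Write-Warning 'AEPolicy is absent: the GPO has not applied yet (try gpupdate /force).'
        return $false
    }
    $ae = [int]$props.AEPolicy
    Write-Host ('AEPolicy = 0x{0:X}' -f $ae)
    if ($ae -band $DISABLE_ALL) { Write-Warning 'Auto-enrollment is disabled by policy.'; return $false }
    $ok = $true
    if (-not ($ae -band $TEMPLATE_CHECK)) {
        Write-Warning "'Update certificates that use certificate templates' is unchecked."; $ok = $false
    }
    if (-not ($ae -band $MY_STORE_MANAGEMENT)) {
        Write-Warning "'Renew expired / update pending / remove revoked' is unchecked."; $ok = $false
    }
    return $ok
}

function Test-AutoEnrollmentGpoApplied {
    # Step 7 of the post: gpresult lists applied GPOs; look for ours in the computer scope.
    $report = (gpresult /r /scope:computer 2>&1) -join "`n"
    return ($report -match [regex]::Escape($GpoName))
}

function Get-EnrollmentTasks {
    # EnterpriseMgmt is the folder the post inspects; CertificateServicesClient holds the
    # certificate auto-enrollment SystemTask/UserTask that the policy above drives.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -or
                       $_.TaskPath -eq '\Microsoft\Windows\CertificateServicesClient\' } |
        Select-Object TaskPath, TaskName, State
}

Write-Host ('Policy configured: {0}' -f (Test-AutoEnrollmentPolicy))
Write-Host ("GPO '{0}' applied: {1}" -f $GpoName, (Test-AutoEnrollmentGpoApplied))
Get-EnrollmentTasks | Format-Table -AutoSize
```

If AEPolicy is absent or any checkbox bit is missing, re-check steps 2 to 4 and run gpupdate /force before enrolling more devices.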

Benefits of Auto-Enrollment

Now, let’s understand the benefits of using this auto-enrollment approach:

  • Time-Efficiency: With auto-enrollment, your IT team can focus on other strategic initiatives rather than spending hours on manual enrollment processes.
  • Consistency: Ensuring that every device is enrolled with the same policies helps maintain compliance and security across your organization.
  • User Experience: For end-users, this means a hassle-free experience. They can start working immediately without dealing with the complexities of enrollment.

How Encryption Consulting can help

Encryption Consulting provides specialized services to identify vulnerabilities and mitigate risks by providing PKI Services. Our strategic guidance aligns PKI solutions with organizational objectives, enhancing efficiency and minimizing costs. By partnering with Encryption Consulting, organizations can unlock the full potential of PKI solutions, realizing tangible financial benefits while maintaining strong security measures. 

CertSecure Manager has a comprehensive suite of lifecycle management features, from discovery and inventory to issuance, deployment, renewal, revocation, and reporting, providing an all-encompassing solution. Intelligent report generation, alerting, automation, automatic deployment onto servers, and certificate enrollment add layers of sophistication, making it a versatile and intelligent asset.

Conclusion

In conclusion, Group Policy auto-enrollment offers an efficient and streamlined solution for enrolling and managing domain-joined devices within an Active Directory environment. By automating the enrollment process, organizations can save time, ensure consistent application of policies across all devices, and enhance security management.

This approach not only simplifies device enrollment for IT teams but also provides a smooth, uninterrupted experience for end-users. With the benefits of time-efficiency, policy consistency, and improved user experience, auto-enrollment can play a critical role in maintaining a secure and compliant organizational environment.


About the Author


Aditi Goel is a consultant at Encryption Consulting. Her main focus is PKI-as-a-Service initiatives and cloud services. She leverages her knowledge of PKI, HSMs, CLM and Code Signing to develop solutions for our clients, ensuring that they receive customized strategies that fit their needs.
