By default, all domain members automatically replicate the Public Key Services object of the Active Directory forest through the autoenrollment process. The triggers for this are:
- When the user logs in (for computers, when the computer account logs in, i.e. at system startup).
- By timer every 8 hours.
- When updating group policies, assuming there has been a change.
If you do not want to wait for the autoenrollment to be triggered automatically, you can start it manually. The different ways to run the autoenrollment process are described below.
The autoenrollment process can be started with the following command line command. It starts the process for the computer context and therefore requires elevated privileges (Run as Administrator).
certutil -pulse
For the user context, the autoenrollment process can be started with the -user argument.
certutil -pulse -user
Updating the group policy also triggers the autoenrollment process - but only if a change has occurred in the group policy. Running the gpupdate command with the /force switch causes all group policies to be reread, which is considered a change by the system.
gpupdate /force
Once the autoenrollment process has run, an event is logged that confirms it was triggered.
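The three manual triggers above, wrapped into one administrator helper as an added example (not code from the original article): it runs the computer-context pulse only when the shell is elevated, always runs the user-context pulse, optionally runs gpupdate /force, and then lists the autoenrollment events written since the start. The event provider name is an assumption about where the Windows autoenrollment client logs; adjust it if your environment shows the events elsewhere.

```powershell
# Manually trigger certificate autoenrollment and show the resulting events.
# Added example; not part of the original article.
param(
    [switch]$RefreshGroupPolicy   # also run "gpupdate /force"
)

$start = Get-Date

# certutil -pulse (computer context) needs an elevated shell ("Run as Administrator").
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ($isAdmin) {
    Write-Host "Triggering autoenrollment for the computer context ..."
    certutil -pulse | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "certutil -pulse exited with code $LASTEXITCODE" }
} else {
    Write-Warning "Not elevated: skipping the computer-context pulse (certutil -pulse)."
}

# The user context works without elevation.
Write-Host "Triggering autoenrollment for the user context ..."
certutil -pulse -user | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "certutil -pulse -user exited with code $LASTEXITCODE" }

# A forced group policy refresh is treated as a policy change and triggers autoenrollment too.
if ($RefreshGroupPolicy) {
    Write-Host "Forcing a group policy refresh ..."
    gpupdate /force | Out-Null
}

# Show what the autoenrollment client logged since we started.
# Assumption: events land in the Application log under this provider name.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = $start
} -ErrorAction SilentlyContinue

if ($events) {
    $events | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
} else {
    Write-Host "No autoenrollment events logged since $start (the client may still be running)."
}
```

Run it from an elevated PowerShell prompt to exercise both contexts; from a normal prompt only the user-context pulse is issued.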
Related links:
- Basics of manual and automatic Certificate Enrollment via Lightweight Directory Access Protocol (LDAP) and Remote Procedure Call / Distributed Common Object Model (RPC/DCOM)
- Programmatically trigger the autoenrollment process for the logged-in user
- Certificate request basics via Certificate Enrollment Web Services (CEP, CES)