AD CS: Setting Up Computer Certificate Authentication

Last updated: Mar 10, 2025

I have shown how to set up a WPA Enterprise architecture with EAP-TLS using a user certificate. You can find the tutorial here. This works quite well, but in some situations it may not be appropriate since the network connection is only established once the user session is opened.

This causes the following problems:
- GPO scripts that run at startup will not execute
- Remote access to these computers will not be possible if the user session is closed

To remedy this, we need to use computer authentication. With this method, the computer establishes a connection at system startup, i.e., from the Lock Screen.

In this guide, I'll describe the steps involved in deploying computer certificates in an AD CS architecture, so that you can authenticate with them.

This guide assumes that AD CS is already installed and operational. For a detailed explanation of how to set it up, follow this link: Implementing WPA Enterprise (802.1X and RADIUS) with EAP-TLS on UniFi WiFi Access Points.

Adding the Authentication Template for Workstations

From the AD CS server, we'll create a certificate template for our workstations, which will enable us to generate the certificates used for computer authentication.

Open the Certification Authority management console:

Screenshot of the Windows Run dialog box with 'certsrv.msc' entered to open the Certification Authority management console.

Open the Certificate Templates Console by right-clicking on the Certificate Templates folder and selecting Manage:

Screenshot of the Certification Authority console, showing the option to manage certificate templates in the AD CS 'Certificate Templates' section.

Right-click on the Workstation Authentication template and select Duplicate Template:

Screenshot of the Certificate Templates Console, showing the option to duplicate a workstation certificate template in AD CS.

Optional, but if you have a recent architecture, set the Compatibility Settings to the most recent systems:

Screenshot of the Properties of New Template window in AD CS, showing compatibility settings for certification authority and certificate recipient.

Give the Template a name:

Screenshot of the Properties of New Template window in AD CS, showing the template name and display name set to EAP-TLS with validity and renewal periods.

Increase key size for greater security:

Screenshot of the Properties of New Template window in AD CS, showing cryptographic settings with a minimum key size of 4096 and selected cryptographic providers.

To enable automatic deployment of certificates via GPO, check the Autoenroll box for Domain Computers:

Screenshot of the Properties of New Template window in AD CS, showing security settings where Domain Computers are granted Enroll and Autoenroll permissions.

Finally, click OK to create the template.

From the Certification Authority management console, right-click on Certificate Templates and select Certificate Template to Issue:

Screenshot of the Certification Authority console in AD CS, showing the option to issue a new certificate template under 'Certificate Templates'.

Select the Workstation_Auth_EAP-TLS template created earlier:

Screenshot of the Enable Certificate Templates window in AD CS, showing the selection of the EAP-TLS certificate template for enabling.

The Workstation_Auth_EAP-TLS template should appear in the Certificate Templates folder:

Screenshot of the Certification Authority console in AD CS, showing the EAP-TLS certificate template enabled under 'Certificate Templates'.

Configure NPS

We need to configure our NPS server (which is the RADIUS server in the Microsoft ecosystem) to accept authentication for a group of computers. I will not go into the complete installation process here, because I have already explained it: here.

I'll describe below how to create a Network Policy in which we define the group of computers that can connect to the network and the protocols used.

From the Network Policy Server console, click New in the Network Policies folder:

Creating a new network policy in Windows Network Policy Server for configuring WPA Enterprise with EAP-TLS on UniFi access points.

Give Policy a name:

Specifying network policy name and connection type in NPS.

Click on Add to specify the condition:

Adding conditions to a network policy in NPS.

Select Machine Groups, then click on Add Groups…:

Screenshot of the New Network Policy configuration window in Windows Network Policy Server (NPS). The 'Machine Groups' condition is selected, and the 'Add Groups...' button is highlighted, allowing the administrator to specify a machine group for network policy enforcement.

Add an Active Directory computer group, such as Domain Computers:

Screenshot of the 'Select Group' window in Windows Network Policy Server (NPS). The 'Domain Computers' group is entered as the selected machine group for the policy, with the 'OK' button highlighted to confirm the selection.

Click on Next:

$Screenshot of the 'Specify Conditions' window in Windows Network Policy Server (NPS). The 'Machine Groups' condition is set to 'STD\Domain Computers', and the 'Next' button is highlighted to proceed with the policy configuration.$

Select Access granted:

Granting access permission for Wi-Fi EAP-TLS network policy configuration.

Choose Microsoft: Smart Card or other certificate as the EAP type and edit the configuration:

Configuring authentication methods for Wi-Fi EAP-TLS using certificates.

Select the certificate previously issued:

Screenshot of selecting the newly deployed certificate in the Ubiquiti Wi-Fi EAP-TLS setup.

Click on Next:

Configuring network policy constraints, including idle timeout, for Wi-Fi EAP-TLS setup.

Click on Next again:

Configuring RADIUS attributes and network policy settings for Wi-Fi EAP-TLS setup.

Finally, click on Finish to create the Policy:

$Screenshot of the 'Completing New Network Policy' window in Windows Network Policy Server (NPS). The newly created policy named 'UniFi' includes the 'Machine Groups' condition set to 'STD\Domain Computers'. The 'Finish' button is highlighted to finalize the policy creation.$

Deploying Certificates

Once AD CS is properly configured, we can request a Workstation certificate from any domain-joined computer.

Manually from the Certificate Management Console

From a user computer, open the Certificate Management Console for the current computer:

Screenshot of the Windows Run dialog with certlm.msc entered, ready to open the Local Machine Certificate Management Console.

Right-click on the Personal folder and select Request New Certificate…:

Screenshot of the Certificates snap-in in the Local Computer Personal store, highlighting the option to request a new certificate.

Click Next to start the certificate enrollment process:

Certificate Enrollment Wizard displaying the 'Before You Begin' screen with instructions for requesting certificates.

Select the Active Directory Enrollment Policy and click Next to continue:

Certificate Enrollment Wizard showing the 'Select Certificate Enrollment Policy' screen with 'Active Directory Enrollment Policy' selected.

Select the previously defined Workstation policy and click Enroll:

Certificate Enrollment Wizard showing the 'Request Certificates' screen with 'Workstation_Auth_EAP-TLS' selected and the 'Enroll' button highlighted.

Simply click on Finish when the enrollment process is complete:

Certificate Enrollment Wizard showing 'Certificate Installation Results' screen with the status 'Succeeded' for the NPS certificate, and the 'Finish' button highlighted.

After clicking Refresh, your computer's certificate appear:

Certificate Manager showing a successfully installed certificate in the 'Personal > Certificates' section. The certificate 'W11.std.local' issued by 'std-ADCS-CA' with expiration date '5/1/2025' is highlighted.

Automatically with a Group Policy (GPO)

To automate certificate renewal, we can create a GPO and apply it to all domain-joined computers.

Go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and edit the Certificate Services Client - Auto-Enrollment policy:

Group Policy Management Editor with the selected 'Certificate Services Client - Auto-Enrollment' option in the Public Key Policies section. The context menu highlights 'Properties'.

Enable the Configuration Model and check the boxes to enable automatic certificate renewal:

Certificate Services Client - Auto-Enrollment Properties window showing configuration for automatic certificate renewal and updates.

Run gpupdate to obtain a certificate:

C:\> gpupdate