DirectAccess requires computer certificates to be installed on the DirectAccess server and DirectAccess clients. These certificates are used for IPsec, which provides a secure, encrypted communication channel between the DirectAccess client and the DirectAccess server. IPsec ensures the necessary integrity, confidentiality, and non-repudiation required for secure remote access. When using a Public Key Infrastructure (PKI) to issue computer certificates to DirectAccess clients, it can be helpful to automate this process by configuring certificate auto-enrollment using Active Directory group policy.
To begin, open the Group Policy Management Console and expand Domains. Next, expand your domain, right-click Group Policy Objects and choose New. Enter a descriptive name for the new GPO and click OK. Right-click the GPO you just created and choose Edit. Expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies. Highlight Public Key Policies, and then double-click Certificate Services Client – Auto-Enrollment. For the Configuration Model, choose Enabled. Optionally, you can also select Renew expired certificates, update pending certificates, and remove revoked certificates, and Update certificates that use certificate templates.
Next, right-click Automatic Certificate Request Settings and choose New and then Automatic Certificate Request. Click Next and then choose the certificate template to be used to issue computer certificates to the DirectAccess client computers.
Close out of the Group Policy Editor and then link this computer certificate auto-enrollment GPO to your domain. If you want to target only DirectAccess clients with this GPO instead of all domain computers, you can configure Security Filtering to apply this GPO only to DirectAccess client computers.
Remember that DirectAccess servers also require computer certificates, so if you’ve chosen to target the GPO specifically at DirectAccess clients, you’ll have to enroll certificates manually on your DirectAccess servers.
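As an added example (not part of the original post), the same GPO can be created and filtered from a domain controller with the GroupPolicy and ActiveDirectory PowerShell modules; the GPO name, the "DirectAccess Clients" security group, the issuing CA name, and the AEPolicy registry value of 7 (the value the editor writes for Enabled with both optional checkboxes) are assumptions.

```powershell
# Added example, not from the original post: scripts the auto-enrollment GPO
# described above using the GroupPolicy and ActiveDirectory modules (RSAT).
# Assumptions: a security group "DirectAccess Clients" already exists and
# contains the DirectAccess client computer accounts; the GPO name is arbitrary.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'DirectAccess Client Certificate Auto-Enrollment'
$GroupName = 'DirectAccess Clients'
$DomainDN  = (Get-ADDomain).DistinguishedName

# 1. Create the GPO (equivalent to right-clicking Group Policy Objects > New).
New-GPO -Name $GpoName -Comment 'Computer certificate auto-enrollment for DirectAccess clients' | Out-Null

# 2. Certificate Services Client - Auto-Enrollment: Enabled, with
#    "Renew expired / update pending / remove revoked" and
#    "Update certificates that use certificate templates" both selected.
#    AEPolicy = 7 is assumed to be the value the GUI writes for that state.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -ValueName 'AEPolicy' -Type DWord -Value 7 | Out-Null

# 3. Security filtering: only members of the client group apply the GPO.
#    Authenticated Users keep Read (not Apply) so client computers can still
#    read the GPO during computer policy processing.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Link the GPO to the domain.
New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null

# The Automatic Certificate Request Settings entry (the template choice) is
# stored as a binary blob, so configure it in the Group Policy editor as
# described above rather than by script.

# 5. Verification, run locally on a DirectAccess client (and on each server,
#    where enrollment is manual): refresh policy, trigger auto-enrollment, and
#    confirm a machine certificate from the enterprise CA with a private key
#    is in the computer store. The issuer filter is an assumed CA name.
# gpupdate /force; certutil -pulse
# Get-ChildItem Cert:\LocalMachine\My |
#     Where-Object { $_.Issuer -like '*CN=Corp-Issuing-CA*' -and $_.HasPrivateKey } |
#     Format-Table Subject, NotAfter, Thumbprint
```

If the verification step on a client returns nothing after a policy refresh, check that the computer account is a member of the filtered group and that the template grants the group Enroll and Autoenroll permissions.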