Hi,
If you are using windows as internal CA, you need to disable "password
challenge" to get fully automated enrollment. I wrote two parts blog on how
to do this with ASA (similar process can followed for ISE).
Here are the blogs
https://tek-board.blogspot.com/2015/01/cisco-asa-scep-proxy-enrollment-part-1.htmlhttps://tek-board.blogspot.com/2015/01/cisco-asa-scep-proxy-enrollment-part-2.htmlHere are the steps to disable password challenge.
1. On CA server, open the Group Policy Management console.
2. In the console tree, double-click Group Policy Objects in the forest
and domain containing the Default Domain Policy Group Policy object
(GPO) that you want to edit.
3. Right-click the Default Domain Policy GPO, and then click Edit.
4. In the Group Policy Management Console (GPMC), click User
Configuration, Policies, Windows Settings, Security Settings, and then
click Public Key Policies.
5. Double-click Certificate Services Client - Auto-Enrollment.
6. In Configuration Model, select Enabled to enable autoenrollment. If
you want to disable autoenrollment, select Disabled.
7. If you are enabling certificate autoenrollment, you can select the
following check boxes:
- Renew expired certificates, update pending certificates, and remove
revoked certificates
- Update certificates that use certificate templates
- Expiration notification
8. Click OK to accept your changes.
To verify that password challenge is disabled:
1. Click Start and enter regedit in the search bar.
2. Navigate to Computer > HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft >
Cryptography > MSCEP > EnforcePassword.
3. Ensure that the EnforcePassword value is set to 0 (the default value
is 1).
