Workstation Authentication certificates are being duplicated

We have a two tier PKI (2012 R2) set up in our domain. I have duplicated the Workstation Authentication template and customized it for our needs. This template has been issued and it is working fine.

However, when any client machine is reimaged, it requests another certificate once it is back on the domain. In my template, I have specified it to store the issued certificate in Active Directory, and I have the option "Do not automatically reenroll..." selected. I figured this would be enough to stop the duplication, but it is still going on.

Help!!

July 28th, 2015 9:52am

Hi,

What do you mean by "reimaged"? If the AD server recognizes the computer as a new client, "Do not automatically reenroll..." will not prevent the auto enrollment.

Please do not include any certificate which will be auto enrolled in the image.

Best Regards.

July 29th, 2015 2:12am

Adding to Seven's reply, in addition, you need to disable the checkbox that instructs the CA to store the client certificate in Active Directory. This option should not be enabled for computer-targeted certificate templates.
July 29th, 2015 3:27am
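
The template settings discussed in this thread can be audited directly in Active Directory. The following is an added example, not code from any poster in the thread: it lists computer-targeted templates and shows whether the "publish in Active Directory" and "do not automatically reenroll if a duplicate exists" enrollment flags are set. It assumes the ActiveDirectory RSAT module is installed and uses the flag values documented in MS-CRTD; the script is read-only.

```powershell
# Added example (not from the thread): read-only audit of template enrollment flags.
# Assumes the ActiveDirectory RSAT module and read access to the Configuration partition.
Import-Module ActiveDirectory

# Bits of the msPKI-Enrollment-Flag attribute (values per MS-CRTD)
$CT_FLAG_PUBLISH_TO_DS                             = 0x8   # "Publish certificate in Active Directory"
$CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE = 0x10  # "Do not automatically reenroll if a duplicate exists..."
# Bit of the flags attribute that marks a computer (machine) template
$CT_FLAG_MACHINE_TYPE                              = 0x40

# Certificate templates live under the forest's Configuration naming context
$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$report = Get-ADObject -SearchBase $base -SearchScope OneLevel `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties displayName, flags, 'msPKI-Enrollment-Flag' |
    Where-Object { $_.flags -band $CT_FLAG_MACHINE_TYPE } |
    ForEach-Object {
        $enrollFlags = [int]$_.'msPKI-Enrollment-Flag'
        [pscustomobject]@{
            Template               = $_.displayName
            PublishToAD            = [bool]($enrollFlags -band $CT_FLAG_PUBLISH_TO_DS)
            NoReenrollIfDupInAD    = [bool]($enrollFlags -band $CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE)
            EnrollmentFlagRawValue = '0x{0:X}' -f $enrollFlags
        }
    }

# Computer templates that still publish to AD are the ones the second reply says to change
$report | Sort-Object -Property PublishToAD -Descending | Format-Table -AutoSize
```

Templates that show PublishToAD as True are the ones where the checkbox mentioned in the second reply is still enabled.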
