Certificate Autoenrollment Group Policy
First let me just say that yes, I searched this forum for "autoenrollment" and "auto enrollment" and similar variations and found nothing relevant. Second, I must admit that setting up the GPO for this is much more complicated in Windows 2008 than it needs to be, so could someone explain the following policy settings to me please:

1. Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies \ Automatic Certificate Request Settings

What is that yellow folder for? And how come when I run the Automatic Certificate Request Setup Wizard my custom Web Server template does not show up? Instead all I see are the following four certificate templates: Computer, Domain Controller, Enrollment Agent (Computer), and IPSec. This can't possibly mean those are the only template types my servers can automatically enroll in. [Yes, I set the autoenrollment permissions on my template for the Domain Computers group.]

2. Certificate Services Client - Certificate Enrollment Policy

This can be set to "Not configured" or "Enabled". I don't think I need to mess with this one, but what in the world is this talking about? And yes, I read the generic cryptic Microsoft blurb: "Windows clients will use the default configuration for Certificate Enrollment Policy. To enable advanced configuration of Certificate Enrollment Policy change the option to 'Enabled' in the drop-down above." [sarcasm] Really, how insightful; you mean the Not configured/Enabled pull-down is like an off and on switch for this setting, wow. How about explaining where the default configuration for Certificate Enrollment Policy is and what its settings are, or is that a secret? [/sarcasm]

3. Certificate Services Client - Auto-Enrollment

This can be set to "Not configured", "Enabled", or "Disabled". I set ours in the test lab to Enabled. I also checked the "Renew expired certificates, update pending certificates, and remove revoked certificates" check box, as well as the "Update certificates that use certificate templates" check box.

Sorry about the long post; I like to put as much detail in as I can to help the next poor soul who may be reading this in the future going, "hey, this guy asked the very same question I have, he must be a genius / mind reader", LOL.
April 6th, 2010 6:42pm

Hello G-r-e-g! Let me answer your question.

> What is that yellow folder for? And how come when I run the Automatic Certificate Request Setup Wizard my custom Web Server template does not show up, instead all I see are the following four Certificate templates: Computer, Domain Controller, Enrollment Agent (Computer), and IPSec

The Automatic Certificate Request node is used to configure automatic certificate distribution to domain computers. While classic autoenrollment requires V2 or V3 templates, ACR can automatically issue certificates that are based on V1 templates only. Why don't you see the WebServer template? This is because you can enroll a certificate based on this template only when you manually supply the subject in the request. As you can see, the template subject is configured as "Supply in request". Clients cannot automatically supply the subject for their certificates. Therefore you see only templates where the subject is constructed using information from AD.

> Really, how insightful, you mean the Not configured/Enabled pull-down is like an off and on switch for this setting, wow
> How about explaining where is the default configuration for Certificate Enrollment Policy and what are its settings, or is that a secret.

I really don't understand your sarcasm. The default value is "not enabled". While the policy setting is set to 'Not configured' you can maintain individual settings on clients using the registry. When you explicitly enable or disable this setting, you cannot maintain individual settings on affected clients that receive this setting from the policy.

> This can be set to "Not configured", "Enabled", or "Disabled". I set ours in the test lab to Enabled. Also checked the Renew expired certificates, update pending certificates, and remove revoked certificates check box, as well as the Update certificates that use certificate templates check box.

You need to enable this option for both classic autoenrollment and automatic certificate request (ACR). Actually this setting is the only group policy setting required by classic autoenrollment. Of course, at least one V2/V3 template should be configured for autoenrollment by enabling the Autoenroll permission for any applicable security group, and this template must be added to at least one Enterprise CA. For ACR you need to configure the above-mentioned setting. While V1 templates have no Autoenroll permission, computer accounts must be granted Read and Enroll permissions for ACR.

I would advise you to avoid sarcasm if you plan to receive any other help in this forum in future.

http://www.sysadmins.lv
April 6th, 2010 7:13pm
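To check the two conditions the reply describes (V1 with an AD-built subject for the ACR wizard; V2+ with an AD-built subject plus the Autoenroll right for classic autoenrollment) across every template in the forest, here is an added PowerShell check that is not code from either poster. It assumes the ActiveDirectory module, a domain-joined session that can read the Configuration partition, and "Domain Computers" as the group to inspect; the Enroll/Autoenroll extended-right GUIDs and the "Supply in request" bit of msPKI-Certificate-Name-Flag are the standard AD CS values.

```powershell
# Added example: list certificate templates and show why each one does or does not
# qualify for ACR or classic autoenrollment. $Principal is an assumed group name.
param([string]$Principal = 'Domain Computers')

Import-Module ActiveDirectory

# Extended-right GUIDs for Certificate-Enrollment and Certificate-AutoEnrollment
$EnrollGuid      = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollGuid  = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$SuppliesSubject = 0x1    # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT ("Supply in request")

$cfg  = (Get-ADRootDSE).configurationNamingContext
$base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"

Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties displayName, 'msPKI-Template-Schema-Version', 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor |
ForEach-Object {
    $t      = $_
    $ver    = [int]$t.'msPKI-Template-Schema-Version'
    $supply = (([int]$t.'msPKI-Certificate-Name-Flag') -band $SuppliesSubject) -ne 0

    # Allow ACEs granted to the chosen group (IdentityReference looks like "DOMAIN\Domain Computers")
    $aces = $t.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*\$Principal"
    }
    $hasEnroll = [bool]($aces | Where-Object { $_.ObjectType -eq $EnrollGuid })
    $hasAuto   = [bool]($aces | Where-Object { $_.ObjectType -eq $AutoEnrollGuid })

    [pscustomobject]@{
        Template          = $t.displayName
        SchemaVersion     = $ver
        SupplyInRequest   = $supply
        Enroll            = $hasEnroll
        Autoenroll        = $hasAuto
        # the ACR wizard lists only V1 templates whose subject is built from AD
        ACR               = ($ver -eq 1) -and -not $supply
        # classic autoenrollment needs V2+, an AD-built subject and the Autoenroll right
        ClassicAutoenroll = ($ver -ge 2) -and -not $supply -and $hasAuto
    }
} | Sort-Object Template | Format-Table -AutoSize
```

A Web Server template that shows SupplyInRequest = True will be False in both eligibility columns regardless of its permissions, which is exactly why it is missing from the ACR wizard.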

> I really don't understand your sarcasm. I would advise you to avoid sarcasm if you plan to receive any other help in this forum in future.

I guess that's why you advise against it; I was just trying to introduce humor to an otherwise very dry topic.
April 6th, 2010 7:45pm
