Deploy Computer Certs with Group Policy Question
I'm looking at deploying my client certificates for native mode SCCM using group policy and I'm running into an issue. I want to know how I can change which CA group policy defaults to when you try to create an automatic certificate request policy. Apparently we had an old, no-longer-used CA and it is defaulting to that right now. I need to change it so that I can deploy certs based on a template I created on a different Enterprise CA. I guess I need to change the "default" CA for the domain because if I try to do a normal cert request from the certificates mmc plug-in on any workstation, it automatically looks at this old CA as well. This article: http://technet.microsoft.com/en-us/library/cc759371%28WS.10%29.aspx says that a Windows 2000 box will ask which CA to use, but XP and 2003 do not. I actually want to choose the CA in this case. Thanks
December 31st, 2009 4:54pm

Actually there is no "default" or "non-default" CA. When the autoenrollment trigger starts, it downloads all certificate templates from AD and checks for Read, Enroll and Autoenroll permissions. After this the client enumerates all enterprise CAs (those registered in the Enrollment Services container). Using a DCOM request the client retrieves all available templates from each CA. Then the client filters all available templates on each enterprise CA where the client has Read, Enroll and Autoenroll permissions and performs automatic enrollment requests.

To use the autoenrollment option, you MUST have at least one CA running Windows Server 2003/2008 Enterprise/Datacenter or 2008 R2 Standard/Enterprise/Datacenter (except Itanium editions) and custom V2 templates, and clients of at least Windows XP.

There is another way to achieve this — Automatic Certificate Requests. This option is supported for all clients starting with Windows 2000. Using ACR you can deploy certificates for computers, and using V1 templates only. You cannot use ACR to deploy certificates based on V2/V3 templates and/or for users.

Regarding your second question: if you want to limit clients to enrolling certificates from a particular CA, there is only one way — remove V1 (for computers only) templates from the other CAs, because template permissions are set in a forest-wide context and cannot be limited to a particular CA.

http://technet.microsoft.com/en-us/library/bb456981.aspx
http://technet.microsoft.com/en-us/library/cc778954(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc776310(WS.10).aspx

http://www.sysadmins.lv
December 31st, 2009 5:44pm
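The reply above describes what the autoenrollment client does: enumerate the enterprise CAs registered in the Enrollment Services container, fetch the templates each CA publishes, and keep only those where the computer has Read, Enroll and Autoenroll. The following PowerShell script is an added example (it is not code from this thread or from sysadmins.lv) that performs the same enumeration read-only, so an admin can see exactly which CAs publish a template and who holds which rights on it before touching anything. It uses only ADSI, so it needs no ActiveDirectory module; it assumes a domain-joined machine and a user who can read the Configuration partition, and the V1 "Computer" template's internal cn is "Machine".

```powershell
# Added example, not code from the thread. Read-only enumeration of enterprise CAs,
# the templates each publishes, and the Read/Enroll/Autoenroll rights on one template.
# Assumption: run on a domain-joined box with read access to the Configuration partition.

$configNC = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Well-known extended-right GUIDs used on certificate template objects.
$EnrollRight     = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = [Guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function Get-EnterpriseCA {
    # One pKIEnrollmentService object per enterprise CA. Its certificateTemplates attribute
    # holds the cn of every template that CA is configured to issue ("Machine" = V1 Computer).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Enrollment Services,$pkiBase"
    $searcher.Filter = '(objectClass=pKIEnrollmentService)'
    foreach ($a in 'cn', 'dNSHostName', 'certificateTemplates') { [void]$searcher.PropertiesToLoad.Add($a) }
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            CA        = [string]$r.Properties['cn'][0]
            Host      = [string]$r.Properties['dnshostname'][0]
            Templates = @($r.Properties['certificatetemplates'] | ForEach-Object { [string]$_ })
        }
    }
}

function Get-TemplateEnrollRights {
    # Reads the template object's DACL and reports, per trustee, the three rights the
    # autoenrollment client checks. ExtendedRight with an empty ObjectType means "all extended rights".
    param([Parameter(Mandatory = $true)][string]$TemplateCN)
    $tpl   = [ADSI]"LDAP://CN=$TemplateCN,CN=Certificate Templates,$pkiBase"
    $rules = $tpl.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $rights   = $rule.ActiveDirectoryRights
        $readMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
        $hasExt   = ([int]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) -ne 0
        $allExt   = $hasExt -and ($rule.ObjectType -eq [Guid]::Empty)
        New-Object PSObject -Property @{
            Identity   = $rule.IdentityReference.Value
            Read       = ([int]($rights -band $readMask)) -ne 0
            Enroll     = $allExt -or ($hasExt -and $rule.ObjectType -eq $EnrollRight)
            Autoenroll = $allExt -or ($hasExt -and $rule.ObjectType -eq $AutoEnrollRight)
        }
    }
}

# Which CAs publish the template? With more than one, the client may enroll from any of them,
# which is exactly the situation the thread describes.
$template = 'Machine'
Get-EnterpriseCA | Where-Object { $_.Templates -contains $template } | Format-Table CA, Host -AutoSize
Get-TemplateEnrollRights -TemplateCN $template | Format-Table Identity, Read, Enroll, Autoenroll -AutoSize
```

If the first table shows both the old and the new CA, the template ACL is not what decides the issuer; the CA that answers first does, which is why the reply says the only lever is the per-CA published template list.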

So there is no way to set up an Automatic Certificate Request group policy to have clients request a V2-based client authentication certificate?
December 31st, 2009 6:50pm

No. Certificates based on V2/V3 templates can be automatically deployed via autoenrollment only.

http://www.sysadmins.lv
December 31st, 2009 6:51pm

What if I wanted to deploy the V1 "Computer" certificate from the other CA though? Why doesn't it show up when I go to create the Automatic Certificate Request group policy? I only see templates from the old CA... Are you saying I'd have to go into the old CA and remove the V1 "Computer" template to get the V1 "Computer" template to show up from the new CA?
December 31st, 2009 6:54pm

You must see certificates from all available enterprise CAs in the forest. Make sure that the other CAs can issue these templates and that you (your computer account) have Read and Enroll permissions on them. Also make sure that the Computer template is not superseded by any V2/V3 template.

http://www.sysadmins.lv
December 31st, 2009 6:57pm

When I go to create the automatic request policy, I only see one "Computer" template, and when that policy is applied to a test group, the certificate is issued by the old CA. The security options are the same on both CAs for the V1 "Computer" template:

Authenticated Users - Read
Domain Admins - Read/Write/Enroll
Domain Computers - Enroll
Enterprise Admins - Read/Write/Enroll

What would I do to have the new CA deploy these V1 certs instead of the old one?
December 31st, 2009 7:01pm

You need to remove this template from the old CA and add this template to issue on the new CA.

http://www.sysadmins.lv
December 31st, 2009 7:07pm

So I would go into the certificate authority on the old CA, drill down to Certificate Templates, then right-click on Computer in the right pane and click Delete. Then, since Computer is already available on the new one, all future Computer certs should be issued by the new CA? Thanks for your help, by the way.
December 31st, 2009 7:10pm

Exactly! Do not forget to add this template to issue on the other CA :)

http://www.sysadmins.lv
December 31st, 2009 7:12pm
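The last few posts settle on the procedure: publish the Computer template on the new CA, unpublish it on the old one, then confirm that new enrollments come from the new CA. The block below is an added example (not the thread's own steps, not code from sysadmins.lv) that does the same with certutil and then checks the result on a test client. The CA config strings are placeholders; it assumes CA administrator rights on both CAs, and the V1 "Computer" template's internal name "Machine" is used on the command line because certutil takes template names, not display names.

```powershell
# Added example, not from the thread. Moves issuance of the V1 "Computer" template
# (cn "Machine") from the old CA to the new one and verifies the outcome.
# Assumptions: CA admin on both CAs; the two config strings below are placeholders.
$oldCA = 'OLDCA01.corp.example\Corp-Old-CA'       # placeholder: <CA host>\<CA common name>
$newCA = 'NEWCA01.corp.example\Corp-Issuing-CA'   # placeholder

# Add on the new CA first, then remove from the old one, so the template is never
# unpublished everywhere while the change is in progress.
certutil -config $newCA -SetCATemplates '+Machine'
certutil -config $oldCA -SetCATemplates '-Machine'

# Confirm what each CA now advertises (this is the list clients retrieve from the CA).
certutil -config $newCA -CATemplates
certutil -config $oldCA -CATemplates

# On a test client, refresh policy and trigger enrollment. gpupdate is enough for the
# Automatic Certificate Request setting on XP; certutil -pulse fires the autoenrollment
# task on Vista and later.
gpupdate /target:computer /force
certutil -pulse

# List machine certificates that carry the V1 template-name extension
# (OID 1.3.6.1.4.1.311.20.2) and show who issued each one.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2' }
    if ($ext) {
        New-Object PSObject -Property @{
            Template = $ext.Format($false).Trim()
            Issuer   = $_.Issuer
            Expires  = $_.NotAfter
        }
    }
} | Format-Table Template, Issuer, Expires -AutoSize
```

An existing certificate from the old CA stays in the store until it is renewed; the Issuer column only changes for certificates enrolled or renewed after the template was moved, so look at a freshly joined or freshly pulsed test machine rather than an existing one.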

One last question - if you don't mind... If I do this, and then I set up an Autoenrollment setting with the "Renew expired certificates, update pending certificates, and remove revoked certificates" box checked, will this Computer cert renew itself automatically? It seems you can't change the validity period for those V1 certs...
December 31st, 2009 7:26pm

Yes, if you configure the autoenrollment setting then expired certificates will be automatically renewed. However, they will not be deleted (after expiration). This is because the purpose of private key usage includes Encryption. There is no way to automatically delete expired/revoked certificates whose Key Purpose field includes Encryption (see the Request Handling tab).

http://www.sysadmins.lv
December 31st, 2009 7:59pm
