Machine Certificate renewal while connected to VPN
We have recently renewed a Subordinate CA certificate which was about to expire in another 20 days. Machine certificates for XP clients in our environment are issued by this subordinate CA server, and autoenrollment is in place. I recently observed that remote users in particular, who connect using the Cisco VPN client, are getting the warning message "your machine certificate <asset number>.<domainname>.com will expire in 10 days". For one of the clients I tried to renew the certificate while connected to VPN, and I was able to renew it manually. I also verified a few machine certificates for PCs on the corporate network and found they had renewed automatically. Will machine certificates not get renewed automatically while connected to VPN? Mahesh
July 12th, 2012 5:12am

The VPN connection is probably too short in duration to let autoenrollment trigger. Autoenrollment runs periodically: at system startup and then every 8 hours recurrently. If you do not have the VPN connected at that time, autoenrollment goes void. Note that autoenrollment does not run at the regular Group Policy update cycles, which are every 120 minutes; the autoenrollment schedule is independent of that of GP updates. Test this: on a VPN client, connect the VPN to the intranet and, instead of enrolling manually, try pulsing autoenrollment from an elevated command prompt:

    gpupdate
    certutil -pulse

and see what happens. ondrej.
July 12th, 2012 8:34am

You need to make sure that autoenrollment is configured properly to renew expiring certificates on the target computers and on the related certificate templates. Read more on how to enable certificate autoenrollment: http://technet.microsoft.com/en-us/library/dd379529 /Hasain
July 12th, 2012 8:34am

Hi, whatever you explained makes sense; Group Policy updated successfully. When I tried certutil -pulse, I got the reply saying the pulse command completed successfully. Could you please let me know the exact function of this command? Mahesh
July 12th, 2012 1:21pm

Autoenrollment is already in place and it's issuing the certificates for clients which are on the network. It's only the few machines which connect to the corporate network using VPN where the certificate is not updated. Mahesh
July 12th, 2012 1:24pm

Sure, it just triggers the Autoenrollment client to do its autoenrollment cycle. Autoenrollment is the technology behind automatic enrollment of the computer certificates. It runs after every restart and then periodically every 8 hours. It tries to find online enterprise CAs and sends enrollment requests for certificate templates that are available but don't have a local certificate yet; it also pulls already issued certificates that are pending download, and it also archives already expired or revoked certificates. Autoenrollment on Vista/2008+ is done by a scheduled task which resides in the Task Scheduler under Microsoft, CertificateServicesClient. The tasks are configured to run with the period mentioned above. CERTUTIL -pulse just triggers the system task manually. o.
July 12th, 2012 3:19pm
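The test ondrej describes (bring the tunnel up, then gpupdate and certutil -pulse) and the autoenrollment behaviour he explains can be checked end to end from one elevated PowerShell session. The script below is an added example, not code from the thread or from Microsoft: it snapshots the computer certificate store, shows when the CertificateServicesClient scheduled tasks last ran, pulses autoenrollment, reads the autoenrollment events logged during the run, and then reports any certificate that appeared or is still close to expiry. It assumes a Windows 8 / Server 2012 or later client (Get-ScheduledTask is not available on Vista/7, and XP has neither the task nor PowerShell by default); the 30-day warning threshold and the event provider name are assumptions, noted in the comments.

```powershell
# Added example (not from the thread). Assumes Windows 8 / Server 2012 or later,
# where autoenrollment runs from the scheduled tasks under
# \Microsoft\Windows\CertificateServicesClient and Get-ScheduledTask exists.
# Run from an elevated PowerShell prompt while the VPN tunnel is up.

$WarnDays = 30   # assumption: flag certificates expiring within 30 days

function Get-MachineCertStatus {
    # One record per non-archived certificate in the computer's personal store.
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays
            Thumbprint = $_.Thumbprint
        }
    }
}

Write-Host 'Machine certificates before pulsing autoenrollment:'
$before = Get-MachineCertStatus
$before | Sort-Object DaysLeft | Format-Table Subject, Issuer, NotAfter, DaysLeft -AutoSize

# 1. Confirm the autoenrollment tasks exist and see when they last ran.
#    If LastRunTime falls outside your VPN sessions, the 8-hour cycle never
#    fired while the CA was reachable, which is ondrej's explanation.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\CertificateServicesClient\' |
    Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime |
    Format-Table -AutoSize

# 2. Refresh computer policy and trigger the autoenrollment cycle by hand.
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 30   # give the enrollment client time to reach the CA over the tunnel

# 3. Show what the autoenrollment client logged during the run. The provider
#    name is the one used on current Windows versions (assumption: adjust it if
#    your clients log under a different source in the Application log).
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 4. Re-read the store. A renewed certificate shows up as a new thumbprint with a
#    later NotAfter; the superseded one is normally archived and so disappears
#    from this listing.
$after = Get-MachineCertStatus
Write-Host 'Certificates that appeared after the pulse:'
$after | Where-Object { $before.Thumbprint -notcontains $_.Thumbprint } |
    Format-Table Subject, Issuer, NotAfter, DaysLeft -AutoSize

$after | Where-Object { $_.DaysLeft -le $WarnDays } |
    ForEach-Object { Write-Warning "$($_.Subject) still expires in $($_.DaysLeft) days" }
```

If step 4 lists nothing new and step 3 shows an error event, the message text usually says why the request failed (CA unreachable, RPC/DCOM blocked through the tunnel, template permission denied), which is more useful than the bare "completed successfully" that certutil -pulse prints, since that only confirms the task was kicked, not that enrollment succeeded.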


Thank you for the explanation. But even after successful execution of this command, I find the XP client's machine certificate is not updated. For sure, autoenrollment is enabled in the environment. How do I validate that autoenrollment is working fine in the environment? I hope you will answer one more query of mine. We have 2 Enterprise root CA servers in our domain. We have Win XP and Win 7 clients in the environment, with different domain Group Policies in place for the Win 7 and Win XP clients. What I have observed is that machine certificates are issued by different CA servers for the Win 7 and Win XP clients. Can we configure two CA servers to issue machine certificates to different clients? If yes, how do I make this happen? Please explain, awaiting your reply. Mahesh
July 16th, 2012 4:06am

Hi, we could have different certificate templates published on the different CAs for the different clients. Enable autoenrollment on the clients, and give the different client groups Enroll permissions on the different templates. For more details: http://technet.microsoft.com/en-us/library/cc947849 and http://technet.microsoft.com/en-us/library/cc778954 Regards, Yan Li, TechNet Community Support
July 17th, 2012 3:22am
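To verify the arrangement Yan Li describes (each client population enrolling from its own template on its own CA), it helps to see which CA and which template every computer certificate actually came from. The following is an added example, not code from the thread or from Microsoft: it decodes the Certificate Template Information extension (OID 1.3.6.1.4.1.311.21.7, written by version 2 and later templates) or, failing that, the older Certificate Template Name extension (OID 1.3.6.1.4.1.311.20.2, version 1 templates) from each certificate in LocalMachine\My and groups the result by issuer, then asks a CA which templates it publishes. The CA config string is a placeholder.

```powershell
# Added example (not from the thread). Shows which CA issued each computer
# certificate and from which template, so the Win 7 / Win XP split can be
# confirmed on a client. Run from an elevated PowerShell prompt (Vista/2008+).

$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2+ templates)
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates)

function Get-CertTemplateInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Prefer the v2 extension, which carries the template OID and version;
    # fall back to the v1 name extension; otherwise the cert did not come from
    # an enterprise CA template at all.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    if (-not $ext) {
        $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateNameOid }
    }
    if ($ext) { $ext.Format($false) } else { '(no template extension)' }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object {
        [pscustomobject]@{
            Subject  = $_.Subject
            Issuer   = $_.Issuer
            Template = Get-CertTemplateInfo $_
            NotAfter = $_.NotAfter
        }
    } |
    Sort-Object Issuer |
    Format-Table -GroupBy Issuer -Property Subject, Template, NotAfter -AutoSize

# To see which templates a given CA publishes, ask the CA directly.
# 'CA01.contoso.com\Contoso Sub CA' is a placeholder: substitute the
# "HostName\CAName" of your own CA.
certutil -CATemplates -config 'CA01.contoso.com\Contoso Sub CA'
```

Run on one Win 7 client and one XP client, the grouped table shows immediately whether the two populations are landing on the intended CA and template; if a client holds certificates from both CAs, both templates are published and both grant that machine's group Enroll (and Autoenroll) permission, which is the permission split Yan Li's answer says to tighten.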


Thanks for your reply. Mahesh
July 18th, 2012 5:36am
