Machine Certificate renewal while connected to VPN
We have recently renewed a Subordinate CA certificate which was about to expire in another 20 days. Machine certificates for XP clients in our environment are issued by this subordinate CA server and auto-enrollment is in place. I recently observed, especially for remote users who connect using the Cisco VPN client, a warning message saying "your machine certificate <asset number>.<domainname>.com will expire in 10 days". For one of the clients I tried to renew the certificate while connected to VPN, and I was able to renew manually. I also verified a few machine certificates for PCs in the corporate network and found they were renewed automatically. Will machine certificates not get renewed automatically while connected to VPN? Mahesh
July 12th, 2012 5:04am

The VPN connection is probably too short in duration to let the autoenrollment trigger. Autoenrollment runs periodically at system startup and then every 8 hours recurrently. If you do not have the VPN connected at that time, autoenrollment goes void. Note that autoenrollment does not run at regular Group Policy update cycles, which are every 120 minutes. The autoenrollment schedule is independent of that of GP updates. Test this: once on a VPN client, connect the VPN to the intranet and, instead of enrolling manually, try pulsing autoenrollment from an elevated command prompt: gpupdate, then certutil -pulse, and see what happens. ondrej.
July 12th, 2012 8:25am
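As an added example (not from this thread or from any of its posters), here is a PowerShell script a VPN client could run, or have scheduled to run once the tunnel is up, to do what ondrej describes: confirm the autoenrollment policy was applied, pulse autoenrollment, and check whether the expiring machine certificate was actually renewed. It assumes PowerShell 2.0 or later and certutil.exe on the client; the AEPolicy registry value and the event-log source names are the standard Windows ones, and $WarnDays / $WaitSeconds are parameters chosen for this example.

```powershell
# Added example, not from the original thread. Assumes PowerShell 2.0+ and certutil.exe.
param([int]$WarnDays = 30, [int]$WaitSeconds = 60)

function Get-ExpiringMachineCerts {
    param([int]$Days)
    $limit = (Get-Date).AddDays($Days)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.NotAfter -lt $limit } |
        Select-Object Subject, Thumbprint, NotAfter
}

# 1. Has the machine autoenrollment GPO reached this client at all?
#    AEPolicy: bit 1 = enroll, bit 2 = renew expired, bit 4 = update from templates; 0x8000 = disabled.
$aeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -ErrorAction SilentlyContinue).AEPolicy
if ($aePolicy -eq $null) {
    Write-Warning "No AutoEnrollment policy key found; the GPO has not been applied to this machine"
} elseif ($aePolicy -band 0x8000) {
    Write-Warning ("Autoenrollment is explicitly disabled (AEPolicy=0x{0:X})" -f $aePolicy)
} else {
    Write-Host ("AEPolicy = {0}; renew expired certificates: {1}" -f $aePolicy, [bool]($aePolicy -band 2))
}

# 2. Snapshot the certificates that are close to expiry, then pulse autoenrollment over the VPN.
$before = Get-ExpiringMachineCerts -Days $WarnDays
$before | Format-Table -AutoSize
$start = Get-Date
certutil -pulse | Out-Null
Start-Sleep -Seconds $WaitSeconds

# 3. A renewed certificate appears as a new thumbprint with the same subject and a later NotAfter.
$after = Get-ChildItem Cert:\LocalMachine\My
foreach ($old in $before) {
    $new = $after | Where-Object { $_.Subject -eq $old.Subject -and $_.NotAfter -gt $old.NotAfter }
    if ($new) { Write-Host "Renewed: $($old.Subject) -> $($new.Thumbprint), valid to $($new.NotAfter)" }
    else      { Write-Warning "Not renewed: $($old.Subject) (still expires $($old.NotAfter))" }
}

# 4. Autoenrollment logs its outcome to the Application log (source "AutoEnrollment" on XP,
#    "Microsoft-Windows-CertificateServicesClient-AutoEnrollment" on Windows 7); show what it said.
Get-EventLog -LogName Application -After $start -ErrorAction SilentlyContinue |
    Where-Object { $_.Source -like '*AutoEnrollment*' } |
    Select-Object TimeGenerated, EntryType, EventID, Message | Format-List
```

If step 3 reports "Not renewed" while step 1 shows renewal enabled, the events from step 4 usually name the cause (CA unreachable over the tunnel, template permissions, or a pending request).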

You need to make sure that Auto-Enrollment is configured properly to renew expiring certificates on the target computers and the related certificate templates. Read more on how to enable certificate autoenrollment http://technet.microsoft.com/en-us/library/dd379529 /Hasain
July 12th, 2012 8:26am

Hi, whatever you explained makes sense; group policy updated successfully. When I tried certutil -pulse, I got the reply saying the pulse command completed successfully. Could you please let me know the exact function of this command? Mahesh
July 12th, 2012 1:13pm

Auto-Enrollment is already in place and it's issuing the certificates for clients which are in the network. It's only the few machines which connect to the corporate network using VPN where the certificate is not updated. Mahesh
July 12th, 2012 1:16pm

Thank you for the explanation. But after successful execution of this command I still find the XP client's machine certificate is not updated. But, for sure, autoenrollment is enabled in the environment. How do I validate that autoenrollment is working fine in the environment? I hope you can answer one more query. We have 2 Enterprise root CA servers in our Domain. We have WinXP and Win 7 clients in the environment. We have different domain group policies in place for Win 7 and Win XP clients. What I have observed is that machine certificates are issued by different CA servers for Win 7 and WinXP clients. Can we configure two CA servers to issue machine certificates to different clients? If yes, how do I make this happen? Please explain, awaiting your reply. Mahesh
July 16th, 2012 4:04am

Thanks for your reply. Mahesh
July 18th, 2012 5:36am
