I have a Windows 2008 R2 Enterprise Certificate Server and am using a GPO to automatically push certs to users in an OU. The GPO settings enabled are Computer Configuration/Policies/Windows Settings/Security Settings/Public Key Policies then enabling Certificate Services Client - Auto Enrollment, Certificate Path Validation Settings, Certificate Services Client - Certificate Enrollment Policy. If I disable and remove the GPO that is pushing the certs from my certificate server, will the certs be removed from the users? Or will they just expire after the 3 years I have them set too? In otherwords, removing the GPO should have no effect on the already pushed certificates??

True, removing the GPO will just remove the autoenrollment settings, the certificates are not affected and will continue to be valid until they expire /Hasain

Hi, If I disable and remove the GPO that is pushing the certs from my certificate server, will the certs be removed from the users >> Configure Public Key Group Policy is used to Use automatic enrollment for computer certificates. Add trusted root certificates for groups of computers. Create CTLs for computers and users. Designate EFS recovery agent accounts. For details: Configure Public Key Group Policy (http://technet.microsoft.com/en-us/library/cc962057.aspx) Hope this helps! Best Regards Elytis Cheng TechNet Subscriber Support If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.Elytis Cheng TechNet Community Support