certificate autoenrollment and auto-renewal
A few questions about certificate autoenrollment and auto-renewal: 1. If automatic enrollment is enabled in the GPO (with both options ticked), but the certificate template does not support autoenrollment (not allowed), will this certificate get automatically renewed? 2. If a certificate template supports autoenrollment (allowed) and a security group has the autoenrollment rights granted (in the template settings), will the members of this group automatically get the certificate without having to set "auto-request" in the GPO? Thanks
June 11th, 2012 2:21am

1) No. 2) No. For successful autoenrollment, two things must be configured: 1) certificate template permissions; 2) the appropriate GPO setting (under User Configuration and/or Computer Configuration). My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
June 11th, 2012 2:35am
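The two prerequisites named in the answer above (template permissions and the autoenrollment GPO setting) can be verified from a domain-joined machine. The following is an added example and not code from the thread or from the PSPKI module; it assumes the caller can read the Configuration partition, that the template CN and group name passed in are placeholders, and that the AEPolicy bit values and the Enroll/Autoenroll extended-right GUIDs are the ones documented for the Certificate Services Client and the AD schema.

```powershell
# Added example (not part of the thread): check Vadims' two prerequisites for a given
# template and principal. Assumptions: domain-joined host, caller can read the
# Configuration partition; the template CN and group name are placeholder parameters.
param(
    [string]$TemplateName = 'Machine',           # CN of the template ("Machine" is the V1 "Computer" template)
    [string]$Group        = 'Domain Computers'   # principal whose Enroll/Autoenroll rights to report
)

# --- Prerequisite 2: autoenrollment policy as applied to this computer ---
# Computer Configuration writes HKLM; the user-side policy lives under HKCU at the same path.
# AEPolicy bits as documented for the Certificate Services Client: 0x1 enabled,
# 0x2 renew expired/update pending/remove revoked, 0x4 update certs that use templates,
# 0x8000 policy disabled. "Enabled with both options ticked" therefore shows as 7.
$aeKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$aePolicy = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy) {
    Write-Warning 'AEPolicy is absent: no autoenrollment GPO applies to this computer'
} elseif ($aePolicy -band 0x8000) {
    Write-Warning ('AEPolicy=0x{0:X}: autoenrollment is explicitly disabled' -f $aePolicy)
} else {
    'AEPolicy=0x{0:X}  Enabled={1}  RenewExpired={2}  UpdateTemplates={3}' -f $aePolicy,
        [bool]($aePolicy -band 0x1), [bool]($aePolicy -band 0x2), [bool]($aePolicy -band 0x4)
}

# --- Prerequisite 1: template flags and ACL in the Configuration partition ---
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$tmpl = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
try { $tmpl.RefreshCache() } catch { throw "Template '$TemplateName' not found under $configNc" }

$CT_FLAG_AUTO_ENROLLMENT = 0x20   # msPKI-Enrollment-Flag bit: "Autoenroll" allowed on the template
$enrollFlags = [int]$tmpl.Properties['msPKI-Enrollment-Flag'].Value
$schemaVer   = [int]$tmpl.Properties['msPKI-Template-Schema-Version'].Value
'Template {0}: schema version {1}, autoenrollment flag {2}' -f $TemplateName, $schemaVer,
    [bool]($enrollFlags -band $CT_FLAG_AUTO_ENROLLMENT)
if ($schemaVer -le 1) { Write-Warning 'V1 template: not autoenrollable; only manual requests or ACR apply' }

# Enroll and Autoenroll are extended rights identified by these well-known GUIDs
$enrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$autoEnrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'
$rights = $tmpl.ObjectSecurity.Access |
    Where-Object { $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight } |
    ForEach-Object {
        $name = switch ($_.ObjectType) {
            $enrollGuid     { 'Enroll' }
            $autoEnrollGuid { 'AutoEnroll' }
            ([guid]::Empty) { 'AllExtendedRights' }
            default         { $null }
        }
        if ($name) { [pscustomobject]@{ Identity = $_.IdentityReference.Value; Right = $name; Type = $_.AccessControlType } }
    }
$rights | Format-Table -AutoSize

# Direct ACEs only: membership through nested groups is not resolved here
$groupAutoEnroll = $rights | Where-Object {
    $_.Type -eq 'Allow' -and $_.Right -in 'AutoEnroll', 'AllExtendedRights' -and $_.Identity -like "*\$Group"
}
if ($groupAutoEnroll) { "$Group holds Autoenroll on $TemplateName" }
else { Write-Warning "$Group has no direct Autoenroll ACE on $TemplateName" }
```

Both halves have to pass for the same principal: a template that grants Autoenroll to the group but a host where AEPolicy is absent (or 0x8000) will never enroll, and a host with AEPolicy=7 cannot enroll a template that lacks the Autoenroll ACE or is V1. For user templates, repeat the registry check under HKCU in the user's session.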

Thanks Vadims for the response. I can understand the first "no". For the second, my question is whether or not to set ACR (automatic certificate request). I forgot to mention that in the GPO autoenrollment is enabled with both options ticked. Let me rewrite the second question: if a certificate template supports autoenrollment and a security group has the autoenrollment rights granted (in the template settings), and in the GPO autoenrollment is enabled with both options ticked, do I need to set automatic certificate request in the GPO for members of the group mentioned above to automatically get the certificate? Thanks.
June 11th, 2012 4:06am

Automatic Certificate Request (ACR) was used in Windows 2000 (and if the CA runs on Windows Server 2003/2008 Standard edition) for *computer* certificate autoenrollment based only on V1 templates. The mentioned CA versions do not support V2/V3 templates (or autoenrollment). In other words, ACR is used only: 1) to distribute certificates to domain computers; 2) based on V1 templates. Autoenrollment policy is not necessary for ACR (because ACR has very little relation to autoenrollment). My weblog: http://en-us.sysadmins.lv PowerShell PKI Module: http://pspki.codeplex.com Windows PKI reference: on TechNet wiki
June 11th, 2012 4:35am

Thanks again. Does it mean a "computer" certificate cannot be renewed automatically, as it is based on a V1 template and does not support autoenrollment?
June 11th, 2012 5:53am

Thanks! Can you detail how to automatically renew "computer" certificates that are distributed to computers such as those in the "domain computers" group? (This was my first question, as the computer certificate template is V1, which does not support autoenrollment.)
June 11th, 2012 6:34am

Thanks. I'll look at the ACR settings in the GPO tomorrow.
June 11th, 2012 8:04am

Hi Vadims, the ACR settings in the GPO have only the certificate template name. How can auto-renew work? In fact, we found in our environment that quite a few clients had "computer" certificates that expired and were not renewed.
June 11th, 2012 7:57pm
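The thread ends with clients holding expired "computer" certificates and no explanation of why they were not renewed. On one affected client, the first step is to see which template each machine certificate came from, whether the autoenrollment policy actually reached the host, and what the autoenrollment client logs when triggered. The following is an added example, not code from the thread; it assumes an elevated PowerShell session on the affected domain computer and that the template-name extension OIDs are the documented szOID_ENROLL_CERTTYPE_EXTENSION (V1 templates) and szOID_CERTIFICATE_TEMPLATE (V2 and later).

```powershell
# Added example (not part of the thread): triage one client that shows an expired
# machine certificate. Assumptions: elevated PowerShell on the affected domain computer;
# the extension OIDs below are the documented V1 template-name and V2+ template-info OIDs.
$OID_V1_TEMPLATE_NAME = '1.3.6.1.4.1.311.20.2'
$OID_V2_TEMPLATE_INFO = '1.3.6.1.4.1.311.21.7'

function Get-MachineCertsByTemplate {
    # Certificates issued from an AD CS template carry one of the two extensions;
    # self-signed or third-party certs carry neither and are reported as '<no template>'.
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        $ext  = $cert.Extensions |
            Where-Object { $_.Oid.Value -in $OID_V1_TEMPLATE_NAME, $OID_V2_TEMPLATE_INFO } |
            Select-Object -First 1
        $templateText = '<no template>'
        if ($ext) { $templateText = $ext.Format($false) }   # V1: bare template name; V2+: "Template=..." text
        [pscustomobject]@{
            Template   = $templateText
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Expired    = $cert.NotAfter -lt (Get-Date)
            Thumbprint = $cert.Thumbprint
        }
    }
}

$certs = Get-MachineCertsByTemplate
$certs | Sort-Object NotAfter | Format-Table Template, NotAfter, Expired, Subject -AutoSize

# Renewal cannot happen unless the autoenrollment policy actually reached this host:
# 7 = enabled with both options ticked, 0x8000 = disabled, absent = GPO not applied.
$aePolicy = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment' `
    -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $aePolicy -or ($aePolicy -band 0x8000) -or (($aePolicy -band 0x7) -ne 0x7)) {
    Write-Warning "AEPolicy='$aePolicy' (expected 7). Check the GPO link and scope and run gpupdate first."
}

# Trigger the machine autoenrollment pass now instead of waiting for the next policy
# refresh, then read what the autoenrollment client logged about it.
certutil -pulse | Out-Null
Start-Sleep -Seconds 20
Get-WinEvent -LogName Application -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*CertificateServicesClient-AutoEnrollment*' } |
    Select-Object -First 10 TimeCreated, Id, Message | Format-List

# If the expired certificate came from the V1 "Computer" template (CN "Machine"), which
# autoenrollment does not handle, a fresh request by template name still works as long
# as the computer holds Enroll on it:
#   certreq -enroll -machine -q Machine
```

The expired certificate remains in the store after a successful new enrollment unless the policy's "remove revoked / update" handling or manual cleanup takes it out, so compare thumbprints rather than counting certificates when checking the result.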
