Hey Fared,
So you have to configure the autoenrollment group policy object, and more specifically the setting "Renew expired certificates, update pending, and remove revoked certificates". This is the magic sauce to get an existing certificate to renew. The actual autoenrollment security setting on the template is only for the first issuance of the certificate. Autoenrollment DOES NOT renew an existing certificate; that specific setting in the autoenrollment policy is what causes that, and that's why you have to set the security permission for Enroll and Autoenroll on the certificate template security setting for any template that you want autoenrollment AND renewals to happen.
The forcing re-enrollment section of the article you are pointing out happens ONLY if the autoenrollment group policy object setting "Update certificates that use certificate templates" is checked. If that is not checked, setting the template to re-enroll all certificate holders will never actually do anything.
Basically, if you never check the two boxes below but have autoenrollment policy configured, then the computer would autoenroll for a certificate the first time and never do a renewal, and then you would find an expired certificate sitting in the computer or user certificate Personal store.
I am out of the office for this week, but let me know if you have more questions and I can check back and answer them further.
Have a great week.
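
A way to check a machine for the situation described in the reply above, as an added example that is not part of the original post: it reads the applied computer autoenrollment policy and lists certificates in the computer Personal store that are expired or close to expiry. The mapping of the two checkboxes to `AEPolicy` bits (0x6 for the renew setting, 0x1 for the update-templates setting, 0x8000 for disabled) and the 30-day window are assumptions of this example.

```powershell
# Added example, not from the original reply.
# Computer policy lives under HKLM; the user policy uses the same path under HKCU.
$key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$store = 'Cert:\LocalMachine\My'      # computer Personal store
$warnDays = 30                        # constructed threshold for "expiring soon"

$policy = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy

if ($null -eq $policy) {
    Write-Output 'AEPolicy not present: no autoenrollment policy applied to this computer.'
} elseif ($policy -band 0x8000) {
    Write-Output 'Autoenrollment is disabled by policy.'
} else {
    # Assumed bit mapping of the two GPO checkboxes (see lead-in).
    [pscustomobject]@{
        AEPolicy                     = '0x{0:X}' -f $policy
        RenewExpiredCertificates     = ($policy -band 0x6) -eq 0x6
        UpdateCertsThatUseTemplates  = ($policy -band 0x1) -eq 0x1
    } | Format-List
}

# Certificates that were enrolled once and never renewed show up here as expired.
$now = Get-Date
Get-ChildItem -Path $store |
    Where-Object { $_.NotAfter -lt $now.AddDays($warnDays) } |
    ForEach-Object {
        # Certificate Template Information extension, when the issuing CA included it.
        $tmpl = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Status     = if ($_.NotAfter -lt $now) { 'Expired' } else { 'ExpiringSoon' }
            Template   = if ($tmpl) { $tmpl.Format($false) } else { '(none)' }
        }
    } |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```

An expired certificate from an autoenrolled template, together with `RenewExpiredCertificates` showing `False`, matches the case the reply describes.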