Hi All
This is my first time on this forum, so please let me know if the topic is in the wrong place. And apologies for my English as well.
I have a problem with the Certificate Autoenrollment policy that I have implemented for the company. The problem is that when users get new laptops and join them to the domain, their existing user certificates are not re-issued. For the old laptops, if the user and computer certificates are accidentally deleted, the existing ones are not re-issued either.
However, if I revoke the certificates via the CA console, new ones can be issued to the client.
A bit of background on the ADCS environment: AD Certificate Services is installed on a Windows 2008 R2 Enterprise domain controller.
The user certificate template is duplicated from an existing one, and I enabled "Publish certificate in Active Directory" and checked the "Do not automatically reenroll if a duplicate certificate exists in Active Directory" option as well.
As for the GPO, I created a GPO and linked it at the domain level in GPMC. "Automatic certificate management" under User Configuration is set to Enabled, and the following options are also enabled:
- Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates
- Update and manage certificates that use certificate templates from Active Directory
Hopefully someone has encountered this before and can help me with a solution.
Thank you,
Ake
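An added example, not part of Ake's post: the PowerShell below reads the user template's msPKI-Enrollment-Flag from the Configuration partition, decodes the bits relevant to autoenrollment, and lists the certificates already published on the user object. The "Do not automatically reenroll if a duplicate certificate exists in Active Directory" checkbox sets CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE (0x10), which makes the autoenrollment client look at the user's userCertificate attribute for a still-valid certificate from the same template before it requests a new one; a certificate published from the old laptop satisfies that check even though its private key only exists on the old machine. The template CN, the user name and the availability of the RSAT ActiveDirectory module are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post). Decodes a certificate template's
# msPKI-Enrollment-Flag and lists what is published in a user's userCertificate
# attribute, which is where the "duplicate certificate in AD" check looks.
# Assumptions: RSAT ActiveDirectory module is present, the caller can read the
# Configuration partition, and the two values below are placeholders.
Import-Module ActiveDirectory

$TemplateName   = 'CompanyUserAutoenroll'   # placeholder: template CN, not its display name
$SamAccountName = 'jdoe'                    # placeholder: a user whose certificate was not re-issued

# Bit values of msPKI-Enrollment-Flag as defined in MS-CRTD section 2.26.
$EnrollmentFlags = @(
    @{ Bit = 0x00000002; Name = 'CT_FLAG_PEND_ALL_REQUESTS (CA certificate manager approval)' },
    @{ Bit = 0x00000008; Name = 'CT_FLAG_PUBLISH_TO_DS (Publish certificate in Active Directory)' },
    @{ Bit = 0x00000010; Name = 'CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE (Do not reenroll if a duplicate exists in AD)' },
    @{ Bit = 0x00000020; Name = 'CT_FLAG_AUTO_ENROLLMENT (template allows autoenrollment)' },
    @{ Bit = 0x00000040; Name = 'CT_FLAG_PREVIOUS_APPROVAL_VALIDATE_REENROLLMENT' },
    @{ Bit = 0x00000100; Name = 'CT_FLAG_USER_INTERACTION_REQUIRED (prompt the user during enrollment)' },
    @{ Bit = 0x00000400; Name = 'CT_FLAG_REMOVE_INVALID_CERTIFICATE_FROM_PERSONAL_STORE' }
)

# Templates live in the Configuration partition, not in the domain partition.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template   = Get-ADObject -Identity $templateDN -Properties 'msPKI-Enrollment-Flag', 'msPKI-Template-Schema-Version'
$flags      = [int]$template.'msPKI-Enrollment-Flag'

"Template {0} (schema v{1}): msPKI-Enrollment-Flag = 0x{2:X8}" -f $TemplateName, $template.'msPKI-Template-Schema-Version', $flags
foreach ($f in $EnrollmentFlags) {
    $state = if (($flags -band $f.Bit) -ne 0) { 'SET' } else { '   ' }
    "  [{0}] 0x{1:X8} {2}" -f $state, $f.Bit, $f.Name
}

# Certificates published to the user object. With 0x10 set, a still-valid
# certificate here from the same template counts as a duplicate and the
# client will not request a new one, even on a freshly joined laptop.
$user = Get-ADUser -Identity $SamAccountName -Properties userCertificate
"`nuserCertificate entries for {0}: {1}" -f $SamAccountName, @($user.userCertificate).Count
foreach ($raw in $user.userCertificate) {
    # The comma keeps the byte[] as a single constructor argument.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
    # 1.3.6.1.4.1.311.21.7 = Certificate Template Information (v2+ templates)
    # 1.3.6.1.4.1.311.20.2 = Certificate Template Name (v1 templates)
    $tmplExt  = $cert.Extensions | Where-Object { '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' -contains $_.Oid.Value }
    $tmplText = if ($tmplExt) { ($tmplExt | ForEach-Object { $_.Format($false) }) -join '; ' } else { '(no template extension)' }
    $now      = Get-Date
    $valid    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    "  Serial {0}  NotAfter {1:yyyy-MM-dd}  {2}  {3}" -f $cert.SerialNumber, $cert.NotAfter, $(if ($valid) { 'VALID  ' } else { 'EXPIRED' }), $tmplText
}
```

Run it as a user who can read the Configuration partition; if the output shows bit 0x10 set and a valid certificate from the same template in userCertificate, that published certificate is what the "duplicate" check is finding. After any change to the template, `certutil -pulse` on the client triggers an autoenrollment pass immediately instead of waiting for the next Group Policy refresh.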