What is group certificate
First let me just say that yes I searched this forum for "autoenrollment" and "auto enrollment" and similar variations and found nothing relevent. Second I must admit that setting up the GPO for this is much more complicated in Windows 2008 than it needs to be, so could someone explain the following Policy settings to me please:
1. Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Public Key Policies \ Automatic Certificate Request Settings
What is that yellow folder for? And how come when I run the Automatic Certificate Request Setup Wizard my custom Web Server template does not show up, instead all I see are the following four Certificate templates: Computer, Domain Controller, Enrollment Agent (Computer), and IPSec.
This can't possibly mean those are the only template types my servers can automatically enroll in.
[yes I set the autoenrollment permissions on my template for the Domain Computers group]
2. Certificate Services Client - Certificate Enrollment Policy
This can be set to "Not configured" or "Enabled" I don't think I need to mess with this one but what in the world
is this talking about? And yes I read the generic cryptic Microsoft blurb: Windows clients will use the default configuration for Certificate Enrollment Policy. To enable advanced configuration of Certificate Enrollment Policy change the option to "Enabled" in the drop-down above. [sarcasm] Really, how insightful, you mean the Not configures/Enabled pull down is like an off and on switch for this setting, wow. How about explaining where is the default configuration for Certificate Enrollment Policy and what are its settings, or is that a secret. [/sarcasm]
3. Certificate Services Client - Auto-Enrollment
This can be set to "Not configured", "Enabled", or "Disabled". I set ours in the test lab to Enabled. Also checked the Renew expired certificates, update pending certificates, and remove revoked certificates check box, as well as the Update certificates that use certificate templates check box.
Sorry about the long post, I like to put as much detail in as I can to help the next poor sole who may be reading this in the future going, hey this guy asked the very same question I have, he must be a genius / mind reader, LOL.Source: social.technet.microsoft.com