Hi all,
I'm currently having a issue with certificate autoenrollment.
I enable autoenrollment for Computer certificates via GPO. I configured a certificate template and assigned read, enroll and auto-enroll permission to a security group. My Computer is member of this Group. After I have rebooted my machine and performed a gpresult /r /scope Computer and a RSOP.msc I can see that the Computer is member of the Group and the GPO is applied.
But no certificate is enrolled. I can enroll them manually via MMC. Therefore I guess permissions are correct.
If checked the registry key /HKLM/SOFTWARE/Policies/Microsoft/Cryptography/AutoEnrollment/AEPolicy and it should have the value 7 but in our Environment it has value 6. If I Change the value manually and perform a certutil -pulse it works fine and a certificate is manually enrolled. After a gpupdate /force the key is 6 again.
I wasn't able to find out the reason for this and I wasn't able to find out what AEPolicy=6 means.
Can anybody help me with this please?
Thanks
Chris