
Automatic certificate enrollment for user certs - Question


Hello,

We have a Windows 2008 R2 domain, and on one server I have installed an AD-integrated certificate authority (CA). I have duplicated the User certificate template and granted the autoenroll permission to my domain users. Furthermore, I have created a group policy that auto-enrolls the user certificate at logon.

What works now is: when a user who does not yet have a user certificate logs in at a computer, a user certificate is automatically enrolled via GPO some seconds after the login and saved on the computer (local certificate store, my certificates). The cert is also stored in the user object in Active Directory.

I set the option not to request a new certificate if there is already a valid one registered and available in Active Directory.

I have now realized that when the user logs in on another computer, a new certificate is not requested and enrolled (this is OK), but the already available certificate of this user is not automatically installed on the computer itself (local store). It seems that the certificate is only installed on the computer on which the user is logged on when the certificate is originally requested.

Is there a possibility to configure that users automatically get their certificates installed in the computer's local certificate store when the user already has a valid cert in Active Directory?

Greetings

Flo

