Certificate Services - Automatic Enrollment and Pooled/Stateless Desktops

I've recently implemented a PKI in a new domain where some of the desktops are stateless. Part of the PKI configuration is to enable auto enrollment for all computers in the domain. This is working well, but I've noticed that every time a stateless desktop reboots and reverts back to its base image it requests a new certificate and one is supplied by the CA.

The problem with this is that these desktops could reboot daily and thus obtain a certificate daily. As you can imagine, this is growing the number of certificates that have been issued at an alarming rate, and in the Issued Certificates there are multiples for a single computer account.

On the template the options 'Publish certificate in Active Directory' and 'Do not automatically reenroll if a duplicate certificate exists in Active Directory' are checked, and the Domain Computers group has Read, Enroll and Autoenroll rights. My understanding is that this will store the certificate for the computer in AD, and if a new certificate request is made for the computer this will negate the need for a new certificate.

The Validity period is 1 year and the Renewal period is 6 weeks. I know I could reduce the validity period, but then I would impact dedicated desktops and servers.

The PKI is 2008 R2.

When a stateless desktop reverts to its base image the SID of the computer account does not change.
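An audit script for the situation described above, added here as an example and not part of the original post: it counts unexpired certificates per requester in the CA's issued log and then checks whether a matching certificate is actually present in each offending computer object's userCertificate attribute, which is what the 'do not reenroll if a duplicate exists in AD' check has to match against. It assumes PowerShell 5.1 with the RSAT ActiveDirectory module, certutil.exe able to reach the CA, and the placeholder CA config string and hypothetical template name set at the top.

```powershell
# Added example, not from the original post. Assumes PowerShell 5.1 with the RSAT
# ActiveDirectory module, certutil.exe able to reach the CA, and the placeholder CA
# config string and hypothetical template name below.
$CaConfig     = 'CA01.corp.example\Corp-Issuing-CA'   # placeholder "<host>\<CA name>"
$TemplateName = 'StatelessDesktopComputer'            # hypothetical template name
$MaxPerHost   = 1                                     # more live certs than this = runaway enrollment

Import-Module ActiveDirectory

# 1. Export issued certificates (Disposition 20 = issued) from the CA database as CSV.
#    The first line is certutil's header row, so it is skipped and fixed column names applied.
$rows = certutil -config $CaConfig -view -restrict "Disposition=20" `
            -out "RequesterName,CertificateTemplate,SerialNumber,NotAfter" csv |
        Select-Object -Skip 1 |
        ConvertFrom-Csv -Header Requester, Template, Serial, NotAfter

# 2. Count unexpired certificates per requester for this template; a host with more than
#    $MaxPerHost is re-enrolling on every reboot instead of reusing the published one.
$offenders = $rows |
    Where-Object { $_.Template -like "*$TemplateName*" -and [datetime]$_.NotAfter -gt (Get-Date) } |
    Group-Object Requester |
    Where-Object { $_.Count -gt $MaxPerHost } |
    Sort-Object Count -Descending

# 3. For each offender, check whether a matching certificate is actually published on the
#    computer object. The duplicate check can only match certificates present in
#    userCertificate, so a PublishedInAD count of zero explains the churn.
$tplOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'   # v2 / v1 template extensions
foreach ($g in $offenders) {
    $sam  = ($g.Name -split '\\')[-1]                       # "CORP\WS01$" -> "WS01$"
    $comp = Get-ADComputer -Filter "SamAccountName -eq '$sam'" -Properties userCertificate
    $published = @($comp.userCertificate | ForEach-Object {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$_)
        # Format() renders the template extension as text that includes the template name
        $tpl  = ($cert.Extensions | Where-Object { $_.Oid.Value -in $tplOids } |
                 ForEach-Object { $_.Format($false) }) -join ' '
        if ($tpl -like "*$TemplateName*" -and $cert.NotAfter -gt (Get-Date)) { $cert }
    })
    [pscustomobject]@{
        Computer      = $sam
        IssuedByCA    = $g.Count
        PublishedInAD = $published.Count
    }
}
```

A host that shows several certificates issued by the CA but none published in AD points at publication (or the CA's write access to the computer object) rather than at the template's reenrollment flag.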
