I have a CA template for user certificates with the Autoenrollment setting.
I have set up a separate GPO object to activate Credential Roaming.
Both GPO objects are linked to a specific OU.
In AD I see the attributes ms-PKI-AccountCredentials and msPKIDPAPIMasterKeys. What I do not understand is that users still get a new certificate enrolled from the CA. I thought that when a user is under the Credential Roaming policy, he or she will not get a new certificate until that certificate expires.
Do I misunderstand how credential roaming works with autoenrollment?
Follow-up: I add:
The Do not automatically re-enroll if a duplicate certificate exists in Active Directory option is applied when the subject attempts to enroll for a certificate based on this template from a computer running Windows XP or later. With this option, certificate autoenrollment will not submit a re-enrollment request if a duplicate certificate exists in Active Directory Domain Services (AD DS). This allows certificates to be renewed but prevents multiple duplicate certificates from being issued.
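An added check (not part of the original post) for the behaviour described above: it reads the template's msPKI-Enrollment-Flag from the Configuration partition to see whether the duplicate check is actually enabled on the template and whether the template publishes certificates to AD at all, since the duplicate check can only match against certificates stored in the user's userCertificate attribute. It assumes the RSAT ActiveDirectory module; $TemplateName and $SamAccountName are placeholders.

```powershell
# Added example: verify the template flags behind "Do not automatically re-enroll
# if a duplicate certificate exists in Active Directory" and list what AD already
# holds for one user. $TemplateName / $SamAccountName are placeholders.
Import-Module ActiveDirectory

$TemplateName   = 'MyUserTemplate'   # placeholder: the template's CN in AD
$SamAccountName = 'jdoe'             # placeholder: an affected user

# Bit values of msPKI-Enrollment-Flag as documented in MS-CRTD section 2.26.
$CT_FLAG_PUBLISH_TO_DS                             = 0x00000008
$CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE = 0x00000010   # the duplicate check
$CT_FLAG_AUTO_ENROLLMENT                           = 0x00000020

# Certificate templates live in the Configuration naming context.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$container = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

$tpl = Get-ADObject -SearchBase $container -LDAPFilter "(cn=$TemplateName)" `
                    -Properties 'msPKI-Enrollment-Flag'
if (-not $tpl) { throw "Template '$TemplateName' not found under $container" }

$flags = [int]$tpl.'msPKI-Enrollment-Flag'

# If SkipIfDuplicateInAD is $true but PublishToAD is $false, the check has
# nothing to compare against and autoenrollment keeps issuing certificates.
[pscustomobject]@{
    Template            = $tpl.Name
    EnrollmentFlagHex   = ('0x{0:X8}' -f $flags)
    AutoEnrollment      = [bool]($flags -band $CT_FLAG_AUTO_ENROLLMENT)
    PublishToAD         = [bool]($flags -band $CT_FLAG_PUBLISH_TO_DS)
    SkipIfDuplicateInAD = [bool]($flags -band $CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE)
} | Format-List

# Certificates already published in AD for the user: this is the only set the
# duplicate check can match against.
$user = Get-ADUser $SamAccountName -Properties userCertificate
foreach ($raw in $user.userCertificate) {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
}
```

Compare the listed certificates with the user's local Personal store; a template that is autoenrolled but not published to AD will show no entries here even though new certificates keep being issued.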