I have just configured Credential Roaming and Autoenrollment on the Windows Server 2008 - Enterprise CA – for every user in the Domain
Indeed when a user logs in for the first time certificates are generated, as can be seen in their AD account.
However, I see 2 entries in the user’s ms-PKI-DPAPIMasterKeys and ms-PKI-AccountCredentials AD attributes. Please can anyone explain why this is?