Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Misleading Autoenrollment Settings in Group Policy Management Console and Gpedit Tool

Misleading Autoenrollment Settings in Group Policy Management Console and Gpedit Tool

Symptoms

You open the Default Domain Policy with GPEDIT.MSC on a Windows Server 2003 computer with the Group Policy Management Console (GPMC) and review the default settings for Autoenrollment under one of the following locations:

Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Autoenrollment Settings

User Configuration/Windows Settings/Security Settings/Public Key Policies/Autoenrollment Settings

As a default, the setting "Enroll certificates automatically" setting is shown as "Enabled" and the two options "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates" are shown as "Disabled".

The Default Domain Policy HTML Settings report in GPMC shows the same settings.

Even if the autoenrollment option is shown as "Enabled", it is not present on the domain clients. You will not find the registry key in computer or user portion of the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Autoenrollment
Value Name: AEPolicy
Value Type: REG_DWORD
Value Data: 0

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Cryptography\Autoenrollment
Value Name: AEPolicy
Value Type: REG_DWORD
Value Data: 0

Also, a Group Policy Results HTML RSOP report from GPMC does not show the setting on a target computer either.

↑ Back to the top

Cause

The HTML Settings Report from GPMC as well as the GPEDIT.MSC UI in Windows Server 2003 is misleading. It shows the Autoenrollment setting as "Enabled" in the Default Domain Policy, even if it is not set. At this time, the registry.pol file of the Default Domain Policy does not contain the AEPolicy Registry value.

If you open the setting in GPEDIT.MSC and do not click "OK" to close the UI dialog, the setting will not be written into the registry.pol file of the Default Domain Policy.

↑ Back to the top

Resolution

There are two possible workarounds:

  1. Open the Default Domain Policy, navigate to the relevant location below:

    Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Autoenrollment Settings

    User Configuration/Windows Settings/Security Settings/Public Key Policies/Autoenrollment Settings

    Now you can define the settings you want to apply (e.g. “Enroll certificates automatically”) and click “OK” instead of clicking “Cancel”. This will result in a change of the registry.pol file and the autoenrollment settings will apply.

    This is the recommended workaround since it results in a consistent behavior on the client, in the GPMC report and in the Gpedit.msc UI.

  2. Alternatively you can create another GPO with the necessary autoenrollment settings and link it to the domain or organizational unit where you want it to apply. You have to set the GPO priority higher than the Default Domain Policy in order for it to apply. If the Default Domain Policy is set to be enforced, you have to enforce the new GPO also.

↑ Back to the top

More Information

This issue is fixed beginning with Windows Server 2008 GPMC and GPEDIT.MSC.

↑ Back to the top

Keywords: vkball, kb

↑ Back to the top

Article Info
Article ID : 2018984
Revision : 1
Created on : 1/8/2017
Published on : 3/18/2010
Exists online : False
Views : 141