Misleading Autoenrollment Settings in Group Policy Management Console and Gpedit Tool


Symptoms


You open the Default Domain Policy with GPEDIT.MSC on a Windows Server 2003 computer that has the Group Policy Management Console (GPMC) installed, and review the default Autoenrollment settings under one of the following locations:

Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Autoenrollment Settings

User Configuration/Windows Settings/Security Settings/Public Key Policies/Autoenrollment Settings

By default, the "Enroll certificates automatically" setting is shown as "Enabled", and the two options "Renew expired certificates, update pending certificates, and remove revoked certificates" and "Update certificates that use certificate templates" are shown as "Disabled".

The Default Domain Policy HTML Settings report in GPMC shows the same settings.

Even though the autoenrollment option is shown as "Enabled", it is not present on the domain clients. You will not find the following registry value in either the computer or the user portion of the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Autoenrollment
Value Name: AEPolicy
Value Type: REG_DWORD
Value Data: 0

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Cryptography\Autoenrollment
Value Name: AEPolicy
Value Type: REG_DWORD
Value Data: 0

A Group Policy Results (RSOP) HTML report from GPMC does not show the setting on a target computer either.
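The following PowerShell script is an added example, not part of the original article: run on a domain client, it reports whether the AEPolicy value the article names is actually present in the computer and user hives, which is the authoritative test when the GPMC report and the client disagree. The key and value names come from the article; the meanings attached to the non-zero bit values are an assumption taken from the Windows autoenrollment flag definitions and are marked as such in the code.

```powershell
# Added example (not from the original article): report whether the
# autoenrollment policy actually reached this client. Key and value names are
# the ones the article lists; bit meanings for non-zero values are assumed.
$AutoenrollmentPaths = @{
    Computer = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Autoenrollment'
    User     = 'HKCU:\SOFTWARE\Policies\Microsoft\Cryptography\Autoenrollment'
}

function Get-AutoenrollmentState {
    foreach ($scope in $AutoenrollmentPaths.Keys) {
        $path  = $AutoenrollmentPaths[$scope]
        $value = $null
        if (Test-Path -Path $path) {
            # A missing value is a non-terminating error; suppress it and treat as absent.
            $item = Get-ItemProperty -Path $path -Name 'AEPolicy' -ErrorAction SilentlyContinue
            if ($item) { $value = [int]$item.AEPolicy }
        }

        if ($null -eq $value) {
            # Key or value missing: nothing was written to registry.pol, no matter
            # what the GPMC report or GPEDIT.MSC shows for the Default Domain Policy.
            $state   = 'Not configured (policy never written)'
            $display = '<absent>'
        }
        elseif ($value -band 0x8000) {
            # 0x8000 is assumed to be the "disable autoenrollment" flag.
            $state   = 'Disabled'
            $display = '0x{0:X}' -f $value
        }
        else {
            # 0 = "Enroll certificates automatically" with both sub-options off,
            # which is the Value Data the article shows once the policy applies.
            $options = @()
            if ($value -band 0x1) { $options += 'template check' }       # assumed flag
            if ($value -band 0x2) { $options += 'My store management' }  # assumed flag
            if ($value -band 0x4) { $options += 'pending fetch' }        # assumed flag
            $state   = if ($options) { 'Enabled: ' + ($options -join ', ') } else { 'Enabled (no sub-options)' }
            $display = '0x{0:X}' -f $value
        }

        [pscustomobject]@{
            Scope    = $scope
            Path     = $path
            AEPolicy = $display
            State    = $state
        }
    }
}

Get-AutoenrollmentState | Format-Table -AutoSize
```

Running this after a `gpupdate /force` on a client is the quickest way to confirm whether the value reported as "Enabled" by GPMC was ever delivered; an `<absent>` row for a client that GPMC says is in scope reproduces the symptom described above.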

Cause


The HTML Settings Report in GPMC and the GPEDIT.MSC UI in Windows Server 2003 are misleading: they show the Autoenrollment setting as "Enabled" in the Default Domain Policy even though it has never been configured. In this state, the registry.pol file of the Default Domain Policy does not contain the AEPolicy registry value.

If you open the setting in GPEDIT.MSC and close the dialog without clicking "OK", the setting is not written to the registry.pol file of the Default Domain Policy.

Resolution


There are two possible workarounds:

  1. Open the Default Domain Policy, navigate to the relevant location below:

    Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Autoenrollment Settings

    User Configuration/Windows Settings/Security Settings/Public Key Policies/Autoenrollment Settings

    Now define the settings you want to apply (for example, "Enroll certificates automatically") and click "OK" instead of "Cancel". This changes the registry.pol file, and the autoenrollment settings will apply.

    This is the recommended workaround since it results in a consistent behavior on the client, in the GPMC report and in the Gpedit.msc UI.

  2. Alternatively, create another GPO with the necessary autoenrollment settings and link it to the domain or organizational unit where you want it to apply. You have to give the new GPO a higher link priority than the Default Domain Policy for it to take effect. If the Default Domain Policy is enforced, you must enforce the new GPO as well.
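To verify that either workaround actually produced the value (rather than trusting the GPMC report again), the following PowerShell function is an added example, not part of the original article: it opens a GPO's registry.pol from SYSVOL and reports whether an AEPolicy record is present and what DWORD it carries. The record layout it walks is the registry.pol format (a "PReg" header followed by UTF-16LE records of the form [KeyPath;ValueName;Type;Size;Data]); the SYSVOL path in the usage comment is a placeholder you substitute with your domain and GPO GUID.

```powershell
# Added example (not from the original article): read a GPO's registry.pol and
# report whether it carries the AEPolicy value, which is what workaround 1
# produces once "OK" is clicked. Layout: 8-byte header ("PReg" + version),
# then UTF-16LE records [KeyPath;ValueName;Type;Size;Data] with ';' separators.
function Get-RegistryPolAEPolicy {
    param(
        # Path of the registry.pol to inspect, for example (placeholder path):
        # \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\registry.pol
        # Use the User subfolder to inspect the user portion of the policy.
        [Parameter(Mandatory)] [string] $PolFile
    )

    if (-not (Test-Path -Path $PolFile)) {
        return [pscustomobject]@{ File = $PolFile; Present = $false; AEPolicy = $null
                                  Note = 'registry.pol does not exist (nothing written yet)' }
    }

    $bytes = [System.IO.File]::ReadAllBytes($PolFile)
    if ($bytes.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($bytes, 0, 4) -ne 'PReg') {
        throw "$PolFile is not a registry.pol file"
    }

    # Decode the body so the record can be located; string fields are NUL-terminated.
    # The key path is stored without the hive prefix; Machine\ vs User\ decides the hive.
    $body   = [System.Text.Encoding]::Unicode.GetString($bytes, 8, $bytes.Length - 8)
    $needle = 'SOFTWARE\Policies\Microsoft\Cryptography\Autoenrollment' + [char]0 + ';AEPolicy' + [char]0 + ';'
    $index  = $body.IndexOf($needle, [System.StringComparison]::OrdinalIgnoreCase)

    if ($index -lt 0) {
        # The value is simply absent, the state the article describes for an
        # untouched Default Domain Policy that GPMC nevertheless reports as "Enabled".
        return [pscustomobject]@{ File = $PolFile; Present = $false; AEPolicy = $null
                                  Note = 'AEPolicy not in registry.pol' }
    }

    # Convert the character index back to a byte offset (2 bytes per UTF-16 char
    # plus the 8-byte header) and read the fixed-size fields that follow the names:
    # Type (4 bytes) ';' Size (4 bytes) ';' Data (Size bytes) ']'
    $offset = 8 + ($index + $needle.Length) * 2
    $type   = [System.BitConverter]::ToUInt32($bytes, $offset)
    $size   = [System.BitConverter]::ToUInt32($bytes, $offset + 4 + 2)
    $data   = $null
    if ($type -eq 4 -and $size -eq 4) {   # REG_DWORD
        $data = [System.BitConverter]::ToUInt32($bytes, $offset + 4 + 2 + 4 + 2)
    }
    $display = if ($null -ne $data) { '0x{0:X}' -f $data } else { "<non-DWORD type $type>" }

    [pscustomobject]@{
        File     = $PolFile
        Present  = $true
        AEPolicy = $display
        Note     = 'AEPolicy written; clients receive it on the next policy refresh'
    }
}

# Usage (placeholder path; substitute your domain and the GPO's GUID folder):
# Get-RegistryPolAEPolicy -PolFile '\\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\Machine\registry.pol'
```

A `Present = $false` result for the Default Domain Policy while GPMC shows "Enabled" is exactly the mismatch this article describes; after workaround 1 the function should return `Present = $true` with `AEPolicy = 0x0` for the default options, and after workaround 2 the same check against the new GPO's folder confirms it will win over the Default Domain Policy only if its link order and enforcement are set as described.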

More Information


This issue is fixed beginning with Windows Server 2008 GPMC and GPEDIT.MSC.