CEP policy is displayed incorrectly in GPO reporting in Windows

Applies to: Windows Server 2012 R2 DatacenterWindows Server 2012 R2 EssentialsWindows Server 2012 R2 Standard More


In Group Policy Object (GPO) reporting, Certificate Enrollment Policy (CEP) is incorrectly displayed under Extra Registry Settings.


To enable client-side Certificate Enrollment Policy / Certificate Enrollment Service (CEP/CES), you must set CEP policies in a GPO. The settings are located in the following paths:

  • Computer Configuration > Windows Settings > Security Settings > Public Key Policies
  • User Configuration > Windows Settings > Security Settings > Public Key Policies

In both locations, the Policy Name value is displayed as Certificate Services Client - Certificate Enrollment Policy.

More information

When you use the gpresult or gpmc command to view GPO reporting, you notice that the settings are displayed under Extra Registry Settings instead of in the Certificate Services Client - Certificate Enrollment Policy area.

See the following screen shots for details.

  • The CEP/CES policy as it is configured in a GPO.

How and where CEP/CES GPO is configured in GPO


  • The GPReporting screen when the issue occurs. This screen displays output from the gpresult command. The settings are displayed in different places than the one in which they are initially configured in a GPO.

GPReporting from the gpresult command


  • Group Policy Management Console (GPMC) when you use the gpmc command to display the settings.

Gpmc Settings