Issue with certificate renewal via autoenrollment

Shaan 41 Reputation points

Hi All,

We have configured autoenrollment of certificates via GPO to issue the email encryption certificates. But recently we have started observing issues with renewal of the certificate. When the previously issued certificate is in its renewal window we see the certificate getting renewed in the CA, but it is not installed on the user's machine. Hence, we have to recover the new certificate from the CA database and hand it over to the users. Since the old certificate has reached its renewal window, as part of Microsoft's default behavior the old certificate is marked as "archived" and users are not able to send new encrypted email until we provide the PFX file manually.

Could you please help me to identify why the renewed certificate is not installing on the user machines automatically?


Accepted answer
  1. cthivierge 3,981 Reputation points

    Look in the Applications and Services Logs / Microsoft / Windows / CertificateServicesClient-Lifecycle-User on the client computer. You may have more information there.

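A PowerShell snippet that collects what the accepted answer asks for, run in the affected user's own session on the client. This is an added example, not code from the thread or from Microsoft. It assumes that the Event Viewer folder named above is backed by the standard channel name `Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational`, and it uses the .NET `X509Store` class because the `Cert:` drive hides archived certificates, which is exactly the state the question describes.

```powershell
# Added diagnostic example (not from the thread). Run as the affected user on the client.
# Assumption: the channel below is the one shown in Event Viewer as
# Applications and Services Logs / Microsoft / Windows / CertificateServicesClient-Lifecycle-User.
$Channel = 'Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational'

# 1. Recent lifecycle events for this user: renewal-window notices, newly installed
#    certificates and archival of superseded ones all land here.
Get-WinEvent -LogName $Channel -MaxEvents 50 -ErrorAction Stop |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 2. List the user's personal store INCLUDING archived certificates, so the old
#    (archived) email certificate and any renewed one can be compared side by side.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly -bor
            [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived)
try {
    $store.Certificates | ForEach-Object {
        $cert = $_
        # Template information is carried in the v2 (1.3.6.1.4.1.311.21.7)
        # or v1 (1.3.6.1.4.1.311.20.2) certificate template extension.
        $tmpl = $cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
            ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            Archived      = $cert.Archived       # $true for the superseded certificate
            HasPrivateKey = $cert.HasPrivateKey  # renewed cert without a key cannot decrypt
            Thumbprint    = $cert.Thumbprint
            Template      = ($tmpl -join '; ')
        }
    } | Sort-Object NotAfter -Descending | Format-Table -AutoSize
}
finally {
    $store.Close()
}

# 3. Trigger user autoenrollment now and re-read the log, so the failure (if any)
#    is captured with a fresh timestamp rather than waiting for the next GPO cycle.
certutil -pulse
Start-Sleep -Seconds 10
Get-WinEvent -LogName $Channel -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If step 2 shows the renewed certificate present but with `HasPrivateKey` false, or shows only the archived one, the events from step 3 are the place to look for the reason the enrollment response was not installed.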

1 additional answer

  1. Limitless Technology 37,771 Reputation points

    Hello @Shaan ,

    Before you perform this procedure, you must configure a server certificate template by using the Certificate Templates Microsoft Management Console snap-in on a CA that is running AD CS.

    Membership in both the Enterprise Admins and the root domain's Domain Admins group is the minimum required to complete this procedure.

    Please do check the CertificateServicesClient-Lifecycle-User log under the Applications and Services Logs for more information and a better understanding.

    Do have a look at the below link for ideas about configuring certificate auto-enrollment.


    Hope this answers all your queries, if not please do repost back.
    If an Answer is helpful, please click "Accept Answer" and upvote it : )
