![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 43%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMC%3C/text%3E%3C/svg%3E)
what is differet between auto-enrollment(template auto-enroll), automatic certificate request in GPO? their result almost the same
automatic certificate request (ACR) is a first implementation of autoenrollment which was added in Windows 2000. ACR limits to V1 certificate templates (which you cannot modify) and machine subject. You cannot use ACR to deploy user certificates, for example.
Autoenrollment is a 2nd generation of Microsoft automatic certificate enrollment engine (which is current) and supports newer certificate templates.
but move the object to OU will make it works, is it a must to make a computer object into OU? for making group policy works?
yes. GPOs apply to DS containers and end entity objects inside the container (OU), i.e. users and computers. GPO doesn't apply to groups inside container, because they are not entities. Thus, you need to carefully plan your DS structure and GPO management keeping in mind how GPO is applied.