These are the enrollment policy registry keys taken from a reference machine. You set up a reference computer with Manage Enrollment Policies (in mmc, add the Certificates snap-in for the Computer account, then go to Personal, Certificates, All Tasks, Advanced Operations, and set up the enrollment policy there), export those reg keys, and then automate the import on your client machines.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\PolicyServers]
@=""
"Flags"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\PolicyServers\54317f2ebe81a09c15eeb976a6cead1b98353dff]
"URL"="https://server.external.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP"
"PolicyID"="{2BEEB86C-F2C8-8C63-796C-0B593C1F6BA5}"
"FriendlyName"="DOMAIN.COM"
"Flags"=dword:00000020
"AuthFlags"=dword:00000004
"Cost"=dword:7ffffffd
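One way to automate that import on the clients with PowerShell instead of shipping the .reg file. This is an added example, not part of the original post; it reuses the subkey id, URL, PolicyID and FriendlyName from the export above as placeholders, which you replace with the values from your own reference machine.

```powershell
# Added example: register the CEP policy server on a client and verify the result.
# The subkey id, URL, PolicyID and FriendlyName below are the values from the
# export above and stand in for your own exported values.
$policyServers = 'HKLM:\SOFTWARE\Microsoft\Cryptography\PolicyServers'
$serverId      = '54317f2ebe81a09c15eeb976a6cead1b98353dff'   # subkey name from your export
$serverKey     = Join-Path $policyServers $serverId

$policy = @{
    URL          = 'https://server.external.com/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP'
    PolicyID     = '{2BEEB86C-F2C8-8C63-796C-0B593C1F6BA5}'
    FriendlyName = 'DOMAIN.COM'
    Flags        = 0x20        # 0x32 instead enables auto-enrollment renewal (see notes below)
    AuthFlags    = 0x4         # username/password authentication to the CEP endpoint
    Cost         = 0x7ffffffd
}

# The CEP endpoint receives domain credentials, so refuse anything that is not HTTPS.
if ($policy.URL -notmatch '^https://') {
    throw "Policy server URL must use HTTPS: $($policy.URL)"
}

# Parent key with the (Default) value and Flags exactly as in the export.
New-Item -Path $policyServers -Force | Out-Null
Set-ItemProperty -Path $policyServers -Name '(default)' -Value ''
New-ItemProperty -Path $policyServers -Name 'Flags' -PropertyType DWord -Value 0 -Force | Out-Null

# Per-server subkey: string values first, then the DWORD values.
New-Item -Path $serverKey -Force | Out-Null
foreach ($name in 'URL', 'PolicyID', 'FriendlyName') {
    New-ItemProperty -Path $serverKey -Name $name -PropertyType String -Value $policy[$name] -Force | Out-Null
}
foreach ($name in 'Flags', 'AuthFlags', 'Cost') {
    New-ItemProperty -Path $serverKey -Name $name -PropertyType DWord -Value $policy[$name] -Force | Out-Null
}

# Read everything back and compare, so a typo or a stale value from an earlier run is caught.
$actual = Get-ItemProperty -Path $serverKey
foreach ($name in $policy.Keys) {
    if ($actual.$name -ne $policy[$name]) {
        throw "Registry value '$name' is '$($actual.$name)', expected '$($policy[$name])'"
    }
}
Write-Host "Policy server '$($policy.FriendlyName)' registered; confirm with: certutil -policy"
```

Run it elevated (the key lives under HKLM); `certutil -policy` afterwards shows what the client actually resolved from the new entry.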
Notes
Enable auto enrollment renewal
"Flags"=dword:00000032
Delete existing enrollment server URL
certutil -config "{CA Config String}" -enrollmentServerURL https://server.external.com/CA1_CES_UsernamePassword/service.svc/CES delete
To add the enrollment service URI to the CA Enrollment Services in AD
certutil -config "{cahostname.domain.com}\{caname}" -enrollmentServerURL https://server.external.com/Domain-CA_CES_UsernamePassword/service.svc/CES
To display CA Enrollment Services object attributes (including the enrollment service URI)
certutil -adca
To display enrollment policy data including general certificate enrollment web service configuration details
certutil -policy
Display existing enrollment server URIs
certutil -config "{CA Config String}" -enrollmentServerURL