When using PKI certificates, Microsoft recommends using the Auto-enrollment method to enroll the client authentication certificate, yet they also state Group Policy is disabled while the Task Sequence is running, so obviously the system will not enroll the cert the first time the computer reboots after joining the domain or any other restart steps, since that occurs during the TS while GP processing is disabled. That also means the cert will still not be enrolled when the client is installed during the "Setup Windows and ConfigMgr" step; therefore the client doesn't really become fully operational until the Task Sequence actually completes and Group Policy processing is enabled, which will occur within 90 minutes (GP refresh) after the TS completes. Can someone confirm this is true, that auto cert enrollment will not occur until after the TS completes?
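One way to observe the state described in the question on a given machine, as an added example that is not part of the original post: the PowerShell below reports whether a task sequence is currently executing and whether a client authentication certificate is present in the computer's Personal store. The function names are hypothetical, and it assumes the certificate template sets an explicit Client Authentication EKU.

```powershell
# Added example (not from the original post). Run elevated, either as a
# "Run PowerShell Script" step inside the task sequence or after it completes.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-TaskSequenceRunning {
    # The Microsoft.SMS.TSEnvironment COM object can only be created
    # while a task sequence is executing.
    try {
        $null = New-Object -ComObject Microsoft.SMS.TSEnvironment -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Get-ClientAuthCertificate {
    # Unexpired certificates in the computer store that have a private key
    # and an explicit Client Authentication EKU. Certificates with no EKU
    # extension at all (valid for all purposes) are not matched (assumption).
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
        }
}

$certs = @(Get-ClientAuthCertificate)

# One record per run, so results from different stages can be compared.
[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    TaskSequenceRunning = Test-TaskSequenceRunning
    ClientAuthCertCount = $certs.Count
    Thumbprints         = $certs.Thumbprint -join ','
    CheckedAt           = Get-Date
}
```

Comparing the output from a run inside the task sequence with a run after it completes shows at which point the certificate actually appears.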