Autoenrollment is a process where you can use group policy to automatically enroll users, computers, and devices for certificates.
Certificate autoenrollment has been around since Server 2003, but is one of those features that not everyone is aware of. The basics are that you configure a certificate template to enable it for autoenrollment, and then you configure group policy to autoenroll specific certificates.
Beyond simplifying the process of deploying certificates, another advantage of the process is that you can use it to automatically upgrade and renew certificates. Once you’ve upgraded your CAs from Server 2003 to Server 2012 R2, you can also upgrade your certificate templates. Windows Server 2012 R2 CAs can issue certificates that use a template designed for Server 2003, but if you upgrade the certificate template to one that is only compatible with Server 2012 R2 CAs, you can leverage more advanced certificate features.
You can only automatically upgrade and renew certificates that you’ve deployed via autoenrollment. It’s certainly worth doing this because it allows you to quickly alter certificate properties should that become necessary, rather than revoking certificates and going through the renewal process manually. For example, you could configure the CA with updated CDP (CRL distribution point) properties and then trigger a set of certificate renewals that would ensure that all the new certificates were checking the new CDP location rather than the old one – making CDP migration quite a lot simpler.
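As an added example (not code from the original post), this PowerShell audit shows what the Auto-Enrollment group policy has actually applied on a machine and which templates grant the Autoenroll right to which principals, together with each template's version, which is what a "Reenroll All Certificate Holders" action bumps to trigger the renewals described above. It assumes a domain-joined host with the RSAT ActiveDirectory module and read access to the Configuration partition; the registry key, the 0x8000 disable bit and the Autoenroll right GUID are the documented values, and `Options` is just the remaining GPO option bits reported raw.

```powershell
# Added example: audit autoenrollment policy and template Autoenroll grants.
# Assumes RSAT ActiveDirectory module and a domain-joined host.
Import-Module ActiveDirectory

$AEKey          = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
$AutoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # "Autoenroll" extended right

# What the "Certificate Services Client - Auto-Enrollment" GPO left in the registry.
function Get-AutoenrollmentPolicy {
    $p = Get-ItemProperty -Path $AEKey -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $p) { return [pscustomobject]@{ State = 'NotConfigured'; Options = 0 } }
    $v = [int]$p.AEPolicy
    [pscustomobject]@{
        State   = if ($v -band 0x8000) { 'Disabled' } else { 'Enabled' }
        Options = $v -band 0x7FFF    # renew/update option bits, reported raw
    }
}

# Templates whose ACL allows autoenrollment (explicit Autoenroll ACE, all
# extended rights, or GenericAll), plus the major.minor template version.
function Get-AutoenrollTemplates {
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $ext  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $all  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    Get-ADObject -SearchBase $base -Filter "objectClass -eq 'pKICertificateTemplate'" `
        -Properties nTSecurityDescriptor, revision, 'msPKI-Template-Minor-Revision' |
    ForEach-Object {
        $t = $_
        $t.nTSecurityDescriptor.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                $_.ActiveDirectoryRights.HasFlag($all) -or
                ($_.ActiveDirectoryRights.HasFlag($ext) -and
                 ($_.ObjectType -eq $AutoenrollGuid -or $_.ObjectType -eq [guid]::Empty)))
        } |
        ForEach-Object {
            [pscustomobject]@{
                Template  = $t.Name
                Principal = $_.IdentityReference.Value
                Version   = "$($t.revision).$($t.'msPKI-Template-Minor-Revision')"
            }
        }
    }
}

Get-AutoenrollmentPolicy
Get-AutoenrollTemplates | Sort-Object Template, Principal | Format-Table -AutoSize
```

Running `certutil -pulse` on a client afterwards forces an autoenrollment pass without waiting for the next policy refresh, which is a quick way to confirm that a template version bump actually results in renewed certificates.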