Hello RogerHendrikse-7977,
Thank you for posting here.
When on the VPN, we can check whether the certificate auto-enrollment will occur.
1. Configure the computer certificate autoenrollment GPO as above and link the GPO to an OU with test machines.
2. Take one test machine out of the LAN network and connect this domain-joined machine to the VPN.
3. Run gpupdate /force, or wait 90 to 120 minutes, to see if the certificate auto-enrollment will occur.
4. If it does not work, we can run gpresult /h to check if we can see the computer certificate autoenrollment GPO.
(1) Log on to this test machine over the VPN as a domain administrator.
(2) Open CMD (run as Administrator).
(3) Type gpresult /h C:\enroll.html and press Enter.
(4) Open enroll.html to check if we can see the certificate autoenrollment GPO settings under "Computer Details".
Tips:
1. Check the schema version of the test certificate template (we can use 2).
2. Ensure we have checked the Read, Enroll and Autoenroll permissions on the test certificate template.
Meanwhile, for the beginning of the certificate renewal, we can see:
Renewal. This is the most misunderstood part of the auto-enroll process. Every certificate issued has a renewal period as part of the template. This does not necessarily mean that the certificate will renew at the exact beginning of that period. For renewal of auto-enrolled certificates, two time frames exist before the action is taken.
First, the certificate has to have completed 80% of its validity period and be within the renewal period. So, as an example, a certificate that is valid for 1 year reaches the 80% mark at around 41.5 weeks, and if the cert has a 6-week renewal period, then the renewal would happen at the 46-week point. So this would happen during the renewal period.
If the validity period is 6 months, the 80% mark would be week 21, but the renewal period would begin at week 20.
Reference:
Tips for Certificate Auto-Enrollment Issuance
https://blog.keyfactor.com/certificate-auto-enrollment-issuance
Best Regards,
Daisy Zhou
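An added example (not part of Daisy Zhou's answer or the referenced Keyfactor post): a PowerShell script that applies the two renewal rules above (80% of validity elapsed AND inside the template's renewal period) to the machine certificates on a test VPN client, so you can tell whether "no renewal yet" is expected or a sign the GPO is not applying. The renewal period (6 weeks) and template name ('Machine') are assumed parameters; read the real values from your template.

```powershell
# Assumptions: 6-week renewal period and template display name 'Machine'
# (both constructed defaults; override to match your template).
param(
    [TimeSpan]$RenewalPeriod = (New-TimeSpan -Days 42),
    [string]$TemplateName = 'Machine'
)

function Get-RenewalEligibility {
    param([datetime]$NotBefore, [datetime]$NotAfter,
          [TimeSpan]$RenewalPeriod, [datetime]$Now = (Get-Date))
    $validity      = $NotAfter - $NotBefore
    # Rule 1: 80% of the validity period must have elapsed.
    $eightyPercent = $NotBefore.AddTicks([long]($validity.Ticks * 0.8))
    # Rule 2: the current time must be inside the renewal period before expiry.
    $windowStart   = $NotAfter - $RenewalPeriod
    # Both must hold, so the earliest renewal is the later of the two instants.
    $earliest      = if ($eightyPercent -gt $windowStart) { $eightyPercent } else { $windowStart }
    [pscustomobject]@{
        EightyPercentMark  = $eightyPercent
        RenewalWindowStart = $windowStart
        EarliestRenewal    = $earliest
        EligibleNow        = ($Now -ge $earliest)
    }
}

# Worked check with the post's own figures (constructed dates, not real certificates):
$start = Get-Date '2024-01-01'
# 1-year cert, 6-week renewal: window start (week ~46) is later than the 80% mark (week ~41.7).
Get-RenewalEligibility -NotBefore $start -NotAfter $start.AddDays(365) -RenewalPeriod (New-TimeSpan -Days 42)
# 6-month cert, 6-week renewal: the 80% mark (week ~20.8) is later than the window start (week 20).
Get-RenewalEligibility -NotBefore $start -NotAfter $start.AddDays(182) -RenewalPeriod (New-TimeSpan -Days 42)

# Live check: machine certificates issued from the named template. The template is
# recorded in the v1 (1.3.6.1.4.1.311.20.2) or v2+ (1.3.6.1.4.1.311.21.7) extension.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Extensions | Where-Object {
            ($_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7') -and
            ($_.Format($false) -like "*$TemplateName*")
        }
    } |
    ForEach-Object {
        $e = Get-RenewalEligibility -NotBefore $_.NotBefore -NotAfter $_.NotAfter -RenewalPeriod $RenewalPeriod
        [pscustomobject]@{
            Subject = $_.Subject; Thumbprint = $_.Thumbprint; NotAfter = $_.NotAfter
            EarliestRenewal = $e.EarliestRenewal; EligibleNow = $e.EligibleNow
        }
    } | Format-Table -AutoSize
```

If a certificate shows EligibleNow = True but still has not renewed after the GPO is confirmed in the gpresult report, run certutil -pulse from the same elevated prompt to trigger an autoenrollment pass immediately instead of waiting for the next refresh interval.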