How to change the Windows 7 AutoRenewal Interval Default of 8 hours

  • Question

  • I have AD CS configured for workstation Auto Enrollment. In our Lab scenario we have set the Certificate life time of a workstation certificate to 4 hours with a renewal period of 3 hours. I noticed that the certificate is only renewed at a fixed period of 8 hours, which leaves us with a "blank" spot of 4 hours.

    I cannot find any setting that changes this behavior. I tried the GPO refresh interval, changed MaxNoGPOListChangesInterval, and changed “Process even if the Group Policy objects have not changed” to “Enabled”. Nothing seems to work.

    We are implementing an 802.1x strategy and we noticed that if a portable PC leaves the office before renewal and comes back with an expired certificate, it takes a very long time before the certificate is automatically renewed, leaving the user an unacceptable amount of time in the "guest" VLAN.

    I think the 2 problems are related. 

    How can I change this 8 hour default and is this standard behavior?

    Thursday, May 24, 2012 2:57 PM

Answers

  • Autoenrollment client on Vista+ is hosted in task host. You can modify triggers and intervals using task scheduler. Do the following [on Win7]:

    Start mmc
    Add Task Scheduler for local machine
    Expand: Task Scheduler(Local) -> Task Scheduler Library -> Microsoft -> Windows -> CertificateServicesClient
    Three tasks appear on the right. 2 are for autoenrollment [user and machine]. One is for roaming.
    You can right-click on a task and go to Properties.
    On the Triggers tab, you can edit a trigger and change the repeat time.

    I know the test team tests with the default settings so I'm not sure if this will actually work. I have not tried it either; but I think it is ok.

    Good Luck,

    Andrew

    • Marked as answer by rudy devries Friday, May 25, 2012 6:53 AM
    Thursday, May 24, 2012 5:36 PM
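
A scripted equivalent of the Task Scheduler steps in the answer above, added here as an illustration and not part of the original thread: it lists the triggers of the tasks under CertificateServicesClient and, when given an ISO 8601 interval, updates the triggers that already repeat. It assumes an elevated PowerShell session, uses the Schedule.Service COM object because Windows 7 has no ScheduledTasks cmdlets, and the `PT1H` value mentioned in the comments is only an example.

```powershell
# Added example: report, and optionally change, the repetition interval of the
# autoenrollment tasks through the Task Scheduler COM API (PowerShell 2.0 compatible).
# Intervals are ISO 8601 durations, e.g. PT8H (8 hours), PT1H (1 hour), PT5M (5 minutes).
param(
    [string]$NewInterval   # assumption: caller-chosen value such as 'PT1H'; omit to only report
)

$folderPath       = '\Microsoft\Windows\CertificateServicesClient'
$TASK_ENUM_HIDDEN = 1   # include hidden tasks when enumerating
$TASK_UPDATE      = 4   # update an existing registration, do not create a new one

$service = New-Object -ComObject Schedule.Service
$service.Connect()
$folder = $service.GetFolder($folderPath)

foreach ($task in $folder.GetTasks($TASK_ENUM_HIDDEN)) {
    $definition = $task.Definition
    $changed    = $false

    foreach ($trigger in $definition.Triggers) {
        $interval = $trigger.Repetition.Interval

        # Emit one row per trigger so the current state is visible before any change.
        New-Object PSObject -Property @{
            Task = $task.Name; TriggerType = $trigger.Type; Interval = $interval
        }

        # Only touch triggers that already repeat; one-shot triggers are left alone.
        # The new interval must stay shorter than the trigger's Repetition.Duration, if set.
        if ($NewInterval -and $interval -and $interval -ne $NewInterval) {
            $trigger.Repetition.Interval = $NewInterval
            $changed = $true
        }
    }

    if ($changed) {
        # Re-register the edited definition under its existing principal.
        $null = $folder.RegisterTaskDefinition($task.Name, $definition, $TASK_UPDATE,
            $null, $null, $definition.Principal.LogonType)
    }
}
```

Run it once without arguments to record the current intervals before changing anything, so the defaults can be restored if the shorter interval causes problems.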

All replies

  • Thanks a lot, I'll let you know how this works out.
    Friday, May 25, 2012 6:58 AM
  • I changed the 8:00h to 5 min. I also changed the delayed start after boot from 10 sec to 1 min. Things are running a lot smoother now.

    The certificate lifetime is still 4 hours and the renewal period is 3 hours. Apparently the certificate is always renewed one hour before expiring. Why is there not a new certificate request every hour?

    Tuesday, May 29, 2012 1:58 PM