2.1.2.2.1 Certificate Enrollment Methods
There are two methods for certificate enrollment: DCOM-based certificate enrollment (Direct enrollment) and Web services-based certificate enrollment (WSTEP enrollment).
DCOM-based certificate enrollment
DCOM-based certificate enrollment uses WCCE for certificate requests. When a CA is operating in enterprise CA mode, it uses the LDAP profile specified in [MS-ADTS] section 3.1.1.3 to obtain a CEP from a domain controller (DC). The CEP is expressed via certificate templates, which are data structures specified in [MS-CRTD], together with certification authority (CA) information.

Figure 7: DCOM-based certificate enrollment
A client computer starts by discovering a policy server. In case of DCOM-based enrollment, the policy server is always a domain controller, discovered as specified in [MS-ADTS] section 6.3.
Web services-based certificate enrollment
Web services-based certificate enrollment, as shown in the following diagram, uses the WSTEP protocol for certificate requests. It uses XCEP to retrieve the CEP.
For the use of XCEP/WSTEP, the Web service address has to be configured out-of-band, for example, manually or by Group Policy.
Certificate enrollment clients can use Group Policy, specifically the GPREG protocol, to obtain policy server endpoints that were configured by the administrator in the enterprise environment. Clients can also use a local configuration store that contains policy server endpoints specific to a particular client. The following diagram shows the certificate enrollment process.

Figure 8: Web services-based certificate enrollment
Based on an organization's security policies, it is possible for the client to use both methods to enroll for certificates. The following diagram shows an example of one such possible deployment.

Figure 9: Deployment of certificate enrollment
In this case, the client computer is a member of a domain where a PKI administrator has configured a CEP by defining some templates and installing an enterprise CA, XCEP server, and WSTEP server. The client computer discovers available CEP servers through Group Policy. In addition, the administrator of the client computer itself needs a certificate for this computer from a third party, and has therefore configured the computer with the policy server endpoint of the third-party server. The client computer can now request certificates based on both policies.
Considering that any client can be configured to work with multiple CEPs, each of which can have multiple policy server endpoints, can define multiple certificate templates, and can be served by multiple issuers, it is clear that enrolling for certificates manually can be a difficult task. The job of autoenrollment is to traverse all of the CEPs and enroll the client for certificates as required.
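The traversal the last paragraph describes, as an added model that is not the Windows autoenrollment implementation and not code from this specification: policy server endpoints delivered by Group Policy and those in the local store are merged, every CEP's autoenrollment templates are visited once, and templates the client already holds a valid certificate for are skipped. The endpoint URLs, CA names and template sets below are constructed sample values modelled on the Figure 9 deployment.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyEndpoint:
    url: str      # DC for the DCOM (WCCE) path, XCEP web service address for WSTEP
    method: str   # "DCOM" or "WSTEP"
    source: str   # "GroupPolicy" (delivered via GPREG) or "LocalStore"

@dataclass
class CEP:
    endpoint: PolicyEndpoint
    templates: dict   # template name -> set of CA names that issue it
    autoenroll: set   # template names the policy flags for autoenrollment

def discover_endpoints(group_policy, local_store):
    """Merge GPREG-delivered endpoints with the client's local store; a URL
    configured in both places collapses to one entry (first source wins)."""
    seen = {}
    for ep in list(group_policy) + list(local_store):
        seen.setdefault(ep.url, ep)
    return list(seen.values())

def plan_autoenrollment(ceps, held_templates):
    """Traverse every CEP; return (template, issuer, method, endpoint) requests,
    skipping templates already held or already queued from an earlier CEP."""
    plan, queued = [], set()
    for cep in ceps:
        for tmpl in sorted(cep.autoenroll):
            issuers = cep.templates.get(tmpl)
            if tmpl in held_templates or tmpl in queued or not issuers:
                continue
            plan.append((tmpl, sorted(issuers)[0], cep.endpoint.method, cep.endpoint.url))
            queued.add(tmpl)
    return plan

# Constructed deployment modelled on Figure 9: one domain reachable over both
# DCOM and WSTEP, plus a third-party WSTEP endpoint from the local store.
DC = PolicyEndpoint("ldap://dc01.corp.example", "DCOM", "GroupPolicy")
CORP_WS = PolicyEndpoint("https://cep.corp.example/CEP", "WSTEP", "GroupPolicy")
THIRD_PARTY = PolicyEndpoint("https://pki.thirdparty.example/CEP", "WSTEP", "LocalStore")
ENDPOINTS = discover_endpoints([DC, CORP_WS], [CORP_WS, THIRD_PARTY])  # CORP_WS listed twice
CEPS = [
    CEP(DC, {"Machine": {"CORP-CA1", "CORP-CA2"}, "Workstation Authentication": {"CORP-CA1"}},
        {"Machine", "Workstation Authentication"}),
    CEP(CORP_WS, {"Machine": {"CORP-CA1"}}, {"Machine"}),
    CEP(THIRD_PARTY, {"ThirdPartyClientAuth": {"TP-ISSUING-CA"}}, {"ThirdPartyClientAuth"}),
]
def example_plan():
    """Client already holds a valid Workstation Authentication certificate."""
    return plan_autoenrollment(CEPS, held_templates={"Workstation Authentication"})
```

Running example_plan() yields one request per missing template: Machine via the DCOM path at the DC, and ThirdPartyClientAuth via WSTEP at the third-party endpoint; the duplicate corporate WSTEP endpoint is collapsed during discovery.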