Hi Izael,
Did some more digging with the product group, and here is a solution for
you.
The following will do the trick:
certutil -setreg policy\RequestDisposition +REQDISP_PENDINGFIRST net
stop certsvc net start certsvc
The certutil command will turn on the REQDISP_PENDINGFIRST but (0x100)
in the following REG_DWORD registry value:
SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<CAName>
\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy
\RequestDisposition
Use a minus sign instead of a plus sign to turn off the bit.
The U/I disables this setting for Enterprise because the template can
typically be used to control this behavior, and because some enrollment
clients may not be able to handle a pending response to an enrollment
request. Making this configuration change makes sense for an Enterprise
Root CA when there are one or more other Enterprise CAs available. You
should also configure the CA to not be able to issue certs for most
templates, so autoenroll clients don’t unnecessarily produce pending
requests.
We don't typically expect a Root CA to be installed as an Enterprise CA,
when a hierarchy of CAs are available in the forest. In such a case, we
would expect the root CA to be installed as an offline Standalone CA in
a physically secure environment with no network access, unless security
was not a major concern.
For more information on why we recommend the offline root, see
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/
operate/ws3pkibp.asp
Brian
