The Certificate Enrollment Policy Web Service allows enrollment clients to retrieve certificate enrollment policies from a Certificate Authority (CA) when the clients are not permitted to access the Domain Controller. After receiving policy information from the Certificate Enrollment Policy Web Service, enrollment clients can then request a certificate from a certificate enrollment service.

The Windows server hosting the Certificate Enrollment Policy Web Service can be the Domain Controller or any other server in the domain. It is recommended that you install and configure the Certificate Enrollment Policy Web Service on a different server than the Domain Controller. The Certificate Enrollment Policy Web Service must be in the same forest as the Domain Controller hosting the certificate templates and enrollment services.
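
A pre-flight check for the placement guidance above, written as an added example that is not part of the original documentation. The forest name `corp.example.com`, the thumbprint placeholder, and the choice of Kerberos authentication are assumptions for illustration.

```powershell
# Added example: placement checks before installing the
# Certificate Enrollment Policy Web Service on this host.
param(
    # Assumption: forest hosting the certificate templates and enrollment services.
    [string]$ExpectedForest = 'corp.example.com',
    # Placeholder: thumbprint of a TLS server certificate in LocalMachine\My.
    [string]$SslThumbprint = '<TLS-CERT-THUMBPRINT>',
    # Without -Install the script only reports the check results.
    [switch]$Install
)

$ErrorActionPreference = 'Stop'

# Win32_ComputerSystem.DomainRole: 0/2 = standalone, 1/3 = domain member,
# 4/5 = backup/primary domain controller.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($role -in 0, 2) {
    throw 'Host is not domain-joined; the service must run on a server in the domain.'
}
if ($role -in 4, 5) {
    # Allowed, but the guidance recommends a separate server.
    Write-Warning 'This host is a Domain Controller; a different server is recommended.'
}

# The service must be in the same forest as the templates and enrollment services.
$forest = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Forest.Name
if ($forest -ne $ExpectedForest) {
    throw "Host is in forest '$forest', expected '$ExpectedForest'."
}
Write-Output "Placement checks passed (DomainRole=$role, Forest=$forest)."

if ($Install) {
    # Reject the placeholder or a malformed value before touching the system.
    if ($SslThumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
        throw 'Provide the 40-hex-character thumbprint of the TLS certificate.'
    }
    if (-not (Test-Path "Cert:\LocalMachine\My\$SslThumbprint")) {
        throw 'TLS certificate not found in LocalMachine\My.'
    }
    Install-WindowsFeature -Name ADCS-Enroll-Web-Pol | Out-Null
    Install-AdcsEnrollmentPolicyWebService -AuthenticationType Kerberos `
        -SSLCertThumbprint $SslThumbprint -Force
}
```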