ADCS Enrollment Policy Web Service

Determine the URI for client access to the CEP service

Connect to the IIS Management Service using the Remote Manager.

Expand the Default Web Site and select the ADPolicyProvider_CEP_* application. This guide assumes that we selected Windows Integrated Authentication as the authentication type, so the application should be named ADPolicyProvider_CEP_Kerberos.
Select Application Settings.

Select Application Settings in the IIS Manager

Supply a Friendly Name and make a note of it; you will need it later.
Record the URI displayed. This is the location clients use to reach the CEP server, and you will need this value to configure Group Policy.
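The same two settings can be read and set from the CEP server with the IIS WebAdministration module instead of the Remote Manager, which is handy when building several CEP servers identically. The script below is an added example and is not part of the original guide or of Microsoft's tooling; it assumes the application is named ADPolicyProvider_CEP_Kerberos under "Default Web Site" and that the Application Settings shown in IIS Manager are the web.config appSettings keys "FriendlyName" and "URI". It also checks the caveat that bites most often at the Validate Server step later: the URI must be HTTPS and its hostname must be present on the certificate bound to the site.

```powershell
# Added example (not from the original guide): read/set the CEP application's
# Friendly Name and URI with WebAdministration instead of IIS Manager.
# Assumptions: application ADPolicyProvider_CEP_Kerberos under "Default Web Site";
# settings live in its web.config <appSettings> under keys "FriendlyName" and "URI".
Import-Module WebAdministration

$AppPath      = 'IIS:\Sites\Default Web Site\ADPolicyProvider_CEP_Kerberos'
$FriendlyName = 'Contoso CEP (Kerberos)'   # constructed sample value

function Get-CepAppSetting {
    param([string]$Key)
    (Get-WebConfigurationProperty -PSPath $AppPath `
        -Filter "/appSettings/add[@key='$Key']" -Name value).Value
}

# Set the Friendly Name that clients will see in their enrollment policy list.
Set-WebConfigurationProperty -PSPath $AppPath `
    -Filter "/appSettings/add[@key='FriendlyName']" -Name value -Value $FriendlyName

$uri = Get-CepAppSetting -Key 'URI'

# CEP is only served over HTTPS; a non-https URI will fail "Validate Server" in the GPO.
if ($uri -notmatch '^https://') {
    Write-Warning "CEP URI is not HTTPS: $uri"
}

# The hostname in the URI must be a DNS name on the site's HTTPS binding certificate,
# otherwise clients reject the server when validating it.
$hostname = ([uri]$uri).Host
$binding  = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
if ($binding) {
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$($binding.certificateHash)" `
                -ErrorAction SilentlyContinue
    if ($cert -and ($cert.DnsNameList.Unicode -notcontains $hostname)) {
        Write-Warning "Certificate bound to Default Web Site does not list $hostname"
    }
} else {
    Write-Warning 'Default Web Site has no HTTPS binding; CEP requires SSL'
}

# Emit the values to record for the Group Policy step.
[pscustomobject]@{
    FriendlyName = Get-CepAppSetting -Key 'FriendlyName'
    URI          = $uri
}
```

Run it once per CEP server and keep the emitted URI values together; each one becomes a separate entry in the Group Policy object configured next.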

Set a Friendly Name and record the URI

Configure Group Policy to direct clients to the new CEP server

Use the Group Policy Management Console (GPMC) to edit or create a Group Policy Object that will direct clients to use the new CEP server.

Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
Select Certificate Services Client – Certificate Enrollment Policy

Configure Group Policy

Enable the policy.
The policy will contain the default LDAP entry that directs clients to a Domain Controller. Remove that existing entry.

Enable and empty the policy

Select Add to add a new policy.
Enter the URI you recorded from the previous step. For Authentication Type, select the authentication type you selected during installation. This guide used Windows Integrated.
Select Validate Server.

Add a CEP server to the group policy

Select Add.
Repeat this process for any additional CEP servers used for high availability.

Save and close the policy

Select OK.

Clients will need to refresh policy before using the new CEP servers for policy retrieval. The CEP servers refresh policy from Active Directory every 30 minutes by default, and clients retain a local cache for even longer, so be aware that Certificate Template changes may not be reflected immediately when polled by clients.

The CEP servers can be forced to refresh their cache from Active Directory by issuing the iisreset command.

The client caches are located in the following paths; clearing them forces a refresh:

  • Computer: %ProgramData%\Microsoft\Windows\X509Enrollment
  • User: %USERPROFILE%\AppData\Local\Microsoft\Windows\X509Enrollment
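To confirm on a client that the Group Policy change above actually arrived, and to clear the caches just listed so the next enrollment re-queries the CEP server, the following script can be run as an administrator. It is an added example, not part of the original guide or of Windows; it assumes that CEP servers delivered by Group Policy appear as subkeys of HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers, each carrying "URL" and "FriendlyName" values, and the default $ExpectedUri is a placeholder to replace with the URI recorded from IIS.

```powershell
# Added example (not from the original guide): verify the CEP server delivered by
# Group Policy on a client and optionally clear the enrollment policy caches.
# Assumptions: policy servers are subkeys under the PolicyServers key below with
# "URL" and "FriendlyName" values; $ExpectedUri is a placeholder for the recorded URI.
param(
    [string]$ExpectedUri = 'https://cep.example.com/ADPolicyProvider_CEP_Kerberos/service.svc/CEP',  # placeholder
    [switch]$ClearCache
)

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers'

function Get-CepPolicyServers {
    # One subkey per policy server entry in the GPO.
    Get-ChildItem -Path $PolicyKey -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Id           = $_.PSChildName
            FriendlyName = $p.FriendlyName
            URL          = $p.URL
        }
    }
}

# Pull the latest computer policy first, then inspect what was delivered.
gpupdate /target:computer /force | Out-Null
$servers = @(Get-CepPolicyServers)
$servers | Format-Table -AutoSize

if ($servers.URL -notcontains $ExpectedUri) {
    Write-Warning "Expected CEP server not present in policy: $ExpectedUri"
}

# The guide removes the default LDAP entry from the GPO; flag it if it is still delivered.
$servers | Where-Object { $_.URL -like 'ldap:*' } | ForEach-Object {
    Write-Warning "LDAP policy entry still present: $($_.URL)"
}

if ($ClearCache) {
    # Cache locations from the guide; removing them forces a fresh policy download.
    $caches = @(
        (Join-Path $env:ProgramData   'Microsoft\Windows\X509Enrollment'),
        (Join-Path $env:LOCALAPPDATA  'Microsoft\Windows\X509Enrollment')
    )
    foreach ($c in $caches) {
        if (Test-Path -Path $c) {
            Remove-Item -Path $c -Recurse -Force
            Write-Host "Cleared $c"
        }
    }
}

# certutil -policycache lists the enrollment policy the client currently has cached.
certutil -policycache
```

Run it without -ClearCache first to see whether the new entry is present; only clear the caches once the policy shows the expected URI, since an empty cache with a missing or misconfigured policy server leaves autoenrollment with nothing to retrieve. The user cache path from the guide is resolved through $env:LOCALAPPDATA, so the -ClearCache run must be executed in the affected user's session to clear that copy.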
