Article ID: 117814, created on Oct 9, 2013, last review on May 11, 2014

  • Applies to:
  • Virtuozzo containers for Windows


Certificate auto-enrollment does not work for containers, joined to domain.


This behavior is recognized as a product bug PCWIN-15926.

The problem lies in the scheduled task Microsoft->Windows>CertificateServiceClient->SystemTask, which is responsible for applying AutoEnrollment policy from Domain Controller to Domain Client. In containers the task does not start and certificates are not enrolled on Computer.


There's a workaround available - change UseUnifiedSchedulingEngine task property to false.

The following Powershell script will do it for all currently running containers :

$vzroot = Get-ItemProperty HKLM:\software\swsoft\virtuozzo | select -ExpandProperty VZROOT
$tasktofix = "\Microsoft\Windows\CertificateServicesClient\SystemTask"
$tempxmlfile = "\Windows\Temp\tasktofix.xml"
$ctids = (vzlist -Ho veid) -replace " ",""
foreach ($ctid in $ctids) {$cttempxmlfile="$vzroot\root\$ctid\c$tempxmlfile"; if(ls $cttempxmlfile 2>$null){"$cttempxmlfile already exists"}else{(vzctl exec $ctid schtasks /query /tn $tasktofix /xml) -replace "<UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>","<UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>" > $cttempxmlfile; vzctl exec $ctid schtasks /delete /tn $tasktofix /f; vzctl exec $ctid schtasks /create /tn $tasktofix /xml $tempxmlfile;remove-item -force $cttempxmlfile}}}

Search Words



active directory


certificate auto-enrollment

965b49118115a610e93635d21c5694a8 2897d76d56d2010f4e3a28f864d69223 d02f9caf3e11b191a38179103495106f

Email subscription for changes to this article
Save as PDF