Your network contains an Active Directory domain named contoso.com. Contoso.com contains three servers.
The servers are configured as shown in the following table.

You need to ensure that users can manually enroll and renew their certificates by using the Certificate
Enrollment Web Service.
Which two actions should you perform? (Each correctanswer presents part of the solution. Choose two.)

A.
Configure the policy module settings.

B.
Configure the issuance requirements for the certificate templates.

C.
Configure the Certificate Services Client – Certificate Enrollment Policy Group Policy setting.

D.
Configure the delegation settings for the Certificate Enrollment Web Service application pool account.

Explanation:
All credit for correcting this one and providing the explanation goes to Luffy!
Reference 1:
http://technet.microsoft.com/en-us/library/dd759245.aspx
The Certificate Enrollment Web Service can process enrollment requests for new certificates and for certificate
renewal. In both cases, the client computer submitsthe request to the Web service and the Web service
submits the request to the certification authority (CA) on behalf of the client computer. For this reason, the Web
service account must be trusted for delegation in order to present the client identity to the CA.
Reference 2:
http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-web-services-in-active-directory-certificate-services.aspx
Delegation is required for the Certificate Enrollment Web Service account when all of the following are true:
the CA is not on the same computer as the Certificate Enrollment Web Service
Certificate Enrollment Web Service needs to be ableto process initial enrollment requests, as opposedto
only processing certificate renewal requests
the authentication type is set to Windows Integrated Authentication or Client certificate authentication