Is anyone using AD Certificate Services CA for ZCM?

With the SHA-1 deprecation and because we need to change our internal CA we're considering moving to our AD CS CA, which has recently been updated to use the SHA256 algorithm.

It looks a bit simpler with the new ZCM 11.4 Configuration->Certificates tab...
I guess one of the main issues will be timing, as we have a large number of remote users, connecting infrequently. However, all machines are in the AD and hence have the CA cert...

As regards using the AD CS CA, has anyone got any neat tricks for handling the CSRs, etc.? With over 30 satellites, dealing with the certificate request handling/import looks like a possible pain...

I was thinking of making a specific AD CS template for ZCM and increasing the validity period (e.g. to 5 years, equiv to CA).
Is there any way of utilising auto enrolment? All our primary and satellites are domain members...

Any suggestions and experiences to share?

Many thanks

David