CEP Certificate Template Permissions

Michael Hathaway 21 Reputation points
2023-03-10T09:52:29.6866667+00:00

Hi Folks,

I have managed to get CEP and CES installed, it is running on a separate host to my Enterprise CA and I have delegation setup and this appears to be working fine, my Windows 11 client can see the default certificate templates.

MicrosoftTeams-image (7)

The issue I have, is that any additional templates I add at the CA never appear for this user, I have seen that there is a known issue with versions of templates and windows in this article:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/cannot-select-windows-server-2016-ca-compatible-certificate-templates

But even if I set 2003 compatibility the templates never appear for the end user, has anyone else seen this??

If I attempt enrolment via WCCE the user can see and enrol for all of the new templates I have created

Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management updated to data storage.
3,444 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,090 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,747 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,718 questions
Windows 11
Windows 11
A Microsoft operating system designed for productivity, creativity, and ease of use.
8,110 questions
{count} votes

Accepted answer
  1. Vadims Podāns 8,866 Reputation points MVP
    2023-03-10T11:24:12.4366667+00:00

    Sorry, I misread your question, I thought it is about CEPEncryption and NDES.

    Speaking about your problem it is by design. CEP template list is cached and agent re-fetch it every 8 hours by default. This means that template changes detection on agent can take up to 8hrs. You can try to delete enrollment policy cache on client by deleting the following folders depending on a context:

    • user templates
    %userprofile%\AppData\Local\Microsoft\Windows\X509Enrollment
    
    • machine templates
    %programdata%\Microsoft\Windows\X509Enrollment
    

    then retry enrollment.

    Update: you cannot change cache lifetime interval using GPO, because it is CEP server setting. Do the following in order to change cache lifetime interval:

    1. Log on to CEP server
      1. Launch IIS manager
    2. Expand "Default Web Site" and select CEP application
      1. in middle pane, press Application Settings button. You will see several settings there.
    3. Add (if doesn't exist yet) a new setting with name nextUpdateHours and specify your value in hours. Keep in mind that you cannot set it to less than 1 hour.

1 additional answer

Sort by: Most helpful
  1. Vadims Podāns 8,866 Reputation points MVP
    2023-03-10T10:17:07.0533333+00:00

    this is deleted