NDES automatic renewal of client certificates via SCEP is working even for Revoked certificates

MargueritePtkvc 1 Reputation point
2021-11-19T09:26:25.177+00:00

Hi there,

My setup is the following:
* An offline root CA.
* An online SubCA.
* A server with the CRL.
* A domain controller.
* Domain-joined Windows client machines that are able to receive certificates and renew them only if their current certificate is valid (not expired and not revoked); if the cert is revoked, the renewal fails.
* A server configured with the NDES role.
* Realm-joined Linux client machines that are able to receive and automatically renew their certificates via the NDES server.

The first certificate enrollment by the Linux client machine requires the use of the one-time password retrieved at http://<FQDN of NDES server>/certsrv/mscep_admin using the NDES service account credentials. Then, the certificates are renewed automatically if the currently installed certificate is valid (no new password retrieval needed and no manager approval needed).

My problem: If from the SubCA I revoke the Linux client certificate and manually publish the CRL to make sure that the revocation appears in it immediately, then the automatic renewal still succeeds, and the renewed certificate is not in the CRL, so the client machine ends up having a truly valid cert.

I have tried clearing the CRL cache at the NDES server and redownloading the CRL: the serial number of the revoked certificate is in it but still it gets renewed.
I have tried playing around with the values at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MSCEP with the registry editor, hoping to enforce CRL checking via a CRLFlags value but did not succeed.

I've tried many things, read through all the content that I could find on NDES but I am running out of ideas of things to try.

Any help would be greatly appreciated.

Best regards,
Marguerite
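An added example, not code from the original post or from NDES: a constructed, throwaway OpenSSL PKI (every name, path and serial below is made up) that issues two client certificates, revokes one, publishes a CRL, and then applies the two checks that the post describes doing by hand and that any service honouring a renewal signed with an existing certificate is expected to perform: is the presenting certificate's serial in the current CRL, and does chain validation pass with revocation checking enforced. It shows the outcome the poster expected (the revoked certificate is refused, the valid one accepted); it does not model NDES itself or the MSCEP registry settings.

```shell
#!/bin/sh
# Constructed demo (not from the original post): a throwaway OpenSSL CA that
# issues two client certificates, revokes one, publishes a CRL, and runs the
# two revocation checks a renewal service should perform before re-issuing.
set -e

# All artefacts live in a fresh scratch directory; absolute paths throughout.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

build_demo_pki() {
  # Minimal configuration for 'openssl req' and 'openssl ca' (all constructed).
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
EOF
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"
  echo 01   > "$WORK/crlnumber"

  # Self-signed issuing CA standing in for the SubCA.
  openssl req -config "$WORK/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo SubCA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

  # Two client certificates; only the first will be revoked.
  for name in revoked-client valid-client; do
    openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
      -subj "/CN=$name.example.test" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl ca -batch -config "$WORK/ca.cnf" -notext \
      -in "$WORK/$name.csr" -out "$WORK/$name.crt" 2>/dev/null
  done

  # Revoke the first certificate and publish a fresh CRL, as the SubCA would.
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/revoked-client.crt" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Check 1: is the certificate's serial number listed in the CRL?
# Usage: serial_is_in_crl CERT CRL ; returns 0 when the serial is present.
serial_is_in_crl() {
  serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
  openssl crl -in "$2" -noout -text | tr -d ' ' | grep -qi "^SerialNumber:$serial\$"
}

# Check 2: full chain validation with revocation checking enforced.
# Usage: verify_with_crl CERT CRL CAFILE ; returns 0 only for a valid, unrevoked cert.
verify_with_crl() {
  openssl verify -crl_check -CAfile "$3" -CRLfile "$2" "$1" >/dev/null 2>&1
}

# Policy a renewal service should apply: honour the request only if the
# presenting certificate is absent from the CRL and still validates.
# Usage: renewal_allowed CERT CRL CAFILE
renewal_allowed() {
  if serial_is_in_crl "$1" "$2"; then return 1; fi
  verify_with_crl "$1" "$2" "$3"
}

report() {
  for name in revoked-client valid-client; do
    if renewal_allowed "$WORK/$name.crt" "$WORK/ca.crl" "$WORK/ca.crt"; then
      echo "$name: renewal would be ACCEPTED"
    else
      echo "$name: renewal would be REFUSED (revoked or invalid)"
    fi
  done
}

build_demo_pki
report
```

Without `-crl_check`, `openssl verify` ignores the CRL entirely and reports the revoked certificate as valid, which is the same silent behaviour the post describes: a relying party or enrollment service only catches revocation if it is explicitly told to consult a current CRL.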
