Hello @Blitz ,
Thank you for your update.
If AD replication is working fine and the certificate template we mentioned is on all DCs, it seems this is not related to AD replication.
We can check:
1. What is the Schema Version of the certificate template we mentioned?
2. In my lab, I find that if I click "Reenroll All Certificate Holders", the "Version" of the certificate template (or "Major Version" of the certificate template) is changed, and after the client updates GPO, the "Version" (or "Major Version") of the certificate template on the corresponding certificates becomes the same as on the certificate template.
For example,
121.0 => Major Version Number=121, Minor Version Number=0
So we can check whether the "Version" of the certificate template (or "Major Version" of the certificate template) is changed after we click "Reenroll All Certificate Holders", and whether the "Version" (or "Major Version") on the certificate template itself is changed.
3. If the version on the certificate template is changed but on the certificate is not changed, we can run gpupdate /force or certutil -pulse on the client to see if it helps.
4. Refresh the certificate store on the client.
Best Regards,
Daisy Zhou
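The version comparison described in steps 2 and 3 can be done from the client without opening the console. The PowerShell below is an added example, not code from the thread or from Microsoft: it reads the template's major/minor version from the Configuration partition and compares it with the "Major Version Number"/"Minor Version Number" values carried in each issued certificate's Certificate Template Information extension. It assumes a domain-joined client with the RSAT ActiveDirectory module, read access to the Configuration partition, and that the certificates of interest sit in the local machine Personal store; `ExampleTemplate` is a hypothetical display name to replace with the real template.

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory module,
# a domain-joined client, and certificates in Cert:\LocalMachine\My.
param(
    [string]$TemplateName = 'ExampleTemplate',   # hypothetical; use the real template's display name
    [string]$StorePath    = 'Cert:\LocalMachine\My'
)

Import-Module ActiveDirectory

# 1. Read the template object from AD. 'revision' is the Major Version shown in the
#    console, msPKI-Template-Minor-Revision the Minor Version, and
#    msPKI-Template-Schema-Version the schema version (1 to 4) asked for in step 1.
$configNC   = (Get-ADRootDSE).configurationNamingContext
$templateDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$template   = Get-ADObject -SearchBase $templateDN `
    -LDAPFilter "(&(objectClass=pKICertificateTemplate)(displayName=$TemplateName))" `
    -Properties revision, 'msPKI-Template-Minor-Revision', 'msPKI-Template-Schema-Version', `
                'msPKI-Cert-Template-OID', whenChanged
if (-not $template) { throw "Template '$TemplateName' not found under $templateDN" }

$adMajor = [int]$template.revision
$adMinor = [int]$template.'msPKI-Template-Minor-Revision'
"Template '{0}': schema v{1}, AD version {2}.{3} (last changed {4})" -f `
    $TemplateName, $template.'msPKI-Template-Schema-Version', $adMajor, $adMinor, $template.whenChanged

# 2. For each certificate issued from this template, read the Certificate Template
#    Information extension (OID 1.3.6.1.4.1.311.21.7). Its Format() output is the same
#    text certutil shows: "Template=<OID>", "Major Version Number=<n>", "Minor Version Number=<n>".
#    A certificate whose version differs from AD is one autoenrollment should replace.
$templateOid = $template.'msPKI-Cert-Template-OID'
Get-ChildItem $StorePath | ForEach-Object {
    $cert = $_
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    if (-not $ext) { return }   # v1 templates use the older template-name extension; skip them
    $text = $ext.Format($true)
    if ($text -notmatch [regex]::Escape($templateOid)) { return }   # issued from another template
    $certMajor = if ($text -match 'Major Version Number=(\d+)') { [int]$Matches[1] } else { -1 }
    $certMinor = if ($text -match 'Minor Version Number=(\d+)') { [int]$Matches[1] } else { 0 }
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        CertVersion   = "$certMajor.$certMinor"
        ADVersion     = "$adMajor.$adMinor"
        NeedsReenroll = ($certMajor -ne $adMajor) -or ($certMinor -ne $adMinor)
    }
} | Format-Table -AutoSize
```

Run it once before and once after "Reenroll All Certificate Holders": the `ADVersion` column should go up immediately, and `NeedsReenroll` should return to `False` for each certificate after the client's next autoenrollment pass (gpupdate /force or certutil -pulse from step 3). If the AD value does not change at all, the problem is on the template side rather than on the clients.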