Computer Certificate autoenrollment not working

Blitz 21 Reputation points

Hi, everyone! I have a problem with computer certificate autoenrollment and I've done a lot of search and troubleshooting and seems I'm stuck.

I'm in an AD environment with internal PKI infrastructure, root ca is offline and there are two intermediate CAs (one old, one new) issuing certificate for my domain clients.

I'm using CA template to automatically push certificate to clients which is working well, but I did one change to one of my cert template and i need all clients to re-enroll certificate, I had discovered there is an option to Reenroll all Certificate Holders using the template - so I tried this in the lab and everything works like a charm. The template number has incremented and clients were re-enrolling certificates on the next GPO cycle.

So i've moved to the production, did the same, and nothing, no errors in event log, just some warnings but didn't look interesting.
From Wireshark traffic capture I could see there are no request from client to CA, just talking with DCs and end the communication after. The curious thing is that in capture i can see that the certificate template number is incremented in the traffic from DC than is the certificate template number on my client but there are no attempts to enroll new one...

Can anyone please advise?


Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,299 questions
No comments
{count} votes

Accepted answer
  1. Daisy Zhou 12,916 Reputation points Microsoft Employee

    Hello @Blitz ,

    Thank you for your update.

    If AD replication is working fine and the certificate template we mentioned is on all DCs. It seems it does not matter with AD replication.

    We can check:

    1.What is the Schema Version of the certificate template we mentioned?

    2.In my lab, I find if I click "Reenroll All Certificate Holders", the "Version" of certificate template (or "Major Version" of certificate template) will be changed, and after the client update GPO, the "Version" of certificate template on the corresponding certificates (or "Major Version" of certificate template) will be the same as on certificate template.

    For example,

    121.0 => Major Version Number=121, Minor Version Number=0



    So we can check whether the "Version" of certificate template (or "Major Version" of certificate template) is changed after we click "Reenroll All Certificate Holders".

    Whether the "Version" of certificate template (or "Major Version" of certificate template) on certificate template is changed.

    3.If the version on certificate template is changed but on certificate is not changed, we can run gpupdate /force or certutil -pulse on client to see if it helps.

    4.Refresh the certificate Store on client.

    Best Regards,
    Daisy Zhou

    No comments

3 additional answers

Sort by: Most helpful
  1. Daisy Zhou 12,916 Reputation points Microsoft Employee

    Hello @Blitz ,

    Thank you for posting here.

    I did a test in my ab and it works fine.

    We can check the information below in your production environment:

    1. Check whether this machine has configured certificate auto enrollment GPO.
    2. Check whether the certificate template is issued on CA server.
    3. Check whether the machine has read, enroll and autoenroll permissions for this certificate template.
    4. Check whether all machines or only one machine has such issue.

    If it does not work above, because certificate templates are stored on DCs not CA server, please check AD replication is working fine by running repadmin /showrepl and repadmin /replsum.

    I mean if the machine we mentioned is pulled certificate template from one DC, but maybe the certificate template is not on this DC due to AD replication issue.

    Hope the information above is helpful, if anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    No comments

  2. Blitz 21 Reputation points

    Hello Daisy, thanks for your reply.

    1. Yes, I got a Automatic certificate management enabled, with Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates and Update and manage certificates that use certificate templates from Active Directory enabled too.
    2. Yes, seems good.
    3. Authenticated users have read. Domain computers have read, enroll and auto-enroll on the template so should be fine.
    4. Its all of them

    Sorry, but how to find out where they are stored? I see an entry for the template in adsi -> configuration -> Services -> PKI -> Certification templates.
    Anyway, repadmin shows all good, we are all in single site domain so I'm not suspecting replications to be the problem. All DCs showing the same template (even version) so probably it's stored on DCs.

    No comments

  3. Blitz 21 Reputation points

    Hi there, wow I can't believe I did such a mistake!

    In the lab, I clicked the button, and the major version incremented to 102, and the minor was 0.
    But in the production, I had major template number 100 and minor was 2, I did some changes and minor incremented to 3, right after the change clicked to "Reenroll All Certificate Holders" - but it seems that I didn't really click because the template version stayed 100.3 and it confused me enough to change major with minor believing everything is good on CA a problem is somewhere on clients side. So major template number wasn't really incremented therefore clients weren't re-enrolling.

    Now once I've gone through it again by your pictures and realized my mistake! Thanks, @Daisy Zhou so much for your help! Before asking there I was digging deeper into the certificate enrollment process looking for a potential problem and I've seen the template number numerous times during the process always believing its correct and never noticing my mistake.

    Now once I really clicked to reenroll and the major template number has incremented it works smoothly.

    Thanks again!