AD: Certification Authority Web Enrollment Configuration Failed 0x80070057 (WIN32: 87)
Error
If you run into the following error when trying to install CA Web Enrollment after migrating or restoring a CA:
Certification Authority Web Enrollment: Configuration Failed
Active Directory Certificate Services setup failed with the following error: The parameter is incorrect. 0x80070057 (WIN32: 87)
Cause
The likely issue is that the value of SetupStatus at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration is set to hexadecimal 6003 but should be set to hexadecimal 6001. 6003 indicates that CA Web Enrollment is already installed, and 6001 indicates that it is not yet installed.
Resolution
Modify the registry SetupStatus to read 6001 and then install CA Web Enrollment. You can modify that registry setting with the following certutil command from Windows PowerShell or a command prompt run as Administrator:
certutil -setreg config\setupstatus 0x6001
Alternatively, you can use the following command to achieve the same result:
certutil -setreg config\setupstatus -SETUP_CLIENT_FLAG
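The following PowerShell script is an added example, not part of the original article. It reads SetupStatus first, changes it only if the SETUP_CLIENT_FLAG bit (0x2, the difference between 6003 and 6001) is set, and exports the key beforehand. The backup file location is an assumption made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: check SetupStatus before changing it, and clear only the
# SETUP_CLIENT_FLAG bit (0x2) so that any other flags in the value are preserved.

$keyPath    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$regExeKey  = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$clientFlag = 0x2
# Assumption: backup location chosen for this example.
$backupFile = Join-Path $env:TEMP 'CertSvc-Configuration-backup.reg'

$current = (Get-ItemProperty -Path $keyPath -Name SetupStatus -ErrorAction Stop).SetupStatus
Write-Host ('Current SetupStatus: 0x{0:X}' -f $current)

if (($current -band $clientFlag) -eq 0) {
    # The flag is already clear, so the fix described in this article does not apply.
    Write-Host 'SETUP_CLIENT_FLAG is not set; no change made.'
}
else {
    # Export the key first so the change can be reverted with "reg import".
    & reg.exe export $regExeKey $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Registry export failed with exit code $LASTEXITCODE"
    }

    # Clear only the client flag: 0x6003 becomes 0x6001.
    $new = $current -band (-bnot $clientFlag)
    Set-ItemProperty -Path $keyPath -Name SetupStatus -Value $new -Type DWord

    # Read the value back to confirm the write.
    $after = (Get-ItemProperty -Path $keyPath -Name SetupStatus).SetupStatus
    Write-Host ('SetupStatus changed from 0x{0:X} to 0x{1:X}; backup saved to {2}' -f $current, $after, $backupFile)
}
```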