Certificate autoenrollment - The requested certificate is not supported by this CA
Hello,
I am having issues with certificate auto enrollment for clients.
My CA is on Windows Server 2008 R2 and is a domain controller also.
Clients are Windows 7.
The Certificate Authority is an Enterprise CA and has been migrated from another server (Windows 2000 or 2003) in the past.
1. Group Policy configured and is applying OK.
2. CAs are listed in AD OK.
3. Security Permissions are OK on the certificate templates and set to auto enrol.
4. DCOM Communication tests from the client to server work OK.
5. No errors are logged in the client when an auto enrolment is run, i.e. certutil -pulse
So here’s what I have to go on:
1. If I run “automatically enrol and retrieve certificates” from the certificates MMC on the client, it comes back that “certificate types are not available”. If I tick the show all templates I can see all the templates but their status is unavailable.
The Auto enrol templates also have:
“The requested template is not supported by this CA”
“A valid certificate authority (CA) configured to issue the certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.”
2. If I run certutil -template I can see I have security to read, enrol and autoenrol.
3. If I run certutil -adtemplate I get for example “User: User –Auto-Enroll: Access is denied”
4. All the certificate templates that appear as “certificate unavailable” from the certificate MMC are version 2 certificates. All the certificate templates that appear OK are version 1 templates.
However I cannot create a new version 1 template by duplicating an existing one.
This issue looks similar to this, but not Windows Vista and not the same error messages:
http://support.microsoft.com/kb/947237
August 8th, 2011 4:59pm
Have you added/published the template to your CA?
Do you see the template if you run: certutil -catemplates
What OS version and edition is your CA?
v2 templates are only supported if the OS of your CA is 2003-2008 Ent Edition or 2008 R2 Std Ed
/Hasain
August 8th, 2011 5:15pm
Thanks and yes I think you are right.
There were a couple of warning messages in the Server Manager Console on my CA regarding certificate services. This led me to this MS Document:
http://technet.microsoft.com/en-us/library/dd379539(WS.10).aspx
The part I was missing was this:
To assign certificate templates to an enterprise CA
1. On the taskbar, click Start, and then click Run.
2. In the Run dialog box, type certsrv.msc, and then click OK to open the Certification Authority snap-in.
3. In the console tree, click Certificate Templates.
4. On the Action menu, point to New, and then click Certificate Template to Issue.
5. Select the certificate template that you enabled for autoenrollment, and click OK.
After doing this the autoenrol for users worked OK.
August 8th, 2011 5:31pm
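The cause found in this thread was templates that existed in AD with correct permissions but had never been added to the CA with "Certificate Template to Issue". The script below is an added example, not from the thread or from Microsoft, that reports this state for every template at once by reading the Configuration partition. It assumes a domain-joined machine with read access to the Public Key Services container, and the helper name Get-PkiObject is made up for the example.

```powershell
# Added example: read-only check, run from a domain-joined machine.
# Reports each certificate template in AD, its schema version, and which
# enterprise CAs have it in their "Certificate Templates" (issue) list.
$config = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pki    = "CN=Public Key Services,CN=Services,$config"

# Hypothetical helper: one-level LDAP search under a Public Key Services container.
function Get-PkiObject {
    param([string]$Container, [string]$Filter, [string[]]$Props)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$Container,$pki"
    $searcher.SearchScope = 'OneLevel'
    $searcher.Filter      = $Filter
    $searcher.PageSize    = 500
    foreach ($p in $Props) { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher.FindAll()
}

# Map template name -> CAs that publish it (the certificateTemplates
# attribute of each pKIEnrollmentService object).
$publishedBy = @{}
$cas = @(Get-PkiObject -Container 'CN=Enrollment Services' `
    -Filter '(objectClass=pKIEnrollmentService)' -Props 'cn','certificateTemplates')
foreach ($ca in $cas) {
    $names = $ca.Properties['certificatetemplates']
    if ($null -eq $names) { continue }          # CA publishes no templates
    foreach ($name in $names) {
        if (-not $publishedBy.ContainsKey($name)) { $publishedBy[$name] = @() }
        $publishedBy[$name] += $ca.Properties['cn'][0]
    }
}

# Walk every template object and join it against the map above.
$templates = @(Get-PkiObject -Container 'CN=Certificate Templates' `
    -Filter '(objectClass=pKICertificateTemplate)' -Props 'cn','msPKI-Template-Schema-Version')
$report = foreach ($t in $templates) {
    $cn  = $t.Properties['cn'][0]
    $ver = $t.Properties['mspki-template-schema-version']
    $schema = 1                                  # attribute may be absent on v1 templates
    if ($null -ne $ver -and $ver.Count -gt 0) { $schema = $ver[0] }
    $issuers = '(not published)'
    if ($publishedBy.ContainsKey($cn)) { $issuers = $publishedBy[$cn] -join ', ' }
    New-Object PSObject -Property @{ Template = $cn; SchemaVersion = $schema; PublishedBy = $issuers }
}
$report | Sort-Object PublishedBy, Template |
    Select-Object Template, SchemaVersion, PublishedBy | Format-Table -AutoSize
```

A template that autoenrollment is expected to use but that shows "(not published)" here is in the state this thread started from; publishing it on the CA as described in the steps above is what moves it out of that row.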