Hello, I am attempting to supersede a version 1 template with a custom version 2 template (smartcard user template with custom template) in an attempt to renew the existing certificates using the version 1 template. My preliminary testing doesn't seem to be working. Is there a way to force those who currently hold certificates based off of the version 1 template to re-enroll and receive certificates based off of the custom template? I tried to re-enroll all certificate holders, however the option is not available on a version 1 template. Forcing the option on the custom template appears to do nothing. Any help is greatly appreciated. Thank you!

a coupe of possibilities: 1) Did you enable autoenrollment for users in a GPO linked to the domain/OU where the user accounts exist 2) Did you assign a global or universal group containing the user accounts Read, Enroll, and Autoenroll permissions? 3) Is the new CA available at an enterpris CA for enrollment. 4) Since you are working with smart cards, did you enable user interaction in the certificate template. You need to enable user interaction to allow the user to input their PIN. 5) Did you designate the specific smart card CSP in the certificate template. You are correct in that you cannot force reenrollment for V1 certificates. Only V2 certificate templates and above support autoenrollment for users HTH, Brian

Thank you so much for the reply Brian! I didn't set up the GPO yet. I'll give it a try when I get in to the office in the morning. Another quick question for you: seeing as how we cannot force the V1 certificates to reenroll; will they attempt to reenroll automatically? (This is confusing as I did not think that V1 certs were eligible for reenrollment.) Or will we need to reissue the certs by hand? Thanks again!

Have to reissue by hand. There is no mechanism for automated re-enrollment for V1 scripts in the OS. You could consider scripting a solution, but this is not autoenrollment per se Brian

The group policy was the problem. Thanks for your help!