Windows 7 Certificate Autoenrollment
Hi,
We have had some issues with our Windows 7 clients retrieving a certificate from our Windows 2003 CA for a while now and I don't seem to know what is causing it. We have a custom certificate which is issued to computers for access to our corporate wireless network. Autoenrollment is set on the certificate and there is a security group applied to it that contains the computers to which we would like to grant access. When we want to grant users access to the wireless network we simply add their PC account to an AD group, which then applies a group policy that enables autoenrollment! This group has Read, Enroll and Autoenroll permissions for the certificate. The system works well and Windows XP clients have no problems getting a certificate; however, Windows 7 clients do not seem to be able to do it.
When I try to obtain a certificate manually via the Certificates MMC on the Windows 7 clients I get the following error:
Logon failure: the user has not been granted the requested logon type at this computer.
There are some Application log entries on the client as well which show the following information:
Event ID: 67
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Detail: Certificate enrollment for Local system failed to load policy from policy servers with ID {44E84A61-3DA1-4C54-985C-8F7E6CACC65E} (Logon failure: the user has not been granted the requested logon type at this computer. 0x80070569 (WIN32: 1385))
Event ID: 70
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Detail: Certificate enrollment for Local system failed because no valid policy can be obtained from policy servers with ID
I am aware there is a problem with using the web cert enroll process from Windows 7 to a Windows 2003 CA as detailed in http://support.microsoft.com/kb/922706 but was not sure if this would affect Autoenrollment or enrollment via the MMC?
Has anyone encountered this problem or know of a possible fix? We are in the process of evaluating W7 for rollout and have this problem on all our test machines.
Thanks in advance
Brian.
July 16th, 2010 12:36pm
It is important to separate autoenrollment and enrollment. Are the errors you have given related to the autoenrollment process on the client? If not, try enabling the registry key given below and reboot the client to see if any errors related to autoenrollment pop up. Also check the GPOs applied on the W7 client and confirm that the setting for automatic enrollment is processed (Enroll certificates automatically, Renew expired and Update certificates are applied on the client).
In my experience it's usually one of two things: GPO not applied, or a security issue where the Autoenroll right has not been set for the given client.
Also if there are issues with autoenrollment you can set a registry key to get more information on the client.
See http://technet.microsoft.com/en-us/library/cc755801(WS.10).aspx
User Autoenrollment
HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Autoenrollment: Create a new DWORD value named "AEEventLogLevel", set value to 0.
Machine Autoenrollment
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Autoenrollment: Create a new DWORD value named "AEEventLogLevel", set value to 0.
July 19th, 2010 11:16pm
Hi,
Do you configure any other Certificate Enrollment Policy for the Windows 7 computer?
Certificate Enrollment Policy Servers
http://technet.microsoft.com/en-us/library/dd851661.aspx
The default Certificate Enrollment Policy is Active Directory Enrollment Policy (Server URI is ldap: ). Please ensure that you log on to the computer with a domain account and select that enrollment policy when you request a certificate via MMC.
If the issue continues, please enable CAPI2 log, reproduce the issue and let us know the events in the Event Viewer.
For the steps to enable the CAPI2 log, please refer to the "Enable and save the CAPI2 log from Event Viewer" section at http://technet.microsoft.com/en-us/library/cc749296(WS.10).aspx.
July 22nd, 2010 10:40am
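A consolidated diagnostic script for the steps suggested in the two replies above (the AEEventLogLevel key, the GPO check, the CAPI2 log and a look at the CertEnroll events the question quotes), added here as an example and not taken from the thread or from Microsoft. The registry keys, commands and event IDs are the ones named in the thread; the AEPolicy value name and the meaning of its bits are assumptions of this example.

```powershell
# Added diagnostic script for the Windows 7 autoenrollment problem above; not from the thread.
# Run in an elevated PowerShell on the affected Windows 7 client.
# Assumption: the GPO setting "Enroll certificates automatically" is stored as the AEPolicy
# DWORD under the Policies key (0x8000 = disabled; 7 = enabled with "Renew expired" and
# "Update certificates"). Everything else uses values quoted in the thread.

$logKey    = 'HKLM:\Software\Microsoft\Cryptography\Autoenrollment'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

# 1. Verbose machine autoenrollment logging, as in the first reply (AEEventLogLevel = 0).
if (-not (Test-Path $logKey)) { New-Item -Path $logKey -Force | Out-Null }
New-ItemProperty -Path $logKey -Name 'AEEventLogLevel' -Value 0 `
    -PropertyType DWord -Force | Out-Null

# 2. Enable the CAPI2 operational log, as in the second reply.
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true

# 3. Did the autoenrollment GPO reach this machine at all?
$props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($props -eq $null -or $props.AEPolicy -eq $null) {
    Write-Warning 'AEPolicy missing: the autoenrollment GPO is not applied to this computer.'
} elseif ($props.AEPolicy -band 0x8000) {
    Write-Warning 'AEPolicy = 0x8000: autoenrollment is explicitly disabled.'
} else {
    'AEPolicy = 0x{0:X} (autoenrollment enabled)' -f $props.AEPolicy
}

# 4. Trigger autoenrollment now instead of waiting for a reboot or GPO refresh.
certutil -pulse | Out-Null
Start-Sleep -Seconds 20

# 5. Collect the CertEnroll events from the question (67 = policy load failed, 70 = no valid
#    policy). 0x80070569 is WIN32 error 1385, ERROR_LOGON_TYPE_NOT_GRANTED.
$since = (Get-Date).AddMinutes(-5)
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CertificateServicesClient-CertEnroll'
        StartTime    = $since } -ErrorAction SilentlyContinue |
    Where-Object { @(67, 70) -contains $_.Id } |
    Select-Object TimeCreated, Id, Message | Format-List

# 6. Any CAPI2 errors logged during the same window (policy-server lookup, chain building).
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CAPI2/Operational'; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -eq 'Error' } |
    Select-Object TimeCreated, Id, Message | Format-List
```

If step 3 warns that AEPolicy is missing, fix GPO scoping before looking any further at the CA; if the GPO is present but event 67 still reports error 1385, the computer account's group membership and the template's Autoenroll permission are the next things to compare against a working XP client.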