Consider either of the following scenarios:
- You configure a Windows Server 2016-based certificate enrollment policy (CEP) server or certificate enrollment server (CES).
- You install a new Windows Server 2016 Certification Authority (CA).
- You configure the compatibility settings of a certificate template by setting Certification Authority to Windows Server 2016 and Certificate recipient to Windows 10 / Windows Server 2016.
When Windows 10 users try to request certificates by using the CA Web enrollment page (the CEP URL), the certificate template that you configured as described here is not listed as an available template.
This is a known issue in Windows Server 2016 and later versions. The CEP or CES server provides to clients only those certificate templates that have the following compatibility settings:
- Certification Authority: Windows Server 2012 R2 or an earlier version
- Certificate recipient: Windows 8.1 (or an earlier version) and Windows Server 2012 R2 (or an earlier version)
To work around this issue, follow these steps:
- Configure the compatibility settings of the certificate template as follows:
  - Certification Authority: Windows Server 2012 R2
  - Certificate recipient: Windows 8.1 / Windows Server 2012 R2
- Wait 30 minutes for the CEP server to receive the updated template information (or use the IISReset tool to restart the server).
- On the client computer, clear the client-side Enrollment Policy Cache by using the following command in a Command Prompt window:

    certutil -f -policyserver * -policycache delete

- On the client computer, try to enroll the certificate again. The template should now be available.