P2 · PKI & Certificate Management

Active Directory Certificate Services — Certificate Enrollment Failing for Users or Machines

Q: What causes Active Directory Certificate Services — Certificate Enrollment Failing for Users or Machines?

CA server RPC/DCOM ports (TCP 49152+) blocked by firewall • Certificate template missing Enroll ACE for the target user or computer group • Template not published to the CA or CA not reachable in AD • CA certificate chain not present in NTAuth store • Auto-enrollment GPO not configured or not applying to target OUs

Q: How do I resolve Active Directory Certificate Services — Certificate Enrollment Failing for Users or Machines?

Confirm RPC connectivity between clients and CA server • Grant Enroll permission to the correct group on the certificate template • Publish the template to the CA if missing • Repair auto-enrollment GPO and force policy refresh on clients

Users or computers cannot enrol for certificates from the internal CA via manual enrollment, the web enrolment interface, or auto-enrollment. Commonly caused by firewall blocking RPC to the CA, missing Enroll ACE on the certificate template, or auto-enrollment GPO not applying.

Indicators

Certificate enrollment wizard shows 'The RPC server is unavailable' or 'Denied by policy'
Auto-enrollment fails silently — Event ID 13 in CertificateServicesClient-AutoEnrollment log
Machine certificates not issued — 802.1X NAC authentication failing for domain devices
Certificate templates missing from certmgr.msc enrollment UI

Likely causes

CA server RPC/DCOM ports (TCP 49152+) blocked by firewall
Certificate template missing Enroll ACE for the target user or computer group
Template not published to the CA or CA not reachable in AD
CA certificate chain not present in NTAuth store
Auto-enrollment GPO not configured or not applying to target OUs

Diagnostic steps

Test CA connectivity: certutil -ping <CA-Name>; if fails, verify firewall allows RPC (TCP 135 + dynamic 49152-65535) between clients and CA
Check template ACL: certtmpl.msc > right-click template > Properties > Security — target computer or user group must have Read and Enroll permissions
Verify template published: certsrv.msc (CA MMC) > Certificate Templates — template must appear; if not, right-click > New > Certificate Template to Issue
Validate NTAuth store: certutil -viewstore -enterprise NTAuth — CA signing certificate must be present
Review auto-enrollment GPO: Computer Config > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client — Auto-Enrollment
Force enrollment: gpupdate /force on client, then: certutil -pulse; restart 'Certificate Propagation' service (certprop)

Resolution path

Confirm RPC connectivity between clients and CA server
Grant Enroll permission to the correct group on the certificate template
Publish the template to the CA if missing
Repair auto-enrollment GPO and force policy refresh on clients

Prevention

Monitor CA health with certutil -getreg and review CA server event logs weekly
Document all certificate templates, their enrollment groups and intended use
Use NDES/SCEP with Intune for device certificate enrollment on non-domain or mobile devices
Test auto-enrollment after any GPO or CA configuration change

Tools

certsrv.msc (Certification Authority console)
certtmpl.msc (Certificate Templates)
certutil
certmgr.msc / certlm.msc
Event Viewer — CertificateServicesClient-AutoEnrollment
GPMC (Group Policy Management Console)

adcscertificate-authoritypkienrollmentauto-enrollmentactive-directory802.1xrpc