Certificate Templates Not Available for Windows 7 and Windows Server 2008 R2 Certificate Recipients using Certificate Enrollment Web Services

Applies to

 Windows 7, Windows Server 2008 R2, Windows Server 2012 

Symptoms

You may notice some unexpected behavior when trying to deploy certificates to Windows 7 or Windows Server 2008 R2 client computers using Certificate Enrollment Web Services. 

Note

Certificate Enrollment Web Services is an option for deploying certificates starting with Windows Server 2008 R2 and Windows 7. For more information, see Certificate Enrollment Web Services in Active Directory Certificate Services.

 

For example, if you have configured a certificate template that you expect to be available to Windows 7 or Windows Server 2008 R2 certificate recipients, but the certificate template Compatibility tab's Certification Authority setting is Windows Server 2012, the Windows 7 and Windows Server 2008 R2 certificate clients will not see the template as available.

For more information about the Compatibility tab, see Windows Server 2012: Certificate Template Versions and Options.

Instead, the Windows 7 or Windows Server 2008 R2 certificate client computers will only have the option to enroll for certificate templates that do not have do not have the Certification Authority set to Windows Server 2012, such as the Version 1 (V1) template Web Server.

Workaround

To work around this issue, set the certificate template's Compatibility tab, Certification Authority setting to Windows Server 2008 R2 (even if the CA is actually running Windows Server 2012). Doing so will be of no consequence (no loss of functionality) in a situation where you are trying to support Windows 7 or Windows Server 2008 certificate recipients.

Then the Windows 7 and Windows Server 2008 R2 certificate client computers can select the template as available during enrollment using Certificate Enrollment Web Services.

---