RDP SSL Failed "A revocation check could not be performed on this certificate"

Been searching all morning for a resolution to this with no luck.

Topology:

  • Offline Root CA (Windows 2012)
  • Enterprise Subordinate CA (Windows 2012)

Current Issue:

  • Deployed certificate template and setup for Windows 7 / Windows 2012 to secure RDP sessions with SSL (used this http://www.derekseaman.com/2013/01/creating-custom-remote-desktop-services.html)
  • RDP Security set to Negotiate (since there is a certificate present, it defaults to SSL)
  • When connecting from Windows 7/8 client that is NOT domain joined to Windows 7/2012 via RDP, am presented with a warning/failure that "A revocation check could not be performed on this certificate"

Troubleshooting steps already taken:

  • Verified that the CDP and AIA settings for all certificates (server and subCA) are pointed to http://certificates.domain.com/pki
  • Verified that the URL has the allowDoubleEscaping=True flag set within IIS
  • Verified permissions to write to the directory and share
  • Verified IIS authentication set to Anonymous
  • Verified non-domain joined client computers can successfully read published CRLs
  • Verified all proper CRLs and delta CRLs are being published
  • From a domain-joined computer, this does not happen
  • Verified that computer which is impacted by this does have all root and sub certs installed in correct stores on the local computer
  • Tried to save .rdp connection file and update the setting for credSSP with no luck
  • Verified all certificates visually check out, nothing expired, all certificates present
  • ran certutil -url against one of my rdpAuth certificates, all URLs check out
  • ran certutil -verify -urlfetch against the same rdpAuth certificate, I get the following output (bolding mine):

PS C:\> certutil -verify -urlfetch sfxxxxad01.cer
Issuer:
    CN=domainSubCA
    DC=domain
    DC=com
  Name Hash(sha1): 1d446a6b39e7014d113319d1a22f74523a10a597
  Name Hash(md5): 16d7a89801f784479045ce3c8c5693fb
Subject:
    CN=sfxxxxad01.domain.com
  Name Hash(sha1): fd94f9031c4082755c836f3c28fb6d7597efcccc
  Name Hash(md5): ac2a34cdb755bf174dd92869cda9cb6c
Cert Serial Number: 6d0000019999ee0fc78f46427d000000000199

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=domainSubCA, DC=domain, DC=com
  NotBefore: 6/13/2013 11:56 AM
  NotAfter: 6/13/2015 11:56 AM
  Subject: CN=sfxxxxad01.domain.com
  Serial: 6d0000019999ee0fc78f46427d000000000199
  SubjectAltName: DNS Name=sfxxxxad01.domain.com
  Template: domainRemoteDesktopServerAuth
  cb c6 fd 8f 3a cf 0e 0e 75 79 4e 8e 7f d7 d4 e8 28 55 3f ca
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://certificates.domain.com/pki/sfxxxxpki02.domain.com_domainSubCA.crt

  ----------------  Certificate CDP  ----------------
  Expected Base CRL "Delta CRL (26)" Time: 0
    [0.0] http://certificates.domain.com/pki/domainSubCA.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Application[0] = 1.3.6.1.4.1.311.54.1.2 Remote Desktop Authentication

	CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
	  Issuer: CN=domainRootCA
	  NotBefore: 5/29/2013 11:31 PM
	  NotAfter: 5/29/2023 11:41 PM
	  Subject: CN=domainSubCA, DC=domain, DC=com
	  Serial: 3000000002216518440a315c0b000000000002
	  Template: SubCA
	  cb f7 3c 87 7c 29 a4 95 e9 7d ad 74 60 63 0b f0 fe 78 c5 12
	  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
	  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
	  ----------------  Certificate AIA  ----------------
	  Verified "Certificate (0)" Time: 0
		[0.0] http://certificates.domain.com/pki/sfxxxxpki01_domainRootCA.crt

	  ----------------  Certificate CDP  ----------------
	  Verified "Base CRL (02)" Time: 0
		[0.0] http://certificates.domain.com/pki/domainRootCA.crl

	  ----------------  Base CRL CDP  ----------------
	  No URLs "None" Time: 0
	  ----------------  Certificate OCSP  ----------------
	  No URLs "None" Time: 0
	  --------------------------------
		CRL 02:
		Issuer: CN=domainRootCA
		ThisUpdate: 5/29/2013 9:26 PM
		NextUpdate: 11/28/2013 9:46 AM
		a7 e4 d2 ec b7 56 ee 6a 55 df 20 f2 8e 31 ca 2e f4 4d d2 a9
	  Issuance[0] = 1.2.3.4.1455.67.89.5

CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=domainRootCA
  NotBefore: 5/29/2013 9:08 PM
  NotAfter: 5/29/2033 9:18 PM
  Subject: CN=domainRootCA
  Serial: 1bda28d10cdb878345810344527c3c5e
  b1 74 73 fd 92 3c df 84 ee 2e 04 d9 c1 42 85 97 f9 f0 56 c8
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
  Issuance[0] = 1.2.3.4.1455.67.89.5

Exclude leaf cert:
  4a ac 1a b3 f6 95 f6 3c 11 fc 2d a9 a7 83 c6 9a 01 79 cb 2f
Full chain:
  9e 09 5d fe 89 2c 20 d3 77 79 cd 39 cd 40 0f 63 ca a8 3b f4
  Issuer: CN=domainSubCA, DC=domain, DC=com
  NotBefore: 6/13/2013 11:56 AM
  NotAfter: 6/13/2015 11:56 AM
  Subject: CN=sfxxxxad01.domain.com
  Serial: 6d0000019999ee0fc78f46427d000000000199
  SubjectAltName: DNS Name=sfxxxxad01.domain.com
  Template: domainRemoteDesktopServerAuth
  cb c6 fd 8f 3a cf 0e 0e 75 79 4e 8e 7f d7 d4 e8 28 55 3f ca
The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
------------------------------------
Revocation check skipped -- server offline
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.

So, to me, everything checks out, but I'm still seeing this issue with non-domain computers, even though the URL for the distribution point is fully accessible and all the certificates are there. This PKI was planned appropriately, even the offline rootCA is publishing correctly to the same distribution point.

Any guidance would be appreciated!
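The leaf certificate's CDP section in the output above ends at `Expected Base CRL "Delta CRL (26)"`, so the next thing to establish is what the file served from that CDP URL actually is: a base or a delta CRL, with which CRL Number and Delta CRL Indicator, and whether the base/delta pair satisfies the RFC 5280 section 5.2.4 combination rule a relying party must apply. The stdlib-only Python below is an added example, not code from the post or from any vendor tool; the sample CRLs it builds (issuer CN, CRL numbers 24/25/26, placeholder signature) are constructed for illustration and are not the poster's real files.

```python
"""Inspect DER CRLs (stdlib only): issuer, CRL Number, Delta CRL Indicator, and the RFC 5280 5.2.4 delta/base rule."""
OID_CRL_NUMBER, OID_DELTA_CRL_INDICATOR = b"\x55\x1d\x14", b"\x55\x1d\x1b"  # 2.5.29.20, 2.5.29.27

def _tlv(data, pos):
    """Decode one DER TLV at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length
def _children(body):
    """Yield (tag, value) for each element of a constructed DER body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        yield tag, val
def inspect_crl(der):
    """Issuer (raw DER Name), CRL Number, Delta CRL Indicator (None for a base CRL). No signature check."""
    fields = list(_children(next(_children(_tlv(der, 0)[1]))[1]))  # tbsCertList members
    fields = fields[1:] if fields[0][0] == 0x02 else fields         # drop optional version INTEGER
    info = {"issuer": fields[1][1], "crl_number": None, "base_crl_number": None}
    for tag, val in fields[3:]:                                     # members after thisUpdate
        if tag == 0xA0:                                             # [0] EXPLICIT crlExtensions
            for _, ext in _children(next(_children(val))[1]):
                parts = list(_children(ext))                        # extnID, [critical], extnValue
                if parts[0][1] in (OID_CRL_NUMBER, OID_DELTA_CRL_INDICATOR):  # extnValue wraps one INTEGER
                    num = int.from_bytes(next(_children(parts[-1][1]))[1], "big")
                    info["crl_number" if parts[0][1] == OID_CRL_NUMBER else "base_crl_number"] = num
    return info

def delta_applies_to(base, delta):
    """RFC 5280 5.2.4 (a),(c),(d): same issuer; delta BaseCRLNumber <= base CRL Number < delta CRL Number."""
    return (base["base_crl_number"] is None and delta["base_crl_number"] is not None
            and base["issuer"] == delta["issuer"]
            and delta["base_crl_number"] <= base["crl_number"] < delta["crl_number"])

# Constructed sample data (not the post's real CRLs): minimal v2 CertificateList with a placeholder signature.
def _der(tag, body):                                     # DER TLV; lengths < 256 suffice for these samples
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body
def _int(v):
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def make_crl(issuer_cn, crl_number, base_crl_number=None):
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))  # sha256WithRSA
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0c, issuer_cn.encode()))))
    exts = _der(0x30, _der(0x06, OID_CRL_NUMBER) + _der(0x04, _int(crl_number)))
    if base_crl_number is not None:                      # Delta CRL Indicator is always critical
        exts += _der(0x30, _der(0x06, OID_DELTA_CRL_INDICATOR) + _der(0x01, b"\xff") + _der(0x04, _int(base_crl_number)))
    tbs = _int(1) + alg + name + _der(0x17, b"130529212600Z") + _der(0x17, b"131128094600Z") + _der(0xA0, _der(0x30, exts))
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))
```

To apply it to a real CDP, pass the raw bytes downloaded from the CRL URL (for example `inspect_crl(open("domainSubCA.crl", "rb").read())`) for both the base and the delta file; a base whose CRL Number is below the delta's indicator, or a delta served where a base is expected, is what this check exposes.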
