We are upgrading the clients to Windows 8.1 with SCCM 2012 and are experience a strange issue with users and computers certificates, the clients both consist of laptops, desktops and hybrids (Lenovo Tablet) and the only client that experiences this problems is the laptop.
There active directory is running windows server 2003 as does the certificate authority with a two tier.
When the client first deploys and goes through the task sequence they both get the certificates installed, user certificate and computer certificate. However during and redeployment of the client were, I suspect, when an certificated already have been issued it can't reenroll once more, except when enforcing it with certutil –pulse in which the certificates gets installed.
As the auto enrollment have worked fine with Windows XP clients, but also works with the desktops and hybrid I have no idée to fix this. I have looked through the certificate authority and controlled all the settings, but I don’t suspect the CA is the issue here since it can reenroll, just on other clients when they are redeployed.
In the CA I can read this error in the event viewer; but the error doesn’t get any more specific.
"The permissions on the certificate template do not allow the current user to enroll for this type of certificate. You do not have permission to request this type of certificate"
Why this does only happened to laptops and not the desktops/hybrids? There is no difference between them either in AD or in CA, not in the task sequence either if someone interested in that, just different standard applications and drivers.
Why does the command certutil -pulse work on the contrary to GPO?
Is this issue even a problem that related to the certificate authority?