In a test environment I have a two-tier ADCS PKI hierarchy (offline root and Enterprise subordinate). I successfully configured computer auto-enrollment for a single Windows 7 client by configuring proper security settings on a template I copied, in conjunction with establishing Group Policy for 'Certificate Services Client - Auto Enrollment Properties.' The template is a copy of Computer saved as v2 (2003), and the client workstation has Read, Enroll, and Autoenroll rights. This worked fine - the first time.
Then I decided I wanted to simulate certificate expiry and automatic re-enrollment. Because my template was initially set for a year, this is obviously too long to wait for a test. I updated my template to have the certificate expire in only 2 hours. I revoked the old certificate on the CA and deleted it from the local certificate store on the client. However, I can no longer automatically enroll for the cert, despite the fact it worked the first time. Certutil -pulse has no effect; rebooting the machine has no effect either. I am completely stuck, unable to re-enroll despite having the same Group Policy and security template settings.
What should I do next to resolve?
Thanks for reading this and any/all feedback.
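As an added diagnostic example (not part of the original post, and not a claimed fix): the script below gathers, from the client side, the state a practitioner would normally check before touching anything on the CA: which machine certificates are present and from which template, the autoenrollment events the client logged after a forced pulse, and whether the client can still resolve the template and reach the enrollment CA. It assumes it is run in an elevated PowerShell session on the Windows 7 client; the template display name is a placeholder to replace.

```powershell
# Added example: client-side auto-enrollment state check. Not from the original post.
# Assumes an elevated PowerShell session on the domain-joined client.
$TemplateName = 'YOUR-TEMPLATE-DISPLAY-NAME'   # placeholder: display name of the copied template

Write-Host '== 1. Machine certificates in LocalMachine\My, with their template =='
# The template is recorded in the Certificate Template Information extension
# (OID 1.3.6.1.4.1.311.21.7) on certificates issued from v2+ templates.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
    $tpl = if ($ext) { $ext.Format($false) } else { '(no template extension)' }
    New-Object PSObject -Property @{
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        Thumbprint = $_.Thumbprint
        Template   = $tpl
    }
} | Select-Object Subject, NotAfter, Thumbprint, Template | Format-Table -AutoSize

Write-Host '== 2. Refresh computer Group Policy and trigger auto-enrollment =='
$pulseStart = Get-Date
gpupdate /target:computer /force | Out-Null
certutil -pulse | Out-Null
Start-Sleep -Seconds 30   # give the AutoEnrollment task a moment to run and log

Write-Host '== 3. Auto-enrollment events logged since the pulse =='
# The client writes its enrollment attempts and failures to the Application log
# under this provider; the Message text carries the template name and error.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment'
    StartTime    = $pulseStart.AddMinutes(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

Write-Host '== 4. Can the client still resolve the template and reach a CA? =='
certutil -Template $TemplateName   # template as the client resolves it from AD
certutil -TCAInfo                  # per-CA reachability and enrollment-server check
```

Read the events in step 3 first: they state which template the client tried and why the request was refused or skipped, which is the shortest route to telling a policy/permission problem apart from a cached-certificate or CA-side one.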