I have come across a deployment where a Windows Server 2012 R2 based two-tier CA is deployed (offline root CA, enterprise sub CA). Both the Root CA and the Sub CA are installed on dedicated physical servers (non-domain controller machines). Windows Server 2012/R2 Standard machines are enrolling for certificates via MMC fine. The machine running the NPS service is also working. But when Windows 7 Pro workstations try to enroll via the MMC console, it shows "RPC server unavailable".
I tried duplicating both the Computer and Workstation templates and tried different compatibility modes (Win2k3/XP, Win2012/Win7, etc.). I double-checked the Security settings for the templates and ensured Domain Computers have READ, ENROLL, AUTOENROLL enabled.
I ran a Wireshark capture to ensure all connections are OK. The capture shows a DCERPC response from the server with Status: nca_s_fault_access_denied.
All servers and workstations are joined to the same AD domain. I am totally lost on how to identify the root cause of why Win7 is failing to enroll but Windows 2012 machines are enrolling successfully.