Affected versions: Windows Server 2019


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution: Primary Fix
  7. Solution: Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Servers do not receive required certificates, breaking TLS services and internal authentication flows.

Environment & Reproduction

AD CS with Windows Server 2019 clients after template or delegation updates.

certutil -pulse
Get-WinEvent -LogName Application -MaxEvents 80 | Where-Object ProviderName -match 'CertificateServicesClient'

Root Cause Analysis

Template permissions or enrollment rights are missing for the computer groups targeted by the autoenrollment GPO.

Quick Triage

Validate GPO autoenrollment settings and template security descriptors.

gpresult /h C:\Temp\pki-gpo.html
certutil -template

Step-by-Step Diagnosis

Confirm that the template ACL includes Read and Enroll for the intended security principals.

Get-CATemplate
certutil -v -template 
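
The ACL check from this step, as an added PowerShell example that is not part of the original page: it evaluates a template's access rules for Read, Enroll and Autoenroll for a given group. The function name, the CONTOSO\Web Servers group and the sample ACEs are constructed; the two GUIDs are the AD extended-right identifiers for Certificate-Enrollment and Certificate-AutoEnrollment.

```powershell
Add-Type -AssemblyName System.DirectoryServices
$EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment
$AutoenrollGuid = [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2'  # Certificate-AutoEnrollment

function Test-TemplateAutoenrollAcl {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Access,     # ACEs read from the template object
        [Parameter(Mandatory)] [string[]] $Principal   # the computer's groups, as DOMAIN\Name
    )
    $allow = @{}; $deny = @{}
    foreach ($ace in $Access) {
        if ($Principal -notcontains [string]$ace.IdentityReference) { continue }
        $rights = [System.DirectoryServices.ActiveDirectoryRights]$ace.ActiveDirectoryRights
        $type   = [guid]$ace.ObjectType
        $hit    = @()
        # Assumption: an unscoped ReadProperty ACE is what the page calls "Read".
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -and
            $type -eq [guid]::Empty) { $hit += 'Read' }
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            # An empty ObjectType on an ExtendedRight ACE covers every extended right.
            if ($type -eq $EnrollGuid     -or $type -eq [guid]::Empty) { $hit += 'Enroll' }
            if ($type -eq $AutoenrollGuid -or $type -eq [guid]::Empty) { $hit += 'Autoenroll' }
        }
        $bucket = if ([string]$ace.AccessControlType -eq 'Deny') { $deny } else { $allow }
        foreach ($h in $hit) { $bucket[$h] = $true }
    }
    $result = [ordered]@{}
    foreach ($right in 'Read', 'Enroll', 'Autoenroll') {
        # A Deny for any matching principal is treated as overriding an Allow.
        $result[$right] = [bool]$allow[$right] -and -not $deny[$right]
    }
    $result['Missing'] = @('Read', 'Enroll', 'Autoenroll' | Where-Object { -not $result[$_] })
    [pscustomobject]$result
}

# Constructed sample ACEs (not real output): the group can Read and Enroll but lacks Autoenroll.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Web Servers'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'GenericRead'; ObjectType = [guid]::Empty }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Web Servers'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ExtendedRight'; ObjectType = $EnrollGuid }
)
Test-TemplateAutoenrollAcl -Access $sample -Principal 'CONTOSO\Web Servers'

# Live use against AD (<TemplateCN> is a placeholder for the template's common name):
# $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext
# $tpl = [ADSI]"LDAP://CN=<TemplateCN>,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
# $acl = @($tpl.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]))
```

Pass every group the affected computer belongs to in -Principal; a non-empty Missing list points at the right that still has to be granted on the template.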

Solution: Primary Fix

Grant required Enroll/Autoenroll rights and trigger policy refresh.

gpupdate /force
certutil -pulse

Solution: Alternative Approaches

Use manual enrollment for critical servers while template ACL updates propagate.

certreq -enroll -machine 

Verification & Acceptance Criteria

The expected certificate appears in the LocalMachine store with a valid chain and private key.

Get-ChildItem Cert:\LocalMachine\My | Select Subject,Thumbprint,NotAfter

Rollback Plan

Restore previous template ACL backup if enrollment scope becomes too broad.

certutil -dstemplate 

Prevention & Hardening

Implement template change review and periodic enrollment audits.

certutil -template > C:\Temp\template-inventory.txt

Related Errors & Cross-Refs

Often coincides with expired enrollment agent certs and CRL distribution issues.

References & Further Reading

Microsoft Learn: AD CS autoenrollment and certificate template permissions.