Unexpected behavior of certificate enrollment

Certificate enrollment may not behave as expected when the Windows certificate template includes unsupported settings.

Issue resolution: Verify the certificate template matches the configuration described in Creating and configuring certificate templates. Specifically, the configuration must not include any of the following unsupported settings.

Tab	Unsupported setting
Extensions	Any key usage combination containing the following key usages: CRL Sign Decipher Only, Encipher Only, Key Agreement, Key Cert Sign
General	Publish certificate in Active Directory
Issuance requirements	CA certificate manager approval
Key Attestation	Required
Request Handling	Archive subject's encryption private key
Server	Do not include revocation information in issued certificates
	Do not store certificates and requests in the CA Database