While testing the Microsoft PKI project in my organisation, I encountered a strange issue: the user's certificate had been revoked and the CRL published, but the client computer was not requesting a new certificate for the user.
pki (en) - B-blog.info
In case you have broken the default Extensions settings (the CDP and AIA publication URLs) of a Microsoft Enterprise Certification Authority, you can check the default settings here. I needed this information when I deleted the LDAP distribution points.
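Restoring the default CDP and AIA entries from the command line, as an added example that is not part of the original post. The URL strings and flag values below are the ones a fresh Windows Server 2012 R2 Enterprise CA ships with, reproduced from memory rather than from this page; compare them against a freshly installed CA before relying on them, and `issued.cer` is a placeholder for any certificate issued by this CA.

```powershell
# Added example (not from the original post): inspect the CA's current CDP/AIA
# extension settings and restore the Enterprise CA defaults after the LDAP
# entries were deleted. Run in an elevated PowerShell prompt on the CA.
# Default strings and flags are reproduced from memory of a fresh
# Windows Server 2012 R2 install; verify against a clean CA before use.

# 1. Show what is configured right now. The multi-string values are printed
#    one entry per line, each prefixed with its numeric option flags.
certutil -getreg CA\CRLPublicationURLs
certutil -getreg CA\CACertPublicationURLs

# Flag bits for CRLPublicationURLs (CDP):
#   1  = publish CRLs to this location
#   2  = include in the CDP extension of issued certificates
#   4  = include in CRLs (clients use this to find delta CRL locations)
#   8  = include in the CDP extension of CRLs
#   64 = publish delta CRLs to this location
$defaultCdp = @(
  '65:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl'
  '79:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10'
  '6:http://%1/CertEnroll/%3%8%9.crl'
  '0:file://%1/CertEnroll/%3%8%9.crl'
) -join '\n'   # certutil turns a literal \n into a new multi-string entry

# Flag bits for CACertPublicationURLs (AIA):
#   1  = publish the CA certificate to this location
#   2  = include in the AIA extension of issued certificates
#   32 = include in the OCSP field of the AIA extension
$defaultAia = @(
  '1:C:\Windows\system32\CertSrv\CertEnroll\%1_%3%4.crt'
  '2:ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11'
  '2:http://%1/CertEnroll/%1_%3%4.crt'
  '0:file://%1/CertEnroll/%1_%3%4.crt'
) -join '\n'

# 2. Write the defaults back. -setreg overwrites the whole value, so add any
#    custom HTTP CDP/AIA entries of your own to the arrays above first.
certutil -setreg CA\CRLPublicationURLs $defaultCdp
certutil -setreg CA\CACertPublicationURLs $defaultAia

# 3. The CA reads these values at start-up; restart it and publish a new CRL
#    so the LDAP CDP container in Active Directory is populated again.
Restart-Service certsvc
certutil -crl

# 4. From a domain-joined client, confirm the LDAP CRL is reachable and the
#    chain still validates (issued.cer is a placeholder).
certutil -urlfetch -verify issued.cer
```

Certificates issued while the LDAP entries were missing carry a CDP extension without the LDAP URL; restoring the registry value does not change them, so only certificates issued after the restart benefit.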
When you have Active Directory Certificate Services (AD CS), your domain users can have certificates used to encrypt and decrypt emails. Your security department may want access to those encrypted emails, so you must provide the user's private key so that the security people can decrypt the messages. This is only possible if the private key was archived on the CA at enrollment time: key archival must be enabled on the certificate template and a Key Recovery Agent (KRA) configured on the CA before the certificate is issued; a key that was never archived cannot be recovered from the CA.
How can you do that?
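The recovery procedure with certutil, as an added example that is not part of the original post. The CA configuration string, the UPN, the serial number and the file paths are placeholders; the recovery blob produced by `-getkey` is still encrypted to the KRA's key, so the last step must run with access to the KRA private key.

```powershell
# Added example (not from the original post): recover an archived private key
# for a user's e-mail encryption certificate from an AD CS Enterprise CA.
# Requires that key archival was configured BEFORE the certificate was
# issued (KRA certificate on the CA, "Archive subject's encryption private
# key" on the template). Steps 1-2 need a CA administrator / certificate
# manager; step 3 needs the KRA's private key.
# All names and values below are placeholders.

$upn      = 'user@corp.example'
$caConfig = 'ca01.corp.example\Corp Issuing CA'   # "<host>\<CA name>"

# 1. List the user's certificates in the CA database. "Key Recovery Agent
#    Hashes" (the column's display name in the CA console) is non-empty only
#    for rows whose private key was archived, so it tells you which
#    certificates are recoverable at all.
certutil -config $caConfig -view -restrict "UPN=$upn" `
    -out 'RequestID,SerialNumber,NotAfter,CertificateTemplate,Key Recovery Agent Hashes'

# 2. Export the recovery blob for the certificate the security team needs.
#    The blob is encrypted to the KRA certificate(s), so this step alone
#    does not expose the user's key.
$serial  = '1a2b3c4d000000000005'            # copy from the -view output
$blob    = "$env:TEMP\$serial.key.bin"
$pfxFile = "$env:TEMP\$serial.pfx"
certutil -config $caConfig -getkey $serial $blob

# 3. As the KRA, decrypt the blob into a password-protected PFX. certutil
#    prompts for the PFX password interactively.
certutil -recoverkey $blob $pfxFile

# 4. Hand the PFX over through a channel the security team controls, then
#    remove the intermediate blob. Turn on the CA's "Archive and retrieve
#    keys" auditing beforehand if you need a record of who recovered what.
Remove-Item $blob
```

Giving the security team the PFX hands them the same key the user holds, so the certificate should be revoked and the user re-enrolled once the investigation no longer needs the old key.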
In some cases you may want to revoke a certificate and then verify on the client computer that the certificate is now invalid.
Because Windows caches CRLs and OCSP responses, the revocation will not be visible on the client until the cached CRL reaches its next-update time or you clear the CRL and OCSP cache.
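Flushing the caches and re-checking the certificate, as an added example that is not part of the original post. `C:\Temp\user.cer` is a placeholder for the revoked certificate exported without its private key; PsExec is assumed to be available for the machine-context step.

```powershell
# Added example (not from the original post): flush the CRL/OCSP caches on a
# Windows client and re-check a certificate's revocation status after the
# CA has published a new CRL. Two caches matter: the URL cache that
# certutil -urlcache manages (per user) and the chain engine's in-memory
# cache, and both exist separately for the machine (SYSTEM) context and for
# the interactive user. Run from an elevated prompt; the path is a placeholder.

$cert = 'C:\Temp\user.cer'

# 1. Delete the cached CRLs and OCSP responses for the current user.
certutil -urlcache crl  delete
certutil -urlcache ocsp delete

# 2. Tell the chain engine to discard cached chains and revocation results,
#    otherwise a chain built a moment ago is simply reused.
certutil -setreg chain\ChainCacheResyncFiletime @now

# 3. When the certificate is used by a service or the computer itself, repeat
#    steps 1 and 2 in the SYSTEM context, for example from a SYSTEM shell
#    started with Sysinternals PsExec:  psexec -s -i cmd.exe

# 4. Fetch the CRL fresh from each CDP and validate. Once the new CRL has
#    been retrieved the output ends with "Certificate is REVOKED"; while the
#    old CRL is still in use it reports that the revocation check passed.
certutil -urlfetch -verify $cert

# 5. Check what the chain engine alone decides (caches, no forced fetch):
#    this is what applications on the client will see right now.
certutil -verify $cert
```

If step 4 still shows the certificate as valid, check the CRL itself (`certutil -urlcache crl` lists the cached copies and `certutil -dump` shows the "Next Update" field): a client will not fetch a new CRL before the cached one expires unless the cache has been cleared.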
If you still have client computers running Windows XP, you might encounter the following error when enrolling a certificate from Active Directory Certificate Services (AD CS) running on Windows Server 2012 R2:
The permissions on this certification authority do not allow the current user to enroll for certificates (you will find this error in the Application event log on the client computer).