CERTSRV_E_ENROLL_DENIED (0X80094011) — CA permissions blocking cert enrollment
Your account doesn't hold the enroll right (shown as "Request Certificates") on the CA itself. 0x80094011 (CERTSRV_E_ENROLL_DENIED) is the CA-level denial; the template-level denial is its sibling 0x80094012 (CERTSRV_E_TEMPLATE_DENIED), and the two are easy to confuse. Fix it by checking the CA security and the certificate template security, usually via the Certification Authority console.
Quick Fix (30 seconds) — Check If You're Even Allowed to Enroll
Before digging into CA settings, rule out the simple stuff. Open a command prompt as admin and run:
certutil -pulse
That only triggers an autoenrollment pass; it does not list CAs. If it errors out, autoenrollment isn't configured by policy or the machine isn't properly domain-joined, and the Application log will carry autoenrollment events explaining why. The real 0x80094011 error usually shows up when you manually request a certificate via the Certificates snap-in, Get-Certificate, or an application.
Also try this from an elevated PowerShell prompt:
Get-Certificate -Template WebServer -DnsName "test.internal" -CertStoreLocation Cert:\LocalMachine\My
Replace WebServer with the template you're using (the template name or its OID). The thrown exception carries the HRESULT: if it's 0x80094011, or its template-level counterpart 0x80094012, move to the moderate fix.
Moderate Fix (5 minutes) — Check the Certificate Template Permissions
What's actually happening here is: the CA itself may allow enrollment, but the specific certificate template you're requesting doesn't have your user or group listed in its security. Enrollment on a template is an explicit Allow: out of the box only Domain Admins and Enterprise Admins get Enroll (Authenticated Users get Read), so an account with no matching Allow Enroll entry is refused. Strictly, a template refusal surfaces as 0x80094012 rather than 0x80094011, so read the message text, but the check is the same either way.
Template ACLs live on the template objects in AD, so you need write access to those objects (Enterprise Admins by default, or a delegated PKI admin), or ask your PKI admin to do this:
- Open the Certification Authority console (certsrv.msc).
- Right-click Certificate Templates (under your CA name) -> Manage. This opens the Certificate Templates console (certtmpl.msc).
- Find the template you're using (e.g., WebServer, User, Computer). Right-click it -> Properties.
- Go to the Security tab.
- Check whether your user account, or a group you're in (such as Domain Users or Domain Computers), has at least Enroll allowed.
- If not, add the user/group and grant Read and Enroll. Don't check Autoenroll unless you need it; that's a separate right.
Click Apply. The change is written to AD, so it has to replicate to the domain controller the CA uses, and the CA then has to reload its template cache; wait up to 15 minutes, or force the reload by restarting the CA service: net stop certsvc && net start certsvc. Try your request again.
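If you would rather see the answer from a script than from the Security tab, the following added example (not code from the original page) reads the template's ACL straight from AD and checks the current token against it. It assumes a domain-joined machine that can read the Configuration partition, and that the template is named by its CN (for example WebServer), not its display name.

```powershell
# Added example; not code from the original page. Reads a certificate template's
# ACL from AD (the same ACL the template's Security tab shows), reports who holds
# Enroll / Autoenroll, then checks the current token against it.
# Assumptions: domain-joined machine with read access to the Configuration
# partition; $TemplateName is the template's CN (e.g. 'WebServer'), not its display name.

function Get-TemplateEnrollAcl {
    param([Parameter(Mandatory)][string]$TemplateName)

    # Extended-right GUIDs from the AD schema (controlAccessRight objects)
    $EnrollGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
    $AutoEnrollGuid = [guid]'a05b8cc2-17bc-00e0-8b49-dd49bbb4d8b0'   # Certificate-AutoEnrollment
    $ExtendedRight  = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $path     = "LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $template = [ADSI]$path
    try   { $null = $template.distinguishedName.Value }
    catch { throw "Template '$TemplateName' not found at $path (use the CN, not the display name)" }

    # GetAccessRules(includeExplicit, includeInherited, identityType)
    $rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        # Enroll and Autoenroll are extended rights keyed by ObjectType GUID
        if (([int]$rule.ActiveDirectoryRights -band $ExtendedRight) -eq 0) { continue }
        $right = $null
        if     ($rule.ObjectType -eq $EnrollGuid)     { $right = 'Enroll' }
        elseif ($rule.ObjectType -eq $AutoEnrollGuid) { $right = 'Autoenroll' }
        elseif ($rule.ObjectType -eq [guid]::Empty)   { $right = 'AllExtendedRights' }  # e.g. Full Control
        if (-not $right) { continue }

        $sid = $rule.IdentityReference
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # orphaned SID; show it raw

        [pscustomobject]@{
            Principal = $name
            Sid       = $sid.Value
            Right     = $right
            Type      = $rule.AccessControlType     # Allow or Deny
            Inherited = $rule.IsInherited
        }
    }
}

function Test-TemplateEnroll {
    param([Parameter(Mandatory)][string]$TemplateName)

    # The CA evaluates the requester's token groups, so compare SIDs rather than names
    $token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })

    $mine    = @(Get-TemplateEnrollAcl -TemplateName $TemplateName |
                 Where-Object { $_.Sid -in $mySids -and $_.Right -in @('Enroll', 'AllExtendedRights') })
    $allowed = @($mine | Where-Object { $_.Type -eq 'Allow' })
    $denied  = @($mine | Where-Object { $_.Type -eq 'Deny'  })

    [pscustomobject]@{
        Template   = $TemplateName
        Principal  = $token.Name
        CanEnroll  = ($denied.Count -eq 0) -and ($allowed.Count -gt 0)   # a Deny ACE wins over any Allow
        AllowedVia = ($allowed.Principal -join ', ')
        DeniedVia  = ($denied.Principal  -join ', ')
    }
}

# Usage: run as the identity that is enrolling. For a computer template run under
# SYSTEM (e.g. psexec -s) so the token is the machine account, not your user.
Get-TemplateEnrollAcl -TemplateName WebServer | Format-Table -AutoSize
Test-TemplateEnroll   -TemplateName WebServer
```

Two caveats on reading the output: a Deny entry for Authenticated Users blocks everyone regardless of the Allow entries, and a freshly edited ACL can look correct here while the CA is still serving its cached copy of the template until the cache reloads.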
Advanced Fix (15+ minutes) — Check CA Security and Certificate Manager Restrictions
If the template permissions look fine and you're still locked out, the CA itself has restrictions. This is common in hardened environments where the PKI admin restricted who can even request certificates from the CA.
- In the Certification Authority MMC, right-click your CA name -> Properties.
- Go to the Security tab.
- Look for your user or group in the top list. If it's not there, click Add.
- For your user/group, check at minimum Read and Request Certificates (that is the CA-level "enroll" right the error is about; Authenticated Users hold it by default). Issue and Manage Certificates and Manage CA are role permissions for certificate managers and CA admins; don't grant them to fix an enrollment problem.
- Also check for a Deny entry for your user/group or for Authenticated Users; a Deny overrides every Allow. Remove it.
Another gotcha: the CA's Security tab also controls who can connect to the CA at all. If your account holds no entry, not even Read, you can't bind to the CA, so the snap-in and certutil fail before a request is ever evaluated. Run this command to verify your access:
certutil -config "CA-SERVER\CA-NAME" -ping
If it returns "Access denied", the CA security is blocking you and you must be added by a CA admin. For any HRESULT you get along the way, certutil -error 0x80094011 (or whichever code you have) prints the message text it corresponds to.
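The CA's security descriptor can also be read and decoded without the console. The added example below (not code from the original page) fetches it through the ICertAdmin2 COM interface, decodes the access-mask bits defined in certadm.h, and checks whether the current token holds Request Certificates. The CA config string is a placeholder; it assumes you hold at least Read on the CA and that DCOM to the CA host is reachable.

```powershell
# Added example; not code from the original page. Reads the CA's own security
# descriptor (what the CA Properties > Security tab displays) through the
# ICertAdmin2 COM interface and decodes the access-mask bits from certadm.h.
# Assumptions: $Config is 'CAHOST\CA Name' (the value used below is a placeholder),
# you hold at least Read on the CA, and DCOM to the CA host is open.

function Get-CASecurity {
    param([Parameter(Mandatory)][string]$Config)

    # CA access-mask bits (certadm.h). 0x200 is the "enroll" right 0x80094011 refers to;
    # certsrv.msc labels it "Request Certificates".
    $CAAccess = [ordered]@{
        0x001 = 'Manage CA'                       # CA_ACCESS_ADMIN
        0x002 = 'Issue and Manage Certificates'   # CA_ACCESS_OFFICER
        0x004 = 'Auditor'                         # CA_ACCESS_AUDITOR
        0x008 = 'Backup Operator'                 # CA_ACCESS_OPERATOR
        0x100 = 'Read'                            # CA_ACCESS_READ
        0x200 = 'Request Certificates'            # CA_ACCESS_ENROLL
    }

    $admin = New-Object -ComObject CertificateAuthority.Admin
    $sddl  = $admin.GetCASecurity($Config)    # ICertAdmin2::GetCASecurity returns the SD in SDDL form
    $sd    = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

    foreach ($ace in $sd.DiscretionaryAcl) {
        # The CA writes plain allow/deny ACEs; skip anything exotic
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $rights = @(foreach ($bit in $CAAccess.Keys) { if ($ace.AccessMask -band $bit) { $CAAccess[$bit] } })
        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Principal = $who
            Sid       = $ace.SecurityIdentifier.Value
            Type      = $ace.AceType                  # AccessAllowed or AccessDenied
            Rights    = ($rights -join ', ')
            Mask      = ('0x{0:X}' -f $ace.AccessMask)
        }
    }
}

function Test-CARequestRight {
    param([Parameter(Mandatory)][string]$Config)

    $token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })

    $mine  = @(Get-CASecurity -Config $Config |
               Where-Object { $_.Sid -in $mySids -and (($_.Rights -split ', ') -contains 'Request Certificates') })
    $allow = @($mine | Where-Object { $_.Type -eq 'AccessAllowed' })
    $deny  = @($mine | Where-Object { $_.Type -eq 'AccessDenied'  })

    [pscustomobject]@{
        CA         = $Config
        Principal  = $token.Name
        CanRequest = ($deny.Count -eq 0) -and ($allow.Count -gt 0)   # Deny beats Allow
        AllowedVia = ($allow.Principal -join ', ')
        DeniedVia  = ($deny.Principal  -join ', ')
    }
}

# Usage; the config string is a placeholder for your own "CAHOST\CA Name"
Get-CASecurity      -Config 'ca01.corp.example\Corp Issuing CA' | Format-Table -AutoSize
Test-CARequestRight -Config 'ca01.corp.example\Corp Issuing CA'
```

This reproduces the access check from the same descriptor the CA enforces, but the CA itself is the authority: if GetCASecurity fails with access denied you are missing Read, which is exactly what the certutil -ping test above reports.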
Real-World Scenario
I've seen this error most often in two situations:
- Windows Server 2019/2022 ADCS: An admin created a new template but forgot to add Domain Computers to its security. Every machine that tried to auto-enroll for a computer certificate got 0x80094011.
- Third-party apps using custom OIDs: A web app requested a certificate with an OID that wasn't in any template. The CA tried to fall back to default template permissions but didn't have them, so it denied the request with this error.
In both cases, the fix was checking the template security, not the CA itself.
Still Stuck? Check Event Logs
The CA logs exactly why it denied enrollment. On the CA server, open Event Viewer -> Windows Logs -> Application and filter on source CertificationAuthority, Event ID 53: "Active Directory Certificate Services denied request N because <reason> <HRESULT>".
The reason text is what tells the two cases apart: "The permissions on this certification authority do not allow the current user to enroll for certificates" (0x80094011) points at the CA Security tab, while "The permissions on the certificate template do not allow the current user to enroll for this type of certificate" (0x80094012) points at the template. If Certification Services auditing is enabled (the CA's Audit tab plus the Audit Certification Services subcategory), the Security log records the same decision as Event ID 4888 (certificate request denied; 4886 is request received and 4887 is certificate issued).
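Pulling those records and sorting them by which permission failed is a short script. The added example below (not code from the original page) queries the CA's Application log for event 53 and maps the HRESULT in each message to the tab you need to open; it assumes it runs on the CA host, or against it with -ComputerName, with rights to read the Application log.

```powershell
# Added example; not code from the original page. Pulls the CA's denial records
# from the Application log (event 53, source CertificationAuthority) and sorts
# each one into CA-level vs template-level by the HRESULT in the message text.
# Assumptions: run on the CA host, or with -ComputerName against it, with rights to
# read its Application log. The code table lists values from certsrv.h.

function Get-CADenials {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$MaxEvents = 100)

    # Where each HRESULT points you (certutil -error <code> prints the same message text)
    $where = @{
        '0x80094011' = 'CA Security tab: Request Certificates (CERTSRV_E_ENROLL_DENIED)'
        '0x80094012' = 'Template Security tab: Enroll (CERTSRV_E_TEMPLATE_DENIED)'
        '0x80094800' = 'Template not published on this CA (CERTSRV_E_UNSUPPORTED_CERT_TYPE)'
    }

    $filter = @{ LogName = 'Application'; Id = 53 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*CertificationAuthority*' } |   # event 53 from other sources is noise
        ForEach-Object {
            $msg  = $_.Message
            $code = $null
            $req  = $null
            if ($msg -match '0x8009[0-9A-Fa-f]{4}') { $code = $Matches[0].ToLower() }
            if ($msg -match 'denied request (\d+)') { $req  = [int]$Matches[1] }
            $hint = if ($code -and $where.ContainsKey($code)) { $where[$code] } else { "other: run certutil -error $code" }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                RequestId = $req
                Code      = $code
                Where     = $hint
                Detail    = ($msg -split "`r?`n")[0]   # first line of the message carries the reason
            }
        }
}

# Usage
Get-CADenials | Format-Table -AutoSize
```

If auditing is on, the same denials appear in the Security log as Event ID 4888 and can be pulled with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4888}; the Application log version is the one that exists on every CA without extra configuration.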
One more thing: the Enrollment Agents tab in CA properties (restricted enrollment agents) only applies to requests signed by an enrollment agent on behalf of another user, such as a smart card enrollment station. If that is your path and the agent isn't permitted for that template and target, the CA rejects the request even though the direct CA and template permissions are correct.