Adding template information to a non-Windows CSR

If you’ve ever tried to issue a certificate from a Windows CA using a CSR that was generated on a non-Windows system, you’ve probably come across the following error: –

The request contains no certificate template information.

0x80094801 (-2146875391)

Denied by Policy Module 0x80094801, The request does not contain a certificate template extension of the CertificateTemplate request attribute.

This is because the Windows CA is expecting some additional information (the CertificateTemplate attribute) in the CSR, which non-Windows systems do not include.

Fortunately, you can add this information to an existing CSR file using the certreq.exe tool, by running the following command on your CA: –

certreq -submit -attrib "CertificateTemplate:WebServer" "mycsr.txt" "mycert.txt"

The parameter substitutions in the above command should be obvious, but to clarify: the "CertificateTemplate" value should name an existing certificate template that your CA is aware of (in many cases, this would just be "WebServer"), and mycsr.txt and mycert.txt are your input CSR file and output certificate file, respectively.

It’s also important to note that you need the appropriate permissions to issue certificates from your chosen certificate template. This includes running the command as an administrator if you have UAC enabled.

Troubleshooting MBAM 2.0 deployment

If you’ve deployed the MBAM 2.0 agent to a workstation, but it’s not prompting the logged-in user to encrypt their drive, there are a couple of things to note.

  • Check the “Reports” node in the MBAM web console – this will give you information as to the cause of the problem (under the “Compliance Status Details” column)
  • If the “Reports” node in the MBAM web console isn’t displaying the machine you’re looking for, you can lower the reporting threshold on the client and rebuild the database cache using the following steps: –
  1. Set HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\ClientWakeupFrequency and HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\StatusReportingFrequency both to “1” (this cannot be set lower than “90” via Group Policy)
  2. Set HKLM\Software\Microsoft\MBAM\NoStartupDelay to “0” (this key will probably not exist unless you’ve manually created it before – it should be a DWORD)
  3. Restart the MBAMAgent service on the client
  4. On the MBAM server, open SQL Management Studio, expand the “SQL Server Agent” node, expand “Jobs” and run the “CreateCache” job
  5. Refresh the MBAM web console and check out the “Reports” node to check the status of the machine
  • If the “Compliance Status Details” column contains “System Partition not available or large enough”, you will need to run the BitLocker drive preparation utility as follows: –

    • %windir%\System32\bdehdcfg.exe -target default -size 350
  • Be sure to restart the machine after running this utility and then follow the above steps again to force the client to report in and rebuild the database cache
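Steps 1 to 3 above, as an added PowerShell example (not from the original post): it writes the registry values named in the post as REG_DWORDs, creating the keys where they are missing, restarts the MBAMAgent service, and includes a function to undo the change afterwards. The function names are my own; it assumes an elevated PowerShell session on the MBAM 2.0 client.

```powershell
# Added example, not part of the original post. Assumes an elevated session on the client.
#Requires -RunAsAdministrator

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$AgentKey  = 'HKLM:\SOFTWARE\Microsoft\MBAM'

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the key if it does not exist (the MBAM key usually will not), then write a REG_DWORD.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Enable-MbamFastReporting {
    # Step 1: drop both frequencies to 1 (Group Policy will not go below 90).
    Set-DwordValue -Path $PolicyKey -Name 'ClientWakeupFrequency'    -Value 1
    Set-DwordValue -Path $PolicyKey -Name 'StatusReportingFrequency' -Value 1
    # Step 2: NoStartupDelay as a DWORD, created if absent.
    Set-DwordValue -Path $AgentKey -Name 'NoStartupDelay' -Value 0
    # Step 3: restart the agent so it picks the new values up.
    Restart-Service -Name 'MBAMAgent' -Force
}

function Disable-MbamFastReporting {
    param([int]$Frequency = 90)
    # Restore the frequencies (pass whatever your GPO normally sets; 90 is the GPO minimum)
    # and remove the NoStartupDelay override, then restart the agent again.
    Set-DwordValue -Path $PolicyKey -Name 'ClientWakeupFrequency'    -Value $Frequency
    Set-DwordValue -Path $PolicyKey -Name 'StatusReportingFrequency' -Value $Frequency
    Remove-ItemProperty -Path $AgentKey -Name 'NoStartupDelay' -ErrorAction SilentlyContinue
    Restart-Service -Name 'MBAMAgent' -Force
}

Enable-MbamFastReporting
# Show what was written so the change can be confirmed before running the CreateCache job.
Get-ItemProperty -Path $PolicyKey | Select-Object ClientWakeupFrequency, StatusReportingFrequency
Get-ItemProperty -Path $AgentKey  | Select-Object NoStartupDelay
```

Run Disable-MbamFastReporting once the machine shows up in the "Reports" node, so the client is not left reporting at the lowered interval.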