Hello Ryan
Thanks for posting, I have set up but have very odd behaviour when it comes to choosing a template to enrol from. I have been using AD and AD CS for years so I am very familiar with this, but never set up CES/CEP before (hence found your post).
On the Windows 10 client, a brand new installation of Windows (standalone, e.g. workgroup computer), I set up the 'Enrollment Policy' using an AD user name ABCUSER.
I duplicated the 'computer' template on the CA and gave ABCUSER 'read' and 'enrol' rights to the template. I then published the template on the CA.
When I run through the 'Request a Certificates' wizard using the certlm.msc utility, it displays the 'IPSec (offline request)' template as being available for enrollment. The thing is, the user ABCUSER has no rights to the template (authenticated users have no rights to the template) and ABCUSER is not listed at all. The only rights to the template are for Domain Admins.
Therefore I am at a complete loss (cleared the cache and rebooted several times) as to why the 'IPSec (offline request)' template is showing up at all and why the duplicated computer template I created is not showing at all, even though ABCUSER has read, enroll and auto-enrol rights to this template.
Any advice most welcome please 🙂