Originally, I set up an ADCS server as an Enterprise Root CA. Automatic certificate enrollment was enabled via a GPO and computers were automatically assigned certificates. The more I learned about ADCS this year, the more uncomfortable I became with this configuration from a security perspective.

I added an intermediate SubCA recently which was configured to use the Computer template. I removed the Computer template (and all other templates except for the SubCA template) from the Enterprise Root. Then I revoked all of the computer certificates on the Enterprise Root CA. I figured they would all just re-enroll automatically on the SubCA (I'm using a GPO to enable this) but that is not what happened. They are not re-enrolling. 

I confirmed that I am able to issue Computer certificates from the SubCA manually using MMC and the Certificates snap-in. I discovered how to remove the old, revoked certificates from the clients with PowerShell but the Get-Certificate applet is simply not working so I cannot issue new certificates from the SubCA. If I have to, I can manually assign new Computer certificates but there has got to be an easier way to do this (I was counting on the automatic certificate enrollment option). 

Ideally, I just want the computers to automatically obtain new certificates from the new SubCA. My hypothesis that the computers would simply re-enroll on the SubCA after their certificates were revoked proved to be incorrect but I cannot understand why. I've been researching this for about a week now and cannot figure out what I am missing so am hoping one of you may be able to offer some insight.