I was working on a SCEP deployment that day, and I didn't want to use the default certificate templates, so I created my own certificate templates for the signing and encrypting operations needed by the SCEP server in order to support Device Enrollment.
I created my new template, I published it on the CA, I went to the SCEP server, requested a certificate from that template and guess what! I got this error: "The requested certificate template is not supported by this CA" (Error 0x80094800).
Well, after some research, I found out that the CA server will cache the templates it supports and will update the cache every 10-15 min, depending on whether the CA is installed on the DC or not.
From the Microsoft Support article: "This behavior may occur if the certificate enrollment request is using a recently-created certificate template. When a new template is added to the CA, the HKEY_CURRENT_USER cache is immediately updated but the HKEY_LOCAL_MACHINE cache is not immediately updated. The HKEY_LOCAL_MACHINE cache is updated in the next 15 minutes if the CA or the domain controller are on the same computer, and in the next 10 minutes if the CA or the domain controller are in a distributed configuration."
If you want to clear the cache, some registry modifications are needed. More details in Microsoft KB 281260.
Another very common cause of this error is that the CA is not able to read the template object in Active Directory; this is often because the Authenticated Users group has been removed from the template's ACL. To solve this without re-adding Authenticated Users, you can grant the computer account of your CA Read permission on that specific template.
If neither of the above applies, make sure the template is listed in the "Certificate Templates to Issue" list of your CA and that the template object has replicated throughout your Active Directory.
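The three checks above (template published in AD, readable by the CA, and in the CA's issue list) can be run in one go. This is an added example, not from the original post; it assumes it is run on the CA itself with the ActiveDirectory PowerShell module available, and that the template is identified by its CN (the "Template name", not the display name). Clearing the HKLM template cache per KB 281260 is deliberately left out.

```powershell
# Diagnose error 0x80094800 for one template: published? readable by the CA? in the issue list?
# Assumption: run on the CA host, ActiveDirectory module installed, $TemplateName is the template CN.
param([Parameter(Mandatory)][string]$TemplateName)

Import-Module ActiveDirectory -ErrorAction Stop

$configNC   = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$searchBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# 1. Is the template object present in the Configuration partition this CA reads from?
$tpl = Get-ADObject -SearchBase $searchBase -Filter "cn -eq '$TemplateName'"
if (-not $tpl) {
    Write-Warning "Template '$TemplateName' not found under $searchBase (not published or not yet replicated)."
    return
}
Write-Host "[OK] Template object found: $($tpl.DistinguishedName)"

# 2. Can this CA read it? Either Authenticated Users or the CA computer account needs ReadProperty.
# Assumption: the CA runs under this machine's computer account (DOMAIN\HOSTNAME$).
$caAccount = "$env:USERDOMAIN\$env:COMPUTERNAME$"
$acl       = Get-Acl -Path "AD:\$($tpl.DistinguishedName)"
$readRight = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$readers   = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $readRight) -eq $readRight) -and
    ($_.IdentityReference.Value -in @('NT AUTHORITY\Authenticated Users', $caAccount))
}
if ($readers) {
    Write-Host "[OK] Read granted to: $(($readers.IdentityReference.Value | Sort-Object -Unique) -join ', ')"
} else {
    Write-Warning "Neither Authenticated Users nor $caAccount has Read on the template; the CA cannot load it."
}

# 3. Is it in this CA's "Certificate Templates to Issue" list? certutil prints one 'Name: Display...' line per template.
$issued = certutil -CATemplates
if ($issued -match "^$([regex]::Escape($TemplateName)):") {
    Write-Host "[OK] Template is in the CA's issue list."
} else {
    Write-Warning "Template is not in the CA's issue list; add it via certsrv.msc or 'certutil -SetCATemplates +$TemplateName'."
}
Write-Host "Note: after a change, the CA's HKLM template cache refreshes within the 10-15 min window described above."
```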