Issue
Using the Skype for Business Server Deployment Wizard, when requesting a new certificate based on a custom template, the task fails with “Command execution failed: Denied by Policy Module”.
I am specifying a custom template called SfB_Template, this template was created to provide 5 year validity certificates to Skype for Business Servers.
Investigation
Using the Certification Authority MMC, under Failed Requests, there is an entry that corresponds with the “Denied by Policy Module” error:
Request ID: 148
Request Status Code: The permissions on the certificate template do not allow the current user to enroll for this type of certificate. 0x80094012 (-2146877422 CERTSRV_E_TEMPLATE_DENIED).
Request Disposition Message: Denied by Policy Module
Resolution
Back to the Certificate Authority MMC, edit the permissions on the Certificate Template (SfB_Template) to give the account requesting the certificate the permissions required to do so.
Here I have given the CsAdministrator full permissions to perform this task:
The certificate can now be successfully requested and issued.