Channel: Directory Services forum

ADCS: Autoenroll working for users, not computers (RPC unavailable)


Hello

I have a working enterprise CA setup in my domain. I am trying to get auto enrollment working, which I have for users, but not for workstations.

I have a test workstation in a test OU, which has the following GPO settings applied

Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client - Auto-Enrollment

In the same GPO, under Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings, this is empty.

On my issuing CA, I have a 'Workstation Authentication' template with security set for 'Domain Computers' for Read, Enroll & Autoenroll.

When my test GPO hits my test workstation (I can confirm with gpresult that the policy has applied) and I then run "gpupdate /force", I see in Event Viewer

There are lots of similar discussions online about RPC unavailable and I have read most. Below is what I have double-checked:

  1. AD group "Certificate Service DCOM Access" has 'authenticated users' in it
  2. certutil -ping <IssuingCaName> works when run in user context
  3. certutil -ping <IssuingCaName> returns RPC error when run in workstation context
  4. nltest /sc_verify:domain completes successfully on the workstation
  5. dcomcnfg has the correct permissions according to https://social.technet.microsoft.com/Forums/windowsserver/en-US/f3de8600-cf4e-4a39-a42e-7f929e1b8d6d/certificate-enrollment-the-rpc-server-is-unavailable?forum=windowsserver2008r2general

This appears to be a permissions issue for workstation accounts contacting the Issuing CA. The issue affects both Win 10 and Win 7 workstations, although Win 7 does get a little further in that Event Viewer shows (in chronological order)...

Event 65: Certificate Enrollment for Local system is successfully authenticated by policy server
Event 64: Certificate Enrollment for Local system successfully load policy from policy server
Event 13: (same as Windows 10 workstation screenshot above)
Event 6: (same as Windows 10 workstation screenshot above)

I feel I'm missing something obvious, but can someone point me to what it is?

Thanks in advance.

