We have Certificate Services deployed in our 2008 R2 AD infrastructure. We have a GPO set up in limited production that allows workstations and servers to request certs via a custom template. All servers and most workstations have only requested one cert, but I have a few workstations that have requested multiple certs and I can't figure out why. Many of the workstations with multiple certs have only two, but I have one that currently has 12. All workstations are subject to the same GPO and cert template, the name and display name for the template are identical, certs are published in AD, and the "do not automatically reenroll" option is selected in the template. GPO settings are listed below. What am I missing?
Automatic cert management: Enabled
Enroll new, renew expired, etc.: Enabled
Update and manage certs that use templates from AD: Enabled