

I would suspect that there is a TLS protocol mismatch between client and server. Make sure that TLS 1.2 is enabled on your Windows Server 2012 R2 box.

Why would you renew an expired CA? BTW, you cannot renew an expired CA; you will have to rebuild the CA from scratch.

Does the custom template build the subject from AD? In addition, I would configure autoenrollment debug logging:

 certutil -setreg enroll\AEEventLogLevel 0

then call certutil -pulse and look for events in the Application event log. When logging is no longer required, delete the entry:

 certutil -delreg enroll\AEEventLogLevel

We should have users decrypt files before we revoke the EFS certificates.

They aren't required to decrypt files. The decryption process doesn't involve checking the certificate for validity/revocation.

Right, if you renew CAs with a new key pair, then you have to renew client certificates in order to use the new CA certificate. However, it is OK to use existing client certificates while the CA certs are still valid.

Thanks, I'm satisfied with this response and the confirmation that there is a problem in Microsoft's implementation of [MS-WCCE].

Does this mean the receiver needs to buy a public CA cert for someone to send encrypted mail to them, but the sender does not need to buy any public CA cert?

In general, this is correct.

Any update?

Are you primarily waiting for confirmation on the behavior and whether the document needs updating?

Yes, a confirmation on the behavior and an indication of whether the problem is in the docs or in the Microsoft products that implement the protocol.

Now, you need to renew your CA certificate, preferably with a new key pair, so the problem is more evident:

 certutil -renewCert

then you can execute the PowerShell commands from my listings (changing the configuration string to your own).

I've emailed you (and the doc help alias) with details on how to set up a repro environment.

Are these domains part of the same AD forest or not?

Is it possible for SCCM in Domain A to issue a cert to a client?

SCCM does not issue certificates to clients.

I think it would be easier to deploy a subordinate CA in Domain B. However, it may not be very practical either, depending on whether Domain B clients can reach the CDP/AIA (CRL) endpoints. If they can't, then it would be more reasonable for Domain B to have their own CA tree.

Can't the SCCM team just add Domain B's current CA and Sub CA to the SCCM server certificate store?

No, because they most likely need to issue SCCM client authentication certificates for non-domain machines. As I said, SCCM does not issue certificates; they need to have a CA.

Either way, you both (you and the SCCM team) need to have a clear understanding of what you need, and then, depending on your exact needs, you will have to evaluate your existing CA configurations (especially the CDP and AIA endpoints) and AD forest trusts; only then can you define an acceptable solution. Currently, the description is vague and there are too many unknown inputs.

Thanks for the confirmation. I will accept this response as the answer when the docs are updated.

I can't understand why you want to remove the previous CA certificate. It is not officially supported.