Currently, we are using a Gemalto IDPrime .NET card at pre-boot and we are moving to a Gemalto IDPrime MD830B card.

For each new user, I add them to a PAR, enable UDP, and then run the DE and LDAP server tasks.  Generally, it is working well.  I do, though, have two issues.

Issue 1:

I am having a problem with two users.  No matter what I do, they continue to get the "Not a Suitable Card" error at PBA.  I have validated multiple times they are in the PAR, their account is not disabled, they can log into Windows, their certificate is published in AD, and that non-standard UBP is enforced.  We've replaced the card for one user and the problem remains.  What am I missing?

Issue 2:

We are going to be moving a lot of users to the new card in the next couple of months.  We are getting their certificates auto-published into AD so that minimizes user interaction.  I still have the problem of having to set their UBP to non-standard.  Is there a way to automate this or script it or something?  It will become quite cumbersome to have to do this by hand for 300+ users.  Any advice you can provide would be greatly appreciated.