We have a Windows 2008 R2 server running a standalone CA (certificate authority) and web enrollment, so the users access the http://[server-name]/certsrv website to request certificates. The Advanced Certificate Request form (/certsrv/certrqma.asp) allows requesting a certificate with the "Mark keys as exportable" checkbox.
See picture: https://dl.dropboxusercontent.com/u/3724852/web-enroll.png
I'm wondering if there is a way from the CA to determine whether the user checked the "Mark keys as exportable" option. For example, from the CA Pending Requests list:
See picture: https://dl.dropboxusercontent.com/u/3724852/ca_pending_requests.png
Our goal is to deny the "Mark keys as exportable" requests, so that the user does not export the certificate and install it on another computer.
Why don't you just disable the "Allow Private Key to be Exported" option on this specific template? Then, no one can even select that option. Seems like doing that would solve your larger issue.
Like MDMarra said - it's none of the CA's business how the client handles their keys, so the fix is going to have to be at the stage where the user generates their key.