Corrected AD CS certificate template guidance
This document addresses a specific correction made to a how-to document to prevent unintended AD CS certificate enrollment due to broad permissions.
Severity: Moderate
Corrected document: AD CS guidance document
Correction date: December 05, 2025
Reported by: Martin Sohn Christensen from SpecterOps
What is this correction about?
This advisory corrects earlier steps in the AD CS guidance document, which had suggested duplicating the default user certificate template in Active Directory Certificate Services. We recognized this as a misconfiguration that could grant enrollment permissions to broad groups and may allow unintended users to request certificates. The guidance document has therefore been updated with the correct configurations.
What is required of me?
If you implemented certificate templates based on earlier versions of the AD CS guidance document, please review all certificates and ensure enrollment permissions are restricted to only the required users and groups. Refer here for more.
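One way to run this review is the PowerShell audit below, which lists every certificate template whose ACL grants Enroll or AutoEnroll to a broad group. It is an added example, not part of the original advisory or the vendor's tooling. The choice of which principals count as broad (Everyone, Authenticated Users, Domain Users, Domain Computers) and the function name Get-BroadPrincipalName are assumptions.

```powershell
# Added example: flag AD CS certificate templates whose ACL lets a broad
# group enroll. Requires the RSAT ActiveDirectory module and read access
# to the forest Configuration partition.
Import-Module ActiveDirectory

# Extended-right GUIDs that control certificate enrollment
$EnrollRights = @{
    '0e10c968-78fb-11d2-90d4-00c04f79dc55' = 'Enroll'
    'a05b8cc2-17bc-4802-a710-e7c15ab866a2' = 'AutoEnroll'
}

# Assumption: which principals count as "broad". Adjust to your environment.
function Get-BroadPrincipalName([string]$Sid) {
    switch -Regex ($Sid) {
        '^S-1-1-0$'         { return 'Everyone' }
        '^S-1-5-11$'        { return 'Authenticated Users' }
        '^S-1-5-21-.+-513$' { return 'Domain Users' }
        '^S-1-5-21-.+-515$' { return 'Domain Computers' }
    }
}

$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$sidType  = [System.Security.Principal.SecurityIdentifier]

$templates = Get-ADObject -SearchBase $base -SearchScope OneLevel `
    -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties displayName, nTSecurityDescriptor

$findings = foreach ($tpl in $templates) {
    # Explicit and inherited ACEs, with identities returned as SIDs
    foreach ($ace in $tpl.nTSecurityDescriptor.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ($ace.ActiveDirectoryRights -band $extended)) { continue }
        $who = Get-BroadPrincipalName $ace.IdentityReference.Value
        if (-not $who) { continue }
        # An empty ObjectType means the ACE grants every extended right
        $right = if ($ace.ObjectType -eq [Guid]::Empty) { 'All extended rights' } else {
            $EnrollRights[$ace.ObjectType.ToString()]
        }
        if ($right) {
            [pscustomobject]@{ Template = $tpl.Name; Principal = $who; Right = $right }
        }
    }
}
$findings | Sort-Object Template, Principal | Format-Table -AutoSize
```

Each row is a template to review. The script does not evaluate Deny ACEs or whether a template is published on a CA.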
For any further questions or concerns about this, please write to our support team.