CA Certificate Template: Restrict Enrollment
N/A (CA configuration) DefaultVaries by template RecommendedRequire manager approval on sensitive templates CA certificate templates should require manager approval for sensitive templates. Prevents unauthorized issuance (ESC1/ESC4 attacks).
- Policy path
- Computer Configuration > Windows Settings > Security Settings > Public Key Policies
- Supported on
- Windows 10, Windows 11, Windows Server 2016 and later
N/A (CA configuration) DefaultVaries by template RecommendedRequire manager approval on sensitive templates CA certificate templates should require manager approval for sensitive templates. Prevents unauthorized issuance (ESC1/ESC4 attacks).
Description
CA Certificate Template: Restrict Enrollment is a Windows Group Policy setting located under Computer Configuration > Windows Settings > Security Settings > Public Key Policies. It applies to the Computer Configuration branch and is classified as a Critical-level policy in the Certificate Services & PKI category.
N/A (CA configuration) DefaultVaries by template RecommendedRequire manager approval on sensitive templates CA certificate templates should require manager approval for sensitive templates. Prevents unauthorized issuance (ESC1/ESC4 attacks).
In-depth explanation
This is a critical security control. Misconfiguration creates an exploitable attack path that adversaries actively scan for, and a single overlooked endpoint can compromise the entire fleet. Treat it as a hard baseline requirement rather than an optional tuning knob.
The policy is grouped under Certificate Services & PKI, which means it is typically applied through a domain-wide GPO linked at the OU level. In a multi-tenant MSP context, scope it through WMI filters or security group filtering rather than linking at the domain root, so that you can roll out progressively (pilot OU → wider rings → all production).
The setting takes effect after the next Group Policy refresh (gpupdate /force for immediate testing, or by default within ~90 minutes for workstations and ~5 minutes on domain controllers). For computer-side policies a reboot may be required; for user-side policies, a sign-off/sign-on cycle is enough.
Use cases
- Apply organization-wide hardening of certificate services & pki on all domain-joined Windows endpoints.
- Roll out a CIS Benchmark-aligned baseline targeting 'CA Certificate Template: Restrict Enrollment' via a dedicated GPO.
- Reduce attack surface for accounts that handle privileged credentials or sensitive data.
- Standardize the configuration across multiple customer tenants for an MSP-managed fleet.
Security implications
Failing to enforce this policy creates a documented attack path that adversaries actively probe – think Pass-the-Hash, Kerberoasting, NTLM relay, RDP brute-force, LSASS dumping, or token impersonation, depending on the specific control. A single misconfigured endpoint can be enough to pivot to a Domain Admin compromise.
If this policy must remain at default for a legitimate compatibility reason, compensate with a strong detection rule in your EDR/SIEM, isolate the endpoint in its own VLAN, and document the exception with a target remediation date.
How to configure
- Open Group Policy Management Console (
gpmc.msc) on a domain controller or a workstation with RSAT installed. - Create or edit a GPO linked to the OU containing the target computer configurations. We recommend a dedicated baseline GPO (e.g. SEC – Certificate Services & PKI) instead of editing Default Domain Policy.
- Navigate to
Computer Configuration > Windows Settings > Security Settings > Public Key Policies. - Open CA Certificate Template: Restrict Enrollment and set it to
the value recommended by the latest CIS Benchmark for your Windows version. - Click OK and close the editor.
- On the target endpoint, run
gpupdate /force(or wait for the next refresh cycle), then verify withrsop.mscorgpresult /h report.html.