Windows Certificate Authority Server runaway issuing certs

In our environment, we have a Windows Certificate Authority server. We've distributed our CA to our folks, and generated some certificates with CSRs for internal websites. That works great. We tried to configure a GPO for our VMs to install the CA and also request and install an RDP certificate. I've followed some guides online, and I'm finding after about a month the server has just been nonstop issuing certificates. Every few minutes it seems. I now have well over 30,000 certificates issues when our environment only has 200 VMs. Has anyone seen this before? Is there anything I can check? I included some screenshots of the GPO we've configured. enter image description here

enter image description here

Solution 1:

Just for the sake of posting the confirmed solution (I was suspecting on).

If you deploy RDS/RDP certificates using new dedicated RDS certificate deployment GPO, then you *MUST NOT* enable Autoenroll permissions on certificate template. GPO mechanism implements its own renewal process and goes into a conflict with Windows Certificate Autoenrollment mechanism.

How to stop app engine instance with API?

veth does not respond to other veth ping requests on same bridge

Error with GCP's KMS with gcloud command line: cryptography.hazmat.primitives.keywrap has no aes_key_wrap_with_padding attribute

The "least bad" settings for Chrony as the NTP server on a virtual machine

Domain is reporting incorrect Name Server information

Show full hostname in bash?

Are managed databases (e.g. Amazon RDS) slower to access than database in the same machine (EC2) as web server

Why most services use non-root account could create logfile in /var/log?

Delete old windows print jobs

Debian - Postfix rejecting user (User unknown in local recipient table (in reply to RCPT TO command))

Is there a keyboard shortcut to start a screensaver?

How to disable blinking caret when editing text in OS X?