Windows Certificate Authority Server runaway issuing certs
In our environment, we have a Windows Certificate Authority server. We've distributed our CA to our folks, and generated some certificates with CSRs for internal websites. That works great. We tried to configure a GPO for our VMs to install the CA and also request and install an RDP certificate. I've followed some guides online, and I'm finding after about a month the server has just been nonstop issuing certificates. Every few minutes it seems. I now have well over 30,000 certificates issues when our environment only has 200 VMs. Has anyone seen this before? Is there anything I can check? I included some screenshots of the GPO we've configured.
Solution 1:
Just for the sake of posting the confirmed solution (I was suspecting on).
If you deploy RDS/RDP certificates using new dedicated RDS certificate deployment GPO, then you *MUST NOT* enable Autoenroll
permissions on certificate template. GPO mechanism implements its own renewal process and goes into a conflict with Windows Certificate Autoenrollment mechanism.