My company is reviewing security vulnerabilities, and this certificate (specifically, the IIS certificate), comes back as vulnerable because the subject name is supplied in the request. I'm wondering if this option can be replaced with using the option to build the subject name from AD, as long as it includes the fully distinguished name DNS name for the SAN.
Prevent users to request a certificate valid for arbitrary users based on the certificate template (ESC1) - Microsoft Defender for Identity | Microsoft Learn
I understand that it may cause issues if you're doing IBCM, but we have DirectAccess and clients are encouraged to use FQDN wherever possible (to enforce Kerberos), so I'm just curious if I can have the certificate configured as I described, or should I just enable manager approval?
