MC685930 - Microsoft Secure Score - New Microsoft Defender for Identity recommendations

Message Center

This announcement expired on Apr 8, 2024 and is no longer active in Message Center.

Service: Microsoft Defender XDR

Last Updated: Feb 2, 2024

Published: Oct 30, 2023

Tags: Updated message, Feature update, Admin impact

More information

Updated February 2, 2024: We have updated the rollout timeline below. Thank you for your patience. 

We’re updating Microsoft Secure Score improvement actions to ensure a more accurate representation of security posture.

The improvement actions listed below will be added to Microsoft Secure Score. Your score will be updated accordingly.

When this will happen:

Rollout will begin in mid-November 2023 and is expected to be complete by early March 2024 (previously late January).

How this will affect your organization:

The following new Microsoft Defender for Identity recommendations will be added as Microsoft Secure Score improvement actions:

  • Prevent users to request a certificate valid for arbitrary users based on the certificate template (ESC1)
  • Edit overly permissive Certificate Template with privileged EKU (Any purpose EKU or No EKU) (ESC2)
  • Edit misconfigured enrollment agent certificate template (ESC3)
  • Edit misconfigured certificate templates ACL (ESC4)
  • Edit misconfigured certificate templates owner (ESC4)
  • Edit vulnerable Certificate Authority setting (ESC6)
  • Edit misconfigured Certificate Authority ACL (ESC7)
  • Enforce encryption for RPC certificate enrollment interface (ESC8)

These are new security posture reports related to Active Directory Certificate Services (AD CS) that analyze the configurations of different AD CS components and guide remediation, if necessary.

What you need to do to prepare:

There's no action needed to prepare for this change; your score will be updated accordingly. Microsoft recommends reviewing the improvement actions listed in Microsoft Secure Score. We will continue to add suggested security improvement actions on an ongoing basis.