So I am not sure if this is a bug, but when I run Locksmith it reports:
ESC11 - IF_ENFORCEENCRYPTICERTREQUEST Flag Disabled
but the flag is enabled per below.
certutil -getreg CA\InterfaceFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Runners-CA\InterfaceFlags:
InterfaceFlags REG_DWORD = 241 (577)
IF_LOCKICERTREQUEST -- 1
IF_NOREMOTEICERTADMINBACKUP -- 40 (64)
IF_ENFORCEENCRYPTICERTREQUEST -- 200 (512)
CertUtil: -getreg command completed successfully.
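
An added example, not part of the original post and not Locksmith's own code: a Python parser for saved `certutil -getreg CA\InterfaceFlags` output that decodes the bitmask independently and reports whether the ESC11 bit (0x200) is set. The function names are hypothetical, the flag table is taken from the `IF_*` constants certutil prints, and the sample is the output quoted above.

```python
import re

# IF_* bit values as used by certutil when it decodes InterfaceFlags.
INTERFACE_FLAGS = {
    0x0001: "IF_LOCKICERTREQUEST",
    0x0002: "IF_NOREMOTEICERTREQUEST",
    0x0004: "IF_NOLOCALICERTREQUEST",
    0x0008: "IF_NORPCICERTREQUEST",
    0x0010: "IF_NOREMOTEICERTADMIN",
    0x0020: "IF_NOLOCALICERTADMIN",
    0x0040: "IF_NOREMOTEICERTADMINBACKUP",
    0x0080: "IF_NOLOCALICERTADMINBACKUP",
    0x0100: "IF_NOSNAPSHOTBACKUP",
    0x0200: "IF_ENFORCEENCRYPTICERTREQUEST",
    0x0400: "IF_ENFORCEENCRYPTICERTADMIN",
    0x0800: "IF_ENABLEEXITKEYRETRIEVAL",
    0x1000: "IF_ENABLEADMINASAUDITOR",
}
ESC11_FLAG = 0x0200  # IF_ENFORCEENCRYPTICERTREQUEST

# Sample input: the certutil output quoted in the post above.
SAMPLE = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\Runners-CA\InterfaceFlags:
InterfaceFlags REG_DWORD = 241 (577)
IF_LOCKICERTREQUEST -- 1
IF_NOREMOTEICERTADMINBACKUP -- 40 (64)
IF_ENFORCEENCRYPTICERTREQUEST -- 200 (512)
CertUtil: -getreg command completed successfully.
"""

def parse_interface_flags(text):
    # certutil prints the DWORD as hex followed by decimal in parentheses.
    m = re.search(r"InterfaceFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)\s*\((\d+)\)", text)
    if not m:
        raise ValueError("no InterfaceFlags REG_DWORD line found")
    value = int(m.group(1), 16)
    if value != int(m.group(2)):
        raise ValueError("hex and decimal forms disagree; output may be altered")
    listed = set(re.findall(r"^\s*(IF_[A-Z]+)\s+--", text, re.M))
    return value, listed

def esc11_report(text):
    value, listed = parse_interface_flags(text)
    decoded = {name for bit, name in INTERFACE_FLAGS.items() if value & bit}
    return {
        "value": value,
        "flags": sorted(decoded),
        "encryption_enforced": bool(value & ESC11_FLAG),
        "matches_certutil_listing": decoded == listed,
    }
```

For the quoted output, `esc11_report(SAMPLE)` shows `encryption_enforced` as `True`, consistent with the flag list certutil printed.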