Encryption Reading Time: 3 minutes

Fixing “Denied by Policy Module” Error

This blog post covers how to resolve a common misconfiguration of a Template that causes a Denied by Policy Module error when issuing certificates. The error may range from

  • Permission denied in MMC console.
  • The Template does not appear on the web Enrollment page.
  • While issuing certificates from cmd, it throws an error of permission denied.

This blog will cover two phases, Problem Diagnosis and Problem Resolution.

Problem Diagnosis

Perform the following steps to troubleshoot the error, just ensure you have enterprise admin rights for these steps.

  1. Run the certutil command to get the config value.

    Run command to get config file
  2. Replace the config value obtained in the following command

    certutil -config “{config}” -cainfo templates

    present you with all the templates available on this CA

    This will present you with all the templates available on this Certification Authority. This data is pulled from the domain controller, and so is the data that is displayed to the users.

    Note: If you don’t see your template, navigate to “certsrv.msc” and issue a new template.

  3. To check the permissions on the concerned template, run the following command-

    certutil -v -template {Template Name}

    Check the permissions on the concerned template

    If you can’t find the concerned user here with the required enroll permissions, the concerned user needs to be granted enroll permission by following the steps in the Resolution part.

    Note: If you just made the change, please wait a couple of minutes for the domain controllers to sync.


Step-by-step process to resolve the issue found in the diagnosis phase, please follow the steps:

  1. Open Certificate Authority and right-click on Certificate Templates, and choose Manage.

    Open CA and choose manage
  2. Find the concerned Certificate Template, right-click, and choose Properties

    find the concerned Certificate Template
  3. Navigate to the Security tab, and click Add

    Navigate to the Security tab and click add
  4. Provide appropriate permissions to the user. Click Apply and exit.

  5. This should add the user with appropriate permissions. Run diagnostic steps again to ensure no errors are encountered.


“Denied by Policy” errors often stem from elusive misconfigurations in system settings and policies. It needs a thorough grasp of authorization, authentication, and access control systems to identify these problems. The difficulty comes from the intricacy of dynamic rules and procedures as well as the possibility of human error. Maintaining a good security posture requires regular audits, automated configuration tools, and thorough administrator training to mitigate such failures.

Encryption consulting can help organizations to remain safe from such misconfigurations. With a strong focus on Encryption Advisory services and decades of consulting expertise, Encryption Consulting offers a range of cryptographic solutions. Among these, PKI as a Service (PKIaaS) stands out, providing round-the-clock support to clients for any issues related to their PKI environment. This comprehensive approach enhances security, ensuring organizations remain resilient against potential misconfigurations in their encryption setups.


Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.


About the Author

Akashdeep Kashyap is a cybersecurity enthusiast who views the field not just as a profession, but as a pathway to unlocking the true essence of technology. His journey in cybersecurity is driven by a profound belief that understanding and securing digital systems illuminates our understanding of the broader tech landscape. Akashdeep approaches cybersecurity as a means of enlightenment, constantly seeking to unravel the complexities of digital security while embracing the ever-evolving world of technology.

Explore the full range of services offered by Encryption Consulting.

Feel free to schedule a demo to gain a comprehensive understanding of all the services Encryption Consulting provides.

Request a demo