We are operating a Windows 2012 Server PKI with an Enterprise Subordinate Certificate Authority that is issuing Certificates through an AD Certificate Template, however there are certain certificate extensions that need to be excluded.
We are following the procedure defined in ;
http: //blogs.technet.com/b/pki/archive/2007/01/03/how-to-exclude-the-certificate-template-name-from-certificates-to-be-issued.aspx
certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.20.2
certutil -setreg policy\DisableExtensionList +1.3.6.1.4.1.311.21.7
net stop certsvc
net start certsvc
This does not have any effect as issued certificates continue to have the extensions in them after the change.