# citrix-cloud
c
• Citrix FAS; anyone lock down their MS CA to restrict the Citrix_SmartcardLogon and Citrix_RegistrationAuthority templates like this:
• Citrix_RegistrationAuthority / Citrix_RegistrationAuthority_ManualAuthorization:
  ◦ Grant Read and Enroll permissions only to the specific computer accounts of your FAS servers (or a dedicated AD security group containing only FAS servers).
  ◦ Grant Read permission to Authenticated Users.
  ◦ Restrict Write permissions to only necessary administrators (e.g., Enterprise Admins).
• Citrix_SmartcardLogon:
  ◦ Grant Read and Enroll permissions to the FAS servers (or their security group).
  ◦ Grant Read permission to Authenticated Users. This allows users to read the template's properties but not directly enroll for certificates using it. Enrollment is delegated to FAS.
  ◦ Do not enable auto-enrollment for users on this template.
This would be after FAS has been live for a year.
r
That's how I have mine set up. I don't think a group will work for the RA certificate security; you need the FAS server $ accounts, I think. I assume you have seen this: https://docs.citrix.com/en-us/federated-authentication-service/2212/config-manage/security.html
c
Thanks @Rob Zylowski