Mitigate PetitPotam in Active Directory Certificate Services

Uninstall ADCS web enrollment

A quick method is to uninstall the ADCS web enrollment (reboot required). After this, you can’t use https://yourserver.domain.com/certsrv

Uninstall-WindowsFeature ADCS-WebEnrollment

Then disable the web server IIS (check before if any websites/services rely on):

Uninstall-WindowsFeature Web-Server

Official mitigations by Microsoft

• ADV210003 – Security Update Guide – Microsoft – Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS)
• KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) (microsoft.com)