Windows "Manage Private Keys Permissions" Missing

There’s a fairly in-depth example script posted here: Post Request Script examples - #4 by andresr

This is beyond the simple scripts we have built-in (which are here: certify-plugins/src/DeploymentTasks/Core/Providers/Assets at development · webprofusion/certify-plugins · GitHub) but I note that it has a script block to set the ACL, in this case it takes the last key written and sets the permission on that:

                        $FilePath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"
                        $File = Get-ChildItem $FilePath | Sort-Object LastWriteTime -Descending | Select-Object -First 1
                        # Specify account
                        $Account = "NT AUTHORITY\NETWORK SERVICE"
                        # Get current ACL on the private key
                        $ACL = Get-Acl -Path $File.FullName
                        # Set new rule
                        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$Account", "Read", "Allow")
                        # Add rule to the ACL
                        $ACL.AddAccessRule($rule)
                        # Set new ACL to the private key
                        Set-Acl -Path $File.FullName -AclObject $ACL