Yes, I am an MS employee, and this makes me mad...
Despite it being very simple to delegate out the proper configuration partition rights to your PKI team, MIM CM and FIM CM check to make sure you are a domain admin on installs and upgrades.
Checking ACLs in AD is not hard. Checking group membership for something that should be delegated makes me sad and angry.
Every time I grant my PKI team DA rights, I lose a little piece of my soul.