diff --git a/internal/server/web/static/js/capabilities.js b/internal/server/web/static/js/capabilities.js
index f186ef52ddd743182417d89c16afc05091b6bca2..3ffb641a35305de2159299524251d2cc538c7872 100644
--- a/internal/server/web/static/js/capabilities.js
+++ b/internal/server/web/static/js/capabilities.js
@@ -61,6 +61,18 @@ function subtokenCapabilities(prefix = "") {
     return $('#' + prefix + 'subtokenCapabilities');
 }
 
+function enableCapability(cap, prefix = "") {
+    // This function should be called after initCapabilities to preselect / check capabilities
+    // We do it with a click instead of prop("checked", true) because click handles sub-/parent- capabilities correctly.
+    // We first set checked to false ensuring that it was not previously selected
+    let $c = $(prefixId(cap, prefix));
+    let disabled = $c.prop('disabled');
+    $c.prop('disabled', false);
+    $c.prop("checked", false);
+    $c.click();
+    $c.prop('disabled', disabled);
+}
+
 
 const rPrefix = "read@";
 
@@ -304,7 +316,7 @@ function checkCapability(cap, typePrefix, prefix = "") {
     if (rCap) {
         cap = cap.substring(rPrefix.length);
     }
-    $('#' + prefix + typePrefix + '-' + escapeSelector(cap)).prop("checked", true);
+    enableCapability(typePrefix + '-' + cap, prefix);
     let $mode = $('#' + prefix + typePrefix + '-' + escapeSelector(rPrefix + cap) + '-mode');
     let disabled = $mode.prop('disabled');
     $mode.prop('disabled', false);
diff --git a/internal/server/web/static/js/consent.js b/internal/server/web/static/js/consent.js
index dd41b5466ba5ab15f4de43195b4dba69fcbd059e..25c043ee2f590660bb53279fcc314d5becdae5e0 100644
--- a/internal/server/web/static/js/consent.js
+++ b/internal/server/web/static/js/consent.js
@@ -9,13 +9,13 @@ $(document).ready(function () {
         rotationAutoRevoke().prop("disabled", !rot_onAT && !rot_onOther);
     }
     updateRotationIcon();
+    initCapabilities();
     checkedCapabilities.forEach(function (value) {
         checkCapability(value, 'cp');
     })
     checkedSubtokenCapabilities.forEach(function (value) {
         checkCapability(value, 'sub-cp');
     })
-    initCapabilities();
     chainFunctions(
         discovery,
         function (...next) {
diff --git a/internal/server/web/static/js/create-mt.js b/internal/server/web/static/js/create-mt.js
index 8127fc67d0341e312396dbb96d51c201ee2e74fa..bf0a090269977bc30ed07b289036e23f63dd9ab5 100644
--- a/internal/server/web/static/js/create-mt.js
+++ b/internal/server/web/static/js/create-mt.js
@@ -15,9 +15,9 @@ const $mtInstructions = $('#mt-instructions');
 const mtPrefix = "createMT-";
 
 function initCreateMT(...next) {
-    capabilityAT(mtPrefix).prop('checked', true);
-    $('#' + mtPrefix + 'cp-tokeninfo').prop('checked', true);
     initCapabilities(mtPrefix);
+    checkCapability("tokeninfo", "cp", mtPrefix);
+    checkCapability("AT", "cp", mtPrefix);
     updateRotationIcon(mtPrefix);
     initRestr(mtPrefix);
     doNext(...next);
diff --git a/internal/server/web/static/js/ssh.js b/internal/server/web/static/js/ssh.js
index dfba0dd79d817b9cbba17ca3159dab6c680c1bfa..9e26b7908ee0222c2c0d0f871a52f8393c1ced06 100644
--- a/internal/server/web/static/js/ssh.js
+++ b/internal/server/web/static/js/ssh.js
@@ -41,6 +41,8 @@ disableGrantCallbacks['ssh'] = function disableSSHCallback() {
 function initSSH(...next) {
     initRestr();
     initCapabilities();
+    checkCapability("tokeninfo", "cp", mtPrefix);
+    checkCapability("AT", "cp", mtPrefix);
     clearSSHKeyTable();
     useSettingsToken(function (token) {
         $.ajax({
diff --git a/internal/server/web/static/js/tokeninfo.js b/internal/server/web/static/js/tokeninfo.js
index c4a9a1030ec4d5ab0023bc158593cadac5cfc023..c9e4f0ac071bdc6c2454ec0555d7b8c76bc6d414 100644
--- a/internal/server/web/static/js/tokeninfo.js
+++ b/internal/server/web/static/js/tokeninfo.js
@@ -50,6 +50,7 @@ function fillTokenInfo(tokenPayload) {
     copy.removeClass('d-none');
 
     // capabilities
+    initCapabilities(tokeninfoPrefix);
     capabilityChecks(tokeninfoPrefix).prop("checked", false);
     subtokenCapabilityChecks(tokeninfoPrefix).prop("checked", false);
     for (let c of tokenPayload['capabilities']) {
@@ -60,11 +61,10 @@ function fillTokenInfo(tokenPayload) {
             checkCapability(c, 'sub-cp', tokeninfoPrefix);
         }
     }
-    initCapabilities(tokeninfoPrefix);
     capabilityChecks(tokeninfoPrefix).not(":checked").closest('.capability').hideB();
     subtokenCapabilityChecks(tokeninfoPrefix).not(":checked").closest('.capability').hideB();
-    capabilityChecks(tokeninfoPrefix).filter(":checked").closest('.capability').showB();
-    subtokenCapabilityChecks(tokeninfoPrefix).filter(":checked").closest('.capability').showB();
+    capabilityChecks(tokeninfoPrefix).filter(":checked").parents('.capability').showB();
+    subtokenCapabilityChecks(tokeninfoPrefix).filter(":checked").parents('.capability').showB();
 
     // rotation
     let rot = tokenPayload['rotation'] || {};