
What's New in Certificate Services in Windows Server 2012 R2

Published: October 1, 2012

Updated: January 1, 2014

Applies To: Windows Server 2012 R2

Active Directory Certificate Services (AD CS) in Windows Server 2012 R2 adds features and capabilities that were not available in previous versions. This document describes the new deployment, manageability, and other capabilities added to the AD CS role in Windows Server 2012 R2.

Active Directory Certificate Services (AD CS) provides customizable services for issuing and managing public key infrastructure (PKI) certificates used in software security systems that employ public key technologies.

New functionality in AD CS for Windows Server 2012 R2 includes the following.


| Feature/functionality | New or improved | Description |
|---|---|---|
| Policy Module support for the Network Device Enrollment Service | | Using a policy module with the Network Device Enrollment Service provides enhanced security so that users and devices can request certificates from the Internet. |
| TPM key attestation | | TPM key attestation lets the certification authority (CA) verify that the private key is protected by a hardware-based TPM. |
| Windows PowerShell for Certificate Services | | New Windows PowerShell cmdlets are available for backup and restore. |

The AD CS role service, Network Device Enrollment Service, is designed for secured networks and trusted administrators. Because of this design, enrollment can use a single password, or even no password, to request multiple certificates. In addition, there is no authentication for the subject name value supplied. However, Windows Server 2012 R2 supports a policy module for the Network Device Enrollment Service, which provides additional authentication that makes it practical to run this role service in a perimeter network. This configuration supports the Bring Your Own Device (BYOD) scenario, where mobile devices such as those that run iOS and Android, and computers that are not domain members, can now use the Network Device Enrollment Service to request user and computer certificates from the Internet. This is sometimes referred to as over-the-air enrollment.

Windows Server 2012 R2 does not come with a policy module. You must install one separately, either from a software vendor that provides a policy module or by writing your own. If you install a policy module from a software vendor, it typically comes from a company that provides management for mobile devices. For example, System Center 2012 R2 Configuration Manager provides a policy module that is required when you deploy certificate profiles.

TPM key attestation lets the certification authority (CA) verify that the private key is protected by a hardware-based TPM and that the TPM is one that the CA trusts. This functionality prevents the certificate from being exported to an unauthorized device, and can bind the user identity to the device.

Every TPM has an endorsement key that is unique to that TPM. In some cases, TPMs also have an endorsement key certificate that chains to the manufacturer’s issuing CA. Not all TPMs support attestation, but when they do, you can choose to validate the key attestation by using the endorsement key or by using an endorsement key certificate.

To use TPM key attestation, the client operating system must be Windows 8.1 or Windows Server 2012 R2. To configure TPM key attestation, use a version 4 certificate template with an enterprise CA, and configure the settings on the Key Attestation tab. On the Server tab of the certificate template properties, do not select "Do not store certificates and requests in the CA database", because this configuration is not supported with TPM key attestation. In addition, standalone CAs and web enrollment do not support TPM key attestation.

When you configure TPM key attestation, you can choose increasing levels of assurance by specifying how to validate the endorsement key that is burned into the TPM by the manufacturer:

  • User credentials. No additional configuration is required on the CA.

  • Endorsement certificate. You must add the root and issuing CA certificates for the TPMs to new certificate stores on the CA. The new certificate stores are EKCA for the intermediate store, and EKROOT for the root store.

  • Endorsement key. You must add each endorsement key for the TPMs to an approved list (EKPUB list).

If the settings on the Key Attestation tab are not available, verify the following settings:

  • On the Compatibility tab: The Certification Authority is set to Windows Server 2012 R2, and the Certificate recipient is set to Windows 8.1 / Windows Server 2012 R2.

  • On the Request Handling tab: The "Allow private key to be exported" checkbox and the "Archive subject's encryption private key" checkbox must not be selected.

  • On the Cryptography tab: The Provider Category is set to Key Storage Provider and the Algorithm name is set to RSA. In addition, "Requests must use one of the following providers" must be set to Microsoft Platform Crypto Provider.
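
The prerequisites above can also be checked against a template's Active Directory attributes. The following is an added example, not code from this page or from Microsoft: the function name and sample templates are hypothetical, and the bit values are the msPKI-Private-Key-Flag definitions from the [MS-CRTD] protocol specification, which this page does not list.

```powershell
# Added example: audit certificate template attributes against the key
# attestation prerequisites. Flag values come from [MS-CRTD] (assumption:
# not stated on this page).
$KeyFlag = @{
    Archival = 0x0001   # CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL
    Export   = 0x0010   # CT_FLAG_EXPORTABLE_KEY
    EkUser   = 0x0200   # CT_FLAG_EK_TRUST_ON_USE  (User credentials)
    EkCert   = 0x0400   # CT_FLAG_EK_VALIDATE_CERT (Endorsement certificate)
    EkKey    = 0x0800   # CT_FLAG_EK_VALIDATE_KEY  (Endorsement key)
    Prefer   = 0x1000   # CT_FLAG_ATTEST_PREFERRED
    Require  = 0x2000   # CT_FLAG_ATTEST_REQUIRED
}

function Test-KeyAttestationTemplate {
    param([Parameter(Mandatory)] [hashtable] $Template)

    $flags    = [int] $Template['msPKI-Private-Key-Flag']
    $csps     = @($Template['pKIDefaultCSPs'])   # entries look like "1,<provider name>"
    $findings = @()
    if ([int] $Template['msPKI-Template-Schema-Version'] -lt 4) {
        $findings += 'Template is not version 4 (Compatibility tab).'
    }
    if ($flags -band $KeyFlag.Export)   { $findings += 'Private key is exportable.' }
    if ($flags -band $KeyFlag.Archival) { $findings += 'Private key archival is enabled.' }
    if (-not $csps -or ($csps -notmatch ',Microsoft Platform Crypto Provider$')) {
        $findings += 'Providers are not limited to Microsoft Platform Crypto Provider.'
    }
    if (-not ($flags -band ($KeyFlag.Prefer -bor $KeyFlag.Require))) {
        $findings += 'Template does not request key attestation.'
    }
    [pscustomobject]@{
        Name         = $Template['cn']
        Required     = [bool] ($flags -band $KeyFlag.Require)
        EkValidation = @('EkUser', 'EkCert', 'EkKey' | Where-Object { $flags -band $KeyFlag[$_] })
        Findings     = $findings
    }
}

# Constructed sample attribute sets; on a domain-joined host the same
# attributes can be read from the template objects with Get-ADObject.
$hardened = @{ cn = 'TPM-User'; 'msPKI-Template-Schema-Version' = 4
               'msPKI-Private-Key-Flag' = 0x2400
               pKIDefaultCSPs = '1,Microsoft Platform Crypto Provider' }
$weak     = @{ cn = 'Legacy-User'; 'msPKI-Template-Schema-Version' = 2
               'msPKI-Private-Key-Flag' = 0x0010
               pKIDefaultCSPs = '1,Microsoft Software Key Storage Provider' }
$hardened, $weak | ForEach-Object { Test-KeyAttestationTemplate $_ } | Format-List
```

The check does not cover the Server tab setting or the algorithm name, which are stored in other attributes.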


New Windows PowerShell cmdlets are available in Windows Server 2012 R2. You can use these cmdlets to back up and restore a certification authority (CA) database.


| Cmdlet name | New or improved | Description |
|---|---|---|
| Backup-CARoleService | | Back up the CA database. |
| Restore-CARoleService | | Restore the CA database. |

For more information about these cmdlets, see Backup-CARoleService and Restore-CARoleService.

To use these cmdlets in a migration scenario, see the Active Directory Certificate Services Migration Guide for Windows Server 2012 R2.
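
A backup taken with these cmdlets can include the CA private key, so the destination needs the same protection as the CA itself. The following is an added example, not part of the original page: the backup path and manifest file name are placeholders, and it assumes an elevated session on the CA.

```powershell
# Added example; $BackupRoot is a placeholder location.
$BackupRoot = 'D:\CABackup'
$Target     = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# Lock the folder down before anything is written to it: drop inherited
# ACEs and grant full control only to Administrators (S-1-5-32-544)
# and SYSTEM (S-1-5-18).
icacls.exe $Target /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null

# The password protects the exported key file; prompt for it instead of
# storing it in the script.
$Password = Read-Host -AsSecureString -Prompt 'Password for the CA key backup'
Backup-CARoleService -Path $Target -Password $Password

# Confirm that both the key file (.p12) and the database (.edb) were written.
$files = Get-ChildItem -Path $Target -Recurse -File
foreach ($ext in '.p12', '.edb') {
    if (-not ($files | Where-Object Extension -eq $ext)) {
        throw "Backup in $Target contains no $ext file"
    }
}

# Record SHA-256 hashes next to the backup so later tampering or
# corruption can be detected before a restore.
$manifest = Join-Path $BackupRoot "$(Split-Path $Target -Leaf).sha256.csv"
$files | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path $manifest -NoTypeInformation

# Restore (commented out on purpose): -Force overwrites the existing
# keys and database on the target CA.
# Stop-Service certsvc
# Restore-CARoleService -Path $Target -Password $Password -Force
# Start-Service certsvc
```

Keep the manifest and the password separate from the backup folder; a copy of the folder plus the password is equivalent to a copy of the CA key.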


© 2014 Microsoft. All rights reserved.