Disclaimer: All postings are provided "AS IS" with no warranties, and confer no rights. This weblog does not represent the thoughts, intentions, plans or strategies of Microsoft. Because a weblog is intended to provide a semi-permanent point-in-time snapshot, you should not consider out of date posts to reflect current thoughts and opinions.
When a certification authority (CA) receives a certificate request, the CA can enforce encryption of the request via the RPC_C_AUTHN_LEVEL_PKT flag, as described in the MSDN article Authentication-Level Constants (http://msdn.microsoft.com/library/aa373553.aspx).
On Windows Server 2008 R2 and earlier versions, this setting is not enabled by default on the CA.
On a Windows Server “8” Beta CA, this enhanced security setting is enabled by default.
This means that, by default, Windows XP clients cannot enroll for certificates from a Windows "8" Beta CA unless RPC packet-level encryption is turned off for certificate requests.
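To audit which behaviour a given CA has, the following added example (not part of the original post) decodes the CA's `InterfaceFlags` registry value and reports whether encrypted certificate requests are enforced. The registry location, the `IF_ENFORCEENCRYPTICERTREQUEST` bit (0x200) and the function name `Test-CaRequestEncryption` do not appear in the post; the first two are the AD CS names for where this setting is stored, and the function name is hypothetical.

```powershell
# Added example: audit whether a CA enforces encrypted certificate requests.
# Run in an elevated PowerShell session on the CA itself.

# InterfaceFlags bits, named as `certutil -getreg CA\InterfaceFlags` prints them.
$IF_ENFORCEENCRYPTICERTREQUEST = 0x200   # require encryption on ICertRequest (enrollment) RPC
$IF_ENFORCEENCRYPTICERTADMIN   = 0x400   # require encryption on ICertAdmin (management) RPC

# Hypothetical helper: decode an InterfaceFlags value into the two enforcement bits.
function Test-CaRequestEncryption {
    param([Parameter(Mandatory)][int]$InterfaceFlags)
    [pscustomobject]@{
        InterfaceFlags         = '0x{0:X}' -f $InterfaceFlags
        EnforceEncryptRequests = [bool]($InterfaceFlags -band $IF_ENFORCEENCRYPTICERTREQUEST)
        EnforceEncryptAdmin    = [bool]($InterfaceFlags -band $IF_ENFORCEENCRYPTICERTADMIN)
    }
}

# Constructed sample values: one with the request-encryption bit set, one without.
foreach ($sample in 0x641, 0x41) {
    Test-CaRequestEncryption -InterfaceFlags $sample
}

# Live check: read the active CA's InterfaceFlags from the CertSvc configuration.
$cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
if (Test-Path $cfg) {
    $caName = (Get-ItemProperty -Path $cfg -Name Active).Active
    $flags  = (Get-ItemProperty -Path (Join-Path $cfg $caName) -Name InterfaceFlags).InterfaceFlags
    $result = Test-CaRequestEncryption -InterfaceFlags $flags
    $result
    if (-not $result.EnforceEncryptRequests) {
        Write-Warning "CA '$caName' accepts certificate requests without RPC packet encryption."
    }
} else {
    Write-Warning 'CertSvc configuration key not found; this host does not appear to be a CA.'
}
```

A CA that reports `EnforceEncryptRequests = False` is in the state the post describes as the default for Windows Server 2008 R2 and earlier.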
What's new in AD CS [in Windows "8" beta]?