When a certificate request is received by a certification authority (CA), encryption for the request can be enforced by the CA via the RPC_C_AUTHN_LEVEL_PKT flag, as described in MSDN article Authentication-Level
Constants
(http://msdn.microsoft.com/library/aa373553.aspx).

On Windows Server 2008 R2 and earlier versions, this setting is not enabled by default on the CA.

On a Windows Server “8” Beta CA, this enhanced security setting is enabled by default.

This means that Windows XP clients will by default not be able to enroll for certificates from a Windows "8" Beta CA - unless RPC packet-level encryption is turned off for the certificate requests.


Further details:

What's new in AD CS [in Windows "8" beta]?

http://technet.microsoft.com/library/hh831373.aspx