
Windows Server 2025 Hotfixes

This page tracks notable updates, release status, and issues for Windows Server 2025, focusing on Active Directory Certificate Services (ADCS), Public Key Infrastructure (PKI), and related enterprise security components. It also includes inherited behaviors from previous Windows Server versions that remain unresolved in Windows Server 2025.

We will continue to update this page as Microsoft releases cumulative updates and hotfixes.


Last updated: June 10, 2025

Current Status

Windows Server 2025 reached General Availability (GA) on November 1, 2024.

Microsoft’s official Windows Server 2025 Release Health page has the latest servicing status, known issues, and update guidance.

Reference: Microsoft Lifecycle Product Page for Windows Server 2025

Platform Observations – Windows Server 2025

  • TLS 1.3 Enablement: TLS 1.3 is enabled by default in Windows Server 2025, as it has been since Windows Server 2022. The protocol does not change what goes into a certificate, but TLS 1.3 handshake signatures must be RSA-PSS or ECDSA, which a private key held in a legacy CryptoAPI CSP cannot produce. Templates for web server certificates should therefore target a CNG key storage provider, and operators should confirm that their clients and any TLS-inspecting devices handle TLS 1.3.
  • LDAP Channel Binding and Signing: Enforcement of LDAP signing and channel binding on domain controllers continues in Windows Server 2025. When enforced, binds that are unsigned or whose channel binding token does not validate are rejected, which surfaces as failed certificate template enumeration and client autoenrollment failures in environments that still contain legacy domain controllers or legacy LDAP clients.

Active Issues and Resolutions – Windows Server 2025

Each entry below names the issue, states whether it still applies to Windows Server 2025, and then gives the resolution.

Certificate Transparency and Configuration:

Windows enrollment does not embed Certificate Transparency (CT) signed certificate timestamps by default, and this remains the case in Windows Server 2025. Browsers require CT only for publicly trusted TLS certificates, so this matters when the CA chains to a publicly trusted root; purely internal CAs are unaffected.

To enable CT, create a REG_DWORD value named CertificateTransparencyFlags in the CA's configuration registry key and set it to 0x1 (certutil -setreg CA\CertificateTransparencyFlags 1), then restart Certificate Services.

The Issuer Statement Specified in the CAPolicy.inf File Is Not Included in the Issued Certificate:

This behavior persists in Windows Server 2025 for templates that build the subject name from Active Directory.

The Online Responder service does not return a deterministic GOOD for all certificates not included in the CRL:

Hotfix 2960124 introduced "deterministic good" support, and that behavior is built into Windows Server 2016 and later, including Windows Server 2025. Without it, an Online Responder answers GOOD for any serial number that is merely absent from the CRL, including serial numbers the CA never issued. The built-in support only takes effect when the responder is given an export of the CA database's issued serial numbers; if that export is missing, the responder behaves as before.

Follow the hotfix article's steps: use the database dump scripts it references (or write your own) to export the issued serial numbers, then configure the OCSP revocation configuration to reference the dump.
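The export half of that procedure, as an added PowerShell example that is not the hotfix's own script and not code from this page: it pulls every issued (not revoked) serial number out of the CA database with certutil -view and writes it, one per line, to a file the Online Responder can be pointed at. The output directory, file name and one-serial-per-line layout are assumptions; the responder-side wiring (which directory the revocation configuration reads and the exact file layout it expects) must follow the hotfix 2960124 article.

```powershell
# Added example: export issued serial numbers from the CA database for deterministic-GOOD OCSP.
# Run elevated on the CA host (or anywhere with DCOM access to the CA).
$ErrorActionPreference = 'Stop'

# The active CA name is recorded by CertSvc under its Configuration key.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$active    = (Get-ItemProperty -Path $configKey -Name Active).Active
$caConfig  = "$env:COMPUTERNAME\$active"

# ASSUMPTION: the directory the responder's revocation configuration is pointed at.
$outDir = 'C:\OcspSerials'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Disposition 20 = issued. Revoked certificates (disposition 21) are already covered by the CRL,
# so only "issued" rows are needed for the responder to answer GOOD deterministically.
$csv = certutil -config $caConfig -view -restrict 'Disposition=20' -out 'SerialNumber' csv
if ($LASTEXITCODE -ne 0) { throw "certutil -view failed for $caConfig" }

# certutil's csv output starts with a header row; take the first (only) column by position
# rather than by display name so a localized header does not break the parse.
$rows    = $csv | ConvertFrom-Csv
$column  = ($rows[0].PSObject.Properties | Select-Object -First 1).Name
$serials = $rows.$column |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Where-Object   { $_ -match '^[0-9a-f]+$' } |
    Sort-Object -Unique

# ASSUMPTION: one hex serial per line, file named after the CA. Write to a staging file and
# move it over the live file so the responder never reads a half-written list.
$target  = Join-Path $outDir (('{0}.txt' -f $active) -replace '[^\w\-\.]', '_')
$staging = "$target.tmp"
$serials | Set-Content -Path $staging -Encoding ASCII
Move-Item -Path $staging -Destination $target -Force

"Exported {0} issued serial numbers for '{1}' to {2}" -f $serials.Count, $active, $target
```

Schedule this on the CA after each issuance batch (or on the CRL publication interval); a stale list makes the responder answer UNKNOWN for newly issued certificates rather than GOOD, which is the safe direction to fail.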

Interactive Services Session 0 Isolation and HSM CSP/KSP:

This affects Windows Server 2025 when a legacy HSM client (for example, Thales nCipher Security World before 12.1) installs a CSP/KSP that expects to interact with the desktop from a service, which Session 0 isolation prevents.

For older Security World versions, set the REG_DWORD value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows\NoInteractiveServices to 0 and reboot. Note that the Interactive Services Detection service was removed starting with Windows 10 version 1803 and Windows Server 2019, so on current server builds the durable fix is to upgrade the HSM client software to a version that does not require interactive services.

Windows XP Clients are unable to enroll by default with a Windows Server 2025 CA:

Windows Server 2025 CAs, like every release since Windows Server 2008, require RPC encryption (packet privacy) on the ICertRequest interface by default; Windows XP clients cannot negotiate it and fail to enroll.

If those clients must be supported, clear the enforcement flag on the CA with certutil -setreg CA\InterfaceFlags -IF_ENFORCEENCRYPTICERTREQUEST and restart Certificate Services. Be aware that this relaxes request encryption for every client of the CA, not just Windows XP, and that Windows XP has been out of support since April 2014; retiring those clients is the safer fix.

You cannot enroll in an Online Certificate Status Protocol certificate (CERT_E_INVALID_POLICY):

This applies to Windows Server 2025 when the CA's EKUs have been manually restricted (for example, through CAPolicy.inf).

When listing specific OIDs for the CA's EKUs, include the OCSP Signing OID (1.3.6.1.5.5.7.3.9); otherwise OCSP Response Signing certificate requests are rejected with CERT_E_INVALID_POLICY. No steps are needed with the default "All Application Policies" configuration, which places no EKU extension on the CA certificate.

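The three CA-side settings discussed above (Certificate Transparency, RPC encryption enforcement for ICertRequest, and the OCSP Signing EKU) are easy to drift on and easy to check. The following audit script is an added example, not code from this page or from Microsoft. It reads InterfaceFlags directly from the CA's configuration registry key, reads CertificateTransparencyFlags from the same key (that location is an assumption; the page only names the value), and inspects the CA certificate's EKU extension, which is where a CAPolicy.inf EKU restriction lands. The bit value 0x200 for IF_ENFORCEENCRYPTICERTREQUEST is from the public certutil flag definitions.

```powershell
# Added example: audit a CA for the three settings covered in the entries above.
# Run elevated on the CA host.
$ErrorActionPreference = 'Stop'

$OcspSigningOid                = '1.3.6.1.5.5.7.3.9'  # id-kp-OCSPSigning
$IF_ENFORCEENCRYPTICERTREQUEST = 0x200                # InterfaceFlags bit: require RPC encryption

# Locate the active CA's configuration key.
$configKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName    = (Get-ItemProperty -Path $configKey -Name Active).Active
$caProps   = Get-ItemProperty -Path (Join-Path $configKey $caName)

function Test-CaFlag {
    # Returns $true when the named DWORD exists and has every bit of $Mask set.
    param([string]$Name, [int]$Mask)
    $value = $caProps.$Name
    if ($null -eq $value) { return $false }
    return (($value -band $Mask) -eq $Mask)
}

$findings = @()

# 1. RPC encryption for certificate requests (default on; only cleared for out-of-support clients).
if (Test-CaFlag -Name 'InterfaceFlags' -Mask $IF_ENFORCEENCRYPTICERTREQUEST) {
    $findings += 'OK   InterfaceFlags: IF_ENFORCEENCRYPTICERTREQUEST set (RPC encryption enforced)'
} else {
    $findings += 'WARN InterfaceFlags: RPC encryption for certificate requests is NOT enforced'
}

# 2. Certificate Transparency. ASSUMPTION: value lives under the CA configuration key.
if (Test-CaFlag -Name 'CertificateTransparencyFlags' -Mask 0x1) {
    $findings += 'OK   CertificateTransparencyFlags = 1 (CT enabled)'
} else {
    $findings += 'INFO CertificateTransparencyFlags not set (CT disabled; the default)'
}

# 3. OCSP Signing EKU. A CA certificate with an EKU extension that omits 1.3.6.1.5.5.7.3.9
#    causes OCSP Response Signing requests to fail with CERT_E_INVALID_POLICY.
$caCertFile = Join-Path $env:TEMP 'ca-audit.cer'
certutil -config "$env:COMPUTERNAME\$caName" -ca.cert $caCertFile | Out-Null
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCertFile
$eku    = $caCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if (-not $eku) {
    $findings += 'OK   CA certificate has no EKU extension (All Application Policies)'
} elseif ($eku.EnhancedKeyUsages.Value -contains $OcspSigningOid) {
    $findings += 'OK   CA certificate EKU list includes OCSP Signing'
} else {
    $findings += "WARN CA certificate restricts EKUs and omits $OcspSigningOid; OCSP signing enrollment will fail"
}
Remove-Item $caCertFile -ErrorAction SilentlyContinue

$findings
```

Registry changes made with certutil -setreg take effect only after Certificate Services restarts, so run the audit after the restart, not immediately after the change.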
Error when installing a Certification Authority with PowerShell on a Computer or VM without a Network Adapter:

This issue persists in Windows Server 2025 and most often appears with standalone (offline) CA deployments on VMs that were built without a network adapter.

There are three options to work around the error:

  1. Configure the VM guest with a network adapter that is disconnected or disabled. Once the installation is complete, you can remove the network adapter from the VM guest.

  2. Specify the location of the CA database, even if it is the default location, by appending the argument -DatabaseDirectory $(Join-Path $env:SystemRoot "System32\CertLog") to the Install-AdcsCertificationAuthority command.

  3. Use the Server Manager GUI to perform the installation.

Error when installing ADCS on computers with host names longer than 15 characters:

This issue is still present in Windows Server 2025 with offline CAs (the NetBIOS computer name is limited to 15 characters).

Use host names of 15 or fewer characters.

If you have already installed ADCS and hit this issue, temporarily connect the network adapter so that ADCS can be uninstalled, then change the computer name and reinstall.
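The two preceding entries both bite during an offline root CA build. The following script is an added example (not code from this page or from Microsoft) that applies both workarounds in one pass: it refuses to proceed on a host name longer than 15 characters, warns when no adapter is present, and passes explicit -DatabaseDirectory and -LogDirectory arguments so the missing-adapter failure does not occur. The CA common name, key size, validity period and hash are placeholders to adjust for your environment.

```powershell
# Added example: pre-flight checks plus a standalone root CA install on a VM with no adapter.
# Run elevated on the future CA host.
$ErrorActionPreference = 'Stop'

# Pre-flight 1: host name length. Longer names break the ADCS install on offline CAs.
if ($env:COMPUTERNAME.Length -gt 15) {
    throw "Host name '$env:COMPUTERNAME' is longer than 15 characters; rename the computer before installing ADCS."
}

# Pre-flight 2: adapter presence. A disabled or disconnected adapter is fine; none at all is the
# case the explicit database/log paths below work around.
$adapters = @(Get-NetAdapter -ErrorAction SilentlyContinue)
if ($adapters.Count -eq 0) {
    Write-Warning 'No network adapter present; passing explicit -DatabaseDirectory/-LogDirectory to avoid the known install failure.'
}

# Role binaries first, then the CA configuration step.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null

# These are the default locations; specifying them explicitly is the workaround.
$dbDir  = Join-Path $env:SystemRoot 'System32\CertLog'
$logDir = $dbDir

Install-AdcsCertificationAuthority `
    -CAType StandaloneRootCA `
    -CACommonName 'Contoso Offline Root CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 20 `
    -DatabaseDirectory $dbDir `
    -LogDirectory $logDir `
    -Force

# Confirm the service is running and the CA certificate can be exported.
Get-Service CertSvc | Select-Object Name, Status
certutil -ca.cert (Join-Path $env:TEMP 'root.cer') | Select-Object -First 1
```

On a production offline root, replace the software KSP with the HSM's KSP name and keep the host off the network after the build; the adapter is only needed if ADCS ever has to be uninstalled (see the host-name entry above).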

Renewing a Root CA certificate and changing the Validity Period with CAPolicy.inf fails:

Windows Server 2025 still does not let you shorten the certificate lifetime at renewal through CAPolicy.inf.

Sign the renewal request with certutil -sign, specifying the validity period you want, and then associate the resulting certificate with the CA manually.

Network Device Enrollment Service reports "You do not have sufficient permission to enroll with SCEP" even for administrative accounts:

This continues in Windows Server 2025 when IIS has been customized by hand before NDES is installed.

Remove the IIS and NDES roles entirely and reinstall them with default settings.

An alternative fix is available if the uninstall does not resolve the error.

The Windows Server sconfig command-line tool allows domain membership and computer name changes even with an ADCS Certification Authority installed:

Windows Server 2025 still does not block these changes in sconfig. A CA's configuration, its certificate and its Active Directory enrollment objects are bound to the host name and domain, so changing either on a live CA breaks it.

Remove the ADCS role features before using sconfig to change domain membership or the computer host name.

Alternatively, use the Control Panel System applet on the GUI version of Windows Server, which refuses these changes while a CA is installed.

External References

Stay Updated

We will continue to update this page with new insights, particularly if Microsoft releases hotfixes or introduces PKI-related changes post-GA.

Subscribe to our PKI Solutions Blog or bookmark this page for ongoing updates.

Request a demo of PKI Spotlight® to gain real-time visibility into ADCS misconfigurations and system-level PKI drift—before these issues break your infrastructure.