Windows Server 2016 – What’s New with ADCS

Well, here it is – the concise list of updates and changes to Active Directory Certificate Services (ADCS) for Windows Server 2016. I will go ahead and tell you now that there aren’t any new earth shattering features. Consider this an incremental set of improvements to ADCS. Remember that we still have things like Elliptical Curve Cryptography for us all to move to in the next few years as well – and that is already in the product.

So lets start with New Features:

• Key Attestation now supports the use of Smart Card Key Storage Providers. Key Attestation is an assurance mechanism whereby a CA can ensure that a client has generated a key pair inside of a specific platform – historically that has been inside a Trusted Platform Module (TPM). This enabled organizations to deploy Virtual Smart Cards and ensure the keys were generated inside the TPM. Normally a CA has no enforcement or assurance of WHERE a key was generated for the enrollment request. In Windows Server 2016 this feature has been improved to support Smart Card KSP providers in addition to TPM providers.
• Network Device Enrollment Service (NDES) now also supports Key Attestation enrollment enforcement as well. Previous to Windows Server 2016, Key Attestation only worked when directly enrolling with a CA (DCOM/RPC or CES/CEP).

Included Fixes/RollUps

• Online Certificate Status Protocol (OCSP) now includes the hotfix changes from KB 2960124 to provide Deterministic responses to queries. This enables the OCSP server to respond with status of Revoked, Good, or Unknown. The OCSP server lacked the ability to respond with Unknown or an authoritative Good response without this hotfix in the past. Note, while the OCSP server includes the hotfix, the powershell script (or similar process) referenced in the KB article is still needed on your CA. Without this, the list of issued certificates will be unavailable to your OCSP server. The KB article has NOT been updated to reflect this as of this time.
• OCSP includes hotfix KB 2923238 to enable the OCSP Responder to service requests that contain multiple certificates for revocation checking. This Hotfix is no longer applicable for Server 2016 since it is included.
• As documented on my ADCS Hotfix Digest, Bug 5298357 – Bad ASN.1 encoding of certificate issuance policy extensions, has been fixed in Windows Server 2016 and is no longer an known problem. You can read more about this bug on the Server 2012 R2 portion of the ADCS Hotfix list.

As always, the list of hotfixes and known issues for ADCS is tracked on the digest at ADCS Hotfixes | PKI Solutions. The Windows Server 2016 specific section is available at Windows Server 2016 Hotfixes | PKI Solutions.