Hi,
To support Windows Hello for Business, we need to update the cert template for our W2K12R2 DCs FROM: TO:
Do you know what the impact (if any) is or could be when doing this?
Thanks
Kind Regards,
Jorge de Almeida Pinto
MVP Enterprise Mobility And Security | MCP/MCSE/MCITP/exMCT

updating DC certs to support WH4B
Last Post 16 March 2019
I did this last year and had no issues. I followed the guide linked below.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn771627(v=ws.11)
Eric Pagan | CASP
Network Administrator
The Citizens Bank
Hi Jorge,
The out of the box Domain Controller template allows Client Authentication and Server Authentication. In Windows Hello for Business this template is superseded by one whose use still contains Client Authentication and Server Authentication and adds KDC Authentication and Smart Card login.
From the docs it says:
“By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.”
The superseding certificate improves the performance of the original DC certificate and maintains the same functionality as well as adds additional usage to allow WHfB to provision. In my own testing it still behaves like a DC cert.
Thanks, Paul

We did that a few months back (to support WHFB), so far no issues reported. We have both 2012 R2 and 2016 DCs in our environment.
Thanks,
Pradeep Rawat, CISSP
Hi Jorge – This would change the key storage provider while maintaining the RSA algorithm. I wouldn’t anticipate any negative impact from this.
Regards
Slav MCM-DS
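An added check, not posted by anyone in this thread, that a practitioner can run on a DC after the template change to confirm the two points raised above: that the enrolled certificate carries the four EKUs Paul lists, and that its private key is held in a CNG key storage provider rather than a legacy CSP, as Slav describes. It assumes Windows PowerShell 5.1 on the DC and that the certificate is an RSA certificate in the machine's personal store.

```powershell
# Added example: inventory LocalMachine\My and report, per certificate, the
# template it came from, the key provider, and any missing WHfB-relevant EKU.
# Run in an elevated session on the domain controller.

$requiredEku = @{
    'Client Authentication' = '1.3.6.1.5.5.7.3.2'
    'Server Authentication' = '1.3.6.1.5.5.7.3.1'
    'KDC Authentication'    = '1.3.6.1.5.2.3.5'
    'Smart Card Logon'      = '1.3.6.1.4.1.311.20.2.2'
}

function Get-DcCertReport {
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_

        # Collect EKU OIDs present on the certificate (empty list if no EKU extension).
        $ekuOids = @()
        $ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($ekuExt) { $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        $missing = $requiredEku.GetEnumerator() | Where-Object { $ekuOids -notcontains $_.Value } | ForEach-Object { $_.Key }

        # Certificate Template Information extension (1.3.6.1.4.1.311.21.7); Format()
        # is assumed to render it as "Template=<name>(<oid>), Major Version ...".
        $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
        $template = if ($tmplExt) { ($tmplExt.Format($false) -split ',')[0].Trim() } else { '(no template extension)' }

        # A CNG/KSP-backed key surfaces as RSACng; a legacy CSP key as RSACryptoServiceProvider.
        $provider = '(non-RSA or inaccessible key)'
        try { $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert) }
        catch { $rsa = $null }
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            $provider = 'KSP: ' + $rsa.Key.Provider.Provider
        } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $provider = 'CSP: ' + $rsa.CspKeyContainerInfo.ProviderName
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Template   = $template
            Provider   = $provider
            MissingEku = if ($missing) { $missing -join ', ' } else { 'none' }
            WhfbReady  = (-not $missing) -and ($rsa -is [System.Security.Cryptography.RSACng])
        }
    }
}

Get-DcCertReport | Format-List
```

A certificate still issued from the original Domain Controller template will show a CSP provider and report KDC Authentication and Smart Card Logon as missing; one from the updated Kerberos Authentication-based template should show a KSP provider and no missing EKU.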