updating DC certs to support WH4B

  • Last Post 16 March 2019
ZJORZ posted this 15 March 2019

Hi,

To support Windows Hello for Business, we need to update the cert template for our W2K12R2 DCs

FROM: (screenshot not included)

TO: (screenshot not included)

Do you know what the impact (if any) is or could be when doing this?

Thanks

Kind Regards,
Jorge de Almeida Pinto
MVP Enterprise Mobility And Security | MCP/MCSE/MCITP/exMCT

tcbep posted this 15 March 2019

I did this last year and had no issues. I followed the guide linked below.

Eric Pagan | CASP
Network Administrator, The Citizens Bank


paulhut posted this 15 March 2019

Hi Jorge,


The out-of-the-box Domain Controller template allows Client Authentication and Server Authentication. In Windows Hello for Business this template is superseded by one whose usage still contains Client Authentication and Server Authentication, and adds KDC Authentication and Smart Card Logon.


From the linked document, it says:


By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.


The superseding certificate improves the performance of the original DC certificate and maintains the same functionality as well as adds additional usage to allow WHfB to provision. In my own testing it still behaves like a DC cert.


Thanks, Paul



pradeeprawat85 posted this 15 March 2019

We did that a few months back (to support WHfB); so far no issues reported. We have both 2012 R2 and 2016 DCs in our environment.




Pradeep Rawat, CISSP



slavickp posted this 16 March 2019

Hi Jorge,

This would change the key storage provider while maintaining the RSA algorithm. I wouldn't anticipate any negative impact from this.

Regards,
Slav
MCM-DS
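The two checks a practitioner would want after switching templates, as an added example that is not part of any post in this thread: confirm that each DC certificate carries the four EKUs Paul lists (Client Authentication, Server Authentication, KDC Authentication, Smart Card Logon) and that its private key now lives in a CNG key storage provider rather than a legacy CryptoAPI CSP, which is the change Slav describes. The function name `Test-DcCertificate` and the `ReadyForWHfB` output field are my own; the script assumes an RSA key as Slav's reply states (an ECC key would show up as "no RSA private key accessible") and is meant to be run in an elevated Windows PowerShell session on the domain controller.

```powershell
# Added example, not from the thread. Checks DC certificates for the WHfB EKUs
# and for a CNG KSP-backed private key. Run elevated on the domain controller.

$RequiredEku = @{
    'Client Authentication' = '1.3.6.1.5.5.7.3.2'
    'Server Authentication' = '1.3.6.1.5.5.7.3.1'
    'KDC Authentication'    = '1.3.6.1.5.2.3.5'
    'Smart Card Logon'      = '1.3.6.1.4.1.311.20.2.2'
}
# szOID_CERTIFICATE_TEMPLATE: present on certs issued from v2+ templates and
# names the template (e.g. the superseding Kerberos Authentication-based one).
$TemplateOid = '1.3.6.1.4.1.311.21.7'

function Test-DcCertificate {
    # Hypothetical helper name; returns one summary object per certificate.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # Collect the EKU OIDs actually present on the certificate.
    $ekuExt  = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $missing = @($RequiredEku.GetEnumerator() |
        Where-Object { $present -notcontains $_.Value } |
        ForEach-Object { $_.Key })

    # Template name, so the old Domain Controller template is easy to spot.
    $tmplExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid }
    $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }

    # RSACng means the key is held by a CNG key storage provider (KSP);
    # RSACryptoServiceProvider means a legacy CryptoAPI CSP.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    $usesKsp  = $rsa -is [System.Security.Cryptography.RSACng]
    $provider = if ($usesKsp) { $rsa.Key.Provider.Provider }
                elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) { $rsa.CspKeyContainerInfo.ProviderName }
                else { '(no RSA private key accessible)' }

    [pscustomobject]@{
        Subject      = $Cert.Subject
        Thumbprint   = $Cert.Thumbprint
        NotAfter     = $Cert.NotAfter
        Template     = $template
        KeyProvider  = $provider
        UsesKsp      = $usesKsp
        MissingEku   = ($missing -join ', ')
        ReadyForWHfB = ($missing.Count -eq 0 -and $usesKsp)
    }
}

# Evaluate every machine certificate that has a private key.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-DcCertificate -Cert $_ } |
    Format-List

# Built-in cross-check: certutil validates the DC certificates as the KDC sees them.
certutil -dcinfo verify
```

After the superseding template is published to the DCs, `certutil -pulse` triggers autoenrollment so the new certificate is requested without waiting for the next cycle; re-run the script afterwards and expect `UsesKsp` to be true and `MissingEku` empty on the newly issued certificate, while the old Domain Controller-template certificate (if it is still present) shows only Client and Server Authentication and a CSP provider name.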