When a certificate request is received by a certification authority (CA), encryption for the request can be enforced by the CA via the RPC_C_AUTHN_LEVEL_PKT flag, as described in MSDN article Authentication-Level
On Windows Server 2008 R2 and earlier versions, this setting is not enabled by default on the CA.
On a Windows Server “8” Beta CA, this enhanced security setting is enabled by default.
This means that Windows XP clients will by default not be able to enroll for certificates from a Windows “8” Beta CA – unless RPC packet-level encryption is turned off for the certificate requests.
What’s new in AD CS [in Windows “8” beta]?