Sign in with Microsoft
Sign in or create an account.
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.


Consider the following scenario:

  • You have an Active Directory Federation Services (AD FS) passive endpoint that is running Windows Server 2012 R2.

  • You enable the ExtendedProtectionTokenCheck setting in an AD FS 3.0 configuration.

In this scenario, the ExtendedProtectionTokenCheck setting is displayed as enabled when you view theAD FS properties by using the Get-ADFSProperties command. However, regardless of the setting, the current passive endpoints do not use the ExtendedProtectionTokenCheck setting.


To resolve this issue, install update rollup 2975719. For more information about how to obtain this update rollup package, click the following article number to view the article in the Microsoft Knowledge Base:

2975719 August 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

For more information about how to set the ExtendedProtectionTokenCheck setting

Set-ADFSPropertiesFor more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!