There is a brand new option called Enable certificate privacy in Windows 10 and Windows 2016 which you can enable when exporting a certificate together with its private key into a PFX file (PKCS#12) by using the Certificates MMC console. It seemed weird to me, because traditionally the PFX files exported from Windows 8.1 or Windows 2012 and older where completelly encrypted, thus very well privacy protected indeed :-)
The following are some screenshots from the certificate export wizard, the new Enable certificate privacy option is visible on the second one:
PFX files have always been fully encrypted with the provided password or with the group key based on KDS (key distribution service) if your AD domain functional level was at least Windows 2012. You could try to open its contents in a hex editor and you would see a highly entropic trash.
You could also use certutil on the file but it would ask for the password immediatelly and would not display anything if the password was incorrect:
Which might be on one part interesting because generally the certificate contents except for its private key are considered public and no software gives them too much of an effort to stop public certificates from propagating anywhere. The fact also made some obstacles to me in the past, because you cannot determine what certificate the PFX file contains unless you know the password while you cannot find the password if you do not know what certificate you are working with.
The new behavior of certificate export in Windows 10
The certificate export wizard behavior has changed in Windows 10. By default, if you do not enable the Enable certificate privacy option then the certificate contents is left unencrypted in the PFX file and the only (password or group key) protection is applied to the private key. You can verify it with certutil which does not ask for password and displays the certificate contents.
Good change by default in my view.
Yet if you want to get back to the previous behavior you can always enable the Enable certificate privacy option. If you enable the certificate privacy then the whole PFX file will be encrypted just like in older Windows.
Compatiblity?
Both forms of exported PFX files either with certificate privacy (fully encrypted) or without (only private key encrypted) can be imported into an older systems such as Windows 7 as I have tested. Very well done!
Cheers!