Default RSACryptoServiceProvider in IIS 8.5 does not support SHA256 hash

i don't know if this is an issue with IIS or .Net, The certificate that’s used to create a S2S token somehow loads "Microsoft RSA SChannel Cryptographic Provider" as the private key instead of "Microsoft Enhanced RSA and AES Cryptographic Provider". The former one does not support SHA256 hash, therefore it fails with NTE_BAD_ALGID (0x80090008)

How do you force the default crypto provider to RSACng which support the SHA256 hash in an IIS application?