MC1092195 – M365 Change Digest

One-line summary

Windows updates will enforce stricter certificate-based authentication for domain controllers, requiring CAs in the NTAuth store starting July 8, 2025, with full enforcement October 14, 2025.

Similar updates

Details

Body (from Message Center)

Starting with the April 8, 2025 Windows security updates, protections for CVE-2025-26647 are being rolled out and enforced in phases. These updates change how certificate-based authentication (CBA) is handled when the issuing certificate authority (CA) is not in the NTAuth store but a Subject Key Identifier (SKI) mapping exists in the altSecID attribute.

When will this happen:

July 8, 2025: Enforced by Default phase

Updates released on or after July 8, 2025, will enforce the NTAuth store check by default. The AllowNtAuthPolicyBypass registry key setting will still allow customers to move back to Audit mode if needed. However, the ability to completely disable this security update will be removed.

October 14, 2025: Enforcement mode

Updates released on or after October 14, 2025, will discontinue Microsoft support for the AllowNtAuthPolicyBypass registry key. At this stage, all certificates must be issued by authorities that are a part of NTAuth store.

How this will affect your organization:

If your environment uses CBA and relies on certificates from CAs not in the NTAuth store, authentication may fail once Enforcement mode is enabled. This change affects domain controllers and requires updates to ensure secure authentication behavior. New audit events will help identify affected certificates and CAs.

What you need to do to prepare:

UPDATE all domain controllers with a Windows update released on or after April 8, 2025.
MONITOR new events (e.g., Event ID 45 and 21) that will be visible on domain controllers to identify affected certificate authorities.
ENABLE Enforcement mode after your environment is now only using logon certificates issued by authorities that are in the NTAuth store.
REVIEW AND UPDATE altSecID mappings if needed to ensure compatibility.

Additional information:

For full technical details, including registry settings and audit event IDs, see KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication)

Raw JSON (for debugging)

Expand/collapse the full payload below.

Show/hide raw

{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": null,
    "ai_actions": [
      "Update all domain controllers with April 8, 2025 or later Windows updates",
      "Monitor new audit events to identify affected CAs",
      "Review and update altSecID mappings",
      "Ensure CAs are in NTAuth store before enforcement"
    ],
    "ai_master_tags": [
      "Admin",
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Windows updates will enforce stricter certificate-based authentication for domain controllers, requiring CAs in the NTAuth store starting July 8, 2025, with full enforcement October 14, 2025.",
    "ai_topics": [
      "Windows"
    ],
    "category": "stayInformed",
    "details_map": {},
    "id": "MC1092195",
    "importance": 5,
    "is_major_change": false,
    "last_modified": "2025-06-11T17:01:03Z",
    "ms_products": [
      "Windows"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Windows"
    ],
    "severity": "normal",
    "tags": [
      "Admin impact"
    ],
    "title": "Prepare for Kerberos CBA changes: Enforcement begins with July updates"
  }
}