Certificate-based authentication changes on Windows domain controllers - coming September 2025
MC1143929
Category: planForChange
Severity: normal
Major change: True
Last modified: 2025-08-28 20:57:32
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph): 2025-09-09 16:30:00
Action by (AI):
Services: Windows
Tags: Admin impact
Master tags: Security
Roadmap IDs:

One-line summary

Starting with September 2025 Windows updates, strict certificate mapping will be enforced on AD CS and domain controllers, blocking authentication if requirements aren't met.

Similar updates

MC1150557 Certificate-based authentication changes following installation of Windows updates released September 9, 2025: Starting September 9, 2025, Windows updates enforce new certificate mapping requirements on Windows Servers, ending the gradual rollout and requiring immediate admin action to ensure authentication keeps working.
MC959496 Full Enforcement mode for certificate-based authentication on Windows DCs effective February 2025: Full Enforcement mode for certificate-based authentication on Windows domain controllers starts with the February 2025 updates; non-compliant certificates will be denied authentication.
MC1092195 Prepare for Kerberos CBA changes: Enforcement begins with July updates: Windows updates will enforce stricter certificate-based authentication for domain controllers, requiring CAs in the NTAuth store starting July 8, 2025, with full enforcement October 14, 2025.
MC1111657 Second phase for KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication) begins today: Windows updates will enforce stricter certificate-based authentication from July 8, 2025, requiring CAs in the NTAuth store; full enforcement and removal of the policy bypass start October 14, 2025.
MC1096052 Windows adds support for the new certificate authority handling logic in Application Control for Business: Application Control for Business updates its CA trust logic to handle expiring Microsoft CAs, requiring Windows updates by May 13, 2025 for seamless trust extension.
MC1050816 KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication): Windows updates from April 8, 2025 add protections for a Kerberos vulnerability; enforcement starts July 8, 2025, with full enforcement and registry key removal on October 14, 2025.

Details

Body (from Message Center)

Since 2023, Microsoft has been sharing reminders of upcoming changes to the certificate mapping security requirements in Windows Server. These changes address the vulnerabilities discussed in CVE-2022-34691 and others. As part of these changes, servers that run Active Directory Certificate Services, as well as Windows domain controllers that service certificate-based authentication, will be required to meet certain certificate mapping criteria in order for authentication operations to succeed.

The final milestone of this rollout will take place with Windows updates released September 2025. For full details, see KB5014754: Certificate-based authentication changes on Windows domain controllers.

When will this happen:
Beginning in 2022, Windows updates have addressed certain vulnerabilities related to certificate emulation. As part of this, new certificate mapping requirements have been rolling out with varying degrees of enforcement throughout 2023 and 2024. Windows updates released prior to September 2025 make it possible to control the degree to which these requirements are enforced across environments. However, after the September updates, the ability to bypass the requirements will end.

How this will affect your organization:
The specific vulnerability addressed in this scenario involves the use of a dollar sign ($) at the end of a machine name. When present, methods existed to emulate (spoof) certificates under some circumstances. Additionally, conflicts between User Principal Names (UPNs) and sAMAccountName values introduced other emulation vulnerabilities.

Updates released in September 2025 will conclude the rollout of the security hardening that prevents these vulnerabilities. From that time on, certain authentication operations will be denied if certificates cannot be strongly mapped per the security measures.

What you need to do to prepare:
We advise IT administrators to conduct testing that confirms normal operations under the new certificate mapping criteria. As always, we recommend updating your devices to the latest available security update to take advantage of the newest protections against current security threats. Review the links provided in the Additional information section.
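As an added readiness check (not code from this message or from Microsoft), the PowerShell script below inventories the KDC enforcement setting on every domain controller and counts the recent KDC events 39, 40 and 41 that KB5014754 documents for certificates that are valid but not strongly mapped. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the DCs, and the StrongCertificateBindingEnforcement value name and event IDs from that KB.

```powershell
# Added example, not Microsoft's code. Requires RSAT ActiveDirectory and remoting to the DCs.
# Event 39: valid certificate with no strong mapping; 40: certificate predates the user;
# 41: SID in the certificate does not match the user (all per KB5014754).
param([int]$Days = 30)
Import-Module ActiveDirectory

$kdcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valName  = 'StrongCertificateBindingEnforcement'
$modeName = @{ 0 = 'Disabled'; 1 = 'Compatibility'; 2 = 'Full enforcement' }

$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $dcs) {
    try {
        $r = Invoke-Command -ComputerName $dc -ErrorAction Stop -ArgumentList $kdcKey, $valName, $Days -ScriptBlock {
            param($key, $name, $days)
            # A missing value means the OS default applies. After the September 2025 update the
            # value no longer acts as a bypass, so any certificate that is not strongly mapped fails.
            $mode = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            $ev = @(Get-WinEvent -FilterHashtable @{
                LogName      = 'System'
                ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
                Id           = 39, 40, 41
                StartTime    = (Get-Date).AddDays(-$days)
            } -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Mode    = $mode
                Event39 = @($ev | Where-Object Id -eq 39).Count
                Event40 = @($ev | Where-Object Id -eq 40).Count
                Event41 = @($ev | Where-Object Id -eq 41).Count
            }
        }
        $label = if ($null -eq $r.Mode) { 'Not set (OS default)' } else { $modeName[[int]$r.Mode] }
        if (-not $label) { $label = "Unknown ($($r.Mode))" }
        [pscustomobject]@{ DC = $dc; Mode = $label; Event39 = $r.Event39; Event40 = $r.Event40; Event41 = $r.Event41 }
    } catch {
        # Unreachable DC: report the failure rather than silently dropping it from the audit.
        [pscustomobject]@{ DC = $dc; Mode = "ERROR: $($_.Exception.Message)"; Event39 = $null; Event40 = $null; Event41 = $null }
    }
}

$report | Format-Table -AutoSize
# Any DC with a non-zero Event39 count is still seeing certificates that will be rejected once
# strong mapping is enforced; per KB5014754 those need reissuing with the SID extension or an
# explicit strong altSecurityIdentities mapping before the September 2025 update is installed.
```

Run it from a workstation with domain admin rights over the period you want to audit (for example `-Days 60`) and repeat after remediation until the Event39 column is zero on every DC.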

Additional information:
