Certificate-based authentication changes following installation of Windows updates released September 9, 2025
MC1150557
Category: planForChange
Severity: normal
Major change: True
Last modified: 2025-09-09 17:07:04
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph):
Action by (AI):
Services: Windows
Tags: Admin impact
Master tags: Security
Roadmap IDs:

One-line summary

Starting September 9, 2025, Windows updates enforce new certificate mapping requirements on Windows Servers, ending gradual rollout and requiring immediate admin action to ensure authentication works.

Similar updates

More like this
MC1143929 Certificate-based authentication changes on Windows domain controllers - coming September 2025
Starting with September 2025 Windows updates, strict certificate mapping will be enforced on AD CS and domain controllers, blocking authentication if requirements aren't met. The final milestone o... For full details, see KB5014754: Certificate-based.
MC959496 Full Enforcement mode for certificate-based authentication on Windows DCs effective February 2025
This mode change occurs when you install the Windows updates dated February 2025 or later. Starting in May 2022, certificate-based authentication on Windows DCs started to go through a series of changes to enhance security, following a planned timeline of Enablement Phases. For full details, see KB5014754. ...forcement  registry value will no.
MC1096052 Windows add support for the new certificate authority handling logic in Application Control for Business
Application Control for Business updates CA trust logic to handle expiring Microsoft CAs, requiring Windows updates by May 13, 2025 for seamless trust extension. Microsoft is updating the logic used by Application Control for Business to.
MC1092195 Prepare for Kerberos CBA changes: Enforcement begins with July updates
Windows updates will enforce stricter certificate-based authentication for domain controllers, requiring CAs in the NTAuth store starting July 8, 2025, with full enforcement October 14, 2025. Starting with the April 8, 2025 Windows security updates, protections for .
MC1111657 Second phase for KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication) begins today
Windows updates will enforce stricter certificate-based authentication from July 8, 2025, requiring CAs in the NTAuth store; full enforcement and policy bypass removal starts October 14, 2025. Starting with the April 8, 2025, Windows security.
MC1139443 Secure Boot certificate expiration: What Windows IT admins need to know now
Microsoft is updating Secure Boot certificates before current ones expire in 2026; IT admins must ensure systems accept new certificates to maintain security and updates. Secure Boot protects Windows systems by validating firmware and boot components using trusted ce....

Details

Body (from Message Center)

Windows updates released September 9, 2025, and later introduce security hardening changes to certificate mapping requirements in Windows Servers. This is the final milestone of a rollout that has gradually been taking place since 2023. IT administrators need to take action to ensure normal operations in accordance with the new certificate mapping criteria, and install the September 9, 2025 updates.

For full details, see KB5014754: Certificate-based authentication changes on Windows domain controllers.

When will this happen:
This change is effective immediately in Windows updates released September 9, 2025. Servers which run Active Directory Certificate Services, as well as Windows domain controllers that service certificate-based authentication, are now required to meet certain certificate mapping criteria in order for authentication operations to succeed. These changes address vulnerabilities discussed in CVE-2022-34691 and others.

How this will affect your organization:
Vulnerabilities addressed in this scenario involve the use of a dollar sign ($) at the end of a machine name, as well as conflicts between User Principal Names (UPN) and sAMAccountName. Both scenarios introduced vulnerabilities in the form of certificate emulation (spoofing).

The September 2025 updates conclude the rollout of security requirements which prevent these vulnerabilities. If certificates cannot be strongly mapped per the security measures following installation of this update, certain authentication operations might be denied.

What you need to do to prepare:
The new certificate mapping requirements mentioned here have been rolling out with various degrees of enforcement throughout 2023 and 2024. Beginning with the September 9 updates, previous methods of grading enforcement across environments have been disabled. IT administrators need to confirm normal operations in accordance with the new certificate mapping criteria.

As always, we recommend that you update your devices to the latest security update available to take advantage of the advanced protections from the latest security threats. Review the links provided in the Additional information section.
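One way to check mapping compliance before relying on enforcement, as an added example that is not part of the Message Center notice or Microsoft's own code. The SID extension OID and the `altSecurityIdentities` mapping formats below come from KB5014754 rather than from this notice; the function names and sample values are constructed for illustration.

```powershell
# OID of the SID security extension that enterprise CAs add so a certificate
# can be strongly mapped to an account (per KB5014754).
$SidExtensionOid = '1.3.6.1.4.1.311.25.2'

function Get-MappingStrength {
    # Classifies one altSecurityIdentities value by the tags it contains.
    # Simplification: assumes issuer/subject names contain no '<tag>' text.
    param([Parameter(Mandatory)][string]$AltSecurityIdentity)
    $tags = [regex]::Matches($AltSecurityIdentity, '<([A-Za-z0-9\-]+)>') |
        ForEach-Object { $_.Groups[1].Value.ToUpperInvariant() }
    switch ($tags -join '+') {
        'I+SR'       { 'Strong (X509IssuerSerialNumber)' }
        'SKI'        { 'Strong (X509SKI)' }
        'SHA1-PUKEY' { 'Strong (X509SHA1PublicKey)' }
        'I+S'        { 'Weak (X509IssuerSubject)' }
        'S'          { 'Weak (X509SubjectOnly)' }
        'RFC822'     { 'Weak (X509RFC822)' }
        default      { 'Unknown' }
    }
}

function Test-HasSidExtension {
    # True when the certificate carries the SID security extension.
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    [bool]($Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid })
}

# Constructed sample mappings (not from any real directory).
$samples = @(
    'X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>1200000000AC11000000002B',
    'X509:<SKI>0123456789abcdef0123456789abcdef01234567',
    'X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<S>CN=alice',
    'X509:<RFC822>alice@contoso.com'
)
$samples | ForEach-Object {
    [pscustomobject]@{ Strength = Get-MappingStrength $_; Mapping = $_ }
} | Format-Table -AutoSize -Wrap

# On a Windows host: certificates in the machine store without the SID extension.
if (Test-Path Cert:\LocalMachine\My) {
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { -not (Test-HasSidExtension $_) } |
        Select-Object Subject, Thumbprint, NotAfter
}
```

A certificate that lacks the SID extension and whose account has only weak or no explicit mappings is the case the notice describes as unable to be strongly mapped.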

Additional information:

Raw JSON (for debugging)

{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": null,
    "ai_actions": [
      "Install September 9, 2025 Windows updates",
      "Verify certificate mapping compliance",
      "Review KB5014754 for details"
    ],
    "ai_master_tags": [
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Starting September 9, 2025, Windows updates enforce new certificate mapping requirements on Windows Servers, ending gradual rollout and requiring immediate admin action to ensure authentication works.",
    "ai_topics": [
      "Windows",
      "Windows Server"
    ],
    "category": "planForChange",
    "details_map": {},
    "id": "MC1150557",
    "importance": 5,
    "is_major_change": true,
    "last_modified": "2025-09-09T17:07:04Z",
    "ms_products": [
      "Windows"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Windows"
    ],
    "severity": "normal",
    "tags": [
      "Admin impact"
    ],
    "title": "Certificate-based authentication changes following installation of Windows updates released September 9, 2025"
  }
}