Full Enforcement mode for certificate-based authentication on Windows DCs effective February 2025
MC959496
Category
stayInformed
Severity
normal
Major change
True
Last modified
2025-02-11 18:00:15
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
Action by (AI)
Services
Windows
Tags
Admin impact
Master tags
Security
Roadmap IDs

One-line summary

Full Enforcement mode for certificate-based authentication on Windows domain controllers starts with February 2025 updates; non-compliant certificates will be denied authentication.

Similar updates

More like this
MC1143929 Certificate-based authentication changes on Windows domain controllers - coming September 2025
Starting with September 2025 Windows updates, strict certificate mapping will be enforced on AD CS and domain controllers, blocking authentication if requirements aren't met.
MC1150557 Certificate-based authentication changes following installation of Windows updates released September 9, 2025
Starting September 9, 2025, Windows updates enforce new certificate mapping requirements on Windows Servers, ending the gradual rollout and requiring immediate admin action to ensure authentication works.
MC1111657 Second phase for KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication) begins today
Windows updates will enforce stricter certificate-based authentication from July 8, 2025, requiring CAs in the NTAuth store; full enforcement and policy bypass removal starts October 14, 2025.
MC1092195 Prepare for Kerberos CBA changes: Enforcement begins with July updates
Windows updates will enforce stricter certificate-based authentication for domain controllers, requiring CAs in the NTAuth store starting July 8, 2025, with full enforcement October 14, 2025.
MC1050816 KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication)
Windows updates from April 8, 2025 add protections for a Kerberos vulnerability; enforcement starts July 8, 2025, with full enforcement and registry key removal on October 14, 2025.
MC1027793 30-day notice: Manage PAC Validation related to CVE-2024-26248 & CVE-2024-29056
Starting April 2025, Windows updates will enforce new Kerberos PAC Validation security behavior, removing Compatibility mode and requiring all domain controllers and clients to be updated.

Details

Body (from Message Center)

The last phase of the changes to certificate-based authentication on domain controllers (DCs) is here. As stated in earlier reminders, the Full Enforcement mode phase starts in February 2025. The mode changes when you install the Windows updates dated February 2025 or later.

Since May 2022, certificate-based authentication on Windows DCs has gone through a series of changes to enhance security, following a planned timeline of enablement phases.

After you install the Windows security updates released in February 2025 or later, authentication with certificates that do not meet the expected mapping requirements is denied. This behavior is known as Full Enforcement mode. You can still move back to Compatibility mode until September 2025. For full details, see KB5014754.
 
When will this happen:
In February 2025, devices will move to Full Enforcement mode.
 
How this will affect your organization:
When you install the February 2025 or later Windows update, devices that are not already in Full Enforcement mode (the StrongCertificateBindingEnforcement registry value set to 2) are moved to Full Enforcement mode. When authentication is denied, the DC logs Event ID 39 (Event ID 41 on Windows Server 2008 R2 SP1 and Windows Server 2008 SP2). At this stage you can still set the registry value back to 1 (Compatibility mode). Starting with the September 2025 Windows update, the StrongCertificateBindingEnforcement registry value is no longer supported.
 
What you need to do to prepare:
Review the date changes in the “Take action”, “Full Enforcement mode”, and “Registry key information” sections of KB5014754, and take the actions needed to make your devices more secure.
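The post names the registry value and the event IDs but leaves the actual checks to KB5014754. The following PowerShell is an added example, not part of the Message Center post or of any Microsoft script: run in an elevated session on a DC, it reports which enforcement mode the DC is in, pulls the KDC events that identify certificates failing the mapping check, optionally lists accounts whose explicit altSecurityIdentities mappings use the weak formats, and wraps the temporary rollback to Compatibility mode in a confirmation prompt. Assumptions (labeled in the code): the registry path of the value, the event log provider name, Event IDs 40 and 41 on current servers, and the strong/weak mapping formats are taken from KB5014754 rather than from this post, and the altSecurityIdentities scan needs the ActiveDirectory module.

```powershell
# Added example (not from the Message Center post): audit a DC's certificate-based
# authentication enforcement state around the February 2025 update.
# Run in an elevated PowerShell session on the domain controller.
# Assumption: the registry path below is the KDC service key documented in KB5014754;
# the post itself names only the value StrongCertificateBindingEnforcement.
$KdcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$KdcValue = 'StrongCertificateBindingEnforcement'

function Get-KdcCbaMode {
    # Reads StrongCertificateBindingEnforcement and translates it into the mode name.
    $item = Get-ItemProperty -Path $KdcKey -Name $KdcValue -ErrorAction SilentlyContinue
    $raw  = if ($null -ne $item) { [int]$item.$KdcValue } else { $null }
    if ($null -eq $raw) {
        # The post says devices not already at 2 are moved to Full Enforcement by the update.
        $mode = 'Not set: behaves as Full Enforcement once the February 2025 update is installed'
    } elseif ($raw -eq 0) {
        $mode = 'Disabled (0): strong mapping checks off; not a supported steady state'
    } elseif ($raw -eq 1) {
        $mode = 'Compatibility (1): weak mappings still accepted, Event ID 39 logged'
    } elseif ($raw -eq 2) {
        $mode = 'Full Enforcement (2): certificates without a strong mapping are denied'
    } else {
        $mode = "Unexpected value $raw"
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; RawValue = $raw; Mode = $mode }
}

function Get-KdcCbaEvents {
    # Event ID 39 is the denial indicator the post names. IDs 40 and 41 are the companion
    # events in KB5014754 (certificate predates the account; SID in the certificate does
    # not match the account). Caveat from the post: on Windows Server 2008 R2 SP1 and
    # 2008 SP2 the weak-mapping event is ID 41, so read that platform's 41 as 39 here.
    # Assumption: provider name as documented in KB5014754, events land in the System log.
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40, 41
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-WeakAltSecurityIdentities {
    # Lists accounts whose explicit X509 mappings use a format that Full Enforcement
    # rejects. Strong formats per KB5014754 (assumption: list is current):
    #   <I>...<SR>  issuer + serial number,  <SKI> subject key identifier,
    #   <SHA1-PUKEY> SHA-1 of the public key.
    # Anything else that starts with X509: (<I><S>, <S>, <RFC822>) is weak.
    # Assumption: the ActiveDirectory RSAT module is installed on this host.
    Import-Module ActiveDirectory -ErrorAction Stop
    $strong = '^X509:(<I>.*<SR>|<SKI>|<SHA1-PUKEY>)'
    Get-ADObject -LDAPFilter '(altSecurityIdentities=*)' -Properties altSecurityIdentities |
        ForEach-Object {
            foreach ($m in $_.altSecurityIdentities) {
                if ($m -like 'X509:*' -and $m -notmatch $strong) {
                    [pscustomobject]@{ Account = $_.DistinguishedName; Mapping = $m }
                }
            }
        }
}

function Set-KdcCompatibilityMode {
    # The stopgap the post allows: set the value back to 1 until the September 2025
    # update, after which the value is no longer honored. Prompts before writing.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    if ($PSCmdlet.ShouldProcess("$KdcKey\$KdcValue", 'Set to 1 (Compatibility mode)')) {
        Set-ItemProperty -Path $KdcKey -Name $KdcValue -Value 1 -Type DWord
    }
}

# Usage: triage first, roll back only if you must.
Get-KdcCbaMode | Format-List
Get-KdcCbaEvents -Days 14 | Format-List TimeCreated, Id, Message
Get-WeakAltSecurityIdentities | Format-Table -AutoSize
# Set-KdcCompatibilityMode   # temporary; fix the certificates or mappings instead
```

The event query is the part worth running before the update lands: a DC still in Compatibility mode logs Event ID 39 for every certificate it would reject under Full Enforcement, so an empty result over a representative window is a reasonable pre-flight check, while a non-empty one names the certificates and accounts to re-issue or remap before February 2025.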
 
Additional information:
For full detailed information, see KB5014754: Certificate-based authentication changes on Windows domain controllers.

Raw JSON (for debugging)

{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": null,
    "ai_actions": [
      "Review KB5014754 for required actions",
      "Update devices to meet certificate mapping requirements",
      "Prepare for Full Enforcement mode in February 2025"
    ],
    "ai_master_tags": [
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Full Enforcement mode for certificate-based authentication on Windows domain controllers starts with February 2025 updates; non-compliant certificates will be denied authentication.",
    "ai_topics": [
      "Windows",
      "Windows Server"
    ],
    "category": "stayInformed",
    "details_map": {},
    "id": "MC959496",
    "importance": 5,
    "is_major_change": true,
    "last_modified": "2025-02-11T18:00:15Z",
    "ms_products": [
      "Windows"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Windows"
    ],
    "severity": "normal",
    "tags": [
      "Admin impact"
    ],
    "title": " Full Enforcement mode for certificate-based authentication on Windows DCs effective February 2025"
  }
}