| MC894351 | (Updated) KB5014754: Certificate-based authentication changes on Windows domain controllers |
|---|---|
| Classification | stayInformed |
| Last Updated | 09/20/2024 18:15:24 |
| Start Time | 09/20/2024 18:15:23 |
| End Time | 09/20/2025 18:15:23 |

Message Content:
On September 10, 2024, we updated article KB5014754 with changes that affect the timeline of security requirements for certificate-based authentication requests on Windows domain controllers.
After you install the Windows security updates released in February 2025, authentication for certificates that do not meet the expected mapping requirements will be denied. This change is known as Full Enforcement mode. For full details, see KB5014754.
When will this happen:
In February 2025, or later, devices will move to Full Enforcement mode. However, you can move back to Compatibility mode until September 2025.
How this will affect your organization:
When you install the February 2025 Windows security update, devices that are not already in Full Enforcement mode (the StrongCertificateBindingEnforcement registry value set to 2) will be moved to Full Enforcement mode. If authentication is denied, you will see Event ID 39 (or Event ID 41 for Windows Server 2008 R2 SP1 and Windows Server 2008 SP2). You will have the option to set the registry value back to 1 (Compatibility mode) at this stage. In the September 2025 Windows update, the StrongCertificateBindingEnforcement registry value will no longer be supported.
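As an added example (not part of the Message Center post or of KB5014754), the following PowerShell inventories the StrongCertificateBindingEnforcement value on every domain controller and counts recent Event ID 39 denials, so you can see which DCs will change mode and which are already rejecting weakly mapped certificates. It assumes the RSAT ActiveDirectory module, WinRM access to the DCs, and the Kdc registry path documented in KB5014754 (confirm it against the KB; the path is not quoted in this message).

```powershell
# Added example: report enforcement mode and Event ID 39 volume per domain controller.
# $kdcKey is the path documented in KB5014754 for the StrongCertificateBindingEnforcement
# value; it is an assumption here, so verify it against the KB before relying on it.
$kdcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valName  = 'StrongCertificateBindingEnforcement'
$lookback = (Get-Date).AddDays(-7)

# Values named in the post: 1 = Compatibility mode, 2 = Full Enforcement mode.
$modeNames = @{ 1 = 'Compatibility'; 2 = 'Full Enforcement' }

$dcs = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ArgumentList $kdcKey, $valName, $lookback -ScriptBlock {
        param($key, $name, $since)

        # Absent value means the DC is not pinned to a mode and will follow the update's default.
        $val = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

        # Event ID 39 is logged by the KDC when a certificate cannot be strongly mapped
        # and authentication is denied (Event ID 41 on Server 2008 R2 SP1 / 2008 SP2).
        $denied = Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
            Id           = 39
            StartTime    = $since
        } -ErrorAction SilentlyContinue

        [pscustomobject]@{
            DC               = $env:COMPUTERNAME
            EnforcementValue = $val
            Event39Last7d    = @($denied).Count
        }
    }
}

$results |
    Select-Object DC, EnforcementValue,
        @{ n = 'Mode'; e = {
            if ($null -eq $_.EnforcementValue) { 'Not set (update default applies)' }
            elseif ($modeNames.ContainsKey([int]$_.EnforcementValue)) { $modeNames[[int]$_.EnforcementValue] }
            else { "Other ($($_.EnforcementValue)); see KB5014754" }
        } },
        Event39Last7d |
    Sort-Object Event39Last7d -Descending |
    Format-Table -AutoSize
```

A DC showing Compatibility mode with a non-zero Event39Last7d count already has certificates that will fail once it moves to Full Enforcement; those are the mappings to fix before the February 2025 update.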
What you need to do to prepare:
Review the date changes in the “Take action”, “Full Enforcement mode”, and “Registry key information” sections of KB5014754. Take the appropriate action needed to make your devices more secure.
Additional information:
For full detailed information, see KB5014754: Certificate-based authentication changes on Windows domain controllers.