SHD / MC Checker

MC959496 | 30-day reminder: Full Enforcement mode for Certificate-based authentication changes on Windows DCs

Classification: stayInformed
Last Updated: 01/13/2025 19:09:37
Start Time: 01/13/2025 19:09:35
End Time: 01/13/2026 19:09:35
Message Content
Starting in May 2022, certificate-based authentication on Windows domain controllers (DCs) began a series of security-hardening changes that follow a planned timeline of enablement phases.
On September 10, 2024, we updated the timeline of security requirements for certificate-based authentication requests on Windows DCs.
After you install the Windows security updates released in February 2025, authentication for certificates that do not meet the expected mapping requirements will be denied. This change is known as Full Enforcement mode. However, you can move back to Compatibility mode until September 2025. For full details, see KB5014754.
 
When will this happen:
Devices move to Full Enforcement mode when the February 2025 Windows security update, or any later update, is installed.
 
How this will affect your organization:
When you install the February 2025 Windows security update, devices that are not already in Full Enforcement mode (the StrongCertificateBindingEnforcement registry value under HKLM\SYSTEM\CurrentControlSet\Services\Kdc set to 2) will be moved to Full Enforcement mode. Certificates that cannot be mapped to an account strongly are then denied, and the DC logs Event ID 39 (Event ID 41 on Windows Server 2008 R2 SP1 and Windows Server 2008 SP2). At this stage you can still set the registry value back to 1 (Compatibility mode) to keep accepting weakly mapped certificates while you fix them. Starting with the September 2025 Windows update, the StrongCertificateBindingEnforcement registry value is no longer supported, so Compatibility mode can no longer be re-enabled.
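The following PowerShell script is an added example for checking the state described above; it is not part of MC959496 or KB5014754. It reads the StrongCertificateBindingEnforcement value from the Kdc service key on each named DC, decodes the 0/1/2 meanings given in KB5014754, pulls the KDC's Event ID 39/40/41 entries from the System log for the last few days, and can set the value back to 1 (Compatibility mode) as the message allows until the September 2025 update. Assumptions: remote targets are reachable over WinRM and RPC; the KDC events carry a provider name containing "Kdcsvc" or "Kerberos-Key-Distribution-Center", so that match is applied loosely after the query rather than inside the filter.

```powershell
# Added example, not code from MC959496 or KB5014754.
# Reports the KDC certificate-binding enforcement mode on one or more DCs and
# lists the KDC events that show weak or denied certificate mappings.
[CmdletBinding()]
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$Days = 7,
    [switch]$RollBackToCompatibility   # set the value to 1; only honoured until the September 2025 update
)

$KdcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$KdcValue = 'StrongCertificateBindingEnforcement'

# Meanings per KB5014754.
$ModeNames = @{
    0 = 'Disabled (no strong-mapping check)'
    1 = 'Compatibility (weak mappings allowed, Event 39 logged as a warning)'
    2 = 'Full Enforcement (weak mappings denied, Event 39 logged as an error)'
}

# Run a script block locally or over WinRM depending on the target name.
function Invoke-OnDc {
    param([string]$Computer, [scriptblock]$ScriptBlock, [object[]]$ArgumentList)
    if ($Computer -ieq $env:COMPUTERNAME) {
        & $ScriptBlock @ArgumentList
    } else {
        Invoke-Command -ComputerName $Computer -ScriptBlock $ScriptBlock -ArgumentList $ArgumentList
    }
}

function Get-KdcEnforcementMode {
    param([string]$Computer)
    $raw = Invoke-OnDc -Computer $Computer -ArgumentList $KdcKey, $KdcValue -ScriptBlock {
        param($Key, $Name)
        (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    if ($null -eq $raw) {
        # Value absent: the OS default applies, which is Full Enforcement once the
        # February 2025 update is installed (Compatibility on earlier builds).
        return [pscustomobject]@{ Computer = $Computer; Value = $null; Mode = 'Not set (OS default applies)' }
    }
    [pscustomobject]@{ Computer = $Computer; Value = [int]$raw; Mode = $ModeNames[[int]$raw] }
}

function Set-KdcCompatibilityMode {
    param([string]$Computer)
    Invoke-OnDc -Computer $Computer -ArgumentList $KdcKey, $KdcValue -ScriptBlock {
        param($Key, $Name)
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        New-ItemProperty -Path $Key -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Get-KdcCertMappingEvents {
    param([string]$Computer, [int]$Days)
    $filter = @{ LogName = 'System'; Id = 39, 40, 41; StartTime = (Get-Date).AddDays(-$Days) }
    try {
        $events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as zero events.
        return @()
    }
    # Other System-log providers reuse these small IDs, so keep only KDC events.
    # Provider-name match is an assumption; adjust if your DCs show a different source.
    $events | Where-Object { $_.ProviderName -match 'Kdcsvc|Kerberos-Key-Distribution-Center' }
}

foreach ($dc in $ComputerName) {
    $mode = Get-KdcEnforcementMode -Computer $dc
    $shown = if ($null -eq $mode.Value) { 'absent' } else { $mode.Value }
    Write-Host ("{0}: {1} = {2} -> {3}" -f $dc, $KdcValue, $shown, $mode.Mode)
    if ($mode.Value -eq 1) {
        Write-Warning "$dc is in Compatibility mode; the September 2025 update removes this override."
    }

    $events = @(Get-KdcCertMappingEvents -Computer $dc -Days $Days)
    $events | Group-Object Id | ForEach-Object {
        Write-Host ("  Event {0}: {1} occurrence(s) in the last {2} day(s)" -f $_.Name, $_.Count, $Days)
    }
    # Event 39's message names the account and the certificate that could not be strongly mapped.
    $events | Where-Object Id -eq 39 | Select-Object -First 5 TimeCreated, Message | Format-List

    if ($RollBackToCompatibility -and $mode.Value -ne 1) {
        Set-KdcCompatibilityMode -Computer $dc
        Write-Host "  $dc set to Compatibility mode (value 1)."
    }
}
```

Run it against all DCs with something like `.\Check-KdcEnforcement.ps1 -ComputerName (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)`; the script name is an assumption. Event 39 entries in Compatibility mode are the list of certificates and accounts that will start failing in Full Enforcement, so drive remediation from them rather than from the rollback switch, which stops working with the September 2025 update.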
 
What you need to do to prepare:
Review the date changes in the “Take action”, “Full Enforcement mode”, and “Registry key information” sections of KB5014754. Take the appropriate action needed to make your devices more secure.
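As an added example of the preparation step, not code from MC959496 or KB5014754, the script below finds the two things Full Enforcement rejects: explicit altSecurityIdentities mappings in a weak format, and certificates without the SID extension that would make an implicit UPN/SAN mapping strong. Which mapping formats KB5014754 treats as weak (X509IssuerSubject, X509SubjectOnly, X509RFC822) or strong (X509IssuerSerialNumber, X509SKI, X509SHA1PublicKey), and the SID extension OID 1.3.6.1.4.1.311.25.2, are taken from that KB; the ActiveDirectory RSAT module, domain read access, and the sample certificate path are assumptions.

```powershell
# Added example, not code from MC959496 or KB5014754.
# Audits explicit certificate mappings for weak formats and checks a certificate
# file for the SID extension (OID 1.3.6.1.4.1.311.25.2).
Import-Module ActiveDirectory

function Get-MappingStrength {
    param([string]$Mapping)
    # Classification per KB5014754. Order matters: <I>...<SR> must be tested before <I>...<S>.
    switch -Regex ($Mapping) {
        '^X509:<I>.*<SR>'    { return 'Strong (issuer + serial number)' }
        '^X509:<SKI>'        { return 'Strong (subject key identifier)' }
        '^X509:<SHA1-PUKEY>' { return 'Strong (SHA1 public key hash)' }
        '^X509:<I>.*<S>'     { return 'Weak (issuer + subject)' }
        '^X509:<S>'          { return 'Weak (subject only)' }
        '^X509:<RFC822>'     { return 'Weak (RFC822 e-mail name)' }
        default              { return 'Unrecognized (not an X509 mapping)' }
    }
}

function Get-CertificateMappingAudit {
    param([string]$SearchBase)   # optional OU distinguished name; whole domain when omitted
    $params = @{
        LDAPFilter = '(altSecurityIdentities=*)'
        Properties = 'altSecurityIdentities', 'sAMAccountName'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    foreach ($obj in Get-ADObject @params) {
        foreach ($m in $obj.altSecurityIdentities) {
            [pscustomobject]@{
                Account  = $obj.sAMAccountName
                Mapping  = $m
                Strength = Get-MappingStrength -Mapping $m
            }
        }
    }
}

function Test-CertificateHasSidExtension {
    param([string]$Path)   # DER or Base64 .cer file
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $sidExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' }
    [pscustomobject]@{
        Subject         = $cert.Subject
        Thumbprint      = $cert.Thumbprint
        HasSidExtension = [bool]$sidExt
    }
}

# Usage: list the mappings Full Enforcement will reject.
Get-CertificateMappingAudit | Where-Object Strength -like 'Weak*' | Format-Table -AutoSize

# Usage: check one issued certificate. The path is an assumption for illustration.
# Test-CertificateHasSidExtension -Path 'C:\temp\user.cer'
```

Accounts that do not appear in the audit rely on implicit mapping through the certificate's UPN or DNS SAN; under Full Enforcement that only works when the certificate carries the SID extension, which Windows CAs add after the May 2022 update, so re-issue older certificates or add a strong explicit mapping (issuer plus serial number, SKI, or SHA1 public key) for them. The SID-extension check alone does not prove a logon will succeed: the KDC also verifies that the SID in the extension matches the account.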
 
Additional information: