{"id":12608,"date":"2025-08-29T06:00:55","date_gmt":"2025-08-28T21:00:55","guid":{"rendered":"https:\/\/m365jp.net\/?p=12608"},"modified":"2025-08-29T06:02:28","modified_gmt":"2025-08-28T21:02:28","slug":"mc1143929-certificate-based-authentication-changes-on-windows-domain-controllers-coming-september-2025","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2025-08-29-mc1143929-certificate-based-authentication-changes-on-windows-domain-controllers-coming-september-2025","title":{"rendered":"MC1143929 | Certificate-based authentication changes on Windows domain controllers &#8211; coming September 2025"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC1143929 | Certificate-based authentication changes on Windows domain controllers &#8211; coming September 2025<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>planForChange<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>08\/28\/2025 20:57:32<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>08\/28\/2025 20:57:32<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>09\/09\/2026 16:30:00<\/td>\n<\/tr>\n<tr>\n<th>Action Required By Date<\/th>\n<td>2025-09-09T16:30:00Z<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td>\n<div>Since 2023, Microsoft has been sharing reminders of changes coming to certificate mapping security requirements in Windows Servers. These changes address vulnerabilities discussed in  <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2022-34691\" rel=\"noopener noreferrer\" target=\"_blank\">  CVE-2022-34691<\/a> and others. 
As part of these changes, servers that run Active Directory Certificate Services, as well as Windows domain controllers that service certificate-based authentication, will be required to meet certain certificate mapping criteria in order for authentication operations to succeed.<\/div>\n<div>  <\/div>\n<div>The final milestone of this rollout will take place with Windows updates released in September 2025. For full details, see <a href=\"https:\/\/support.microsoft.com\/help\/5014754\" rel=\"noopener noreferrer\" target=\"_blank\">KB5014754: Certificate-based authentication changes on Windows domain controllers<\/a>.<\/div>\n<div>  <\/div>\n<div><b>When will this happen:<\/b><\/div>\n<div>Beginning in 2022, Windows updates have addressed certain vulnerabilities related to certificate emulation. As part of this, new certificate mapping requirements have been rolling out with various degrees of enforcement throughout 2023 and 2024. Windows updates released prior to September 2025 make it possible to further control the degree to which these requirements are enforced across environments. However, after the September updates, the ability to bypass requirements will end.<\/div>\n<div>  <\/div>\n<div><b>How this will affect your organization:<\/b><\/div>\n<div>The specific vulnerability addressed in this scenario involves the use of a dollar sign ($) at the end of a machine name. When it is present, methods could be used to emulate (spoof) certificates under some circumstances. Additionally, conflicts between User Principal Names (UPN) and sAMAccountName introduced other emulation vulnerabilities.<\/div>\n<div>  <\/div>\n<div>Updates released in September 2025 will conclude the rollout of security hardening that prevents these vulnerabilities. 
From that time on, certain authentication operations will be denied if certificates cannot be strongly mapped per the security measures.<\/div>\n<div>  <\/div>\n<div><b>What you need to do to prepare:<\/b><\/div>\n<div>We advise IT administrators to conduct testing that confirms normal operations in accordance with the new certificate mapping criteria. As always, we recommend that you update your devices to the latest security update available, to take advantage of the advanced protections from the latest security threats. Review the links provided in the Additional information section.<\/div>\n<div>  <\/div>\n<div><b>Additional information:<\/b><\/div>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/help\/5014754\" rel=\"noopener noreferrer\" target=\"_blank\">KB5014754: Certificate-based authentication changes on Windows domain controllers<\/a>.<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC1143929 | Certificate-based authentication changes on Windows domain controllers &#8211; coming September 20 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-12608","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/12608","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=12608"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/12608\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=12608"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=12608"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=12608"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}