The last phase of the changes to certificate-based authentication on domain controllers (DCs) is here. As stated in earlier reminders, the Full Enforcement mode phase starts in February 2025. This mode change occurs when you install the Windows updates dated February 2025 or later.
Starting in May 2022, certificate-based authentication on Windows DCs started to go through a series of changes to enhance security, following a planned timeline of Enablement Phases.
After you install the Windows security updates released in February 2025 or later, authentication for certificates that do not meet the expected mapping requirements will be denied. This change is known as Full Enforcement mode. However, you can move back to Compatibility mode until September 2025. For full details, see KB5014754.
When will this happen:
In February 2025, devices will move to Full Enforcement mode.
How this will affect your organization:
When you install the February 2025 or later Windows update, devices that are not already in Full Enforcement mode (that is, the StrongCertificateBindingEnforcement registry value is not set to 2) will be moved to Full Enforcement mode. If authentication is denied, you will see Event ID 39 (or Event ID 41 on Windows Server 2008 R2 SP1 and Windows Server 2008 SP2). At this stage you still have the option to set the registry value back to 1 (Compatibility mode). Starting with the September 2025 Windows update, the StrongCertificateBindingEnforcement registry value will no longer be supported.
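To see where a domain controller stands before and after the February 2025 update, the following PowerShell script (an added example, not part of this notice or of KB5014754) reports the current StrongCertificateBindingEnforcement value and lists recent Event ID 39/41 entries. It assumes the value lives under the KDC service key HKLM\SYSTEM\CurrentControlSet\Services\Kdc and that the events are written to the System log by the Kerberos-Key-Distribution-Center provider; neither detail is stated on this page.

```powershell
# Added example: report KDC certificate-binding enforcement mode and recent weak-binding events.
# Run in an elevated PowerShell session on the domain controller you want to check.
# Assumption: the value is stored under the Kdc service key (not named in the notice above).
$kdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'StrongCertificateBindingEnforcement'

function Get-KdcCertBindingMode {
    $value = (Get-ItemProperty -Path $kdcKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    $meaning = switch ($value) {
        0       { 'Disabled (no strong-mapping checks)' }
        1       { 'Compatibility mode (weak mappings allowed; Event ID 39 logged as a warning)' }
        2       { 'Full Enforcement mode (weak mappings denied; Event ID 39/41 logged on denial)' }
        default { 'Not set (KDC default applies; see KB5014754 for the behaviour of your update level)' }
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        RawValue = $value
        Mode     = $meaning
    }
}

function Get-WeakCertBindingEvents {
    param([int]$Days = 7)
    # Assumption: events 39 and 41 come from the KDC provider in the System log.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 41
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-KdcCertBindingMode | Format-List
# Any rows here identify certificates that still lack a strong mapping and need attention
# before the September 2025 update removes the option of falling back to Compatibility mode.
Get-WeakCertBindingEvents -Days 7 | Format-Table -Wrap
```

Run it on each DC (or wrap it in Invoke-Command) so that the event list, not just the registry value, drives the remediation list for certificates that still map weakly.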
What you need to do to prepare:
Review the date changes in the “Take action”, “Full Enforcement mode”, and “Registry key information” sections of KB5014754. Take the appropriate action needed to make your devices more secure.
Additional information:
For full detailed information, see KB5014754: Certificate-based authentication changes on Windows domain controllers.