check before: 2025-09-09
Product:
Windows, Windows Server
Platform:
Online, World tenant
Change type:
Admin impact
Details:
Since 2023, Microsoft has been sharing reminders of changes coming to certificate mapping security requirements in Windows Servers. These changes address vulnerabilities discussed in CVE-2022-34691 and others. As part of these changes, servers which run Active Directory Certificate Services, as well as Windows domain controllers that service certificate-based authentication, will be required to meet certain certificate mapping criteria in order for authentication operations to succeed.
The final milestone of this rollout will take place with Windows updates released September 2025. For full details, see KB5014754: Certificate-based authentication changes on Windows domain controllers.
When will this happen:
Beginning in 2022, Windows updates have addressed certain vulnerabilities related to certificate emulation. As part of this, new certificate mapping requirements have been rolling out with various degrees of enforcement throughout 2023 and 2024. Windows updates released prior to September 2025 make it possible to further control the degree to which these requirements are enforced across environments. However, after the September updates, the ability to bypass requirements will end.
Created:
2025-08-29
updated:
2025-08-29
Direct effects for Operations**
Authentication Failures
If systems are not prepared for the new certificate mapping criteria, users may experience authentication failures when trying to access services that rely on certificate-based authentication.
- roles: IT Administrators, End Users
- references: https://support.microsoft.com/help/5014754, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691
Increased Helpdesk Tickets
Changes rolled out without preparation may lead to a surge in helpdesk tickets as users encounter issues with logging in or accessing resources, impacting IT support resources.
- roles: Helpdesk Staff, End Users
- references: https://support.microsoft.com/help/5014754, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691
Service Downtime
Without proper testing and preparation, critical services may experience downtime due to failed authentication processes, affecting business operations.
- roles: System Administrators, Business Users
- references: https://support.microsoft.com/help/5014754, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691
User Experience Degradation
Users may face a degraded experience due to unexpected authentication prompts or failures, leading to frustration and decreased productivity.
- roles: End Users, IT Support Staff
- references: https://support.microsoft.com/help/5014754, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691
Compliance Risks
Failure to comply with the new security requirements may expose the organization to compliance risks and potential security vulnerabilities.
- roles: Compliance Officers, IT Security Staff
- references: https://support.microsoft.com/help/5014754, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691
Opportunities**
Enhanced Security Posture
Implementing the new certificate mapping requirements will significantly enhance the security posture of the organization by reducing the risk of certificate spoofing and related vulnerabilities. This proactive approach to security will protect sensitive data and maintain trust in authentication processes.
- next-steps: Conduct a security audit to identify current certificate usage and mapping practices. Develop a plan to transition to the new requirements, including necessary training for IT staff and end-users.
- roles: IT Security Manager, System Administrator, Compliance Officer
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691, https://support.microsoft.com/help/5014754
Streamlined IT Operations
By aligning with the new certificate mapping criteria, IT operations can reduce the complexity of managing legacy authentication methods, leading to streamlined processes and reduced troubleshooting time.
- next-steps: Review current authentication processes and identify areas where legacy methods can be phased out. Train IT staff on the new criteria to ensure smooth operations post-implementation.
- roles: IT Operations Manager, Help Desk Staff, Network Administrator
- references: https://support.microsoft.com/help/5014754, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691
User Experience Improvement
With the implementation of stricter certificate mapping, users will experience fewer authentication failures due to improved reliability and security in the authentication process, enhancing overall user satisfaction.
- next-steps: Gather user feedback on current authentication experiences. Communicate upcoming changes and provide training resources to prepare users for the transition to the new mapping requirements.
- roles: User Experience Manager, Training Coordinator, End Users
- references: https://support.microsoft.com/help/5014754, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691
** AI generated content. This information must be reviewed before use.