MC1143929 – Certificate-based authentication changes on Windows domain controllers – coming September 2025

check before: 2025-09-09

Product: Windows Server

Platform: Online, World tenant

Status:

Change type: Admin impact

Links:

Details:

Since 2023, Microsoft has been sharing reminders of changes coming to certificate mapping security requirements in Windows Server. These changes address vulnerabilities discussed in CVE-2022-34691 and others. As part of these changes, servers that run Active Directory Certificate Services, as well as Windows domain controllers that service certificate-based authentication, will be required to meet certain certificate mapping criteria in order for authentication operations to succeed.

The final milestone of this rollout will take place with the Windows updates released in September 2025. For full details, see KB5014754: Certificate-based authentication changes on Windows domain controllers.

When will this happen:
Beginning in 2022, Windows updates have addressed certain vulnerabilities related to certificate emulation. As part of this, new certificate mapping requirements have been rolling out with varying degrees of enforcement throughout 2023 and 2024. Windows updates released prior to September 2025 make it possible to further control the degree to which these requirements are enforced across environments. However, after the September updates, the ability to bypass the requirements will end.
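The mapping criteria referred to above are the strong-mapping formats that KB5014754 defines. The following PowerShell is an added example, not code from Microsoft or cloudscout.one; the sample mappings are constructed, and the commented AD and event-log queries assume a domain-joined host with RSAT.

```powershell
# Added example (not from the Microsoft post or KB5014754 itself): classify
# altSecurityIdentities values against the strong mapping formats KB5014754
# lists, then show the two checks an admin runs on a DC before the September 2025 update.

# Strong formats: issuer+serial, subject key identifier, SHA-1 of the public key.
$strongPatterns = @(
    '^X509:<I>.+<SR>[0-9A-Fa-f]+$',     # X509IssuerSerialNumber
    '^X509:<SKI>[0-9A-Fa-f]+$',         # X509SKI
    '^X509:<SHA1-PUKEY>[0-9A-Fa-f]+$'   # X509SHA1PublicKey
)

function Test-StrongCertMapping {
    param([Parameter(Mandatory)][string]$Mapping)
    foreach ($p in $strongPatterns) {
        if ($Mapping -match $p) { return $true }
    }
    # <I>..<S>.., <S>.. and <RFC822>.. are weak and are refused under full enforcement
    return $false
}

# Constructed sample values (placeholder CA and hex strings, not real identities).
$samples = @(
    'X509:<I>DC=example,DC=test,CN=ExampleCA<SR>1200000000AC11000000002B',
    'X509:<SKI>ddde2ca4cd4b8c6c2e8f5c0a9d7b1f3e4a5b6c7d',
    'X509:<I>DC=example,DC=test,CN=ExampleCA<S>CN=alice',
    'X509:<RFC822>alice@example.test'
)
foreach ($s in $samples) {
    $label = if (Test-StrongCertMapping -Mapping $s) { 'STRONG' } else { 'WEAK  ' }
    "$label $s"
}

# Live inventory of explicit mappings that will stop working (needs the ActiveDirectory module):
# Get-ADObject -LDAPFilter '(altSecurityIdentities=*)' -Properties altSecurityIdentities |
#   ForEach-Object { $dn = $_.DistinguishedName; $_.altSecurityIdentities |
#     Where-Object { -not (Test-StrongCertMapping -Mapping $_) } |
#     ForEach-Object { [pscustomobject]@{ Object = $dn; WeakMapping = $_ } } }

# KDC enforcement mode on this DC (0 = disabled, 1 = compatibility, 2 = full enforcement).
# The registry override stops being honoured once the September 2025 update is installed.
$kdc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -ErrorAction SilentlyContinue
"StrongCertificateBindingEnforcement = $($kdc.StrongCertificateBindingEnforcement)"

# Certificates the KDC accepted but could only map weakly are logged as Event ID 39 in the
# System log on each DC; an empty result here is the state you want before the update.
# Get-WinEvent -FilterHashtable @{ LogName = 'System';
#   ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'; Id = 39 } -MaxEvents 20
```

Certificates issued by AD CS after the May 2022 update carry the SID extension and map strongly without an altSecurityIdentities entry, so the inventory above is mainly about older certificates and third-party CAs.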

Created:
2025-08-29

updated:
2025-08-29


Direct effects for Operations**

Authentication Failures
If certificates and account mappings are not brought in line with the new certificate mapping criteria, users may experience authentication failures when accessing services that rely on certificate-based authentication.
   - roles: IT Administrators, End Users
   - references: https://support.microsoft.com/help/5014754, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691

Increased Helpdesk Tickets
If the change is not prepared for, helpdesk tickets may surge as users run into problems logging in or accessing resources, straining IT support resources.
   - roles: Helpdesk Staff, End Users
   - references: https://support.microsoft.com/help/5014754, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691

Service Downtime
Without proper testing and preparation, critical services may experience downtime due to failed authentication processes, affecting business operations.
   - roles: System Administrators, Business Users
   - references: https://support.microsoft.com/help/5014754, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691

User Experience Degradation
Users may face a degraded experience due to unexpected authentication prompts or failures, leading to frustration and decreased productivity.
   - roles: End Users, IT Support Staff
   - references: https://support.microsoft.com/help/5014754, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691

Compliance Risks
Failure to comply with the new security requirements may expose the organization to compliance risks and potential security vulnerabilities.
   - roles: Compliance Officers, IT Security Staff
   - references: https://support.microsoft.com/help/5014754, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34691

explanation for non-techies**

Imagine you have a key that opens a special door to your office. This key has a unique design that ensures only you can use it. Now, let's say there's a flaw in the design of the key that allows someone else to create a copy of it without your permission. This is similar to what was happening with certificate-based authentication in Windows domain controllers.

Certificates are like digital keys that allow computers and users to prove their identity when accessing systems. However, there were vulnerabilities that allowed these digital keys to be copied or emulated by unauthorized users. Microsoft identified these vulnerabilities and has been working on fixing them since 2023.

Think of the updates Microsoft is rolling out as a locksmith upgrading the locks on your office door. These updates are changing the way certificates are checked and verified, ensuring that only the right keys can open the door. By September 2025, all systems will need to use these new, more secure locks, and the old keys will no longer work.

For those managing IT systems, this means making sure that all digital keys (certificates) meet the new security standards. It's like ensuring all employees have the new keys before the locksmith changes the locks. This process involves testing and updating systems to ensure everything works smoothly with the new security measures in place.

The goal is to protect the digital office from unauthorized access, just like you would protect a physical office. By updating to the latest security standards, organizations can ensure their systems remain secure against potential threats.

** AI generated content. This information must be reviewed before use.
