Small addendum for administrators of Windows domain controllers (DCs). Microsoft has updated the article KB5014754 on September 10, 2024. This deals with changes to certificate-based authentication on Windows domain controllers. Microsoft has postponed a date there to February 2025.
Reader's notes
Microsoft will allow administrators to downgrade domain controllers from "Enforcement Mode" to "Compatibility Mode" via a registry entry until February 11, 2025. Here are the notes from the article's change history:
Change date: 9/10/2024
Description: Changed the Full Enforcement mode description in the "Timing for Windows updates" section to reflect new dates. February 11, 2025 will move devices to Enforcement mode but leave support to move back to Compatibility mode. Full registry key support will now end September 10, 2025.
I had put that on the back burner, but now I've come across another post on the subject and I'm putting it here briefly in the blog.
KB5014754: Change from Sept. 10, 2024
Microsoft has pointed out the changes in the Microsoft 365 Message Center under MC894351, which is addressed here by Joao Ferreira. On September 10, 2024, the KB5014754 article was updated in the passages that affect the security requirements timeframe for certificate-based authentication requests on Windows domain controllers. Here is the relevant message from the Microsoft 365 Message Center:
After you install the Windows security updates released in the February 2025 security update, authentication for certificates that do not meet the expected mapping requirements will be denied. This change is known as Full Enforcement mode. For full details, see KB5014754.
When will this happen:
In February 2025, or later, devices will move to Full Enforcement mode. However, you can move back to Compatibility mode until September 2025.
How this will affect your organization:
When you install the February 2025 security update, devices that are not already in Full Enforcement mode (StrongCertificateBindingEnforcement registry value is set to 2) will be moved to Full Enforcement mode.
If authentication is denied, you will see Event ID 39 (or Event ID 41 for Windows Server 2008 R2 SP1 and Windows Server 2008 SP2). You will have the option to set the registry key value back to 1 (Compatibility mode) at this stage. In the September 2025 Windows update, the StrongCertificateBindingEnforcement registry value will no longer be supported.
What you need to do to prepare:
Additional information:
Review the date changes in the "Take action", "Full Enforcement mode", and "Registry key information" sections of KB5014754. Take the appropriate action needed to make your devices more secure.
So: From February 11, 2025 (Patchday), the "Full Enforcement mode" will be enforced for certificate-based authentication on Windows domain controllers. Before that, you can revert to compatibility mode. The details can be found in the support article KB5014754: Certificate-based authentication changes on Windows domain controllers.
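To see where a DC stands before the February 2025 patchday, the following PowerShell (an added example, not from KB5014754 or the Message Center text) reads the StrongCertificateBindingEnforcement value under the Kdc service key, reports which mode it corresponds to, and pulls recent Event ID 39/41 entries from the System log. It assumes the event source name Kdcsvc for those events and that the script runs in an elevated session on the DC itself; the Set function creates the DWORD value when it is missing.

```powershell
# Added example: audit (and, if needed, pin) the KDC certificate-binding mode on a DC.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'

# Values as referred to in the Message Center text: 1 = Compatibility, 2 = Full Enforcement.
$ModeNames = @{ 1 = 'Compatibility mode'; 2 = 'Full Enforcement mode' }

function Get-StrongCertBindingMode {
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the OS default for the installed update level applies.
        return [pscustomobject]@{ Value = $null; Mode = 'not set (OS default applies)' }
    }
    $v    = [int]$item.$ValueName
    $name = if ($ModeNames.ContainsKey($v)) { $ModeNames[$v] } else { "unknown value $v" }
    [pscustomobject]@{ Value = $v; Mode = $name }
}

function Set-StrongCertBindingMode {
    # Only 1 (Compatibility) and 2 (Full Enforcement) are accepted here.
    param([Parameter(Mandatory)][ValidateSet(1, 2)][int]$Mode)
    # New-ItemProperty -Force creates the REG_DWORD if it is missing and overwrites it otherwise.
    New-ItemProperty -Path $KdcKey -Name $ValueName -PropertyType DWord -Value $Mode -Force | Out-Null
    Get-StrongCertBindingMode
}

function Get-WeakCertMappingEvents {
    # Event ID 39 (41 on Server 2008 R2 / 2008) marks a certificate rejected for lacking a
    # strong mapping. Source name Kdcsvc is an assumption taken from the KB's event table.
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Kdcsvc'
        Id           = @(39, 41)
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}

# Report current state and any recent rejections.
Get-StrongCertBindingMode | Format-List
Get-WeakCertMappingEvents -Days 30 | Format-Table -AutoSize -Wrap
```

Running Get-WeakCertMappingEvents while still in Compatibility mode shows which certificates would start failing once the DC moves to Full Enforcement mode; Set-StrongCertBindingMode 1 is the explicit fallback described above, available until September 2025.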
I just checked on our DCs and there is no entry for "StrongCertificateBindingEnforcement" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc
Do you have to create it manually?
(They are Windows Server 2019 machines and are completely up to date)