Action Required: Certificate-Based Authentication Changes on Windows Domain Controllers - KB5014754
Summary
Customers relying on Active Directory Certificate Services (AD CS) issued user-based certificates are impacted by the enforcement of strong mapping by Microsoft KB5014754. By February 2025, if the StrongCertificateBindingEnforcement registry key is not configured, domain controllers will move to Full Enforcement mode. To ensure there are no interruptions once Full Enforcement is enabled, customers should ensure that the certificates used for certificate-based authentication workflows are strongly mapped according to Microsoft’s guidelines.
Who may be impacted
SOTI MobiControl customers using an AD CS Certificate Authority with the certificate target set to ‘User’.
Note: Some customers may have configured their device Wi-Fi certificates with a user-based certificate and therefore will be impacted by the Microsoft update (this is the case for customers using RADIUS servers where Wi-Fi authentication requires user credentials as well as a certificate).
Solution
SOTI MobiControl 2024.0.2 features strong mapping capabilities that support mapping via the Security Identifier (SID) using the macro %ENROLLED_USER_SID% in the subject alternative name (SAN).
Action Required
In SOTI MobiControl 2024.0.2, customers using user-based certificates must bind the SID by following these steps:
1. Navigate to the AD CS certificate authority. Select Hamburger menu -> Global Settings -> Services -> Certificate Authorities.
2. In the AD CS certificate template, add a new Subject Alternative Name.
3. Set the Alternative Name type to “URL Name”.
4. Enter the value: tag:microsoft.com,2022-09-14:sid:%ENROLLED_USER_SID%
Note: To enter the macro, select the gear icon and choose %ENROLLED_USER_SID% from the dropdown menu.
5. Select Add and save changes to the AD CS certificate authority. Changes to the certificates take effect upon the next issuance or renewal.
Note: For immediate changes, customers must re-issue certificates by re-deploying the profile containing AD CS certificate configurations:
- Navigate to the Profiles page.
- Select the profile which was used to deploy the certificate configurations.
- Edit the profile and ensure the correct certificate template is in use.
- Assign the profile to your device groups.
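The following PowerShell script is an added example, not SOTI's or Microsoft's code, for verifying on an enrolled Windows device that an issued user certificate actually carries the strong SID mapping described above (a URL SAN entry of the form tag:microsoft.com,2022-09-14:sid:<SID>) and that the SID matches the enrolled user's Active Directory SID. It assumes the certificates to check are in the current user's Personal store (or are passed as exported .cer files via -CertPath), that the SAN extension is OID 2.5.29.17, and that the user can be resolved through the domain the machine is joined to; the parameter names and function names are the example's own.

```powershell
# Added example, not SOTI's code: check that issued user certificates carry the
# KB5014754 strong SID mapping (URL SAN "tag:microsoft.com,2022-09-14:sid:<SID>")
# and that the SID matches the expected Active Directory user.
# Assumptions: certificates are read from the current user's Personal store
# (or from the .cer files passed in -CertPath), and the user is resolvable
# through the domain the machine is joined to.

param(
    [string[]]$CertPath = @(),          # optional exported .cer/.crt files to check
    [string]$UserName   = $env:USERNAME,
    [string]$Domain     = $env:USERDOMAIN
)

$SidTagPrefix = 'tag:microsoft.com,2022-09-14:sid:'
$SanOid       = '2.5.29.17'             # Subject Alternative Name extension OID

function Get-CertificateSidMapping {
    # Returns the SID found in the certificate's SID URL SAN entry, or $null if absent
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if (-not $san) { return $null }
    # Format($true) renders one SAN entry per line; the URL entry looks like
    # "URL=tag:microsoft.com,2022-09-14:sid:S-1-5-21-..."
    foreach ($line in ($san.Format($true) -split "`r?`n")) {
        if ($line -match ([regex]::Escape($SidTagPrefix) + '(S-1-5-[0-9-]+)')) {
            return $Matches[1]
        }
    }
    return $null
}

function Get-ExpectedUserSid {
    # Resolves DOMAIN\user to its SID through the domain (requires DC reachability)
    param([string]$Domain, [string]$UserName)
    $account = New-Object System.Security.Principal.NTAccount($Domain, $UserName)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Collect the certificates to check: explicit files first, otherwise the user's store
$certs = @()
foreach ($p in $CertPath) {
    $certs += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($p)
}
if ($certs.Count -eq 0) {
    $certs = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey })
}

$expectedSid = Get-ExpectedUserSid -Domain $Domain -UserName $UserName

foreach ($cert in $certs) {
    $mappedSid = Get-CertificateSidMapping -Cert $cert
    if (-not $mappedSid) {
        $status = 'WEAK: no SID URL in SAN (will be rejected under Full Enforcement)'
    } elseif ($mappedSid -ne $expectedSid) {
        $status = "MISMATCH: SAN SID $mappedSid does not equal user SID $expectedSid"
    } else {
        $status = 'STRONG: SID mapping present and matches the user'
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Status     = $status
    }
}
```

Run it as the enrolled user on a device after the profile has been re-deployed; any certificate reported as WEAK was issued before the template change and still needs to be re-issued, and a MISMATCH indicates the macro resolved to a different account than the one that will authenticate.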
Key Dates and Enforcement Phases
Customers must have installed the May 2022 Windows update, which adds the audit logging for devices presenting certificates with weak binding. After this update, customers may choose to run in audit mode or enforcement mode, and in either mode the domain controller logs an event whenever a device presents a certificate that is not strongly bound.
With the February 11, 2025 Windows update, if the StrongCertificateBindingEnforcement key is not set to Compatibility or Enforcement, it will automatically be moved to Enforcement. If authentication is denied, customers will see Event ID 39 (or Event ID 41 for Windows Server 2008 R2 SP1 and Windows Server 2008 SP2). Customers will have the option to set the registry key value back to 1 (Compatibility mode) at this stage.
In the September 10, 2025 Windows update, the StrongCertificateBindingEnforcement registry value will no longer be supported. That is, Domain Controllers will be switched to Full Enforcement mode without the option to go back to Compatibility mode.
It is imperative that customers transition to SOTI MobiControl 2024.0.2 before September 10, 2025, to allow enough time for all devices to receive new certificates bound by SID.
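The following PowerShell script is an added example, not SOTI's or Microsoft's code, meant to be run on a domain controller to report where it stands in the enforcement phases above: it reads the StrongCertificateBindingEnforcement value under the Kdc service key and lists the recent Event ID 39/41 entries so that devices still presenting weakly bound certificates can be found before the September 10, 2025 cutoff. It assumes the registry path HKLM:\SYSTEM\CurrentControlSet\Services\Kdc, the value meanings 0 = Disabled, 1 = Compatibility, 2 = Full Enforcement, and that the events are written by the Microsoft-Windows-Kerberos-Key-Distribution-Center provider to the System log; the function names are the example's own.

```powershell
# Added example, not SOTI's or Microsoft's code: run on a domain controller to
# report the KB5014754 enforcement mode and list recent weak-binding events.
# Assumptions: the registry path and the 0/1/2 value meanings below, and that
# events 39/41 come from the KDC provider in the System log.

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'
$Modes     = @{ 0 = 'Disabled'; 1 = 'Compatibility'; 2 = 'Full Enforcement' }

function Get-StrongBindingMode {
    # Reads the enforcement value; a missing value means "not configured", which
    # the February 11, 2025 update moves to Enforcement automatically.
    $props = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        return [pscustomobject]@{ Value = $null; Mode = 'Not configured (moved to Enforcement by the Feb 2025 update)' }
    }
    $v = [int]$props.$ValueName
    $mode = if ($Modes.ContainsKey($v)) { $Modes[$v] } else { "Unknown ($v)" }
    [pscustomobject]@{ Value = $v; Mode = $mode }
}

function Get-WeakBindingEvents {
    # Event 39 (41 on Windows Server 2008 R2 SP1 / 2008 SP2) is raised when a
    # certificate could not be strongly mapped; under Full Enforcement the logon is denied.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 41
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Report: current mode, then the weak-binding events from the last week
Get-StrongBindingMode | Format-List
$events = @(Get-WeakBindingEvents -Days 7)
"Weak-binding events (ID 39/41) in the last 7 days: $($events.Count)"
$events | Format-Table -AutoSize
```

Each event message names the certificate and the account it was presented for, so the output is a direct list of the devices whose certificates still need to be re-issued with the SID-bound template; a count of zero over a representative period, with the mode reading Compatibility or Full Enforcement, is the signal that the transition is complete.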