Certificate-based authentication changes following installation of Windows updates released September 9, 2025

Windows updates released September 9, 2025, and later introduce security hardening changes to certificate mapping requirements in Windows Servers. This is the final milestone of a rollout that has gradually been taking place since 2023. IT administrators need to take action to ensure normal operations in accordance with the new certificate mapping criteria, and install the September 9, 2025 updates.

When will this happen:
This change is effective immediately in Windows updates released September 9, 2025. Servers which run Active Directory Certificate Services, as well as Windows domain controllers that service certificate-based authentication, are now required to meet certain certificate mapping criteria in order for authentication operations to succeed. These changes address vulnerabilities discussed in CVE-2022-34691 and others.
How this will affect your organization:
Vulnerabilities addressed in this scenario involve the use of a dollar sign ($) at the end of a machine name, as well as conflicts between User Principal Names (UPN) and sAMAccountName. Both scenarios introduced vulnerabilities in the form of certificate emulation (spoofing).
The September 2025 updates conclude the rollout of security requirements which prevent these vulnerabilities. If certificates cannot be strongly mapped per the security measures following installation of this update, certain authentication operations might be denied.
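
The naming conflicts described above can be audited in a directory export. The following Python sketch is an added example, not part of the original message or Microsoft's code; the sample accounts are constructed, and the matching rules (case-insensitive, trailing `$` ignored, UPN prefix compared with sAMAccountName) are simplifying assumptions of this example, not the actual Windows lookup logic.

```python
"""Added example: flag account names that are ambiguous when a certificate
is matched to an account by name instead of by a strong mapping."""
from collections import defaultdict

# Constructed sample export (not real data).
ACCOUNTS = [
    {"sam": "WEB01$", "upn": None, "type": "computer"},
    {"sam": "web01", "upn": "svc-web@corp.example", "type": "user"},
    {"sam": "alice", "upn": "alice@corp.example", "type": "user"},
    {"sam": "bob", "upn": "alice@legacy.example", "type": "user"},
    {"sam": "carol", "upn": "carol@corp.example", "type": "user"},
]


def name_keys(account):
    """Names a name-based lookup could match this account on (assumed rules)."""
    sam = account["sam"].lower()
    keys = {sam}
    if sam.endswith("$"):
        keys.add(sam[:-1])  # machine name with the trailing '$' ignored
    if account["upn"]:
        keys.add(account["upn"].split("@", 1)[0].lower())  # UPN prefix
    return keys


def find_ambiguous_names(accounts):
    """Return {name: [sAMAccountName, ...]} for names shared by 2+ accounts."""
    by_key = defaultdict(set)
    for account in accounts:
        for key in name_keys(account):
            by_key[key].add(account["sam"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    for name, owners in sorted(find_ambiguous_names(ACCOUNTS).items()):
        print(f"ambiguous name '{name}': {', '.join(owners)}")
```

Any name reported here resolves to more than one account under name-based matching, which is the ambiguity the strong mapping requirement removes.
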
What you need to do to prepare:
The new certificate mapping requirements mentioned here have been rolling out with various degrees of enforcement throughout 2023 and 2024. Beginning with the September 9 updates, previous methods of grading enforcement across environments have been disabled. IT administrators need to confirm normal operations in accordance with the new certificate mapping criteria.
As always, we recommend that you update your devices to the latest security update available to take advantage of the advanced protections against the latest security threats. Review the links provided in the Additional information section.
Additional information:

Message ID: MC1150557

