Upcoming Microsoft Change: strong certificate mapping required

From September 10th, 2025, Microsoft will require strong certificate mapping for all certificate-based authentication to Active Directory.

Article Contents
  1. What is Strong Certificate Mapping
  2. What’s Already Happened (Past to Present)
  3. How to Check if You’re Impacted
  4. Fixes – Hybrid vs Cloud-Native
  5. Wi-Fi & NPS – Alternatives to AD Authentication
  6. Immediate Actions Before September 10, 2025


Introduction

Since the release of KB5014754 (May 10, 2022), Microsoft has been closing a security gap by phasing out weak certificate mapping methods. The new settings have been enforced by default since February 11th, 2025; however, many customers were able to work around this with a registry override. That override will no longer work from September 10th, 2025, so customers need to take action as soon as possible to mitigate any negative impact on their environment.

This article includes additional details and steps you can take to prepare for this change.
Please reach out to your network administrator for coordination and support.

1. What is Strong Certificate Mapping

Strong certificate mapping changes how Windows Domain Controllers verify and bind a certificate to an account during authentication.

  • Introduced in KB5014754 (May 10, 2022) to close a security gap where weak mapping methods (based only on the Subject Name, SAN-UPN, or SAN-Email) could be spoofed.
  • The new approach requires a Strong Mapping using a unique and verifiable identifier, typically the Security Identifier (SID), embedded in the certificate.
  • Impacts all certificate-based authentication to AD, including:
    • Wi-Fi 802.1X using NPS/RADIUS
    • VPN authentication
    • Smart card logon
    • Intune PKCS and SCEP-issued certificates used with AD

2. What’s Already Happened (Past to Present)

See a summary below of key dates, status changes and impacts.

  • May 10th, 2022 – KB5014754 released. DCs default to Compatibility Mode. Weak mappings still work but log warnings (Event IDs 39, 40).
  • 2022 to 2024 – Microsoft extended Compatibility Mode multiple times to allow environments to update their certificate issuance processes.
  • Oct 2024 – Intune adds SID injection support for PKCS and SCEP certificates. Admins can now update templates for strong mapping.
  • Feb 11th, 2025 – Full Enforcement Mode becomes the default. Weakly-mapped certificates may start failing unless a registry override is applied.
  • Sep 10th, 2025 – 🚨 Final deadline. All registry opt-outs are removed. Weak mappings will be rejected with no rollback option. Environments without updated certificates will have authentication failures.


3. How to Check if You’re Impacted

  • Event Logs on DCs
    • Event ID 39 – Missing strong mapping
    • Event ID 40 – Weak mapping used
    • Event ID 41 – Authentication failure due to no strong mapping
  • Review certificate templates for OID 1.3.6.1.4.1.311.25.2 (SID extension).
  • Test from affected services like Wi-Fi 802.1X, VPN, or smart card logon.
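The following PowerShell script is an added example (not part of the original article) that performs the first check above: it pulls KDC Event IDs 39, 40 and 41 from the System log of every domain controller and summarises which DCs and which accounts are still relying on weak mappings. It assumes the ActiveDirectory RSAT module, remote event log access to each DC, and that the event message contains a "User:" line as in Microsoft's sample event text (the parsing of that line is an assumption).

```powershell
# Added example: audit domain controllers for KB5014754 strong-mapping events.
Import-Module ActiveDirectory

# Meanings as described in the article; 41 is the one that already breaks logons.
$EventMeaning = @{
    39 = 'Missing strong mapping'
    40 = 'Weak mapping used'
    41 = 'Authentication failure due to no strong mapping'
}

function Get-KdcWeakMappingEvents {
    param(
        [int]$Days = 30,
        [string[]]$DomainController = (Get-ADDomainController -Filter * |
            Select-Object -ExpandProperty HostName)
    )
    # KB5014754 writes these events to the System log of each DC.
    $filter = @{ LogName = 'System'; Id = 39, 40, 41; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($dc in $DomainController) {
        try {
            Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
                Where-Object { $_.ProviderName -like '*Kerberos-Key-Distribution-Center*' } |
                ForEach-Object {
                    # Assumption: the message names the mapped account on a 'User:' line.
                    $user = if ($_.Message -match 'User:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
                    [pscustomobject]@{
                        DC      = $dc
                        Time    = $_.TimeCreated
                        EventId = $_.Id
                        Meaning = $EventMeaning[[int]$_.Id]
                        User    = $user
                    }
                }
        } catch {
            # Get-WinEvent errors when nothing matches; an empty result is the good outcome.
            if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "$dc : $_" }
        }
    }
}

# Summarise the last 30 days: per-DC counts by event ID, then the accounts seen most often.
$events = Get-KdcWeakMappingEvents -Days 30
$events | Group-Object DC, EventId | Sort-Object Name | Format-Table Name, Count -AutoSize
$events | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 20 Name, Count | Format-Table -AutoSize
```

Accounts listed in the second table are the ones whose certificates must be re-issued from a template that includes the SID extension before the deadline.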

4. Fixes – Hybrid vs Cloud-Native

Please reach out to your network administrator for coordination and support, and to apply the changes accordingly:

Hybrid (AD-joined or Hybrid-joined devices)

  • Update on-prem AD CS templates to include SID extension.
  • Re-issue user and device certificates from updated templates.
  • For Intune PKCS:
    • Update PKCS connector to 6.2406.0.1001+.
    • Set EnableSidSecurityExtension=1 in the connector registry.
    • Re-issue certificates via updated Intune profiles.
  • For Intune SCEP:
    • Add URI: to SAN-URI in template.
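After re-issuing certificates from an updated template or Intune profile, the following PowerShell is an added example (not from the original article or from Microsoft) that verifies the result: it reads the SID extension (OID 1.3.6.1.4.1.311.25.2) from a certificate and compares the embedded SID with the SID of the AD user account. It assumes the ActiveDirectory RSAT module and that the SID is stored as an ASCII string inside the extension (the documented KB5014754 layout), so a text search is used instead of a full ASN.1 decode; the function names are the example's own.

```powershell
# Added example: confirm a re-issued certificate is strongly mapped to its AD account.
Import-Module ActiveDirectory

$SidExtensionOid = '1.3.6.1.4.1.311.25.2'   # szOID_NTDS_CA_SECURITY_EXT

function Get-CertificateSid {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid }
    if (-not $ext) { return $null }   # no SID extension: the cert can only be weakly mapped
    # The SID is carried as a string inside the extension's OCTET STRING.
    $text = [System.Text.Encoding]::ASCII.GetString($ext.RawData)
    if ($text -match 'S-1-5-21-\d+-\d+-\d+-\d+') { return $Matches[0] }
    return $null
}

function Test-StrongMapping {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $certSid = Get-CertificateSid -Certificate $Certificate
    $adSid   = (Get-ADUser -Identity $SamAccountName).SID.Value
    [pscustomobject]@{
        Subject   = $Certificate.Subject
        HasSidExt = [bool]$certSid
        CertSid   = $certSid
        AdSid     = $adSid
        # Strong only when the extension is present AND points at the intended account;
        # a mismatch would be rejected by the DC just like a missing extension.
        Strong    = [bool]($certSid -and ($certSid -eq $adSid))
    }
}

# Usage: check every Client Authentication (1.3.6.1.5.5.7.3.2) certificate in the
# current user's personal store; $env:USERNAME is assumed to be the AD sAMAccountName.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' } |
    ForEach-Object { Test-StrongMapping -Certificate $_ -SamAccountName $env:USERNAME } |
    Format-Table Subject, HasSidExt, CertSid, Strong -AutoSize
```

For device certificates, replace Get-ADUser with Get-ADComputer and pass the computer account name; any row with Strong = False will fail once enforcement is absolute.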

Cloud-Native (Entra-joined only)

  • If authentication depends on AD (e.g., Wi-Fi with NPS against on-prem AD), strong mapping changes still apply because the DC validates the certificate.
  • If moving away from AD authentication entirely (e.g., using Entra ID for Wi-Fi), strong mapping is not relevant—but migration planning is required.

5. Wi-Fi & NPS – Alternatives to AD Authentication

If you want to avoid certificate mapping to on-prem AD entirely:
  • Switch to Entra ID-based Wi-Fi authentication using WPA2-Enterprise/WPA3-Enterprise with EAP-TLS against a cloud-integrated RADIUS solution.
  • Azure-integrated options:
    • Entra ID Certificate-based Authentication (CBA) with a cloud RADIUS provider (e.g., SecureW2, Cloud RADIUS, JumpCloud).
    • Cloud-managed NAC (e.g., Cisco ISE in hybrid mode, Aruba ClearPass with Entra integration).
  • Use device identity from Intune with cloud RADIUS to remove the dependency on AD account mapping.

This removes the SID mapping requirement entirely and future-proofs Wi-Fi authentication as more environments go AD-less.

6. Immediate Actions Before September 10, 2025

  1. Audit DC Logs for Event IDs 39, 40, 41.
  2. Update certificate issuance (CA templates or Intune profiles) to include SID extension.
  3. Re-issue certificates for all impacted users/devices.
  4. Test Wi-Fi, VPN, and smart card logon in enforcement mode.
  5. Long-term: plan a migration away from AD-based certificate authentication where possible.