
Back in May 2022, Microsoft released security updates for Windows to address CVE-2022-34691, CVE-2022-26931, and CVE-2022-26923, elevation of privilege (EoP) vulnerabilities that can occur when the Kerberos Key Distribution Center (KDC) services a certificate-based authentication request.
Basically, Windows Domain Controllers (DCs) handling such certificate-based logons did not account for the dollar sign ("$") at the end of a machine name, which allowed malicious actors to spoof certificates through various methods. After making various changes over the past couple of years to allow IT admins to adjust to the change without breaking compatibility, Microsoft has reminded customers about the next major milestone in this breaking change.
After installing the upcoming Patch Tuesday updates on September 9, the Key Distribution Center (Kdc) StrongCertificateBindingEnforcement registry key will become unsupported. Microsoft offered this key as a temporary workaround back in May 2022, enabling IT admins to continue with certificate-based mappings and authentication in Compatibility mode only. Depending on the value set, the key controlled how strictly the KDC validated the certificate-to-account mapping and which fallback mechanisms it used.
Another registry key, namely Certificate Backdating (CertificateBackdatingCompensation), will be impacted in September too. This is another key designed for Compatibility mode that allowed users to be authenticated even with weak mappings, as long as the certificate was issued before the user account was created. However, following the updates releasing next month, weak certificate mappings will no longer be allowed. This makes sense, since setting this key was only a temporary workaround that effectively disabled a security check.
Speaking of Compatibility mode, IT admins will not be allowed to move back to this mode after September 10 if they have already transitioned to Full Enforcement mode. That said, these are only high-level details so if you're an IT admin managing a Windows Domain Controller (DC), do check out Microsoft's detailed guidance here.
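As an added readiness check (not from the article, and not Microsoft's own tooling), the PowerShell audit below reads the two Kdc registry values discussed above on a domain controller and reports what each setting means once the September update lands. The registry path, the value meanings (0 = Disabled, 1 = Compatibility, 2 = Full Enforcement, backdating compensation in seconds) and the weak-mapping event IDs 39/40/41 are assumed from Microsoft's KB5014754 guidance, since the article itself does not state them.

```powershell
# Added audit script (not from the article). Run in an elevated session on a DC.
# Assumption: path and value semantics per Microsoft's KB5014754 guidance.
$kdcPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

function Get-KdcValue {
    param([string]$Name)
    # Returns $null when the value is absent, so the caller can tell "unset" from 0.
    $item = Get-ItemProperty -Path $kdcPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$enforcement = Get-KdcValue -Name 'StrongCertificateBindingEnforcement'
$backdating  = Get-KdcValue -Name 'CertificateBackdatingCompensation'
$findings    = New-Object System.Collections.Generic.List[string]

# A switch on $null never enters any case in PowerShell, so handle "unset" first.
if ($null -eq $enforcement) {
    $findings.Add('StrongCertificateBindingEnforcement not set: KDC runs in the update default mode.')
} else {
    switch ($enforcement) {
        0 { $findings.Add('= 0 (Disabled): strong mapping checks are off; this value stops being honoured after the September update.') }
        1 { $findings.Add('= 1 (Compatibility): weak mappings still accepted; becomes unsupported after the September update.') }
        2 { $findings.Add('= 2 (Full Enforcement): strong mappings already required; no rollback to Compatibility after September 10.') }
        default { $findings.Add("= $enforcement : unrecognised value, review manually.") }
    }
}

if ($null -ne $backdating -and $backdating -gt 0) {
    $findings.Add("CertificateBackdatingCompensation = $backdating seconds: backdated-certificate leniency is on and will be ignored after the update.")
} else {
    $findings.Add('CertificateBackdatingCompensation not set or 0: no backdating compensation in use.')
}

# Weak-mapping warnings the KDC writes to the System log (IDs 39/40/41, assumed per
# KB5014754). Any hit means a certificate still in use lacks a strong mapping and
# will fail once weak mappings are no longer accepted.
$weak = Get-WinEvent -FilterHashtable @{
    LogName = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id = 39, 40, 41
} -MaxEvents 200 -ErrorAction SilentlyContinue
$findings.Add("Recent weak-mapping KDC events (39/40/41) found: $(@($weak).Count)")

$findings | ForEach-Object { Write-Output $_ }
```

Run it on every DC before the September update; a Compatibility-mode value, a non-zero backdating value, or any 39/40/41 events means certificate templates or mappings still need the strong (SID-based) binding before enforcement becomes mandatory.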