Did you read about Microsoft changing the default behaviour of certificate-based authentication against Active Directory on February 11 (2025)?
No? Well you are not alone.
In short: if you have NOT planned for this and you are using Intune to distribute certificates from an on-premises certification authority, such as Microsoft ADCS, you might want to check up on this.
So what is it all about?
Well, Microsoft has acknowledged some security risks in how certificates can be used to authenticate to Active Directory. To remedy this, they released an update in May 2022 (KB5014754) that allowed administrators to enable so-called "strong certificate mapping". This is meant to ensure that a certificate issued by the CA has a strong mapping to an object in Active Directory, one that cannot easily be forged, rather than a weak mapping that relies only on names inside the certificate. The update gives the domain controller (the KDC) three modes: Disabled, Compatibility and Full Enforcement. The default, if nothing was configured, was Compatibility mode, which basically means "allow but warn": a weak mapping is still accepted, but an event is logged. If you wanted to ramp up security, you could set it to Full Enforcement, which is what "strong certificate mapping" refers to in the rest of this post.
With the February 2025 patch release, the default changes to Full Enforcement. So if you never set this value explicitly, the behaviour of your domain controllers changes with that update.
(To ease your mind, there is a registry setting to revert to Compatibility mode. More on that later.)
OH NO! What should I do?
You are safe if:
- Your certificates are enrolled by AD domain-joined clients (autoenrollment) from a CA that has the May 2022 update or later, so the SID extension is added automatically, OR
- You have had modifications done to your Intune setup to handle this, OR
- You are not using AD for authentication with the certificates (for instance, WiFi via a non-Microsoft RADIUS server that validates the certificate itself).
Otherwise you need to check a few things:
On your domain controllers, check for event IDs 39, 40 and 41 from the Kerberos Key Distribution Center (source Kdcsvc) in the System log (48 and 49 on 2008 R2 DCs, but let's hope you don't have that issue). Event 39 means a certificate was accepted without any strong mapping, 40 means the certificate was issued before the user account existed, and 41 means the SID in the certificate does not match the account it was used for. In Compatibility mode these logons still succeed; the events tell you exactly which ones will start failing under Full Enforcement. If you see these entries you need to take action.
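The following script is an added example, not part of the original post. It pulls the weak-mapping events from every domain controller and summarises which users and issuing CAs are still relying on weak mappings. It assumes the RSAT ActiveDirectory module, permission to read each DC's System log remotely, and the event message layout documented in KB5014754 ("User: ..." and "Certificate Issuer: ..." lines); the 30-day window is an arbitrary default.

```powershell
# Added example (not from the original post): find KB5014754 weak-mapping events
# on every DC and group them by user, issuing CA and event type.
param(
    [datetime]$StartTime = (Get-Date).AddDays(-30)   # assumed default window
)

Import-Module ActiveDirectory

# 39 = no strong mapping, 40 = certificate predates the account, 41 = SID mismatch.
# Server 2008 R2 SP1 / 2012 log the equivalents as 48 and 49.
$weakMappingIds = 39, 40, 41, 48, 49

$dcs = (Get-ADDomainController -Filter *).HostName

$events = foreach ($dc in $dcs) {
    # SilentlyContinue swallows the "No events were found" error on clean DCs.
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'System'
        Id        = $weakMappingIds
        StartTime = $StartTime
    } |
        # Other System-log sources reuse these IDs (e.g. Kernel-Power 41), so
        # keep only events raised by the KDC itself.
        Where-Object { $_.ProviderName -match 'Kerberos-Key-Distribution-Center|Kdcsvc' } |
        ForEach-Object {
            # Message layout as documented in KB5014754 (assumed here).
            $user   = if ($_.Message -match '(?m)^User:\s*(.+)$')               { $Matches[1].Trim() } else { '<unparsed>' }
            $issuer = if ($_.Message -match '(?m)^Certificate Issuer:\s*(.+)$') { $Matches[1].Trim() } else { '<unparsed>' }
            [pscustomobject]@{
                DomainController = $dc
                TimeCreated      = $_.TimeCreated
                EventId          = $_.Id
                User             = $user
                Issuer           = $issuer
            }
        }
}

if (-not $events) {
    "No weak-mapping events since $StartTime on $($dcs.Count) DC(s)."
    return
}

# One row per user/issuer/event type. The issuer column is usually the quickest
# way to tell Intune/NDES-issued certificates from autoenrolled ones.
$events |
    Group-Object User, Issuer, EventId |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.Group[0].User
            Issuer   = $_.Group[0].Issuer
            EventId  = $_.Group[0].EventId
            Count    = $_.Count
            LastSeen = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it from a workstation with RSAT as an account that can read the DCs' event logs. An empty result only means nothing was logged in the window you asked for, so pick a window that covers at least one full certificate renewal cycle before you conclude you are unaffected.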
Check a certificate issued to one of your users. Is the field marked below (the certificate extension with OID 1.3.6.1.4.1.311.25.2, which a patched ADCS adds at issuance) present in your certificates? Then the user's SID is included as the value of that extension and the mapping is considered strong. This is typically how it looks on a certificate distributed to a user on a domain-joined client via AD autoenrollment. A certificate without it can still map strongly only through an explicit altSecurityIdentities mapping on the account (the issuer+serial, SKI or SHA1-PublicKey forms); anything else is a weak mapping.
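Instead of opening each certificate by hand, the following script (an added example, not part of the original post) inspects the current user's personal store for the SID extension (OID 1.3.6.1.4.1.311.25.2) and compares the embedded SID with the logged-on user's SID. It assumes you run it as the user whose certificates you want to check; the EKU filter and the regex-based SID extraction are simplifications chosen for this example.

```powershell
# Added example (not from the original post): report which of the current user's
# certificates carry the KB5014754 SID extension and whether the SID is correct.
$SidExtensionOid = '1.3.6.1.4.1.311.25.2'   # szOID_NTDS_CA_SECURITY_EXT
$expectedSid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

function Get-CertificateSid {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid }
    if (-not $ext) { return $null }

    # The extension is a small DER structure whose innermost OCTET STRING holds the
    # SID as an ASCII string ("S-1-5-21-..."). A regex over the raw bytes is enough
    # for this check (assumption made for the example: no full ASN.1 decode).
    $ascii = [System.Text.Encoding]::ASCII.GetString($ext.RawData)
    if ($ascii -match 'S-1-5-[0-9-]+') { return $Matches[0] }
    return $null
}

function Test-CertificateMapping {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $sid = Get-CertificateSid -Certificate $Certificate
    $status =
        if (-not $sid)                 { 'WEAK: no SID extension (event 39 in Compatibility mode, logon fails under Full Enforcement)' }
        elseif ($sid -ne $expectedSid) { 'MISMATCH: SID belongs to another account (event 41)' }
        else                           { 'STRONG: SID extension matches this user' }

    [pscustomobject]@{
        Subject     = $Certificate.Subject
        Issuer      = $Certificate.Issuer
        NotBefore   = $Certificate.NotBefore
        Thumbprint  = $Certificate.Thumbprint
        EmbeddedSid = $sid
        Mapping     = $status
    }
}

# Only certificates usable for logon matter: keep those with the Client
# Authentication EKU (1.3.6.1.5.5.7.3.2) or Smart Card Logon EKU
# (1.3.6.1.4.1.311.20.2.2), plus certificates with no EKU at all.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $ekus = $_.EnhancedKeyUsageList.ObjectId
        -not $ekus -or $ekus -contains '1.3.6.1.5.5.7.3.2' -or $ekus -contains '1.3.6.1.4.1.311.20.2.2'
    } |
    ForEach-Object { Test-CertificateMapping -Certificate $_ } |
    Format-List
```

A "WEAK" result is not automatically a problem: the script only sees the certificate, not the account, so a certificate that is explicitly mapped through altSecurityIdentities will still show as weak here while the KDC treats it as strong. Everything else that shows as WEAK or MISMATCH is a logon that will stop working under Full Enforcement.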
OK, I seem to have issues with my certificates, what must I do?
Depending on the root cause, you might struggle to "fix" all your certificates before this change occurs, or you are already affected. This registry value reverts the behaviour of your domain controller to Compatibility mode by setting its DWORD value to 1 (2 means Full Enforcement; 0 disables the check entirely and should not be used):
Path: HKLM:\SYSTEM\CurrentControlSet\Services\Kdc
Value name: StrongCertificateBindingEnforcement
Type: DWORD
Value: 1
You should not need to reboot your domain controller.
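Setting the value on one DC at a time is easy to get wrong in a larger domain, so here is an added example (not part of the original post) that reports the current setting on every domain controller and optionally sets it on all of them. It assumes the RSAT ActiveDirectory module and PowerShell remoting to the DCs; the parameter and function names are this example's own.

```powershell
# Added example (not from the original post): report, and optionally set,
# StrongCertificateBindingEnforcement on every DC in the domain.
# Values per KB5014754: 0 = Disabled, 1 = Compatibility, 2 = Full Enforcement.
# A missing value means the DC uses the built-in default (Compatibility before
# the February 2025 update, Full Enforcement from then on).
param(
    [ValidateSet('Compatibility', 'FullEnforcement')]
    [string]$Mode   # omit to only report the current setting
)

$modeToValue = @{ Compatibility = 1; FullEnforcement = 2 }
$valueToName = @{ 0 = 'Disabled (0)'; 1 = 'Compatibility (1)'; 2 = 'FullEnforcement (2)' }

function ConvertTo-ModeName($Value) {
    if ($null -eq $Value)                      { return 'not set (built-in default applies)' }
    if ($valueToName.ContainsKey([int]$Value)) { return $valueToName[[int]$Value] }
    return "unknown ($Value)"
}

Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $Mode, $modeToValue -ScriptBlock {
    param([string]$Mode, [hashtable]$modeToValue)

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $name = 'StrongCertificateBindingEnforcement'

    $before = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if ($Mode) {
        # Set-ItemProperty creates the REG_DWORD value if it is missing and
        # overwrites it otherwise. As the post notes, no reboot is needed.
        Set-ItemProperty -Path $path -Name $name -Value $modeToValue[$Mode] -Type DWord
    }
    $after = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

    [pscustomobject]@{ Before = $before; After = $after }
}

$results |
    Select-Object PSComputerName,
        @{ n = 'Before'; e = { ConvertTo-ModeName $_.Before } },
        @{ n = 'After';  e = { ConvertTo-ModeName $_.After } } |
    Format-Table -AutoSize
```

Run it without parameters first to see where every DC stands, then with -Mode Compatibility if you need the breathing room. Treat a DC that reports "not set" as one whose behaviour will flip with the February 2025 update.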
WOW! Thank you! So now I'm good?
Well, not quite. If you do nothing more than edit the registry on your domain controllers, then in September 2025 (as currently stated in the KB) Microsoft will issue an update that removes Compatibility mode and sets Full Enforcement unconditionally; the registry value will no longer be honoured. There will be NO option to go back other than uninstalling the update. So make sure you get your certificate distribution and configuration sorted before then!
For more information, contact us or read more at Microsoft: