After several postponements, Microsoft has finally decided that the "Changes to Certificate Issuance and Certificate-Based Logon to Active Directory" introduced with the May 10, 2022 update for Windows Server (KB5014754) will now come into force.
Domain controllers will therefore switch to Full Enforcement mode automatically on February 25, 2025, unless the StrongCertificateBindingEnforcement registry value on the KDC is configured otherwise. Microsoft has announced that from September 2025 onwards this override will no longer be honored, so there will be no alternative to Full Enforcement.
The consequence is that a certificate can only be used for a PKINIT (certificate-based Kerberos) logon if it carries the new Security Identifier (SID) certificate extension introduced with the update (szOID_NTDS_CA_SECURITY_EXT, OID 1.3.6.1.4.1.311.25.2), or if the account it is meant to authenticate has an explicit strong mapping for that certificate in its altSecurityIdentities attribute.
What at first sounds like a minor problem may well become a major one when you consider that fewer and fewer certificate-based use cases rely on classic autoenrollment today. The enterprise CA only adds the extension itself when the subject is built from Active Directory; certificates requested in other ways, for example through Mobile Device Management (MDM) or other offline requests where the subject is supplied in the request, do not receive it and will be rejected by the KDC under Full Enforcement.
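As an added example (not code from the original article or from the TameMyCerts project), the following PowerShell inventories the certificates in a store, decodes the SID extension where present, and resolves the embedded SID to an account, which is the quickest way to find out which of your existing certificates will stop working for PKINIT logon under Full Enforcement. The store path `Cert:\LocalMachine\My`, and the assumption that the SID string is shorter than 128 bytes (so all DER lengths are short-form), are assumptions of this example.

```powershell
# Added example, not code from the original article or from the TameMyCerts project.
# Reports, for every certificate in a store, whether it carries the SID extension
# (szOID_NTDS_CA_SECURITY_EXT, OID 1.3.6.1.4.1.311.25.2) that the KDC requires for
# PKINIT logon under Full Enforcement, and which account the embedded SID resolves to.
#
# DER layout of the extension value (short-form lengths; a SID string is < 128 bytes):
#   30 LL                                     SEQUENCE
#      A0 LL                                  [0] OtherName
#         06 0A 2B 06 01 04 01 82 37 19 02 01    OBJECT IDENTIFIER 1.3.6.1.4.1.311.25.2.1
#         A0 LL                               [0] EXPLICIT value
#            04 LL "S-1-5-21-..."             OCTET STRING holding the SID as ASCII text

$SidExtensionOid = '1.3.6.1.4.1.311.25.2'
$SidOtherNameOid = [byte[]](0x06,0x0A,0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x19,0x02,0x01)

function Get-CertificateSid {
    # Returns the SID string from the SID extension, or $null if the certificate has
    # no such extension or the encoding does not match the expected structure.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    $ext = $Certificate.Extensions |
        Where-Object { $_.Oid.Value -eq $SidExtensionOid } |
        Select-Object -First 1
    if (-not $ext) { return $null }

    $raw = $ext.RawData
    # Validate the fixed prefix: SEQUENCE, [0], OID 1.3.6.1.4.1.311.25.2.1, [0], OCTET STRING
    if ($raw.Length -lt 20 -or $raw[0] -ne 0x30 -or $raw[2] -ne 0xA0) { return $null }
    for ($i = 0; $i -lt $SidOtherNameOid.Length; $i++) {
        if ($raw[4 + $i] -ne $SidOtherNameOid[$i]) { return $null }
    }
    if ($raw[16] -ne 0xA0 -or $raw[18] -ne 0x04) { return $null }

    $len = [int]$raw[19]
    if (20 + $len -gt $raw.Length) { return $null }
    return [System.Text.Encoding]::ASCII.GetString($raw, 20, $len)
}

function Resolve-Sid {
    # Translates a SID string to DOMAIN\account; $null if it does not resolve
    # (deleted account, foreign domain, or a forged value), in which case the
    # KDC would not be able to map the certificate to an account either.
    param([Parameter(Mandatory)][string] $Sid)
    try {
        $identity = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $identity.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $null
    }
}

# Inventory: which certificates in the machine store are PKINIT-ready under Full Enforcement?
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $sid = Get-CertificateSid -Certificate $_
    $account = $null
    if ($sid) { $account = Resolve-Sid -Sid $sid }
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        HasSidExt  = [bool]$sid
        Sid        = $sid
        Account    = $account
    }
} | Format-Table -AutoSize
```

Run the same inventory against `Cert:\CurrentUser\My` for user certificates, or export issued certificates from the CA database (`certutil -view`) and feed them to `Get-CertificateSid` to audit a whole CA. A certificate that shows `HasSidExt` as `$false` can still log on if the account has a strong `altSecurityIdentities` mapping for it, so that attribute should be checked before declaring a certificate unusable.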
How the TameMyCerts Policy Module for the Active Directory Certificate Services can help with this problem is explained in more detail in the following article.
Continue reading "Automatically adding the Security Identifier (SID) certificate extension to certificates requested via Mobile Device Management (MDM) – with the TameMyCerts Policy Module for the Microsoft Active Directory Certificate Services (ADCS)"