Security #February 2025 Deadline related KB5014754 and Certificate-based authentication changes on Windows domain controllers

Microsoft released this important bulletin several months ago.

The key point is that, once the February 2025 patch is installed, certificate-based authentication on Windows domain controllers will switch (for security reasons) to Full Enforcement mode. However, you can move back to Compatibility mode until September 2025.

There are several CA checks to perform beforehand to make sure the change will not cause problems in your organization.

One compatibility concern that might arise relates to organizations that still run operating systems that are no longer supported (like 2008 or older).

I think that working in Compatibility mode might help: after February 2025 you can check on the internet whether any customer has had issues and find the related fixes/workarounds.

In any case, here are the essential checks you should consider before enabling Full Enforcement mode:

  1. Common Name (CN) and Subject Alternative Name (SAN): Must match the users or devices in Active Directory.
  2. Certificate Authority (CA): Certificates must be issued by a trusted and recognized CA.
  3. Certificate Chain: The certificate chain (including intermediate and root CA certificates) must be complete and valid.
  4. Revocation: It is necessary to check that the certificates have not been revoked.
  5. Time Validity: It must be verified that the certificates have not expired.
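The five checks above, turned into a PowerShell script you can run against an exported user or computer certificate before the switch. This is an added example, not code from the original post or from Microsoft; it assumes a domain-joined host with the ActiveDirectory module, a .cer file path passed as `$CerPath`, and a SAN that carries a UPN or DNS name. It also goes one step beyond the list by looking for the SID certificate extension (OID 1.3.6.1.4.1.311.25.2) that KB5014754's strong mapping relies on.

```powershell
# Added example (not from the original post). Assumed input: a certificate exported as .cer.
param([Parameter(Mandatory)][string]$CerPath)
Import-Module ActiveDirectory

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
$findings = @()

# Check 5: time validity
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $findings += "Expired or not yet valid (valid $($cert.NotBefore) to $($cert.NotAfter))"
}

# Checks 2, 3, 4: trusted CA, complete chain, and online revocation check for the entire chain
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if (-not $chain.Build($cert)) {
    foreach ($s in $chain.ChainStatus) {
        $findings += "Chain: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}

# Check 1: CN / SAN must map to an existing AD user (UPN) or computer (DNS name)
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sanText = if ($san) { $san.Format($false) } else { '' }
if ($sanText -match 'Principal Name=([^,\s]+)') {
    $upn = $Matches[1]
    if (-not (Get-ADUser -Filter "UserPrincipalName -eq '$upn'")) {
        $findings += "SAN UPN '$upn' not found in Active Directory"
    }
}
if ($sanText -match 'DNS Name=([^,\s]+)') {
    $dns = $Matches[1]
    if (-not (Get-ADComputer -Filter "DNSHostName -eq '$dns'")) {
        $findings += "SAN DNS name '$dns' not found in Active Directory"
    }
}
if (-not $sanText) { $findings += "No SAN present; only subject '$($cert.Subject)' is available for mapping" }

# Beyond the post's list: KB5014754 strong mapping uses the SID extension that updated CAs add.
# Without it, a certificate needs an explicit strong altSecurityIdentities mapping under Full Enforcement.
if (-not ($cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' })) {
    $findings += 'No SID extension (1.3.6.1.4.1.311.25.2); needs a strong altSecurityIdentities mapping'
}

if ($findings.Count -eq 0) { "OK: $($cert.Subject) passes all checks" }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Run it in Compatibility mode over the certificates your users and devices actually present, and fix every FAIL line before moving to Full Enforcement.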


KB5014754: Certificate-based authentication changes on Windows domain controllers

https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

https://admin.microsoft.com/AdminPortal/home?#/MessageCenter/:/messages/MC894351