KB5014754 applicable to Windows CA servers or just domain controllers?

Hello everyone,

Trying to understand if KB5014754 “Certificate-based authentication changes on Windows domain controllers” applies to CA servers. We have domain controllers and a single member server with the CA role.

Neither fixlet ID 623 (full enforcement) nor 624 (compatibility) shows the CA server as relevant, but they do show our domain controllers.

The confusion is over this line in the KB article: "Update all servers that run Active Directory Certificate Services and Windows domain controllers".
Does that mean servers that are BOTH CA and DC’s? Or else just update the DC’s and NOT the standalone member server running the CA role?

https://support.microsoft.com/en-gb/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_certmap:~:text=Update%20all%20servers%20that%20run%20Active%20Directory%20Certificate%20Services%20and%20Windows%20domain%20controllers%20that%20service%20certificate-based%20authentication

I am going by what bfix is telling me, but then on two separate MS support calls - one engineer said no to the CA and only to install on DC’s and second engineer said yes to the member CA server and DC’s.

Is there someone with enough knowledge here to confirm what is the proper installation of this patch?

Thanks?

Please note that MS Changed the dates for these to be ‘enforced’ by default:

https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_kdcregkey

12/8/22: Changed Full Enforcement Mode date from May 9, 2023 to November 14, 2023, or later
1/26/23: Changed removal of Disabled mode from February 14, 2023 to April 11, 2023

KB5014754 has references that the May 2022 update should be applied on both DC’s and CA servers. That’s last year’s monthly update, so hopefully you’re on at least that level by now.

But KB5014754 is not itself the May 2022 update. KB5014754 is about setting the Enforced, Audit, or Disable mode of certificate-based auth, and these settings are only valid on Domain Controllers, not on CA servers themselves.

(I suppose I should say, I don’t know for sure whether that KB is actually the May 2022 update or not; I was checking its release date, but it’s been modified a few times since its release.)

Both Domain Controllers, and CA Servers should have the May 2022 update installed (in fact so should every Windows server).

But the registry entries to enable Enforcement or Compatibility modes in Fixlets 623 and 624 only apply to Domain Controllers. Those Fixlets don’t install the update, they just manage the registry entries.
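An added example (not from this thread, the Fixlets, or the KB itself) that checks a server for the situation described above: whether it is a domain controller at all, whether the CA role is present, and which mode the KB5014754 KDC registry value is in. The registry path `HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement` and the value meanings (0 = Disabled, 1 = Compatibility, 2 = Full Enforcement) come from KB5014754; on a member server such as a standalone CA the value is read only so you can see that it has nothing to act on. The event query for IDs 39, 40 and 41 (the KDC audit events KB5014754 describes for certificates that cannot be strongly mapped) is optional and returns zero on a non-DC. Run it in an elevated PowerShell session on each server you are unsure about.

```powershell
# Added example, not part of the original forum thread or of BigFix Fixlets 623/624.
# Reports whether the KB5014754 KDC enforcement setting applies to this server
# and, if it is a DC, which mode is configured and how noisy the audit events are.

function Get-CertBindingEnforcementStatus {
    [CmdletBinding()]
    param(
        # How far back to count KDC audit events (default: last 7 days)
        [int]$AuditDays = 7
    )

    # Win32_ComputerSystem.DomainRole: 3 = member server, 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDc = $role -in 4, 5

    # The CA role installs the CertSvc service; a standalone CA has it but is not a DC.
    $isCa = $null -ne (Get-Service -Name CertSvc -ErrorAction SilentlyContinue)

    # Registry value documented in KB5014754 (Fixlets 623/624 manage this value).
    $kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $name   = 'StrongCertificateBindingEnforcement'
    $value  = $null
    if (Test-Path -Path $kdcKey) {
        $value = (Get-ItemProperty -Path $kdcKey -Name $name -ErrorAction SilentlyContinue).$name
    }

    # Value meanings per KB5014754. An absent value means the OS default applies,
    # which the KB moves from Compatibility to Full Enforcement on the dates above.
    $mode = if ($null -eq $value) { 'Not set (OS default applies)' }
            elseif ($value -eq 0)  { 'Disabled' }
            elseif ($value -eq 1)  { 'Compatibility' }
            elseif ($value -eq 2)  { 'Full Enforcement' }
            else                   { "Unexpected value ($value)" }

    # KDC audit events 39/40/41 (source Microsoft-Windows-Kerberos-Key-Distribution-Center)
    # flag certificates that could not be strongly mapped. Only a DC logs these;
    # Get-WinEvent throws when nothing matches, so errors are suppressed.
    $auditCount = 0
    if ($isDc) {
        $events = Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
            Id           = 39, 40, 41
            StartTime    = (Get-Date).AddDays(-$AuditDays)
        } -ErrorAction SilentlyContinue
        $auditCount = @($events).Count
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        IsDomainController  = $isDc
        HasCertificateRole  = $isCa
        # The KDC setting only takes effect on DCs; on a CA-only member server it is inert.
        KdcSettingApplies   = $isDc
        RegistryValue       = $value
        Mode                = $mode
        KdcAuditEventsFound = $auditCount
        AuditWindowDays     = $AuditDays
    }
}

Get-CertBindingEnforcementStatus | Format-List
```

On the standalone CA in the question the output shows `IsDomainController : False`, `HasCertificateRole : True` and `KdcSettingApplies : False`, which matches why Fixlets 623 and 624 do not list it as relevant. On a DC still in Compatibility mode, a non-zero `KdcAuditEventsFound` is the list of certificates to fix (or re-issue with the SID extension) before the Full Enforcement date arrives.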

@JasonWalker ok now that makes sense. Yes we are definitely patched up to date so May 2022 update is on both the DC’s and the CA server. Thanks for that explanation.

@mesee2 yes noticed that Enforcement time was extended to Nov 14th 23.
