Microsoft to Retire Temporary Registry Keys for Kerberos Security Fixes Next Month
IT admins won't be able to revert to Compatibility mode
Microsoft has announced that it will remove the temporary registry key workarounds it introduced in 2022 alongside fixes for Kerberos Key Distribution Center (KDC) vulnerabilities on Windows Domain Controllers (DCs).
Registry Key Removal in September
Starting with the September 9, 2025, Patch Tuesday update, the StrongCertificateBindingEnforcement registry key will no longer be supported. This key was introduced as a temporary measure in May 2022 to allow administrators to continue certificate-based authentication in Compatibility mode after Microsoft patched CVE-2022-34691, CVE-2022-26931, and CVE-2022-26923.
Another setting, CertificateBackdatingCompensation, is also affected. This registry key allowed weaker certificate mappings to succeed by accepting certificates whose issuance timestamp was earlier than the associated account’s creation date. After September, weak mappings will no longer be allowed, closing a fallback mechanism that bypassed stronger enforcement.
End of Compatibility Mode
With these changes, IT admins will not be able to revert to Compatibility mode once they have enabled Full Enforcement mode. This marks the final stage of Microsoft’s phased rollout of Kerberos security hardening, first introduced more than two years ago.
Admins managing Windows DCs are strongly advised to review Microsoft’s official guidance and ensure their environments are fully compliant before the September update is applied.
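As an added example (not from the article or from Microsoft), the following PowerShell check reports where a domain controller stands before the September update: which enforcement mode the StrongCertificateBindingEnforcement value selects, whether CertificateBackdatingCompensation is still set, and how many weak-mapping KDC events were logged recently. The registry path under the Kdc service and the KDC event IDs 39 and 40 are taken from Microsoft's KB5014754 guidance rather than from the article and are assumptions here.

```powershell
function Get-KdcCertMappingPosture {
    # Assumed location (per KB5014754) of the two values named in the article.
    $kdcPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $kdc = Get-ItemProperty -Path $kdcPath -ErrorAction SilentlyContinue

    # StrongCertificateBindingEnforcement: 0 = Disabled, 1 = Compatibility, 2 = Full Enforcement.
    $mode = $kdc.StrongCertificateBindingEnforcement
    if ($null -eq $mode)  { $modeName = 'Not set - KDC default applies' }
    elseif ($mode -eq 0)  { $modeName = 'Disabled (0)' }
    elseif ($mode -eq 1)  { $modeName = 'Compatibility (1) - no longer supported after Sept 9, 2025' }
    elseif ($mode -eq 2)  { $modeName = 'Full Enforcement (2)' }
    else                  { $modeName = "Unexpected value $mode" }

    # Backdating tolerance (seconds). Any value here depends on the fallback being removed.
    $backdating = $kdc.CertificateBackdatingCompensation

    # Assumed KDC event IDs (Server 2019 and later): 39 = certificate valid but no strong
    # mapping, 40 = certificate predates the account. These authentications fail once
    # weak mappings are refused, so a non-zero count means remediation is still needed.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39, 40
        StartTime    = (Get-Date).AddDays(-30)
    } -ErrorAction SilentlyContinue
    $weakCount = @($events).Count

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        EnforcementMode        = $modeName
        BackdatingCompensation = if ($null -ne $backdating) { "$backdating seconds (fallback removed Sept 2025)" } else { 'Not set' }
        WeakMappingEvents30d   = $weakCount
        ReadyForSeptember      = ($mode -eq 2) -and ($null -eq $backdating) -and ($weakCount -eq 0)
    }
}

# Run in an elevated session on each DC and collect the objects centrally.
Get-KdcCertMappingPosture | Format-List
```

A DC reports ReadyForSeptember only when it is already in Full Enforcement, has no backdating tolerance configured, and has logged no weak-mapping events in the last 30 days.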