HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Cryptography
The StrongCertificateBindingEnforcement registry key is a 32-bit DWORD value introduced by Microsoft to control how Kerberos Key Distribution Centers (KDCs) validate client certificates. It forces the DC to check for a "strong" mapping, such as a Security Identifier (SID) extension, rather than relying on weaker methods like Subject/Issuer name mapping.
Key Location in Windows Registry
On a Domain Controller (where the behavior is enforced), the key lives under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement
After creating the key, it is critical to monitor for potential issues, particularly in the System event log on Domain Controllers. These events indicate that a certificate mapping is currently considered "weak" and will fail after September 2025.
Right-click the folder, select New > DWORD (32-bit) Value.
DCs allow weak mapping but log events (Event ID 39) for non-compliant certificates. This is used for auditing and remediation.
Administrators must manage this key according to Microsoft’s phased rollout:
The specific registry key for Strong Certificate Binding Enforcement is:
The SCBE registry key is located at:
The StrongCertificateBindingEnforcement key is not present by default. It must be manually added to the registry on all Domain Controllers.
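One way to carry out the checks described above on a Domain Controller is to confirm the value exists as a DWORD and to read back Event ID 39 from the System log. This is an added example, not a Microsoft script or code from the original page; the seven-day look-back window and the provider-name filter are assumptions.

```powershell
# Added example: run locally, elevated, on each Domain Controller.
$kdcPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$valueName = 'StrongCertificateBindingEnforcement'
$days      = 7    # assumed look-back window for the audit events

# 1. Is the value present, is it a DWORD, and what is it set to?
$prop = Get-ItemProperty -Path $kdcPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    # Not present by default: it has to be created on every DC.
    Write-Output ('{0}: {1} is not set' -f $env:COMPUTERNAME, $valueName)
} else {
    $kind = (Get-Item -Path $kdcPath).GetValueKind($valueName)
    Write-Output ('{0}: {1} = {2} (type {3})' -f $env:COMPUTERNAME, $valueName, $prop.$valueName, $kind)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        Write-Warning "$valueName exists but is not a DWORD (32-bit) value."
    }
}

# 2. Pull Event ID 39 from the System log for the look-back window.
$filter = @{
    LogName   = 'System'
    Id        = 39
    StartTime = (Get-Date).AddDays(-$days)
}
# Assumption: the KDC events carry a provider name containing
# 'Kerberos-Key-Distribution-Center'; adjust if your DCs show another source.
$weak = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Kerberos-Key-Distribution-Center*' })

if ($weak.Count -eq 0) {
    Write-Output ('No Event ID 39 entries in the last {0} days.' -f $days)
} else {
    Write-Output ('{0} Event ID 39 entries in the last {1} days:' -f $weak.Count, $days)
    # Show the first line of each message, newest first, for triage.
    $weak |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```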