StrongCertificateBindingEnforcement Jun 2026

However, if you use with Certificate Authentication (FIDO2 or CBA), you must ensure your on-prem AD is in Enforced mode to prevent relay attacks that pivot from the cloud to on-prem.

If you are seeing authentication failures or Event ID 39 in your logs, you must take action immediately.

The behavior of your Domain Controllers is governed by the value assigned to HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement.
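The following is an added example, not part of the original page: a PowerShell audit, run elevated on a Domain Controller, that reads the registry value above and lists recent Event ID 39 entries. The 0/1/2 value meanings come from Microsoft's KB5014754 guidance rather than from this page; the function name `Get-BindingMode` and the 7-day window are assumptions made for illustration.

```powershell
# Added example: audit certificate binding enforcement on a Domain Controller.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'

# Hypothetical helper: map the DWORD to a mode name.
# Value meanings are taken from Microsoft KB5014754, not from this page.
function Get-BindingMode {
    param($Value)   # $null when the registry value is absent
    if ($null -eq $Value) {
        return 'NotConfigured (effective mode depends on installed update level)'
    }
    switch ([int]$Value) {
        0       { 'Disabled' }
        1       { 'Compatibility' }
        2       { 'Full Enforcement (Enforced)' }
        default { "Unknown value: $Value" }
    }
}

# Read the value without throwing if it has never been set.
$prop = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
$raw  = if ($prop) { $prop.$ValueName } else { $null }

# Collect Event ID 39 from the System log for the last 7 days (assumed window).
# Get-WinEvent raises an error when nothing matches, so errors are suppressed.
$since  = (Get-Date).AddDays(-7)
$events = @(Get-WinEvent -FilterHashtable @{
                LogName = 'System'; Id = 39; StartTime = $since
            } -ErrorAction SilentlyContinue |
            Where-Object { $_.ProviderName -match 'Kerberos-Key-Distribution-Center|Kdcsvc' })

# Summary: configured mode plus how many certificate logons lacked a strong mapping.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    RegistryValue = $raw
    Mode          = Get-BindingMode -Value $raw
    Enforced      = ($raw -eq 2)
    Event39Count  = $events.Count
} | Format-List

# Show the most recent entries so the affected accounts and certificates can be reviewed.
$events | Select-Object -First 20 TimeCreated, Id,
    @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

A non-zero `Event39Count` while the DC is not yet enforcing identifies certificate logons to review before the mode is tightened.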