MS KB5014754 - Audit events found for FAS
Article ID: CTX551336
Description
As per the Microsoft KB linked below, we have found audit events on our domain controllers indicating that we will be impacted when this change is enforced. We need the remediation steps so that we can implement them before we are impacted. https://support.microsoft.com/en-au/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
Resolution
The following information is divided into two sections, depending on whether your domain controllers are running in enforcement mode or in compatibility mode. Compatibility mode is currently the default on your domain controllers unless it has been changed manually or Microsoft changes the default to enforcement mode:
Compatibility mode:
• Certificates must either be securely mapped (strong mapping) to a user in Active Directory through the altSecurityIdentities attribute of the user object (refer to the MS KB for steps), or the certificate must contain the new SID extension (any patched CA includes this in certificates it issues after the patch is installed), and the SID in the extension must match the SID of the user.
• If you choose secure mapping, note that Citrix Smart Card logon certificates have a validity of 7 days by default, so you would have to update the mapping with the latest certificate every 7 days (the validity can be increased by adjusting the Citrix Smart Card logon template).
• IF YOU FAIL TO MEET ANY OF THE ABOVE REQUIREMENTS (for example, you patch your DCs but not your CA and do not configure secure mapping), authentication will still succeed and a WARNING event with ID 39 will be logged on the domain controller validating the certificate.
Enforcement mode:
• Has the same requirements as compatibility mode, but if those requirements are not met, authentication will fail and an ERROR event with ID 39 will be logged on the domain controller validating the certificate.
Update some or all servers that run Active Directory Certificate Services, and the Windows domain controllers that service certificate-based authentication, with the May 10, 2022 update. The May 10, 2022 update provides audit events that identify certificates that are not compatible with Full Enforcement mode (Compatibility Mode).
By November 14, 2023, or later, all devices will be updated to Full Enforcement mode. In this mode, if a certificate fails the strong (secure) mapping criteria, authentication will be denied. Enforcement can be set using the registry on DOMAIN CONTROLLERS before it becomes the default.
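As an added example (not Citrix's or Microsoft's own code), the following PowerShell functions implement the checks the Resolution section describes from the defender's side: list KDC event 39 on a domain controller, test whether a certificate carries the SID extension, build the altSecurityIdentities value for strong mapping, and read the enforcement registry value. The SID extension OID 1.3.6.1.4.1.311.25.2, the reverse-byte-order serial format and the StrongCertificateBindingEnforcement value are taken from Microsoft's KB5014754 linked above; the function names are assumptions of this example.

```powershell
# Added example for CTX551336; not Citrix's or Microsoft's own code.
# Assumptions: run on (or with remote access to) a domain controller for the
# event query and the registry read; the certificate checks work anywhere.
# OID 1.3.6.1.4.1.311.25.2 and StrongCertificateBindingEnforcement are from KB5014754.

function Get-KdcWeakBindingEvents {
    # KDC event 39: a certificate could not be strongly mapped to the user.
    # Level is Warning in compatibility mode and Error in enforcement mode.
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 39
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LevelDisplayName, Message
}

function Test-CertHasSidExtension {
    # True when the issuing CA embedded the user SID (certificate issued after the CA was patched).
    param([Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    [bool]($Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.25.2' })
}

function Get-StrongAltSecurityIdentity {
    # Builds the X509IssuerSerialNumber value to place in the user's altSecurityIdentities
    # attribute: issuer RDNs in reverse order and the serial number in reverse byte order,
    # e.g. X509:<I>DC=com,DC=contoso,CN=CONTOSO-DC-CA<SR>... (format shown in the KB).
    param([Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rdns = @($Cert.Issuer -split ',\s*')
    [array]::Reverse($rdns)
    $hex = $Cert.SerialNumber                      # big-endian hex as displayed in the cert
    $pairs = @(for ($i = 0; $i -lt $hex.Length; $i += 2) { $hex.Substring($i, 2) })
    [array]::Reverse($pairs)                       # KB requires reverse byte order here
    "X509:<I>$($rdns -join ',')<SR>$(-join $pairs)"
}

function Get-KdcEnforcementMode {
    # Reads the DC-side switch the article says can be set before Microsoft changes the default.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $v = (Get-ItemProperty -Path $key -Name StrongCertificateBindingEnforcement `
            -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
    switch ($v) {
        0       { 'Disabled' }
        1       { 'Compatibility' }
        2       { 'Full Enforcement' }
        default { 'Not set (OS default applies)' }
    }
}
```

Pipe `Get-ChildItem Cert:\CurrentUser\My` through `Where-Object { -not (Test-CertHasSidExtension $_) }` and then `Get-StrongAltSecurityIdentity` to list the mapping values needed for certificates that still lack the SID extension; remember that the 7-day FAS certificate validity means such mappings expire quickly.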
Issue/Introduction
FAS is impacted by the new Microsoft patch update.
Additional Information
For further updates, refer to https://support.citrix.com/article/CTX479236/fas-information-about-microsoft-kb-kb5014754cve202234691-cve202226931-and-cve202226923 .
This article may be internal, so don't share it with the customer; they won't be able to access it.