90-Day Reminder: The second phase of Kerberos PAC signature validation vulnerability mitigation begins October 15, 2024
Starting October 15, 2024, the Enforced by Default phase of the Kerberos PAC signature validation mitigation begins. Windows domain controllers and clients that install updates released on or after this date default to Enforced mode, so the secure behavior is applied unless it is explicitly turned off. During this phase an Administrator can still override the Enforced by Default setting to revert a device to Compatibility mode.
When will this happen:
- October 15, 2024: The Enforced by Default phase starts where Windows domain controllers and clients will move to Enforced mode. Note that during this phase, the Enforced by Default settings can be overridden by an Administrator to revert to Compatibility mode.
- April 8, 2025: Enforcement phase begins with no option to revert the new secure behavior.
How this will affect your organization:
To mitigate the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056, your entire Windows environment (both domain controllers and clients) must be updated. Domain controllers and clients that are not updated will not recognize the new PAC validation request structure once Enforcement mode begins, so the security check will fail for them, which is why un-updated devices risk authentication outages after the deadline.
What you need to do to prepare:
To help protect your environment and prevent outages, we recommend the following steps:
- UPDATE: Windows domain controllers and Windows clients must be updated with a Windows security update released on or after April 9, 2024.
- MONITOR: While devices are in Compatibility mode, audit events identify devices that have not been updated. Use these events (listed in KB5037754) to find remaining un-updated devices before October 15, 2024.
- ENABLE: Once every domain controller and client is updated, move the environment to Enforced mode. The vulnerabilities described in CVE-2024-26248 and CVE-2024-29056 are mitigated only after Enforcement mode is fully enabled across the environment.
Additional information:
- KB5037754: How to manage PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056
- KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967
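The UPDATE, MONITOR and ENABLE steps above, as an added inventory script. This is the editor's example, not a script from MC814189 or from Microsoft's KB articles. It assumes the registry location, value names and mode numbers that KB5037754 documents for this change (PacSignatureValidationLevel 2/3 and CrossDomainFilteringLevel 2/4 under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters) and a per-build table of minimum revision (UBR) numbers for the April 9, 2024 security updates; both are marked as assumptions in the script and should be checked against the KB and the Windows update history before use:

```powershell
<#
  Added example for MC814189 (not Microsoft's own script). Inventories Windows
  hosts for the CVE-2024-26248 / CVE-2024-29056 PAC validation rollout:
    UPDATE  - is the April 9, 2024 (or later) cumulative update installed?
    MONITOR - which PAC validation mode is each host currently configured for?
    ENABLE  - optionally switch hosts to Compatibility or Enforced mode.
  Assumptions to verify against KB5037754 and the Windows update history:
    - the mode lives under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
      as PacSignatureValidationLevel (2 = Compatibility, 3 = Enforced) and
      CrossDomainFilteringLevel (2 = Compatibility, 4 = Enforced)
    - the per-build minimum UBR values below match the April 9, 2024 updates
  Requires an elevated session locally and WinRM for remote hosts.
#>
[CmdletBinding()]
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [ValidateSet('Report', 'Compatibility', 'Enforced')]
    [string]$SetMode = 'Report'
)

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# OS build -> minimum UBR (revision) carrying the April 9, 2024 security update.
# Assumed values (the editor's reading of the update history); verify before use.
$MinUbr = @{
    '14393' = 6897   # Windows Server 2016
    '17763' = 5696   # Windows Server 2019
    '19044' = 4291   # Windows 10 21H2
    '19045' = 4291   # Windows 10 22H2
    '20348' = 2402   # Windows Server 2022
    '22621' = 3447   # Windows 11 22H2
    '22631' = 3447   # Windows 11 23H2
}

$Probe = {
    param([string]$RegPath, [hashtable]$MinUbr, [string]$SetMode)

    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    # DomainRole 4 = backup DC, 5 = primary DC; lower values are member/workgroup hosts.
    $isDc  = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

    # UPDATE check: $null means the build is not in the table and needs a manual look.
    $hasUpdate = if ($MinUbr.ContainsKey($build)) { $ubr -ge $MinUbr[$build] } else { $null }

    # ENABLE step: only write the registry when explicitly asked to.
    if ($SetMode -ne 'Report') {
        if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
        $pac = if ($SetMode -eq 'Enforced') { 3 } else { 2 }
        $xdf = if ($SetMode -eq 'Enforced') { 4 } else { 2 }
        Set-ItemProperty -Path $RegPath -Name PacSignatureValidationLevel -Value $pac -Type DWord
        Set-ItemProperty -Path $RegPath -Name CrossDomainFilteringLevel  -Value $xdf -Type DWord
    }

    # MONITOR: read back the configuration. A missing value means the host follows
    # the phase default (Compatibility before the October 15, 2024 updates,
    # Enforced by Default afterwards, Enforced with no override from April 8, 2025).
    $p = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    function Get-ModeName($value, $enforcedValue) {
        if ($null -eq $value)          { return 'not set (phase default)' }
        if ($value -eq 2)              { return 'Compatibility (explicit override)' }
        if ($value -eq $enforcedValue) { return 'Enforced (explicit)' }
        return "unknown value $value"
    }

    [pscustomobject]@{
        Computer                    = $env:COMPUTERNAME
        IsDomainController          = $isDc
        OSBuild                     = "$build.$ubr"
        HasApril2024Update          = $hasUpdate
        PacSignatureValidationLevel = Get-ModeName $p.PacSignatureValidationLevel 3
        CrossDomainFilteringLevel   = Get-ModeName $p.CrossDomainFilteringLevel  4
    }
}

$results = foreach ($c in $ComputerName) {
    if ($c -in @($env:COMPUTERNAME, 'localhost', '.')) {
        & $Probe $RegPath $MinUbr $SetMode
    } else {
        Invoke-Command -ComputerName $c -ScriptBlock $Probe -ArgumentList $RegPath, $MinUbr, $SetMode
    }
}

$results | Format-Table -AutoSize
# Any host with HasApril2024Update equal to $false (or $null, i.e. unknown build)
# must be patched before anything is moved to Enforced mode.
```

Run it first in the default Report mode against your domain controllers (for example `.\Check-PacValidation.ps1 -ComputerName DC01, DC02`) and only pass `-SetMode Enforced` once every row shows HasApril2024Update as True; devices the table cannot classify need a manual check of their installed updates. The explicit override it can write back to Compatibility is the one this notice describes as available only until April 8, 2025.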
Message ID: MC814189