30-day notice: Manage PAC Validation related to CVE-2024-26248 & CVE-2024-29056

Last year, Windows updates released on or after April 9, 2024 added new behaviors that start the process of addressing a security risk in the Kerberos PAC Validation Protocol. Presently, it is still possible to override the enforcement settings related to the new behaviors, and revert to a Compatibility mode.

This year, beginning with Windows updates to be released in April 2025, there will be no support for Compatibility mode, and the new secure behavior will be enabled during the Enforcement phase.
When will this happen?
Enforcement phase begins in April 2025. Windows security updates released on or after this date will remove support for the Compatibility mode registry subkeys PacSignatureValidationLevel and CrossDomainFilteringLevel and enforce the new secure behavior. There will be no support for Compatibility mode after installing the April 2025 update.
 
How will this affect your organization?
To mitigate the risks described in CVE-2024-26248 and CVE-2024-29056, you must update your entire Windows environment. This must include all Windows domain controllers and Windows clients. Environments that are not up to date will not recognize the new request structure after the Enforcement phase begins. Because of this, security checks will fail.
 
What do you need to do to prepare?
Be ready to fully enable Enforcement mode later this year.
  1. Ensure that all Windows domain controllers and Windows clients are updated with a Windows security update released on or after April 9, 2024.
  2. Review Audit events that are visible in Compatibility mode. This will help identify which devices have not been updated with a Windows security update released on or after April 9, 2024.
  3. Install the April 2025 Windows update on all Windows domain controllers and Windows clients once it becomes available later this year. After that update, Enforcement mode is fully enabled in your environment, which properly mitigates the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056.
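Steps 1 and 3 above hinge on knowing, per domain controller, whether the April 9, 2024 baseline is met and whether either Compatibility mode subkey is still explicitly set (those overrides stop working with the April 2025 update). The script below is an added inventory example, not part of Microsoft's notice; it assumes PowerShell remoting to each domain controller, the ActiveDirectory RSAT module on the admin host, and that you pass the parent registry key of PacSignatureValidationLevel and CrossDomainFilteringLevel (taken from Microsoft's KB, since the notice does not state it) via -KerberosParamsKey.

```powershell
# Added example (not Microsoft's code). Assumptions: WinRM to every DC,
# RSAT ActiveDirectory module installed, and the parent registry key of the
# two Compatibility mode subkeys supplied by the caller from Microsoft's KB.
param(
    [Parameter(Mandatory)][string]$KerberosParamsKey,          # e.g. 'HKLM:\<key from KB>'
    [datetime]$BaselineDate = [datetime]'2024-04-09'            # first update with the new behavior
)
Import-Module ActiveDirectory

$overrideNames = 'PacSignatureValidationLevel', 'CrossDomainFilteringLevel'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    Invoke-Command -ComputerName $dc.HostName `
        -ArgumentList $KerberosParamsKey, $overrideNames, $BaselineDate `
        -ScriptBlock {
        param($key, $names, $baseline)

        # Newest update visible to Get-HotFix. InstalledOn is a coarse proxy:
        # an older KB installed late would still pass, so confirm the KB ID
        # against Microsoft's release notes before trusting a "True" here.
        $latest = Get-HotFix |
            Where-Object InstalledOn |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 1

        # Any explicit value under a Compatibility mode subkey is an override
        # that the April 2025 update will no longer honor; $null means unset.
        $overrides = @{}
        foreach ($n in $names) {
            $overrides[$n] = (Get-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue).$n
        }

        [pscustomobject]@{
            Computer                    = $env:COMPUTERNAME
            LatestHotFix                = $latest.HotFixID
            LatestHotFixInstalledOn     = $latest.InstalledOn
            MeetsApril2024Baseline      = [bool]($latest -and $latest.InstalledOn -ge $baseline)
            PacSignatureValidationLevel = $overrides['PacSignatureValidationLevel']
            CrossDomainFilteringLevel   = $overrides['CrossDomainFilteringLevel']
        }
    }
}

# Rows with MeetsApril2024Baseline = False need step 1; rows with a non-null
# override value will change behavior when the April 2025 update removes the subkeys.
$report | Sort-Object Computer | Format-Table -AutoSize
```

Run it as `.\Check-PacValidationReadiness.ps1 -KerberosParamsKey '<key from KB>'` (hypothetical file name); extend the Get-ADDomainController query to member servers or workstations if you also want client coverage.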
 
Additional information:

Message ID: MC1027793




I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.
