KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication)
The Windows security updates released on or after April 8, 2025, contain protections for a vulnerability with Kerberos authentication. To learn more about this vulnerability, please see CVE-2025-26647.
When will this happen:
April 8, 2025: Initial Deployment phase – Audit mode
- The initial deployment phase starts with the updates released on April 8, 2025. These updates add new behavior that detects the elevation of privilege vulnerability described in CVE-2025-26647 but does not enforce the protection.
- To enable the new behavior and be secure from the vulnerability, you must ensure all Windows domain controllers are updated and the AllowNtAuthPolicyBypass registry key setting is set to 2.
July 8, 2025: Enforced by Default phase
- Updates released on or after July 8, 2025, will enforce the NTAuth Store check by default. The AllowNtAuthPolicyBypass registry key setting will still allow customers to move back to Audit mode if needed. However, the ability to completely disable this security update will be removed.
October 14, 2025: Enforcement mode
- Updates released on or after October 14, 2025, will discontinue Microsoft support for the AllowNtAuthPolicyBypass registry key. At this stage, all certificates must be issued by authorities that are part of the NTAuth store.
How this will affect your organization:
You are at risk when a certificate authority (CA) is part of the Windows root store but not the NTAuth store and a Subject Key Identifier (SKI) is present in a privileged account. To mitigate the risks, you must apply the protections described in CVE-2025-26647.
What you need to do to prepare:
- UPDATE all domain controllers with a Windows update released on or after April 8, 2025.
- MONITOR new events that will be visible on domain controllers to identify affected certificate authorities.
- ENABLE Enforcement mode once your environment is no longer using certificates issued by authorities that are not in the NTAuth store.
Additional information:
Message ID: MC1050816