Change to the Enforced by Default phase timeline for Kerberos signature validation risks
Windows updates dated April 9, 2024, or later add new behaviors that start the process of addressing a security risk in the Kerberos PAC Validation Protocol. These improvements are deployed in three phases (see below). The timeline of the second phase, Enforced by Default, has changed. This phase will occur in January 2025. For full guidance, see KB5037754.

When will this happen:
- April 9, 2024: The initial deployment phase started with the release of the April 2024 security update. This update added new secure behavior that prevents the elevation of privilege risks.
- January 2025: The Enforced by Default phase starts. In this phase, Windows domain controllers (DCs) and clients will move to Enforced mode. This mode will enforce the new secure behavior by default. Note that during this phase, you can override the Enforced by Default settings and revert to Compatibility mode.
- April 2025: Enforcement phase begins. In this phase, there is no option to revert from the new secure behavior.
How this will affect your organization:
To mitigate the risks described in CVE-2024-26248 and CVE-2024-29056, you must update your entire Windows environment. This must include DCs and clients. Environments that are not up to date will not recognize this new request structure after the Enforcement phase begins. Because of this, security checks will fail.
What you need to do to prepare:
- UPDATE: Install the April 9, 2024, or later update on all Windows DCs and Windows clients.
- MONITOR: Keep track of audit events that are visible in Compatibility mode. These events will identify devices that are not up to date.
- ENABLE: Turn on Enforcement mode fully in your environment. When you do, it mitigates the risks described in CVE-2024-26248 and CVE-2024-29056.
Additional information:
- KB5037754: How to manage PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056
- KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967
Message ID: MC904929
