60-day notice: Manage PAC Validation related to CVE-2024-26248 & CVE-2024-29056
MC1003098
Category: planForChange
Severity: normal
Major change: False
Last modified: 2025-02-11 18:00:13
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph):
Action by (AI):
Services: Windows
Tags: Admin impact
Master tags: Security
Roadmap IDs:

One-line summary

Windows updates in April 2025 will enforce new Kerberos PAC Validation security behavior, removing Compatibility mode and requiring all domain controllers and clients to be updated.

Similar updates

More like this
MC1050817 Immediate Action: Enforce PAC Validation for CVE-2024-26248 & CVE-2024-29056
Starting with the April 2025 Windows security update, Enforcement phase for Kerberos PAC Validation begins, removing Compatibility mode and requiring all domain controllers and clients to update for security compliance. Last year, Windows updates released on and after.
MC1027793 30-day notice: Manage PAC Validation related to CVE-2024-26248 & CVE-2024-29056
Starting April 2025, Windows updates will enforce new Kerberos PAC Validation security behavior, removing Compatibility mode and requiring all domain controllers and clients to be updated. Last year, Windows updates released on or after April 9, 2024 added new.
MC1050815 (Updated) The April 2025 Windows security update is now available
April 2025 security update for Windows 10/11 and Windows Server is now available, addressing security, quality, and DST changes; prompt installation is recommended. Updated April 9, 2025: This message was updated to reflect the current availability of Windows 10 2015 LTSB. The.
MC1096052 Windows add support for the new certificate authority handling logic in Application Control for Business
Application Control for Business updates CA trust logic to handle expiring Microsoft CAs, requiring Windows updates by May 13, 2025 for seamless trust extension. Microsoft is updating the logic used by Application Control for Business to.
MC1092195 Prepare for Kerberos CBA changes: Enforcement begins with July updates
Windows updates will enforce stricter certificate-based authentication for domain controllers, requiring CAs in the NTAuth store starting July 8, 2025, with full enforcement October 14, 2025. Starting with the April 8, 2025 Windows security updates, protections for .
MC1150557 Certificate-based authentication changes following installation of Windows updates released September 9, 2025
Starting September 9, 2025, Windows updates enforce new certificate mapping requirements on Windows Servers, ending gradual rollout and requiring immediate admin action to ensure authentication works. Windows updates released September 9,.

Details

Body (from Message Center)

Last year, Windows updates released on or after April 9, 2024 added new behaviors that start the process of addressing a security risk in the Kerberos PAC Validation Protocol. Presently, it is still possible to override the enforcement settings related to the new behaviors, and revert to a Compatibility mode.

This year, beginning with Windows updates to be released in April 2025, there will be no support for Compatibility mode, and the new secure behavior will be enabled during the Enforcement phase.

For full guidance, see KB5037754: How to manage PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056.

When will this happen?
Enforcement phase begins in April 2025. Windows security updates released on or after this date will remove support for the Compatibility mode registry subkeys PacSignatureValidationLevel and CrossDomainFilteringLevel and enforce the new secure behavior. There will be no support for Compatibility mode after installing the April 2025 update.
 
How will this affect your organization?
To mitigate the risks described in CVE-2024-26248 and CVE-2024-29056, you must update your entire Windows environment. This must include all Windows domain controllers and Windows clients. Environments that are not up to date will not recognize the new request structure after the Enforcement phase begins. Because of this, security checks will fail.
 
What do you need to do to prepare?
Be ready to fully enable Enforcement mode later this year.
  1. Ensure that all Windows domain controllers and Windows clients are updated with a Windows security update released on or after April 9, 2024.
  2. Review Audit events that are visible in Compatibility mode. This will help identify which devices have not been updated with a Windows security update released on or after April 9, 2024.
  3. Install the April 2025 Windows update on all Windows domain controllers and Windows clients, once it becomes available later this year. Enforcement mode will be fully enabled in your environment. This will properly mitigate the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056.
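
As a companion to the preparation steps and to the "When will this happen?" note about the override subkeys, the following added example (not part of the Message Center notice or of KB5037754) inventories which hosts still have PacSignatureValidationLevel or CrossDomainFilteringLevel set. Assumptions: the registry key path is not stated in this notice, so it is a mandatory parameter to be taken from KB5037754, and the hosts are reachable over PowerShell remoting.

```powershell
# Added example, not Microsoft's code. Reports hosts where the two
# Compatibility-mode override values named in the notice are still present.
param(
    # Assumption: key path in provider form (HKLM:\...), copied from KB5037754;
    # this notice does not state it.
    [Parameter(Mandatory)] [string]   $KeyPath,
    # Assumption: domain controllers and clients reachable over WinRM.
    [Parameter(Mandatory)] [string[]] $ComputerName
)

$valueNames = 'PacSignatureValidationLevel', 'CrossDomainFilteringLevel'

$results = Invoke-Command -ComputerName $ComputerName `
    -ErrorAction SilentlyContinue -ErrorVariable failed `
    -ArgumentList $KeyPath, $valueNames -ScriptBlock {
        param($KeyPath, $valueNames)
        # A missing key simply means no override is configured on this host.
        $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
        foreach ($name in $valueNames) {
            $isSet = ($null -ne $props) -and
                     ($props.PSObject.Properties.Name -contains $name)
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Value    = $name
                IsSet    = $isSet
                Data     = if ($isSet) { $props.$name } else { $null }
            }
        }
    }

# Hosts that still carry an override: review these before the April 2025 update,
# because the notice says the subkeys stop being supported after it is installed.
$results | Where-Object IsSet | Sort-Object Computer, Value |
    Format-Table Computer, Value, Data -AutoSize

# A host that did not answer is an unknown, not a pass.
$failed | ForEach-Object { Write-Warning "No answer from $($_.TargetObject)" }
```

The script reports the raw data of each value without interpreting it; the meaning of each level is defined in KB5037754.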
 
Additional information:
