MC1050816 – M365 Change Digest

One-line summary

Windows updates from April 8, 2025 add protections for a Kerberos vulnerability; enforcement starts July 8, 2025, with full enforcement and registry key removal on October 14, 2025.

Similar updates

Details

Body (from Message Center)

The Windows security updates released on or after April 8, 2025, contain protections for a vulnerability with Kerberos authentication. To learn more about this vulnerability, please see CVE-2025-26647.

When will this happen:

April 8, 2025: Initial Deployment phase – Audit mode

The initial deployment phase starts with the updates released on April 8, 2025. These updates add new behavior that detects the elevation of privilege vulnerability described in CVE-2025-26647 but does not enforce it.
To enable the new behavior and be secure from the vulnerability, you must ensure all Windows domain controllers are updated and the AllowNtAuthPolicyBypass registry key setting is set to 2.

July 8 2025: Enforced by Default phase

Updates released on or after July 8, 2025, will enforce the NTAuth Store check by default. The AllowNtAuthPolicyBypass registry key setting will still allow customers to move back to Audit mode if needed. However, the ability to completely disable this security update will be removed.

October 14, 2025: Enforcement mode

Updates released on or after October 14, 2025, will discontinue Microsoft support for the AllowNtAuthPolicyBypass registry key. At this stage, all certificates must be issued by authorities that are a part of NTAuth store.

How this will affect your organization:

You are at risk when a certificate authority (CA) is part of the Windows root store but not the NTAuth store and a Subject Key Identifier (SKI) is present in a privileged account. To mitigate the risks, you must apply the protections described in CVE-2025-26647.

What you need to do to prepare:

UPDATE all domain controllers with a Windows update released on or after April 8, 2025.
MONITOR new events that will be visible on domain controllers to identify affected certificate authorities.
ENABLE Enforcement mode once your environment is no longer using certificates issued by authorities that are not in the NTAuth store.

Additional information:

KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication)

Raw JSON (for debugging)

Expand/collapse the full payload below.

Show/hide raw

{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": null,
    "ai_actions": [
      "Update all domain controllers with April 8, 2025 or later Windows updates",
      "Monitor domain controllers for new security events",
      "Ensure certificates are issued by NTAuth store authorities",
      "Prepare for enforcement and registry key removal"
    ],
    "ai_master_tags": [
      "Admin",
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Windows updates from April 8, 2025 add protections for a Kerberos vulnerability; enforcement starts July 8, 2025, with full enforcement and registry key removal on October 14, 2025.",
    "ai_topics": [
      "Windows",
      "Entra"
    ],
    "category": "stayInformed",
    "details_map": {},
    "id": "MC1050816",
    "importance": 5,
    "is_major_change": false,
    "last_modified": "2025-04-08T17:54:39Z",
    "ms_products": [
      "Windows"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Windows"
    ],
    "severity": "normal",
    "tags": [
      "Admin impact"
    ],
    "title": "KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication)"
  }
}