Immediate Action: Enforce PAC Validation for CVE-2024-26248 & CVE-2024-29056
MC1050817
Category: stayInformed
Severity: normal
Major change: False
Last modified: 2025-04-08 17:01:58
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph):
Action by (AI):
Services: Windows
Tags: Admin impact
Master tags: Security
Roadmap IDs:
One-line summary

Starting with the April 2025 Windows security update, the Enforcement phase for Kerberos PAC Validation begins: Compatibility mode is removed, and all domain controllers and clients must be updated to remain secure.


Details

Body (from Message Center)

Last year, Windows updates released on and after April 9, 2024 added new behaviors that start the process of addressing a security risk in the Kerberos PAC Validation Protocol.

Starting today, the Enforcement phase of deployment begins. After installing the April 2025 Windows security update and later updates on all Windows domain controllers and Windows clients, support for Compatibility mode will be removed, and the new secure behavior will be enabled by default. This will properly mitigate the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056.

When will this happen?
The Enforcement phase starts today with the release of the April 2025 Windows security update.

How will this affect your organization?
To mitigate the risks described in CVE-2024-26248 and CVE-2024-29056, you must update your entire Windows environment, including all Windows domain controllers and Windows clients. Environments that are not up to date will not recognize the new request structure, and security checks will fail.
What do you need to do to prepare?
Install the April 2025 Windows security update on all Windows domain controllers and Windows clients. Once it is installed everywhere, Enforcement mode is fully enabled in your environment, which properly mitigates the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056.

Additional information:
