Category: stayInformed
Severity: normal
Major change: False
Last modified: 2025-04-08 17:01:58
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph): —
Action by (AI): —
Services: Windows
Tags: Admin impact
Master tags: Admin, Security
Roadmap IDs:
One-line summary
Starting with the April 2025 Windows security update, the Enforcement phase for Kerberos PAC Validation begins, removing Compatibility mode and requiring all domain controllers and clients to update for security compliance.
Details
Body (from Message Center)
Last year, Windows updates released on and after April 9, 2024 added new behaviors that start the process of addressing a security risk in the Kerberos PAC Validation Protocol.
Starting today, the Enforcement phase of deployment begins. After installing the April 2025 Windows security update and later updates on all Windows domain controllers and Windows clients, support for Compatibility mode will be removed, and the new secure behavior will be enabled by default. This will properly mitigate the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056.
When will this happen?
The Enforcement phase starts today with the release of the April 2025 Windows security update.
How will this affect your organization?
To mitigate the risks described in CVE-2024-26248 and CVE-2024-29056, you must update your entire Windows environment, including all Windows domain controllers and Windows clients. Environments that are not up to date will not recognize the new request structure, and security checks will fail.
What do you need to do to prepare?
Install the April 2025 Windows security update on all Windows domain controllers and Windows clients. Enforcement mode will be fully enabled in your environment. This will properly mitigate the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056.
Additional information:
Raw JSON (for debugging)
{
"snapshot_item": {
"action_required_by": null,
"ai_action_required_by": null,
"ai_actions": [
"Install April 2025 Windows security update on all domain controllers and clients"
],
"ai_master_tags": [
"Admin",
"Security"
],
"ai_model": "gpt-4.1",
"ai_summary": "Starting with the April 2025 Windows security update, Enforcement phase for Kerberos PAC Validation begins, removing Compatibility mode and requiring all domain controllers and clients to update for security compliance.",
"ai_topics": [
"Windows"
],
"category": "stayInformed",
"details_map": {},
"id": "MC1050817",
"importance": 5,
"is_major_change": false,
"last_modified": "2025-04-08T17:01:58Z",
"ms_products": [
"Windows"
],
"platforms": null,
"roadmap_ids": [],
"services": [
"Windows"
],
"severity": "normal",
"tags": [
"Admin impact"
],
"title": "Immediate Action: Enforce PAC Validation for CVE-2024-26248 \u0026 CVE-2024-29056"
}
}