MC1027793 – 30-day notice: Manage PAC Validation related to CVE-2024-26248 & CVE-2024-29056 (archived)


check before: 2025-04-01

Product:

Office 365 general, Windows

Platform:

Online, World tenant

Status:

Change type:

Admin impact

Links:

Details:

Last year, Windows updates released on or after April 9, 2024 added new behaviors that start the process of addressing a security risk in the Kerberos PAC Validation Protocol. At present it is still possible to override the enforcement settings for the new behaviors and revert to Compatibility mode.

This year, beginning with Windows updates to be released in April 2025, there will be no support for Compatibility mode, and the new secure behavior will be enabled during the Enforcement phase.

For full guidance, see KB5037754: How to manage PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056.


When will this happen?
Enforcement phase begins in April 2025. Windows security updates released on or after this date will remove support for the Compatibility mode registry subkeys PacSignatureValidationLevel and CrossDomainFilteringLevel and enforce the new secure behavior. There will be no support for Compatibility mode after installing the April 2025 update.
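As an added example (not part of the notice or of KB5037754), the following PowerShell inventory reads the two registry values named above on a list of hosts and flags those still carrying a Compatibility-mode override, so they can be found before the April 2025 update stops honouring it. The registry path and the meaning of the values (2 = Compatibility, 3 or 4 = Enforcement) are taken from KB5037754 and are assumptions here, as are the host names and the requirement that WinRM is enabled on them.

```powershell
# Added example: inventory Compatibility-mode overrides for the PAC validation
# changes (CVE-2024-26248 / CVE-2024-29056). Not code from the notice or KB.
# Assumed from KB5037754: the values live under the Kerberos\Parameters key,
# 2 = Compatibility, 3 (PacSignatureValidationLevel) and
# 4 (CrossDomainFilteringLevel) = Enforcement. Targets need WinRM enabled.
function Get-PacValidationOverride {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $enforcement = @{ PacSignatureValidationLevel = 3; CrossDomainFilteringLevel = 4 }

    # Read both values remotely; missing values come back as $null.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $regPath -ScriptBlock {
        param($path)
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PacSignatureValidationLevel = $props.PacSignatureValidationLevel
            CrossDomainFilteringLevel   = $props.CrossDomainFilteringLevel
        }
    } | ForEach-Object {
        foreach ($name in $enforcement.Keys) {
            $value = $_.$name
            $state = if ($null -eq $value) { 'NotSet (follows the installed update default)' }
                     elseif ($value -eq $enforcement[$name]) { 'Enforcement' }
                     elseif ($value -eq 2) { 'Compatibility (ignored after the April 2025 update)' }
                     else { "Unexpected value $value" }
            [pscustomobject]@{
                Computer = $_.PSComputerName
                Setting  = $name
                Value    = $value
                State    = $state
            }
        }
    }
}

# Usage (host names are placeholders): list domain controllers and
# Kerberos-accepting servers, keeping only hosts that still rely on an override.
Get-PacValidationOverride -ComputerName 'dc01', 'app01' |
    Where-Object State -like 'Compatibility*' |
    Format-Table -AutoSize
```

Hosts reported as Compatibility are the ones whose applications should be retested against Enforcement mode before the April 2025 security update is installed.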


Release Phase:

Created:
2025-03-11

updated:
2025-03-11


Direct effects for Operations**

Compatibility Mode Removal
Without preparation, users may experience authentication failures as Compatibility mode will no longer be supported, leading to access issues for applications relying on Kerberos authentication.
   - roles: System Administrators, End Users
   - references: https://learn.microsoft.com/openspecs/windows_protocols/ms-apds/82b7b7c6-413d-4d66-b6b7-4a9224549782, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26248

Security Check Failures
If the environment is not updated before the enforcement phase, security checks will fail, potentially exposing the organization to security vulnerabilities.
   - roles: Security Analysts, IT Support Staff
   - references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29056, https://support.microsoft.com/help/5037754

Increased Support Tickets
Users may report issues related to access and authentication, leading to a surge in support tickets and increased workload for IT support teams.
   - roles: Help Desk Technicians, System Administrators
   - references: https://support.microsoft.com/help/5020805, https://support.microsoft.com/help/5037754

Audit Event Overload
Failure to update systems may result in an overload of audit events, complicating the identification of unpatched devices and increasing administrative overhead.
   - roles: System Administrators, Compliance Officers
   - references: https://learn.microsoft.com/openspecs/windows_protocols/ms-apds/82b7b7c6-413d-4d66-b6b7-4a9224549782, https://support.microsoft.com/help/5037754

User Experience Degradation
Users may face degraded experience due to unexpected authentication issues, leading to frustration and decreased productivity.
   - roles: End Users, IT Support Staff
   - references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26248, https://support.microsoft.com/help/5037754


** AI generated content. This information must be reviewed before use.
