check before: 2025-04-01
Product:
Office 365 general
Platform:
Online, World tenant
Change type:
Admin impact

Details:
Last year, Windows updates released on or after April 9, 2024 added new behaviors that start the process of addressing a security risk in the Kerberos PAC Validation Protocol. Presently, it is still possible to override the enforcement settings related to the new behaviors, and revert to a Compatibility mode.
This year, beginning with Windows updates to be released in April 2025, there will be no support for Compatibility mode, and the new secure behavior will be enabled during the Enforcement phase.
For full guidance, see KB5037754: How to manage PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056.
When will this happen?
Enforcement phase begins in April 2025. Windows security updates released on or after this date will remove support for the Compatibility mode registry subkeys PacSignatureValidationLevel and CrossDomainFilteringLevel and enforce the new secure behavior. There will be no support for Compatibility mode after installing the April 2025 update.
Created:
2025-03-11
updated:
2025-03-11
Direct effects for Operations**
Compatibility Mode Removal
Without preparation, users may experience authentication failures as Compatibility mode will no longer be supported, leading to access issues for applications relying on Kerberos authentication.
- roles: System Administrators, End Users
- references: https://learn.microsoft.com/openspecs/windows_protocols/ms-apds/82b7b7c6-413d-4d66-b6b7-4a9224549782, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26248
Security Check Failures
If the environment is not updated before the enforcement phase, security checks will fail, potentially exposing the organization to security vulnerabilities.
- roles: Security Analysts, IT Support Staff
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29056, https://support.microsoft.com/help/5037754
Increased Support Tickets
Users may report issues related to access and authentication, leading to a surge in support tickets and increased workload for IT support teams.
- roles: Help Desk Technicians, System Administrators
- references: https://support.microsoft.com/help/5020805, https://support.microsoft.com/help/5037754
Audit Event Overload
Failure to update systems may result in an overload of audit events, complicating the identification of unpatched devices and increasing administrative overhead.
- roles: System Administrators, Compliance Officers
- references: https://learn.microsoft.com/openspecs/windows_protocols/ms-apds/82b7b7c6-413d-4d66-b6b7-4a9224549782, https://support.microsoft.com/help/5037754
User Experience Degradation
Users may face degraded experience due to unexpected authentication issues, leading to frustration and decreased productivity.
- roles: End Users, IT Support Staff
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26248, https://support.microsoft.com/help/5037754
Opportunities**
Enhanced Security Compliance
Transitioning to the new secure behavior of the PAC Validation Protocol will enhance the overall security posture of the organization by mitigating vulnerabilities associated with CVE-2024-26248 and CVE-2024-29056. This ensures that all systems are up-to-date and compliant with the latest security standards, reducing the risk of security breaches.
- next-steps: Conduct a thorough audit of current systems to identify which devices have not been updated. Create a timeline for updating all Windows domain controllers and clients before the April 2025 deadline.
- roles: IT Security Manager, System Administrator, Compliance Officer
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26248, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29056
Improved User Experience
By enforcing the new PAC Validation Protocol, users will experience fewer authentication issues and improved access to resources, as outdated compatibility settings can lead to errors and access denials. This ensures a smoother operation for end-users across the organization.
- next-steps: Gather feedback from users regarding current authentication experiences and identify pain points. Develop a communication plan to inform users of the upcoming changes and provide support during the transition.
- roles: End Users, IT Support Team, Help Desk Manager
- references: https://learn.microsoft.com/openspecs/windows_protocols/ms-apds/82b7b7c6-413d-4d66-b6b7-4a9224549782
Streamlined IT Operations
Updating all systems to comply with the new PAC Validation Protocol can streamline IT operations by reducing the need for ongoing support for compatibility issues. This will allow IT teams to focus on proactive management rather than reactive troubleshooting.
- next-steps: Develop a comprehensive update plan that includes timelines, responsibilities, and resource allocation for the update process. Ensure training for IT staff on the new protocol to enhance operational efficiency.
- roles: IT Operations Manager, Network Administrator, IT Project Manager
- references: https://support.microsoft.com/help/5037754, https://support.microsoft.com/help/5020805
** AI generated content. This information must be reviewed before use.
Last updated 1 week ago