check before: 2025-04-08
Product:
Office 365 general
Platform:
Online, World tenant
Status:
Change type:
Admin impact
Links:

Details:
The Windows security updates released on or after April 8, 2025, contain protections for a vulnerability with Kerberos authentication. To learn more about this vulnerability, please see CVE-2025-26647.
When will this happen:
April 8, 2025: Initial Deployment phase - Audit mode
The initial deployment phase starts with the updates released on April 8, 2025. These updates add new behavior that detects the elevation of privilege vulnerability described in CVE-2025-26647 but does not enforce it.
To enable the new behavior and be secure from the vulnerability, you must ensure all Windows domain controllers are updated and the AllowNtAuthPolicyBypass registry key setting is set to 2.
July 8, 2025: Enforced by Default phase
Updates released on or after July 8, 2025, will enforce the NTAuth Store check by default. The AllowNtAuthPolicyBypass registry key setting will still allow customers to move back to Audit mode if needed. However, the ability to completely disable this security update will be removed.
October 14, 2025: Enforcement mode
Updates released on or after October 14, 2025, will discontinue Microsoft support for the AllowNtAuthPolicyBypass registry key. At this stage, all certificates must be issued by authorities that are a part of NTAuth store.
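The rollout above hinges on two things an administrator must verify before the July 8, 2025 and October 14, 2025 phases: every domain controller is patched, and AllowNtAuthPolicyBypass is set to 2. The following PowerShell is an added example, not part of the Microsoft post or the cloudscout.one page; it assumes the value lives under HKLM\SYSTEM\CurrentControlSet\Services\Kdc (taken from Microsoft's KB for this change, since the page gives only the value name), that 1 means Audit and 2 means Enforce, and that WinRM and the ActiveDirectory module are available.

```powershell
# Added example: inventory the AllowNtAuthPolicyBypass setting on every domain
# controller in the current domain and flag any that are not in Enforce mode.
# Assumed registry location (from Microsoft's KB, not stated on this page).
Import-Module ActiveDirectory

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'AllowNtAuthPolicyBypass'

function Get-NtAuthBypassMode {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Read the DWORD remotely; a missing value comes back as $null.
    $value = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
        param($Key, $Name)
        (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    } -ArgumentList $KdcKey, $ValueName

    # Assumed meanings: 2 = Enforce (the target state), 1 = Audit only.
    if     ($null -eq $value) { $mode = 'NotSet (phase default applies)' }
    elseif ($value -eq 2)     { $mode = 'Enforce' }
    elseif ($value -eq 1)     { $mode = 'Audit' }
    else                      { $mode = "Other ($value)" }

    [pscustomobject]@{ DomainController = $ComputerName; Value = $value; Mode = $mode }
}

# Query every DC; an unreachable DC is reported rather than silently skipped.
$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try   { Get-NtAuthBypassMode -ComputerName $dc.HostName }
    catch {
        [pscustomobject]@{ DomainController = $dc.HostName; Value = $null
                           Mode = "Unreachable: $($_.Exception.Message)" }
    }
}

$results | Format-Table -AutoSize

# Anything other than Enforce needs attention before the enforcement phases.
$notEnforced = @($results | Where-Object { $_.Mode -ne 'Enforce' })
if ($notEnforced.Count -gt 0) {
    Write-Warning "$($notEnforced.Count) domain controller(s) are not set to AllowNtAuthPolicyBypass = 2."
}
```

Run it from a patched management host with domain-admin rights; DCs reported as NotSet or Audit should be reviewed against the event-log findings from Audit mode before switching them to 2.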
Change Category:
Scope:
Release Phase:
Created:
2025-04-09
updated:
2025-04-09
Task Type
Docu to Check
MS How does it affect me
MS Preparations
MS Urgency
MS workload name
summary for non-techies
Microsoft is rolling out updates to address a Kerberos vulnerability in three phases: an Audit mode from April 8, 2025, which detects but does not block certificates issued by authorities outside the NTAuth store; Enforced by Default from July 8, 2025, which blocks them unless an administrator switches back to Audit; and full Enforcement from October 14, 2025, when the opt-out is removed. Organizations need to update all domain controllers and monitor for affected certificate authorities before the enforcement dates.
Direct effects for Operations
Kerberos Authentication Vulnerability
Failure to update domain controllers before the enforcement phase may lead to unauthorized access due to the elevation of privilege vulnerability in Kerberos authentication.
- roles: System Administrator, Security Officer
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647
Certificate Authority Compliance
If the NTAuth store is not updated, certificates issued by non-compliant authorities may lead to service disruptions and security breaches after enforcement mode.
- roles: Network Administrator, Compliance Officer
- references: https://support.microsoft.com/topic/5f5d753b-4023-4dd3-b7b7-c8b104933d53
User Authentication Failures
Users may experience authentication failures if their certificates are not recognized due to the NTAuth store not being updated, impacting access to services.
- roles: End User, Help Desk Support
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647
Increased Monitoring Requirements
Post-update, there will be a need for increased monitoring of domain controllers to identify affected certificate authorities, which may strain resources if unprepared.
- roles: IT Operations Manager, System Administrator
- references: https://support.microsoft.com/topic/5f5d753b-4023-4dd3-b7b7-c8b104933d53
Operational Downtime
Without proper preparation, the transition to enforcement mode may cause operational downtime as systems may fail to authenticate users or services, leading to productivity loss.
- roles: IT Manager, Business Continuity Planner
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647
Configuration Options
Opportunities
Potential Risks
IT Security
explanation for non-techies
** AI generated content. This information must be reviewed before use.