check before: 2025-04-01
Product:
Office 365 general, Windows
Platform:
Online, World tenant
Status:
Change type:
Admin impact
Links:
Details:
Last year, Windows updates released on and after April 9, 2024 added new behaviors that start the process of addressing a security risk in the Kerberos PAC Validation Protocol.
Starting today, the Enforcement phase of deployment begins. After installing the April 2025 Windows security update and later updates on all Windows domain controllers and Windows clients, support for Compatibility mode will be removed, and the new secure behavior will be enabled by default. This will properly mitigate the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056.
When will this happen?
The Enforcement phase starts today with the release of the April 2025 Windows security update.
Release Phase:
Created:
2025-04-09
updated:
2025-04-09
Direct effects for Operations**
Compatibility Issues
If the environment is not updated, clients will fail to recognize the new request structure, leading to authentication failures.
- roles: System Administrators, IT Support Staff
- references: https://learn.microsoft.com/openspecs/windows_protocols/ms-apds/82b7b7c6-413d-4d66-b6b7-4a9224549782, https://support.microsoft.com/help/5037754
User Authentication Failures
Users may experience login issues due to the lack of support for the new secure behavior in outdated systems.
- roles: End Users, Help Desk Technicians
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26248, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29056
Increased Support Tickets
The transition to the new PAC validation may lead to a surge in support requests from users facing issues.
- roles: Help Desk Technicians, IT Support Staff
- references: https://support.microsoft.com/help/5020805, https://support.microsoft.com/help/5037754
Service Disruption
Critical services relying on Kerberos authentication may become unavailable if not all systems are updated.
- roles: System Administrators, Network Engineers
- references: https://learn.microsoft.com/openspecs/windows_protocols/ms-apds/82b7b7c6-413d-4d66-b6b7-4a9224549782, https://support.microsoft.com/help/5037754
User Experience Degradation
Users may face delays and interruptions in accessing services due to authentication issues stemming from outdated systems.
- roles: End Users, IT Support Staff
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29056, https://support.microsoft.com/help/5020805
Opportunities**
Enhanced Security Posture
By enforcing PAC validation, the organization will significantly improve its security posture against vulnerabilities associated with Kerberos, specifically CVE-2024-26248 and CVE-2024-29056. This ensures that all authentication requests are validated correctly, reducing the risk of unauthorized access.
- next-steps: Conduct a thorough audit of the current Windows environment to identify all domain controllers and clients that need updating. Schedule and execute the update process for the April 2025 Windows security update across the organization.
- roles: IT Security Manager, System Administrator, Network Administrator
- references: https://learn.microsoft.com/openspecs/windows_protocols/ms-apds/82b7b7c6-413d-4d66-b6b7-4a9224549782, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26248
Improved User Experience
With the removal of Compatibility mode and the implementation of the new secure behavior, users will experience fewer authentication issues and smoother access to resources. This change will reduce the time spent on troubleshooting authentication problems.
- next-steps: Communicate the upcoming changes to all users and provide guidance on what to expect. Prepare support staff to assist users with any potential issues during the transition.
- roles: Help Desk Manager, User Support Specialist, IT Operations Manager
- references: https://support.microsoft.com/help/5037754, https://support.microsoft.com/help/5020805
Streamlined IT Operations
The transition to the new PAC validation process will streamline IT operations by reducing the complexity associated with maintaining Compatibility mode. This will allow IT teams to focus on more strategic initiatives rather than troubleshooting compatibility issues.
- next-steps: Review and update IT operational procedures to reflect the new authentication processes. Train IT staff on the new security measures and ensure that they are prepared to support the updated environment.
- roles: IT Operations Manager, System Administrator, Compliance Officer
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29056, https://learn.microsoft.com/openspecs/windows_protocols/ms-apds/82b7b7c6-413d-4d66-b6b7-4a9224549782
** AI generated content. This information must be reviewed before use.
Last updated 3 months ago