MC1050817 – Immediate Action: Enforce PAC Validation for CVE-2024-26248 & CVE-2024-29056

check before: 2025-04-01

Product:

Office 365 general

Platform:

Online, World tenant

Change type:

Admin impact

Details:

Last year, Windows updates released on and after April 9, 2024 added new behaviors that start the process of addressing a security risk in the Kerberos PAC Validation Protocol.


Starting today, the Enforcement phase of deployment begins. After installing the April 2025 Windows security update and later updates on all Windows domain controllers and Windows clients, support for Compatibility mode will be removed, and the new secure behavior will be enabled by default. This will properly mitigate the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056.


When will this happen?
The Enforcement phase starts today with the release of the April 2025 Windows security update.

Created:
2025-04-09

updated:
2025-04-09

Summary for non-techies**

Starting with the April 2025 Windows security update, the Kerberos PAC Validation Protocol will automatically enforce new security measures and phase out the older "Compatibility mode" to address vulnerabilities CVE-2024-26248 and CVE-2024-29056. This requires updates across all domain controllers and client machines.

Direct effects for Operations**

Compatibility Issues
If the environment is not updated, clients will fail to recognize the new request structure, leading to authentication failures.
   - roles: System Administrators, IT Support Staff
   - references: https://learn.microsoft.com/openspecs/windows_protocols/ms-apds/82b7b7c6-413d-4d66-b6b7-4a9224549782, https://support.microsoft.com/help/5037754

User Authentication Failures
Users may experience login issues due to the lack of support for the new secure behavior in outdated systems.
   - roles: End Users, Help Desk Technicians
   - references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26248, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29056

Increased Support Tickets
The transition to the new PAC validation may lead to a surge in support requests from users facing issues.
   - roles: Help Desk Technicians, IT Support Staff
   - references: https://support.microsoft.com/help/5020805, https://support.microsoft.com/help/5037754

Service Disruption
Critical services relying on Kerberos authentication may become unavailable if not all systems are updated.
   - roles: System Administrators, Network Engineers
   - references: https://learn.microsoft.com/openspecs/windows_protocols/ms-apds/82b7b7c6-413d-4d66-b6b7-4a9224549782, https://support.microsoft.com/help/5037754

User Experience Degradation
Users may face delays and interruptions in accessing services due to authentication issues stemming from outdated systems.
   - roles: End Users, IT Support Staff
   - references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29056, https://support.microsoft.com/help/5020805

** AI generated content. This information must be reviewed before use.
