check before: 2025-07-08
Product:
Office 365 general
Platform:
Online, World tenant
Status:
Change type:
Admin impact
Links:

Details:
Starting with the April 8, 2025 Windows security updates, protections for CVE-2025-26647 are being rolled out and enforced in phases. These updates change how certificate-based authentication (CBA) is handled when the issuing certificate authority (CA) is not in the NTAuth store but a Subject Key Identifier (SKI) mapping exists in the altSecID attribute.
When will this happen:
July 8, 2025: Enforced by Default phase
Updates released on or after July 8, 2025, will enforce the NTAuth store check by default. The AllowNtAuthPolicyBypass registry key setting will still allow customers to move back to Audit mode if needed. However, the ability to completely disable this security update will be removed.
October 14, 2025: Enforcement mode
Updates released on or after October 14, 2025, will discontinue Microsoft support for the AllowNtAuthPolicyBypass registry key. At this stage, all certificates must be issued by authorities that are part of the NTAuth store.
Release Phase:
Created:
2025-06-12
updated:
2025-06-12
summary for non-techies**
Starting in April 2025, Microsoft will change how certificate-based authentication works in Windows, enforcing by October 2025 that only certificates from trusted authorities in the NTAuth store will be accepted, phasing out previous workarounds.
Direct effects for Operations**
Authentication Failures
If the environment uses certificate-based authentication (CBA) with certificates from CAs not in the NTAuth store, authentication may fail once Enforcement mode is enabled.
- roles: System Administrator, Network Engineer
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647, https://support.microsoft.com/topic/5f5d753b-4023-4dd3-b7b7-c8b104933d53
Increased Support Calls
Users may experience login issues leading to an increase in support calls and tickets due to authentication failures.
- roles: Help Desk Technician, IT Support Specialist
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647, https://support.microsoft.com/topic/5f5d753b-4023-4dd3-b7b7-c8b104933d53
Operational Downtime
Failure to update domain controllers and review altSecID mappings may lead to operational downtime as users cannot authenticate to services.
- roles: System Administrator, IT Operations Manager
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647, https://support.microsoft.com/topic/5f5d753b-4023-4dd3-b7b7-c8b104933d53
Compliance Risks
Organizations may face compliance risks if they do not adhere to the new authentication requirements, potentially leading to security vulnerabilities.
- roles: Compliance Officer, Security Analyst
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647, https://support.microsoft.com/topic/5f5d753b-4023-4dd3-b7b7-c8b104933d53
User Experience Degradation
Users may experience degraded performance or delays in accessing services due to authentication issues stemming from the changes.
- roles: End User, IT Support Specialist
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647, https://support.microsoft.com/topic/5f5d753b-4023-4dd3-b7b7-c8b104933d53
Opportunities**
Enhanced Security Compliance Monitoring
Implementing monitoring tools to track and log the new audit events (Event IDs 45 and 21) will provide insight into certificate usage and compliance with the new NTAuth store requirements. This proactive monitoring can help identify potential issues before they affect user authentication, thereby improving security and user experience.
- next-steps: Set up a centralized logging solution to capture and analyze audit events related to certificate authentication. Train IT staff on interpreting these logs and responding to alerts.
- roles: IT Security Team, System Administrators, Compliance Officers
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647, https://support.microsoft.com/topic/5f5d753b-4023-4dd3-b7b7-c8b104933d53
Streamlined Certificate Management Process
Reviewing and updating the altSecID mappings will ensure that only compliant certificates are used, thus preventing authentication failures. This process can be automated to reduce administrative overhead and improve efficiency.
- next-steps: Conduct an audit of current certificate authorities and their mappings. Develop a script or use a certificate management tool to automate the updating of altSecID mappings.
- roles: Network Administrators, IT Operations Team, Help Desk Staff
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647, https://support.microsoft.com/topic/5f5d753b-4023-4dd3-b7b7-c8b104933d53
User Education and Communication Strategy
Educating users about the upcoming changes in authentication processes and potential impacts will enhance user experience and reduce support calls. Clear communication can prepare users for the transition and mitigate confusion during enforcement phases.
- next-steps: Develop training materials and schedule informational sessions for users. Create a FAQ document addressing common concerns related to the changes in authentication.
- roles: HR Training Coordinators, IT Support Staff, End Users
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647, https://support.microsoft.com/topic/5f5d753b-4023-4dd3-b7b7-c8b104933d53
** AI generated content. This information must be reviewed before use.
Last updated 4 weeks ago