check before: 2025-07-08
Product:
Office 365 general, Windows
Platform:
Online, World tenant
Status:
Change type:
Admin impact
Links:
Details:
Starting with the April 8, 2025, Windows security updates, protections for CVE-2025-26647 are being rolled out and enforced in phases. These updates change how certificate-based authentication (CBA) is handled when the issuing certificate authority (CA) is not in the NTAuth store but a Subject Key Identifier (SKI) mapping exists in the altSecID attribute.
The second phase, the Enforced by Default phase, begins today, July 8, 2025.
When will this happen:
July 8, 2025: Enforced by Default phase
Updates released on or after July 8, 2025, will enforce the NTAuth store check by default. The AllowNtAuthPolicyBypass registry key setting will still allow customers to move back to Audit mode if needed. However, the ability to completely disable this security update will be removed.
October 14, 2025: Enforcement mode
Updates released on or after October 14, 2025, will discontinue Microsoft support for the AllowNtAuthPolicyBypass registry key. At this stage, all certificates must be issued by authorities that are part of the NTAuth store.
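A PowerShell audit a domain administrator could run ahead of the October enforcement date, added here as an example and not part of the Microsoft advisory or the cloudscout.one page: it lists accounts with SKI mappings in altSecurityIdentities, loads each published user certificate, and reports whether its issuing CA is in the locally cached NTAuth store. It assumes the RSAT ActiveDirectory module, the registry location of the NTAuth cache and the X509:<SKI> mapping form noted in the comments, and it only covers certificates published in the userCertificate attribute.

```powershell
# Added example (not from the Microsoft advisory or cloudscout.one): audit the SKI mappings this
# change affects. Assumptions, to verify before relying on them: the RSAT ActiveDirectory module is
# installed; the local NTAuth cache is the registry key below, one subkey per CA named by SHA-1
# thumbprint (refresh with "certutil -pulse"); SKI mappings use the form "X509:<SKI>hexvalue".
Import-Module ActiveDirectory

# Thumbprints of CAs present in the locally cached NTAuth store.
function Get-NtAuthThumbprints {
    $path = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
    (Get-ChildItem -Path $path -ErrorAction Stop).PSChildName | ForEach-Object { $_.ToUpperInvariant() }
}

# Accounts whose altSecurityIdentities carries an SKI mapping, i.e. the case CVE-2025-26647 changes.
function Get-SkiMappedUsers {
    Get-ADUser -LDAPFilter '(altSecurityIdentities=X509:<SKI>*)' -Properties altSecurityIdentities, userCertificate
}

# For every published user certificate whose SKI matches a mapping, build its chain and report whether
# the issuing CA is in NTAuth. Accounts with no published certificate are reported as 'unknown' so they
# can be checked by hand; a CA that is not in NTAuth will fail CBA once the check is enforced.
function Test-SkiMappingIssuers {
    $ntauth = Get-NtAuthThumbprints
    foreach ($u in Get-SkiMappedUsers) {
        $skis = @($u.altSecurityIdentities | Where-Object { $_ -like 'X509:<SKI>*' } |
                  ForEach-Object { ($_ -replace '^X509:<SKI>', '').ToUpperInvariant() })
        if (-not $u.userCertificate) {
            [pscustomobject]@{ User = $u.SamAccountName; Issuer = $null; InNtAuth = 'unknown' }
            continue
        }
        foreach ($raw in $u.userCertificate) {
            $cert = [Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
            $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }   # subjectKeyIdentifier
            if (-not $ext -or $skis -notcontains $ext.SubjectKeyIdentifier.ToUpperInvariant()) { continue }
            $chain = [Security.Cryptography.X509Certificates.X509Chain]::new()
            $null = $chain.Build($cert)
            # Element 0 is the leaf; element 1 is the issuing CA when the chain could be built.
            $issuer = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate } else { $null }
            $inNtAuth = if ($issuer) { $ntauth -contains $issuer.Thumbprint.ToUpperInvariant() } else { 'unknown' }
            [pscustomobject]@{ User = $u.SamAccountName; Issuer = $issuer.Subject; InNtAuth = $inNtAuth }
        }
    }
}

Test-SkiMappingIssuers | Format-Table -AutoSize
```

Rows with InNtAuth equal to False are the accounts whose CA must be added to NTAuth (or whose certificates must be reissued) before enforcement; rows marked unknown need a manual check of the certificate actually presented at logon.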
Release Phase:
Created:
2025-07-09
updated:
2025-07-09
Direct effects for Operations**
Authentication Failures
If the environment uses certificate-based authentication (CBA) with certificates from CAs not in the NTAuth store, authentication may fail once Enforcement mode is enabled.
- roles: System Administrators, Network Engineers
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647
Increased Support Calls
Authentication failures may cause user login issues, leading to an increase in support calls and tickets.
- roles: Help Desk Support, IT Support Staff
- references: https://support.microsoft.com/topic/5f5d753b-4023-4dd3-b7b7-c8b104933d53
Operational Downtime
Failure to update domain controllers and review altSecID mappings may lead to operational downtime as users cannot authenticate to the network.
- roles: System Administrators, Network Engineers
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647
Security Compliance Issues
Organizations may face compliance issues if they do not adhere to the new authentication requirements, potentially leading to security vulnerabilities.
- roles: Compliance Officers, Security Analysts
- references: https://support.microsoft.com/topic/5f5d753b-4023-4dd3-b7b7-c8b104933d53
Increased Audit Workload
New audit events will require additional monitoring and analysis, increasing the workload for IT staff responsible for security audits.
- roles: Security Analysts, System Administrators
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647
Opportunities**
Enhancing Security Posture
Implementing the changes for CVE-2025-26647 will significantly enhance the organization's security posture by ensuring that only certificates from trusted authorities are used for authentication. This reduces the risk of unauthorized access and strengthens overall security compliance.
- next-steps: Conduct a thorough audit of current certificate authorities and ensure that all certificates in use are from the NTAuth store. Update domain controllers as per the guidelines and prepare for the enforcement phase.
- roles: IT Security Manager, Network Administrator, Compliance Officer
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647, https://support.microsoft.com/topic/5f5d753b-4023-4dd3-b7b7-c8b104933d53
Streamlining Certificate Management
The enforcement of NTAuth store checks necessitates a review of certificate management practices. This presents an opportunity to streamline the process of issuing and managing certificates, potentially leading to reduced administrative overhead and increased efficiency.
- next-steps: Evaluate current certificate issuance processes and identify areas for improvement. Consider automating certificate renewals and updates to minimize manual interventions and errors.
- roles: IT Administrator, DevOps Engineer, System Architect
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647, https://support.microsoft.com/topic/5f5d753b-4023-4dd3-b7b7-c8b104933d53
Improving User Experience During Transition
As the organization transitions to the enforced NTAuth store checks, there is a chance to enhance user experience by proactively communicating changes and providing training to users on how to navigate any potential issues with authentication.
- next-steps: Develop a communication plan that includes training sessions for end-users on the changes in authentication processes. Provide clear guidelines and support channels to address user concerns during the transition period.
- roles: User Support Manager, Training Coordinator, IT Helpdesk Staff
- references: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26647, https://support.microsoft.com/topic/5f5d753b-4023-4dd3-b7b7-c8b104933d53
** AI generated content. This information must be reviewed before use.