New steps have been released to mitigate Kerberos signature validation vulnerabilities

The April 2024 security update, released on April 9, 2024, addresses a security vulnerability in the Kerberos PAC Validation Protocol. New Take Action steps have been released as part of KB5037754 to prevent bypassing the PAC signature validation security checks added in KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967.

When will this happen:

* April 9, 2024: Initial deployment phase started with the release of the April 2024 security update.
* October 15, 2024: The Enforced by Default phase starts, where Windows domain controllers and clients will move to Enforced mode. Note that during this phase, the Enforced by Default settings can be overridden by an Administrator to revert to Compatibility mode.
* April 8, 2025: Enforcement phase begins, with no option to revert the new secure behavior.

How this will affect your organization:

To mitigate the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056, you must make sure your entire Windows environment (including both domain controllers and clients) is updated. Environments that are not updated will not recognize the new request structure after Enforcement mode begins, which will cause the security check to fail.

What you need to do to prepare:

To help protect your environment and prevent outages, we recommend the following steps:

* UPDATE: Windows domain controllers and Windows clients must be updated with a Windows security update released on or after April 9, 2024.
* MONITOR: Audit events will be visible in Compatibility mode to identify devices not updated.
* ENABLE: After Enforcement mode is fully enabled in your environment, the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056 will be mitigated.

Additional information:

* KB5037754: How to manage PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056
* KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967

Message ID: MC776076
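The UPDATE and MONITOR steps above can be checked across every domain controller in one pass. The script below is an added example, not part of the Message Center post or KB5037754; it assumes the RSAT ActiveDirectory module, WinRM access to each DC, that the date of the newest installed security update is a usable stand-in for "April 2024 update or later", and that you fill in the PAC validation audit event IDs from KB5037754 (they are not given on this page, so the placeholder is left empty and the query then returns all KDC events).

```powershell
# Added example (not Microsoft's code): report which DCs still lack a security
# update installed on/after the April 9, 2024 release and how many KDC audit
# events each has logged since then (Compatibility-mode audit events flag
# devices that are not yet updated). Dates come from the post.
#Requires -Modules ActiveDirectory

$Cutoff        = Get-Date '2024-04-09'   # April 2024 security update release date
$EnforceDate   = Get-Date '2025-04-08'   # Enforcement phase: no revert possible
$KdcProvider   = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
$AuditEventIds = @()                     # PLACEHOLDER: PAC validation audit IDs per KB5037754

$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($Cutoff, $Provider, $EventIds)

    # UPDATE step (heuristic): newest security update installed on this DC.
    $latest = Get-HotFix |
        Where-Object { $_.Description -match 'Security Update' -and $_.InstalledOn } |
        Sort-Object InstalledOn -Descending | Select-Object -First 1

    # MONITOR step: count KDC audit events logged since the cutoff.
    $filter = @{ LogName = 'System'; ProviderName = $Provider; StartTime = $Cutoff }
    if ($EventIds.Count -gt 0) { $filter['Id'] = $EventIds }
    $audit = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        DC          = $env:COMPUTERNAME
        LatestKB    = $latest.HotFixID
        InstalledOn = $latest.InstalledOn
        Updated     = ($latest.InstalledOn -ge $Cutoff)
        AuditEvents = $audit.Count
    }
} -ArgumentList $Cutoff, $KdcProvider, $AuditEventIds

$report | Sort-Object Updated, DC | Format-Table DC, LatestKB, InstalledOn, Updated, AuditEvents -AutoSize

# Flag stragglers against the Enforcement deadline.
$notUpdated = @($report | Where-Object { -not $_.Updated })
if ($notUpdated.Count -gt 0) {
    $daysLeft = ($EnforceDate - (Get-Date)).Days
    Write-Warning ("{0} DC(s) have no security update installed on/after {1:d}; {2} day(s) until Enforcement." -f `
        $notUpdated.Count, $Cutoff, $daysLeft)
}
```

A non-zero AuditEvents count on an up-to-date DC usually means clients or other DCs talking to it are still behind, so run the same update check on those devices before the Enforced by Default date.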

The post New steps have been released to mitigate Kerberos signature validation vulnerabilities appeared first on M365 Admin.

M365 Admin

by João Ferreira
