Last year, Windows updates released on or after April 9, 2024 added new behaviors that start the process of addressing a security risk in the Kerberos PAC Validation Protocol. Presently, it is still possible to override the enforcement settings and revert to Compatibility mode.
However, beginning with Windows updates to be released in April 2025, there will be no support for Compatibility mode, and the new secure behavior will be enabled during the Enforcement phase.
Be ready to fully enable Enforcement mode later this year:
Ensure that all Windows domain controllers and Windows clients are updated with a Windows security update released on or after April 9, 2024.
Review Audit events that are visible in Compatibility mode. This will help identify which devices have not been updated with a Windows security update released on or after April 9, 2024.
Install the April 2025 Windows update on all Windows domain controllers and Windows clients, once it becomes available later this year. Enforcement mode will be fully enabled in your environment. This will properly mitigate the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056 will be mitigated.
However, beginning with Windows updates to be released in April 2025, there will be no support for Compatibility mode, and the new secure behavior will be enabled during the Enforcement phase.
Be ready to fully enable Enforcement mode later this year:
Ensure that all Windows domain controllers and Windows clients are updated with a Windows security update released on or after April 9, 2024.
Review Audit events that are visible in Compatibility mode. This will help identify which devices have not been updated with a Windows security update released on or after April 9, 2024.
Install the April 2025 Windows update on all Windows domain controllers and Windows clients, once it becomes available later this year. Enforcement mode will be fully enabled in your environment. This will properly mitigate the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056.
