Latest Windows 10/11 hardening guidance and key dates



 Microsoft Support:

Change log

Change date | Change description
January 17, 2025 | Added the April 2024, January 2025, and April 2025 entries under the "Hardening changes by month" section.
March 10, 2024 | Revised the monthly timeline, adding more hardening-related content, and removed the February 2024 entry from the timeline as it is not hardening-related.

Introduction

Hardening is a key element of our ongoing security strategy to help keep your estate protected while you focus on your job. Increasingly creative cyberthreats target weaknesses anywhere possible, from the chip to the cloud. Have you seen our publications on hardening on the Windows message center? Some of those recently enforced include DCOM authentication hardening and Netjoin: domain join hardening. Let's review vulnerable areas that are undergoing hardening in the upcoming months.

Note: This article will be updated over time to provide the latest information about hardening changes and timelines. Last updated: March 10, 2024.

Hardening changes at a glance

Review the visual timeline to focus on the specific changes that are of interest to you. Find the details for each phase below.

Hardening changes in 2023

Figure 1: A visual timeline of the hardening changes taking place in 2023.

Hardening changes in 2024

Figure 2: A visual timeline of the hardening changes taking place in 2024.

Hardening changes by month

Consult the details for all upcoming hardening changes by month to help you plan for each phase and final enforcement.

January 2025

  • PAC Validation changes KB5037754 | Enforcement by default phase
    Updates released in or after January 2025 will move all Windows domain controllers and clients in the environment to Enforced mode. This mode will enforce secure behavior by default. Existing registry key settings that have been previously set will override this default behavior change.
    The default Enforced mode settings can be overridden by an Administrator to revert to Compatibility mode.

February 2025 or later

  • Certificate-based authentication KB5014754 | Phase 3

    Full Enforcement mode. If a certificate cannot be strongly mapped, authentication will be denied.

April 2025

  • PAC Validation changes KB5037754 | Enforcement phase

    The Windows security updates released in or after April 2025 will remove support for the registry subkeys PacSignatureValidationLevel and CrossDomainFilteringLevel and enforce the new secure behavior. There will be no support for Compatibility mode after installing the April 2025 update.

Get the latest news

Please bookmark the Windows message center to easily find the latest updates and reminders. And if you are an IT admin with access to the Microsoft 365 admin center, set up Email preferences on the Microsoft 365 admin center to receive important notifications and updates.

