90-Day Reminder: The second phase of Kerberos PAC signature validation vulnerability mitigation begins October 15, 2024

Starting October 15, 2024, the Enforced by Default phase of Kerberos PAC signature validation mitigation begins. Updates released on or after this date will move all Windows domain controllers and clients in the environment to Enforced mode, enforcing the secure behavior by default. The Enforced by Default settings can be overridden by an Administrator to revert to Compatibility mode.When will this happen: October 15, 2024: The Enforced by Default phase st...

• October 15, 2024: The Enforced by Default phase starts where Windows domain controllers and clients will move to Enforced mode. Note that during this phase, the Enforced by Default settings can be overridden by an Administrator to revert to Compatibility mode.
• April 8, 2025: Enforcement phase begins with no option to revert the new secure behavior.

1. UPDATE: Windows domain controllers and Windows clients must be updated with a Windows security update released on or after April 9, 2024.
2. MONITOR: Audit events will be visible in Compatibility mode to identify devices not updated.
3. ENABLE: After Enforcement mode is fully enabled in your environment, the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056 will be mitigated.

• KB5037754: How to manage PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056
• KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967