KB5036534: Microsoft shares latest Windows 10/11 DC hardening update for 2025

Karlston

Microsoft has released the latest update on the Domain Controller (DC) hardening roadmap. In case you are not familiar with it, hardening essentially refers to the process of securing the operating system by reducing its attack surface and mitigating potential vulnerabilities.

These measures are meant to protect against the CVE-2024-26248 and CVE-2024-29056 Kerberos PAC (Privilege Attribute Certificate) flaws and the BlackLotus Secure Boot flaw.

DC security hardening is strengthening the servers that run Azure Active Directory (AD) in order to reduce the risk of unauthorized access and data breaches, and the changes are being deployed in phases.

In the previous phase, which commenced in October 2024, Secure Boot bypass protections were enforced under the Mandatory Enforcement Phase.

The new timeline is given below:

     

January 2025

• PAC Validation changes KB5037754 | Enforcement by default phase

Updates released in or after January 2025 will move all Windows domain controllers and clients in the environment to Enforced mode. This mode will enforce secure behavior by default. Existing registry key settings that have previously been set will override this default behavior change.

The default Enforced mode settings can be overridden by an Administrator to revert to Compatibility mode.

February 2025 or later

• Certificate-based authentication KB5014754 | Phase 3

Full Enforcement mode. If a certificate cannot be strongly mapped, authentication will be denied.

April 2025

• PAC Validation changes KB5037754 | Enforcement phase

The Windows security updates released in or after April 2025 will remove support for the registry subkeys PacSignatureValidationLevel and CrossDomainFilteringLevel and enforce the new secure behavior. There will be no support for Compatibility mode after installing the April 2025 update.

You can find the timeline in this support article (KB5036534) on Microsoft's official website.
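Because the April 2025 update stops honouring the PacSignatureValidationLevel and CrossDomainFilteringLevel overrides, an administrator will want to know which domain controllers still carry them. The following audit script is an added example, not part of the article or of Microsoft's KB; it assumes the RSAT ActiveDirectory module, WinRM access to every DC, that the January 2025 update is already installed (so a missing value means the Enforced default), and that both values live under the Kdc service key, which is an assumption.

```powershell
# Added example: report DCs that still set the PAC validation override values.
# Assumed location of the two values named in KB5037754 (not stated in the article).
$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$Names  = 'PacSignatureValidationLevel', 'CrossDomainFilteringLevel'

function Get-PacOverrideReport {
    param([string[]]$DomainController)

    # Read the values on each DC remotely; a DC that has never set them
    # returns $null for both and is running the post-January default.
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        param($Key, $ValueNames)
        $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        foreach ($n in $ValueNames) {
            $v = if ($props) { $props.$n } else { $null }
            [pscustomobject]@{
                DC        = $env:COMPUTERNAME
                ValueName = $n
                Value     = $v
                # Any explicit value overrides the Enforced default today and
                # is ignored once the April 2025 update is installed, so it
                # should be reviewed (and the dependency it papers over fixed).
                Status    = if ($null -eq $v) { 'default (Enforced)' }
                            else { 'explicit override - review before April 2025' }
            }
        }
    } -ArgumentList $KdcKey, $Names
}

Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName
Get-PacOverrideReport -DomainController $dcs |
    Sort-Object DC, ValueName |
    Format-Table DC, ValueName, Value, Status -AutoSize
```

Run it from a management host as a domain administrator; DCs listed with an explicit override are the ones that would silently change behaviour when the April 2025 update lands.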

    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every day for many years.

    News posts... 2023: 5,800+ | 2024: 5,700+

    RIP Matrix | Farewell my friend  :sadbye:
