{"id":12147,"date":"2025-07-09T03:00:59","date_gmt":"2025-07-08T18:00:59","guid":{"rendered":"https:\/\/m365jp.net\/?p=12147"},"modified":"2025-07-09T03:10:41","modified_gmt":"2025-07-08T18:10:41","slug":"mc1111657-second-phase-for-kb5057784-protections-for-cve-2025-26647-kerberos-authentication-begins-today","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2025-07-09-mc1111657-second-phase-for-kb5057784-protections-for-cve-2025-26647-kerberos-authentication-begins-today","title":{"rendered":"MC1111657 | Second phase for KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication) begins today"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC1111657 | Second phase for KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication) begins today<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>stayInformed<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>07\/08\/2025 17:02:41<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>07\/08\/2025 17:02:38<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>07\/08\/2026 17:02:38<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td>\n<div>Starting with the April 8, 2025, Windows security updates, protections for <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2025-26647\" rel=\"noopener noreferrer\" target=\"_blank\">  CVE-2025-26647<\/a> are being rolled out and enforced in phases. 
These updates change how certificate-based authentication (CBA) is handled when the issuing certificate authority (CA) is not in the NTAuth store but a Subject Key Identifier (SKI) mapping exists in the altSecID attribute.<\/div>\n<div>  <\/div>\n<div>The second phase, the <b>Enforced by Default phase<\/b>, begins today, July 8, 2025.<\/div>\n<div>  <\/div>\n<div><b>When will this happen:<\/b><\/div>\n<div><b>July 8, 2025: Enforced by Default phase<\/b><\/div>\n<ul>\n<li>Updates released on or after July 8, 2025, will enforce the NTAuth store check by default. The <b>AllowNtAuthPolicyBypass<\/b> registry key setting will still allow customers to move back to Audit mode if needed. However, the ability to completely disable this security update will be removed.<\/li>\n<\/ul>\n<div><b>October 14, 2025: Enforcement mode<\/b><\/div>\n<ul>\n<li>Updates released on or after October 14, 2025, will discontinue Microsoft support for the <b>AllowNtAuthPolicyBypass<\/b> registry key. At this stage, all certificates must be issued by authorities that are part of the NTAuth store.<\/li>\n<\/ul>\n<div>  <\/div>\n<div><b>How this will affect your organization:<\/b><\/div>\n<div>If your environment uses CBA and relies on certificates from CAs not in the NTAuth store, authentication may fail once Enforcement mode is enabled. This change affects domain controllers and requires updates to ensure secure authentication behavior. 
New   audit events will help identify affected certificates and CAs.<\/div>\n<div>&nbsp;<\/div>\n<div><b>What you need to do to prepare:<\/b><\/div>\n<ul>\n<li><b>UPDATE<\/b> all domain controllers with a Windows update released on or after April 8, 2025.<\/li>\n<li><b>MONITOR<\/b> new events (e.g., Event ID 45 and 21) that will be visible on domain controllers to identify affected certificate authorities.<\/li>\n<li><b>ENABLE<\/b>&nbsp;Enforcement mode after your environment is now only using logon certificates&nbsp;issued by authorities that are in the NTAuth store.<\/li>\n<li><b>REVIEW AND UPDATE<\/b> altSecID mappings if needed to ensure compatibility.<\/li>\n<\/ul>\n<div>&nbsp;<\/div>\n<div><b>Additional information:<\/b><\/div>\n<ul>\n<li>For full technical details, including registry settings and audit event IDs, see  <a href=\"https:\/\/support.microsoft.com\/topic\/5f5d753b-4023-4dd3-b7b7-c8b104933d53\" rel=\"noopener noreferrer\" target=\"_blank\">  KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication)<\/a><\/li>\n<\/ul>\n<div>  <\/div>\n<div>To learn more about these protections, please see <a href=\"https:\/\/support.microsoft.com\/topic\/5f5d753b-4023-4dd3-b7b7-c8b104933d53\" rel=\"noopener noreferrer\" target=\"_blank\">  Guidance for applying protections related to CVE-2025-26647<\/a>.<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC1111657 | Second phase for KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication) begins today  
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-12147","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/12147","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=12147"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/12147\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=12147"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=12147"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=12147"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}