{"id":8434,"date":"2024-10-05T06:00:53","date_gmt":"2024-10-04T21:00:53","guid":{"rendered":"https:\/\/m365jp.net\/?p=8434"},"modified":"2024-10-05T06:15:43","modified_gmt":"2024-10-04T21:15:43","slug":"mc904929-change-to-the-enforced-by-default-phase-timeline-for-kerberos-signature-validation-risks","status":"publish","type":"post","link":"https:\/\/m365jp.net\/index.php\/2024-10-05-mc904929-change-to-the-enforced-by-default-phase-timeline-for-kerberos-signature-validation-risks","title":{"rendered":"MC904929 | Change to the Enforced by Default phase timeline for Kerberos signature validation risks"},"content":{"rendered":"<div class=\"postie-post\">\n<div>\n<hr>\n<table id=\"section\">\n<tbody>\n<tr>\n<th width=\"95%\">MC904929 | Change to the Enforced by Default phase timeline for Kerberos signature validation risks<\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr>\n<table id=\"data\">\n<tbody>\n<tr>\n<th>Classification<\/th>\n<td>stayInformed<\/td>\n<\/tr>\n<tr>\n<th>Last Updated<\/th>\n<td>10\/04\/2024 20:56:31<\/td>\n<\/tr>\n<tr>\n<th>Start Time<\/th>\n<td>10\/04\/2024 20:56:27<\/td>\n<\/tr>\n<tr>\n<th>End Time<\/th>\n<td>10\/04\/2025 20:56:27<\/td>\n<\/tr>\n<tr>\n<th>Message Content<\/th>\n<td>\n<div>Windows updates dated April 9, 2024, or later add new behaviors that start the process of addressing a security risk in the  <a href=\"https:\/\/learn.microsoft.com\/openspecs\/windows_protocols\/ms-apds\/82b7b7c6-413d-4d66-b6b7-4a9224549782\" rel=\"noopener noreferrer\" target=\"_blank\">  Kerberos PAC Validation Protocol<\/a>. These improvements are deployed in three phases (see below). The timeline of the second phase,  <b>Enforced by Default<\/b>, has changed. This phase will occur in January 2025. For full guidance, see  <a href=\"https:\/\/support.microsoft.com\/help\/5037754\" rel=\"noopener noreferrer\" target=\"_blank\">  KB5037754<\/a>.<\/div>\n<div>  <\/div>\n<div>  <\/div>\n<div><b>When will this happen:<\/b>&nbsp;<\/div>\n<ul>\n<li>April 9, 2024: The initial deployment phase started with the release of the April 2024 security update. This update added new secure behavior that prevents the elevation of privilege risks.<\/li>\n<li>January 2025: The <b>Enforced by Default<\/b> phase starts. In this phase, Windows domain controllers (DC) and clients will move to  <b>Enforced <\/b>mode. This mode will enforce the new secure behavior by default. Note that during this phase, you can override the&nbsp;<b>Enforced by Default<\/b>&nbsp;settings and revert to&nbsp;<b>Compatibility<\/b>&nbsp;mode.<\/li>\n<li>April 2025: <b>Enforcement<\/b> phase begins. In this phase, there is no option to revert from the new secure behavior.<\/li>\n<\/ul>\n<div>  <\/div>\n<div><b>How this will affect your organization:<\/b>&nbsp;<\/div>\n<div>To mitigate the risks described in&nbsp;<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-26248\" rel=\"noopener noreferrer\" target=\"_blank\">CVE-2024-26248<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-29056\" rel=\"noopener noreferrer\" target=\"_blank\">CVE-2024-29056<\/a>,   you must update your entire Windows environment. This must include DCs and clients. Environments that are not up to date will not recognize this new request structure after the  <b>Enforcement <\/b>phase begins. Because of this, security checks will fail.<\/div>\n<div>  <\/div>\n<div><b>What you need to do to prepare:<\/b>&nbsp;<\/div>\n<ol>\n<li><b>UPDATE:<\/b>&nbsp;Install the April 9, 2024, or later update on all Windows DCs and Windows clients.<\/li>\n<li><b>MONITOR:<\/b>&nbsp;Keep track of audit events that are visible in&nbsp;<b>Compatibility<\/b>&nbsp;mode. These events will identify devices that are not up to date.<\/li>\n<li><b>ENABLE:<\/b>&nbsp;Turn on <b>Enforcement<\/b>&nbsp;mode&nbsp;fully in your environment. When you do, it mitigates the risks described in&nbsp;<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-26248\" rel=\"noopener noreferrer\" target=\"_blank\">CVE-2024-26248<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-29056\" rel=\"noopener noreferrer\" target=\"_blank\">CVE-2024-29056<\/a>.<\/li>\n<\/ol>\n<div>  <\/div>\n<div><b>Additional information:<\/b>&nbsp;<\/div>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/help\/5037754\" rel=\"noopener noreferrer\" target=\"_blank\">KB5037754: How to manage PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056<\/a><\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/help\/5020805\" rel=\"noopener noreferrer\" target=\"_blank\">KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967<\/a><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr>\n<th>Machine Translation<\/th>\n<td>\n<div>2024 \u5e74 4 \u6708 9 \u65e5\u4ee5\u964d\u306e Windows \u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3067\u306f\u3001 <a href=\"https:\/\/learn.microsoft.com\/openspecs\/windows_protocols\/ms-apds\/82b7b7c6-413d-4d66-b6b7-4a9224549782\" rel=\"noopener noreferrer\" target=\"_blank\">  Kerberos PAC \u691c\u8a3c\u30d7\u30ed\u30c8\u30b3\u30eb<\/a>\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30ea\u30b9\u30af\u306b\u5bfe\u51e6\u3059\u308b\u30d7\u30ed\u30bb\u30b9\u3092\u958b\u59cb\u3059\u308b\u65b0\u3057\u3044\u52d5\u4f5c\u304c\u8ffd\u52a0\u3055\u308c\u3066\u3044\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u6a5f\u80fd\u5f37\u5316\u306f\u30013\u3064\u306e\u30d5\u30a7\u30fc\u30ba\u3067\u5c55\u958b\u3055\u308c\u307e\u3059(\u4ee5\u4e0b\u3092\u53c2\u7167)\u3002\u7b2c 2 \u30d5\u30a7\u30fc\u30ba\u306e\u30bf\u30a4\u30e0\u30e9\u30a4\u30f3\u3067\u3042\u308b  <b>[\u65e2\u5b9a\u3067\u5f37\u5236<\/b>] \u304c\u5909\u66f4\u3055\u308c\u307e\u3057\u305f\u3002\u3053\u306e\u30d5\u30a7\u30fc\u30ba\u306f 2025 \u5e74 1 \u6708\u306b\u884c\u308f\u308c\u307e\u3059\u3002\u5b8c\u5168\u306a\u30ac\u30a4\u30c0\u30f3\u30b9\u306b\u3064\u3044\u3066\u306f\u3001 <a href=\"https:\/\/support.microsoft.com\/help\/5037754\" rel=\"noopener noreferrer\" target=\"_blank\">  KB5037754<\/a>\u3092\u53c2\u7167\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/div>\n<div>  <\/div>\n<div>  <\/div>\n<div><b>\u3053\u308c\u306f\u3044\u3064\u884c\u308f\u308c\u307e\u3059\u304b:<\/b>&nbsp;<\/div>\n<ul>\n<li>2024 \u5e74 4 \u6708 9 \u65e5: \u521d\u671f\u30c7\u30d7\u30ed\u30a4 \u30d5\u30a7\u30fc\u30ba\u306f\u30012024 \u5e74 4 \u6708\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u306e\u30ea\u30ea\u30fc\u30b9\u304b\u3089\u958b\u59cb\u3055\u308c\u307e\u3057\u305f\u3002\u3053\u306e\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3067\u306f\u3001\u7279\u6a29\u30ea\u30b9\u30af\u306e\u6607\u683c\u3092\u9632\u3050\u65b0\u3057\u3044\u5b89\u5168\u306a\u52d5\u4f5c\u304c\u8ffd\u52a0\u3055\u308c\u307e\u3057\u305f\u3002<\/li>\n<li>2025 \u5e74 1 \u6708: <b>\u300c\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u5f37\u5236\u300d<\/b> \u30d5\u30a7\u30fc\u30ba\u304c\u958b\u59cb\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u30d5\u30a7\u30fc\u30ba\u3067\u306f\u3001Windows \u30c9\u30e1\u30a4\u30f3 \u30b3\u30f3\u30c8\u30ed\u30fc\u30e9\u30fc (DC) \u3068\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u306f  <b>\u5f37\u5236 <\/b>\u30e2\u30fc\u30c9\u306b\u79fb\u884c\u3057\u307e\u3059\u3002\u3053\u306e\u30e2\u30fc\u30c9\u3067\u306f\u3001\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u65b0\u3057\u3044\u30bb\u30ad\u30e5\u30a2\u52d5\u4f5c\u304c\u5f37\u5236\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u30d5\u30a7\u30fc\u30ba\u3067\u306f\u3001\u65e2\u5b9a\u306e&nbsp;\u8a2d\u5b9a<b>\u306b\u3088\u308b\u5f37\u5236<\/b>\u3092\u30aa\u30fc\u30d0\u30fc\u30e9\u30a4\u30c9&nbsp;\u3057\u3066\u3001<b>\u4e92\u63db<\/b>&nbsp;\u30e2\u30fc\u30c9\u306b\u623b\u3059&nbsp;\u3053\u3068\u304c\u3067\u304d\u308b\u3053\u3068\u306b\u6ce8\u610f\u3057\u3066\u304f\u3060\u3055\u3044\u3002<\/li>\n<li>2025 \u5e74 4 \u6708: <b>\u65bd\u884c<\/b> \u30d5\u30a7\u30fc\u30ba\u304c\u958b\u59cb\u3055\u308c\u307e\u3059\u3002\u3053\u306e\u30d5\u30a7\u30fc\u30ba\u3067\u306f\u3001\u65b0\u3057\u3044\u5b89\u5168\u306a\u52d5\u4f5c\u304b\u3089\u5143\u306b\u623b\u3059\u30aa\u30d7\u30b7\u30e7\u30f3\u306f\u3042\u308a\u307e\u305b\u3093\u3002<\/li>\n<\/ul>\n<div>  <\/div>\n<div><b>\u3053\u308c\u304c\u7d44\u7e54\u306b\u4e0e\u3048\u308b\u5f71\u97ff:<\/b>&nbsp;<\/div>\n<div><a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-26248\" rel=\"noopener noreferrer\" target=\"_blank\">CVE-2024-26248<\/a>&nbsp;\u3068&nbsp;<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-29056\" rel=\"noopener noreferrer\" target=\"_blank\">CVE-2024-29056<\/a>   \u306b\u8a18\u8f09\u3055\u308c\u3066\u3044\u308b&nbsp;\u30ea\u30b9\u30af\u3092\u8efd\u6e1b\u3059\u308b\u306b\u306f\u3001Windows \u74b0\u5883\u5168\u4f53\u3092\u66f4\u65b0\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002\u3053\u308c\u306b\u306f\u3001DC \u3068\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u304c\u542b\u307e\u308c\u3066\u3044\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002\u6700\u65b0\u3067\u306a\u3044\u74b0\u5883\u306f\u3001<b>\u5f37\u5236<\/b>\u30d5\u30a7\u30fc\u30ba\u306e\u958b\u59cb\u5f8c\u306b\u3053\u306e\u65b0\u3057\u3044\u8981\u6c42\u69cb\u9020\u3092\u8a8d\u8b58\u3057\u307e\u305b\u3093\u3002\u3053\u306e\u305f\u3081\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30c1\u30a7\u30c3\u30af\u306f\u5931\u6557\u3057\u307e\u3059\u3002<\/div>\n<div>  <\/div>\n<div><b>\u6e96\u5099\u3059\u308b\u305f\u3081\u306b\u5fc5\u8981\u306a\u3053\u3068:<\/b>&nbsp;<\/div>\n<ol>\n<li><b>\u66f4\u65b0:<\/b>&nbsp;2024 \u5e74 4 \u6708 9 \u65e5\u4ee5\u964d\u306e\u66f4\u65b0\u30d7\u30ed\u30b0\u30e9\u30e0\u3092\u3001\u3059\u3079\u3066\u306e Windows DC \u3068 Windows \u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u306b\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u307e\u3059\u3002<\/li>\n<li><b>MONITOR:<\/b>&nbsp;<b>\u4e92\u63db<\/b>&nbsp;\u30e2\u30fc\u30c9\u3067\u8868\u793a\u3055\u308c\u308b&nbsp;\u76e3\u67fb\u30a4\u30d9\u30f3\u30c8\u3092\u8ffd\u8de1\u3057\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u30a4\u30d9\u30f3\u30c8\u306f\u3001\u6700\u65b0\u3067\u306a\u3044\u30c7\u30d0\u30a4\u30b9\u3092\u8b58\u5225\u3057\u307e\u3059\u3002<\/li>\n<li><b>\u6709\u52b9\u306b\u3059\u308b:<\/b>&nbsp;\u74b0\u5883\u3067 <b>\u5f37\u5236<\/b>&nbsp;\u30e2\u30fc\u30c9&nbsp;\u3092\u5b8c\u5168\u306b\u30aa\u30f3\u306b\u3057\u307e\u3059\u3002\u3053\u308c\u3092\u884c\u3046\u3068\u3001<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-26248\" rel=\"noopener noreferrer\" target=\"_blank\">CVE-2024-26248<\/a>&nbsp;\u304a\u3088\u3073&nbsp;<a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-29056\" rel=\"noopener noreferrer\" target=\"_blank\">CVE-2024-29056<\/a>   \u3067\u8aac\u660e\u3055\u308c\u3066\u3044\u308b&nbsp;\u30ea\u30b9\u30af\u304c\u8efd\u6e1b\u3055\u308c\u307e\u3059\u3002<\/li>\n<\/ol>\n<div>  <\/div>\n<div><b>\u8ffd\u52a0\u60c5\u5831:<\/b>&nbsp;<\/div>\n<ul>\n<li><a href=\"https:\/\/support.microsoft.com\/help\/5037754\" rel=\"noopener noreferrer\" target=\"_blank\">KB5037754: CVE-2024-26248 \u304a\u3088\u3073 CVE-2024-29056 \u306b\u95a2\u9023\u3059\u308b PAC \u691c\u8a3c\u306e\u5909\u66f4\u3092\u7ba1\u7406\u3059\u308b\u65b9\u6cd5<\/a><\/li>\n<li><a href=\"https:\/\/support.microsoft.com\/help\/5020805\" rel=\"noopener noreferrer\" target=\"_blank\">KB5020805: CVE-2022-37967 \u306b\u95a2\u9023\u3059\u308b Kerberos \u30d7\u30ed\u30c8\u30b3\u30eb\u306e\u5909\u66f4\u3092\u7ba1\u7406\u3059\u308b\u65b9\u6cd5<\/a><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>MC904929 | Change to the Enforced by Default phase timeline for Kerberos signature validation risks Classifica [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-8434","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/8434","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/comments?post=8434"}],"version-history":[{"count":0,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/posts\/8434\/revisions"}],"wp:attachment":[{"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/media?parent=8434"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/categories?post=8434"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/m365jp.net\/index.php\/wp-json\/wp\/v2\/tags?post=8434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}