
Security #30-day notice: Manage PAC Validation related to CVE-2024-26248 & CVE-2024-29056

The Windows security updates released on or after April 9, 2024 address elevation of privilege vulnerabilities in the Kerberos PAC Validation Protocol (the PAC is the Privilege Attribute Certificate carried inside Kerberos tickets, which a service checks before trusting the authorization data in it).


https://support.microsoft.com/en-us/topic/how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1

Take Action

IMPORTANT: Step 1 (installing the update released on or after April 9, 2024) will NOT fully address the security issues in CVE-2024-26248 and CVE-2024-29056 by default. To fully mitigate the issue on all devices, you must move to Enforcement mode (described in Step 3) once your environment is fully updated.

To help protect your environment and prevent outages, we recommend the following steps:

  1. UPDATE: Windows domain controllers and Windows clients must be updated with a Windows security update released on or after April 9, 2024.

  2. MONITOR: In Compatibility mode, audit events are logged that identify devices that have not yet been updated. Review them until no un-updated device remains.

  3. ENABLE: Once Enforcement mode is fully enabled in your environment, the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056 are mitigated. You can move to Enforcement mode manually as soon as every device is updated; otherwise, install the April 2025 Windows update on all Windows domain controllers and Windows clients once it becomes available, after which Enforcement mode will be fully enabled in your environment and the vulnerabilities properly mitigated.
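The three steps above as one operational check, written here as an added example; it is not code from this notice or from Microsoft's article. It assumes (as documented in the linked article at the time of writing, so confirm them there before use) that both settings are DWORD values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, that PacSignatureValidationLevel uses 2 for Compatibility mode (the default) and 3 for Enforcement mode, and that CrossDomainFilteringLevel uses 2 for Compatibility mode and 4 for Enforcement mode. The article also states which hosts each value applies to; pass the matching hosts via -ComputerName (the default is every domain controller in the current domain). WinRM remoting and the ActiveDirectory module are assumed to be available.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example (not Microsoft's code). Reports the PAC validation hardening
  state of the given hosts and, with -Enforce, moves them to Enforcement mode.
  Assumptions, to be verified against the linked KB article:
    PacSignatureValidationLevel : 2 = Compatibility (default), 3 = Enforcement
    CrossDomainFilteringLevel   : 2 = Compatibility (default), 4 = Enforcement
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hosts to inspect; defaults to every domain controller in the current domain.
    [string[]]$ComputerName = (Get-ADDomainController -Filter * |
                               Select-Object -ExpandProperty HostName),
    # Write the Enforcement values on hosts that are not yet enforced.
    [switch]$Enforce
)

$KerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$EnforcedValues = @{
    PacSignatureValidationLevel = 3
    CrossDomainFilteringLevel   = 4
}

# Runs on each remote host: read both values. A missing value means the
# post-April-2024 default, i.e. Compatibility mode.
$ReadState = {
    param($Key, $Names)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($n in $Names) {
        $v = $null
        if ($props -and $null -ne $props.$n) { $v = [int]$props.$n }
        [pscustomobject]@{ Name = $n; Value = $v }
    }
}

$report = foreach ($computer in $ComputerName) {
    try {
        $state = Invoke-Command -ComputerName $computer -ScriptBlock $ReadState `
                    -ArgumentList $KerbKey, @($EnforcedValues.Keys) -ErrorAction Stop
    } catch {
        # An unreachable host is reported, not silently skipped: it may be unpatched.
        Write-Warning "$computer unreachable: $($_.Exception.Message)"
        continue
    }
    foreach ($s in $state) {
        $shown = if ($null -eq $s.Value) { 'absent (Compatibility)' } else { $s.Value }
        [pscustomobject]@{
            ComputerName = $computer
            Setting      = $s.Name
            Value        = $shown
            Enforced     = ($s.Value -eq $EnforcedValues[$s.Name])
        }
    }
}
$report | Format-Table -AutoSize

if ($Enforce) {
    $targets = $report | Where-Object { -not $_.Enforced } |
               Select-Object -ExpandProperty ComputerName -Unique
    foreach ($computer in $targets) {
        if ($PSCmdlet.ShouldProcess($computer, 'Set PAC validation to Enforcement mode')) {
            Invoke-Command -ComputerName $computer -ArgumentList $KerbKey, $EnforcedValues -ScriptBlock {
                param($Key, $Values)
                foreach ($name in $Values.Keys) {
                    # DWORD; -Force overwrites an existing value or creates a missing one.
                    New-ItemProperty -Path $Key -Name $name -PropertyType DWord `
                        -Value $Values[$name] -Force | Out-Null
                }
            }
        }
    }
}
```

Run it without -Enforce during the MONITOR step to see which hosts are still at the Compatibility default (and which could not be reached at all). Run it with -Enforce only after every domain controller and client has the April 2024 or later update installed, as the notice requires; flipping to Enforcement mode earlier makes patched hosts reject tickets from un-updated ones, which is an outage rather than a mitigation. Because the script supports -WhatIf, a dry run shows exactly which hosts would be changed.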

Here is another important article: