Original publish date: April 2023
KB ID: 5036534
Change log
Change date | Description
---|---
February 19, 2025 |
January 30, 2025 |
January 17, 2025 |
March 10, 2024 |
Introduction
Hardening is a key element of our ongoing security strategy to help keep your estate protected while you focus on your job. Increasingly creative cyberthreats target weaknesses anywhere possible, from the chip to the cloud.
This article reviews vulnerable areas that are undergoing hardening changes implemented via Windows security updates. We also post reminders on Windows message center to alert IT administrators about hardening key dates as they approach.
Note: This article will be updated over time to provide the latest information about hardening changes and timelines. Please refer to the Change log section to track the latest changes.
Hardening changes by month
Consult the details for recent and upcoming hardening changes by month to help you plan for each phase and final enforcement.
- Secure Boot bypass protections KB5025885 | Phase 1 Initial Deployment phase. Windows Updates released on or after May 9, 2023 address vulnerabilities discussed in CVE-2023-24932, changes to Windows boot components, and two revocation files which can be manually applied (a Code Integrity policy and an updated Secure Boot disallow list (DBX)).
- Netlogon protocol changes KB5021130 | Phase 3 Enforcement by default. The RequireSeal subkey will be moved to Enforcement mode unless you explicitly configure it to be under Compatibility mode.
- Kerberos PAC Signatures KB5020805 | Phase 3 Third Deployment phase. Removes the ability to disable PAC signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0.
- Netlogon protocol changes KB5021130 | Phase 4 Final enforcement. The Windows updates released on July 11, 2023 will remove the ability to set the RequireSeal registry subkey to a value of 1. This enables the Enforcement phase of CVE-2022-38023.
- Kerberos PAC Signatures KB5020805 | Phase 4 Initial Enforcement mode. Removes the ability to set the KrbtgtFullPacSignature subkey to a value of 1, and moves to Enforcement mode as the default (KrbtgtFullPacSignature = 3), which you can override with an explicit Audit setting.
- Secure Boot bypass protections KB5025885 | Phase 2 Second Deployment phase. Updates for Windows released on or after July 11, 2023 include automated deployment of the revocation files, new Event Log events to report whether revocation deployment was successful, and a SafeOS Dynamic Update package for WinRE.
- Kerberos PAC Signatures KB5020805 | Phase 5 Full Enforcement phase. Removes support for the registry subkey KrbtgtFullPacSignature, removes support for Audit mode, and denies authentication to all service tickets without the new PAC signatures.
- Active Directory (AD) permissions updates KB5008383 | Phase 5 Final deployment phase. The final deployment phase can begin once you have completed the steps listed in the "Take Action" section of KB5008383. To move to Enforcement mode, follow the instructions in the "Deployment Guidance" section to set the 28th and 29th bits on the dSHeuristics attribute. Then monitor for events 3044-3046, which report when Enforcement mode has blocked an LDAP Add or Modify operation that might previously have been allowed in Audit mode.
- Secure Boot bypass protections KB5025885 | Phase 3 Third Deployment phase. This phase adds additional boot manager mitigations and will start no sooner than April 9, 2024.
- PAC Validation changes KB5037754 | Compatibility mode phase. The initial deployment phase starts with the updates released on April 9, 2024. This update adds new behavior that prevents the elevation of privilege vulnerabilities described in CVE-2024-26248 and CVE-2024-29056, but does not enforce it unless both Windows domain controllers and Windows clients in the environment are updated. To enable the new behavior and mitigate the vulnerabilities, make sure your entire Windows environment (including both domain controllers and clients) is updated. Audit events are logged to help identify devices that have not been updated.
- Secure Boot bypass protections KB5025885 | Phase 3 Mandatory Enforcement phase. The revocations (Code Integrity Boot policy and Secure Boot disallow list) will be programmatically enforced after installing updates for Windows on all affected systems, with no option to disable them.
- PAC Validation changes KB5037754 | Enforcement by default phase. Updates released in or after January 2025 will move all Windows domain controllers and clients in the environment to Enforced mode, which enforces the secure behavior by default. Existing registry key settings that have previously been set override this default behavior change. An administrator can override the default Enforced mode settings to revert to Compatibility mode.
- Certificate-based authentication KB5014754 | Phase 3 Full Enforcement mode. If a certificate cannot be strongly mapped, authentication will be denied.
- PAC Validation changes KB5037754 | Enforcement phase. The Windows security updates released in or after April 2025 will remove support for the registry subkeys PacSignatureValidationLevel and CrossDomainFilteringLevel and enforce the new secure behavior. Compatibility mode is no longer supported after installing the April 2025 update.
- Secure Boot bypass protections KB5025885 | Enforcement Phase. The Enforcement Phase will not begin before January 2026, and we will give at least six months of advance warning in this article before this phase begins. When updates are released for the Enforcement Phase, they will include the following:
  - The “Windows Production PCA 2011” certificate will automatically be revoked by being added to the Secure Boot UEFI Forbidden List (DBX) on capable devices. These updates will be programmatically enforced after installing updates for Windows on all affected systems, with no option to disable them.
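The following PowerShell is an added example, not code from this article or from the KBs it cites. It gives an administrator a single readiness check against the timeline above: it reports the override subkeys named in the list (RequireSeal, KrbtgtFullPacSignature, PacSignatureValidationLevel, CrossDomainFilteringLevel), builds a dSHeuristics value with characters 28 and 29 set for the KB5008383 Enforcement step without corrupting the attribute's check digits, tests whether the “Windows Production PCA 2011” certificate is already present in the DBX, and pulls events 3044-3046. The registry paths, the "Directory Service" log name, the dSHeuristics check-digit rule and the use of '1' as the Enforcement character are assumptions made here rather than statements on this page; verify them against the individual KBs before acting on the output.

```powershell
#Requires -Version 5.1
<#
Added example (not from the Microsoft article). Labelled assumptions:
  * The subkeys the article names live at the HKLM paths listed below.
  * dSHeuristics is a character string; the article's "28th and 29th bits"
    are characters 28 and 29, every tenth character is a check digit
    (position 10 = '1', 20 = '2', 30 = '3'), and '1' selects Enforcement.
  * KB5008383 block events 3044-3046 are written to the "Directory Service"
    log on domain controllers.
Run from an elevated prompt on a domain controller.
#>

# Override values from the hardening timeline. After a phase removes support
# for a subkey, any leftover value is ignored, so listing it aids cleanup.
$HardeningValues = @(
    @{ Kb = 'KB5021130'; Name = 'RequireSeal'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' },
    @{ Kb = 'KB5020805'; Name = 'KrbtgtFullPacSignature'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' },
    @{ Kb = 'KB5037754'; Name = 'PacSignatureValidationLevel'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' },
    @{ Kb = 'KB5037754'; Name = 'CrossDomainFilteringLevel'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' }
)

function Get-HardeningRegistryState {
    # One row per override subkey; 'not set' means the update default applies.
    foreach ($v in $HardeningValues) {
        $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            KB    = $v.Kb
            Value = $v.Name
            State = if ($null -eq $item) { 'not set (default)' } else { $item.($v.Name) }
        }
    }
}

function New-DsHeuristicsEnforcementValue {
    # Returns a dSHeuristics string with the requested positions set to $Mode
    # (default: characters 28 and 29 set to '1' = Enforcement, assumed from the
    # KB5008383 guidance). Other characters are preserved and the check digit
    # at every tenth position is rewritten so the directory accepts the value.
    param(
        [string]$Current = '',
        [int[]]$Positions = @(28, 29),
        [char]$Mode = '1'
    )
    $needed = [int]($Positions | Measure-Object -Maximum).Maximum
    # '0' is the neutral value for any flag position we have to pad through.
    $chars = $Current.PadRight($needed, '0').ToCharArray()
    foreach ($p in $Positions) { $chars[$p - 1] = $Mode }
    for ($i = 10; $i -le $chars.Length; $i += 10) {
        $chars[$i - 1] = [char][string]($i / 10)   # check digit: 10 -> '1', 20 -> '2'
    }
    -join $chars
}

function Test-SecureBootRevocationApplied {
    # $true when the PCA 2011 certificate is already in the UEFI forbidden list
    # (DBX), whether applied manually or by the Enforcement Phase updates.
    # Returns $null on firmware without Secure Boot variables.
    try {
        $dbx = Get-SecureBootUEFI -Name dbx -ErrorAction Stop
    } catch {
        Write-Warning "Secure Boot DBX not readable: $($_.Exception.Message)"
        return $null
    }
    $text = [System.Text.Encoding]::ASCII.GetString($dbx.Bytes)
    return ($text -match 'Windows Production PCA 2011')
}

function Get-AdPermissionEnforcementEvents {
    # Events 3044-3046 (assumed log: "Directory Service") for the last $Hours.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 3044, 3045, 3046
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage (elevated, on a domain controller, ActiveDirectory module loaded):
#   Get-HardeningRegistryState | Format-Table -AutoSize
#   Test-SecureBootRevocationApplied
#   $ds  = Get-ADObject -Identity ("CN=Directory Service,CN=Windows NT,CN=Services," +
#          (Get-ADRootDSE).configurationNamingContext) -Properties dSHeuristics
#   $new = New-DsHeuristicsEnforcementValue -Current ([string]$ds.dSHeuristics)
#   Set-ADObject -Identity $ds -Replace @{ dSHeuristics = $new }   # after the KB5008383 "Take Action" steps
#   Get-AdPermissionEnforcementEvents -Hours 24 | Format-Table -Wrap
```

The dSHeuristics helper is a pure string function, so you can run it against the current value and diff the result before writing anything back; an existing value longer than 29 characters keeps its later flags and check digits untouched.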
Other key changes in Windows
Each version of Windows client and Windows Server adds new features and functionality. Occasionally, new versions also remove features and functionality, often because a newer option exists. Please see the following articles for details about the features and functionalities that are no longer being developed in Windows.
Client
Server
Get the latest news
Please bookmark the Windows message center to easily find the latest updates and reminders. And if you are an IT admin with access to the Microsoft 365 admin center, set up Email preferences on the Microsoft 365 admin center to receive important notifications and updates.