MC1111657: Second phase for KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication) begins today
Starting with the April 8, 2025, Windows security updates, protections for CVE-2025-26647 are being rolled out and enforced in phases. These updates change how certificate-based authentication (CBA) is handled when the issuing certificate authority (CA) is not in the NTAuth store but a Subject Key Identifier (SKI) mapping exists in the altSecID attribute. The second phase, the Enforced by Default phase, begins today, July 8, 2025.
When will this happen:
July 8, 2025: Enforced by Default phase
- Updates released on or after July 8, 2025, will enforce the NTAuth store check by default. The AllowNtAuthPolicyBypass registry key setting will still allow customers to move back to Audit mode if needed. However, the ability to completely disable this security update will be removed.
October 14, 2025: Enforcement mode
- Updates released on or after October 14, 2025, will discontinue Microsoft support for the AllowNtAuthPolicyBypass registry key. At this stage, all certificates must be issued by authorities that are part of the NTAuth store.
How this will affect your organization:
If your environment uses CBA and relies on certificates from CAs not in the NTAuth store, authentication may fail once Enforcement mode is enabled. This change affects domain controllers and requires updates to ensure secure authentication behavior. New audit events will help identify affected certificates and CAs.
What you need to do to prepare:
- UPDATE all domain controllers with a Windows update released on or after April 8, 2025.
- MONITOR new events (e.g., Event ID 45 and 21) that will be visible on domain controllers to identify affected certificate authorities.
- ENABLE Enforcement mode once your environment uses only logon certificates issued by authorities that are in the NTAuth store.
- REVIEW AND UPDATE altSecID mappings if needed to ensure compatibility.
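The four preparation steps above can be driven from a single triage script run on each domain controller. The following PowerShell is an added example, not part of the Microsoft message center post or KB5057784. It assumes the AllowNtAuthPolicyBypass value lives under HKLM\SYSTEM\CurrentControlSet\Services\Kdc with 1 = Audit and 2 = Enforcement (taken from KB5057784; verify against the KB before relying on it), that Event IDs 45 and 21 named in the post are written to the System log by the Microsoft-Windows-Kerberos-Key-Distribution-Center provider, and that the "altSecID" attribute referred to above is the altSecurityIdentities attribute in Active Directory.

```powershell
# Added example (not Microsoft's code): CVE-2025-26647 readiness triage for a DC.
# Assumptions (verify against KB5057784):
#   - Registry: HKLM\SYSTEM\CurrentControlSet\Services\Kdc, DWORD AllowNtAuthPolicyBypass
#     0 = Disabled (no longer honoured by July 8, 2025+ updates), 1 = Audit, 2 = Enforcement
#   - Audit events 45 and 21 are logged to System by Microsoft-Windows-Kerberos-Key-Distribution-Center
#Requires -RunAsAdministrator
param(
    [int]$LookbackDays = 30
)

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'   # assumed per KB5057784
$ValueName = 'AllowNtAuthPolicyBypass'                       # value name from the post
$KdcProvider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'  # assumed provider

# Step 1/3: report which mode this DC is actually running in.
function Get-NtAuthBypassMode {
    $item = Get-ItemProperty -Path $KdcKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the update's phase default applies (Enforced by Default from July 8, 2025).
        return 'NotSet (phase default applies)'
    }
    switch ($item.$ValueName) {
        0       { 'Disabled (not honoured after July 8, 2025 updates)' }
        1       { 'Audit' }
        2       { 'Enforcement' }
        default { "Unknown value $($item.$ValueName)" }
    }
}

# Step 2: pull the audit events that name certificates/CAs failing the NTAuth check.
function Get-NtAuthAuditEvents {
    param([int]$Days)
    $filter = @{
        LogName      = 'System'
        ProviderName = $KdcProvider
        Id           = 45, 21
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Step 4: enumerate accounts whose altSecurityIdentities carries an X509 SKI mapping,
# the exact mapping type the NTAuth check now applies to.
function Get-SkiMappedAccounts {
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADObject -LDAPFilter '(altSecurityIdentities=X509:<SKI>*)' -Properties altSecurityIdentities |
        Select-Object DistinguishedName,
            @{ Name = 'SkiMappings'; Expression = { @($_.altSecurityIdentities) -match '^X509:<SKI>' } }
}

# --- Report -----------------------------------------------------------------------
Write-Host "KDC mode ($env:COMPUTERNAME): $(Get-NtAuthBypassMode)"

$events = Get-NtAuthAuditEvents -Days $LookbackDays
if (-not $events) {
    Write-Host "No Event ID 45/21 entries in the last $LookbackDays days."
} else {
    Write-Host "`nEvent counts (last $LookbackDays days):"
    $events | Group-Object Id | Select-Object Name, Count | Format-Table -AutoSize
    # Distinct messages identify the certificates/CAs that would fail under Enforcement.
    Write-Host 'Distinct audit messages:'
    $events | Select-Object -ExpandProperty Message | Sort-Object -Unique | ForEach-Object { "  - $_" }
}

Write-Host "`nAccounts with X509:<SKI> mappings in altSecurityIdentities:"
Get-SkiMappedAccounts | Format-Table -AutoSize -Wrap
```

Run it on every domain controller (or point Get-WinEvent at each DC with -ComputerName) and treat an empty Event ID 45/21 list across the lookback window, combined with the mode reading "Enforcement", as the signal that the environment is ready for the October 14, 2025 Enforcement phase.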
Additional information:
- For full technical details, including registry settings and audit event IDs, see KB5057784: Protections for CVE-2025-26647 (Kerberos Authentication).
To learn more about these protections, please see Guidance for applying protections related to CVE-2025-26647.