MC1216196: Hardening changes coming to Common Log File System (CLFS) authentication
A new hardening authentication mitigation has been introduced for the Common Log File System (CLFS) driver. Windows updates that include this new version of CLFS will initiate a 90-day "learning mode" period during which authentication codes will be added to log files automatically. Device behavior will change after this period. For more information, see Common Log File System (CLFS) Authentication Mitigation.

When will this happen:

Windows 11, version 25H2 and Windows Server 2025 updates released on or after October 28, 2025 include this change. A mitigation adoption period, referred to as "learning mode", will be in place for 90 days following installation of updates. During this time, authentication codes are automatically added to existing logfiles when they are opened. After this period ends, the CLFS driver will enter enforcement mode, requiring all logfiles to contain valid authentication codes.

How this will affect your organization:

The authentication mitigation for the CLFS driver adds a hash-based message authentication code (HMAC) to the underlying files of a CLFS logfile. With this, CLFS logfiles include authentication codes generated by combining file data with a system-unique cryptographic key stored in the registry, accessible only to administrators and SYSTEM accounts. Once enforcement mode begins, any logfile without a valid authentication code will fail to open. Logfiles not updated during the 90-day learning mode period must be manually authenticated by an Administrator using the fsutil clfs authenticate command line utility.

What you need to do to prepare:

Review systems that use CLFS logfiles and ensure they are opened during the 90-day learning mode period, so authentication codes are applied automatically. For logfiles that remain untouched during this time, plan for manual authentication before enforcement mode begins. See the Additional information section below for detailed guidance.

Additional information:
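The learning-mode and enforcement-mode behavior described under "How this will affect your organization", as a small Python model of which logfiles would still open once enforcement begins. This is an added example, not Microsoft's code and not the CLFS on-disk format: the HMAC-SHA256 choice, the keys, the file contents and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional, Tuple


class LogfileRejected(Exception):
    """The modeled open failed: authentication code missing or invalid."""


def compute_tag(key: bytes, data: bytes) -> bytes:
    # Authentication code = HMAC over the file data with the system-unique key.
    # SHA-256 is an assumption; the notice does not name the hash function.
    return hmac.new(key, data, hashlib.sha256).digest()


def open_logfile(key: bytes, data: bytes, tag: Optional[bytes],
                 enforcing: bool) -> Tuple[bytes, bytes]:
    """Model one open; returns (data, tag) as stored after a successful open."""
    if not enforcing:
        if tag is None:
            # Learning mode: the code is added automatically when the file is opened.
            tag = compute_tag(key, data)
        # Assumption: the model never rejects in learning mode (case not covered by the notice).
        return data, tag
    # Enforcement mode: a logfile without a valid authentication code fails to open.
    if tag is None or not hmac.compare_digest(tag, compute_tag(key, data)):
        raise LogfileRejected("missing or invalid authentication code")
    return data, tag


def opens_under_enforcement(key: bytes, data: bytes, tag: Optional[bytes]) -> bool:
    try:
        open_logfile(key, data, tag, enforcing=True)
        return True
    except LogfileRejected:
        return False


def demo() -> dict:
    key_a, key_b = b"A" * 32, b"B" * 32       # constructed keys for two different systems
    data = b"constructed CLFS logfile contents"  # constructed sample data
    _, tag = open_logfile(key_a, data, None, enforcing=False)  # opened during learning mode
    return {
        "opened_in_learning_mode": opens_under_enforcement(key_a, data, tag),
        "never_opened": opens_under_enforcement(key_a, data, None),
        "changed_after_tagging": opens_under_enforcement(key_a, data + b"X", tag),
        "tagged_with_other_key": opens_under_enforcement(key_a, data, compute_tag(key_b, data)),
        # Models an administrator re-authenticating the file with the local key.
        "manually_authenticated": opens_under_enforcement(key_a, data, compute_tag(key_a, data)),
    }
```

Calling `demo()` returns one boolean per case. In this model, only the logfile opened during learning mode and the one re-authenticated with the local key still open under enforcement.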