
Microsoft reminds admins of upcoming full enforcement of Windows DC Kerberos and Netlogon hardening


Microsoft has published a reminder today about the upcoming Full Enforcement phase of Windows Netlogon and Kerberos hardening next month. The changes will be deployed via the October 2023 Patch Tuesday, which will be released on the 10th of October. The full timeline is available in this dedicated article.

The deployment phase ended back in June, and a month later the July Patch Tuesday introduced the initial Enforcement Phase:

The Windows updates released on or after July 11, 2023 will do the following:

  • Removes the ability to set value 1 for the KrbtgtFullPacSignature subkey.
  • Moves the update to Enforcement mode (Default) (KrbtgtFullPacSignature = 3) which can be overridden by an Administrator with an explicit Audit setting.

In case you are not aware, this hardening is meant to address security bypass and elevation of privilege vulnerabilities involving Privilege Attribute Certificate (PAC) signatures in the Netlogon and Kerberos protocols (tracked under ID "CVE-2022-37967").

On its health dashboard website, the tech giant writes:

Reminder: Security hardening changes for Netlogon and Kerberos effective October 10, 2023

Windows updates released November 8, 2022 and later include changes that address security vulnerabilities affecting Windows Server domain controllers (DC). Among the addressed vulnerabilities is a Kerberos security bypass and elevation of privilege scenario involving alteration of Privilege Attribute Certificate (PAC) signatures. Changes to address this issue have been released following a series of phases throughout 2023, and are reaching the final stage of enforcement in October.

Administrators should observe changes which affect Kerberos protocol requirements and are coming into effect with the Windows updates released on and after October 10, 2023.

October 10, 2023 - Full Enforcement phase

Windows updates released on and after this date will have the following effect:

  • Remove the ability to disable PAC signature addition (previously done via the registry subkey KrbtgtFullPacSignature)
  • Remove support for Audit mode (this enabled authentication whether PAC signatures were missing or invalid, and created audit logs for review).
  • Deny authentication to incoming service tickets without the new PAC signatures.

The phase described above is the final phase of these security hardening measures.

All domain-joined, machine accounts are affected by these vulnerabilities.

You may find more details about the topic on this page (KB5020805) on Microsoft's official website.
