Quick reminder for administrators, in case anyone hasn't noticed: on the April 2025 patchday (April 8, 2025), the "enforcement phase" of the Kerberos protocol hardening for the Kerberos PAC Validation Protocol came into force. This removed certain modes that could still be activated via the registry.
Microsoft had already gotten serious about hardening the Kerberos protocol on Windows clients and servers in February 2025. As part of the timetable for gradual hardening, the "Enforcement Phase" (KB5037754) for the Kerberos PAC Validation Protocol came into force on April 8, 2025.
The Privilege Attribute Certificate (PAC) is an extension of the Kerberos service tickets. It contains information about the authenticating user and their authorizations.
The Windows security updates that will be released in April 2025 or later will enforce the new security behavior. To do this, the updates remove support for the PacSignatureValidationLevel and CrossDomainFilteringLevel registry subkeys. After installing the April 8, 2025 update, there will no longer be support for compatibility mode.
If you are still using Windows XP systems in an AD environment, you should read the comments in my German article Kerberos PAC-Schwachstellen: Kommt das Ende für Windows XP im April 2025?.
Similar articles
Windows 10/11 and Server hardening: Timeline for 2025 and beyond
Patchday: Windows Server-Updates (April 8, 2025)
Kerberos PAC-Schwachstellen: Kommt das Ende für Windows XP im April 2025?