About PAC Validation coming changes

Question

Hi guys

About PAC Validation coming changes: https://support.microsoft.com/en-gb/topic/how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1

We have some Windows Server 2012 R2 and Windows 10 servers that we cannot upgrade due to some legacy software restrictions.

We have a migration plan, but we will not be able to complete it by April. Therefore, I need to find a way to keep the environment running after April. I am considering keeping our domain controllers updated until January 2025, but with the compatibility registry key enabled.

With this approach, I hope to achieve the goal of maintaining a stable environment, even with some servers remaining unpatched.

Based on your knowledge, in this case, would it be valid to say that both the updated servers after April and the ones that are not updated would function normally without breaking the environment?

thank you

Answer 1

Hi Rodrigo Maldonado,

Thanks for your post. Please understand as FAQ said in the changes: https://support.microsoft.com/en-gb/topic/how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1. If you do not update the whole environment, system will be vulnerable. This is because the new Network Ticket Logon flow may have to be routed across domains to reach the domain of the service account.

 

https://learn.microsoft.com/en-us/answers/questions/2183741/no-ai-components-in-settings-on-snapdragon-and-lun

https://learn.microsoft.com/en-us/answers/questions/2183523/sysprep-failing-for-windows-11-24h2

Best Regards,

Ian Xue

---

If the Answer is helpful, please click "Accept Answer" and upvote it.