The end of an era is approaching for Windows 10 users, a reality made explicit by Microsoft’s recent announcement regarding its official support schedule. As of October 14, 2025, Windows 10 will no longer receive free software updates, security fixes, or official technical support from Microsoft. The landscape for organizations and individuals relying on Windows 10 is changing rapidly, and with it comes an intense focus on meticulous planning, security adaptation, and awareness of potentially disruptive forces. In particular, the April 2024 update, catalogued under KB5037754, introduces critical security changes, primarily to the Kerberos PAC Validation Protocol, that organizations must understand thoroughly to safeguard their environments in the run-up to the transition.
Windows 10 End of Support: What It Means
Windows 10’s time in the sun is ending, making way for continued innovation and support under Windows 11. After the sunset date in October 2025, devices running Windows 10 will still function, but they will become increasingly risky to operate. No more security updates means newly discovered vulnerabilities could be left unpatched, making systems and networks attractive targets for cybercriminals. For businesses, public sector organizations, and even home power users, this represents a nontrivial security and operational risk.
Microsoft’s recommendation is clear: migrate to Windows 11 as soon as practicable. The company positions Windows 11 not just as a follow-on upgrade, but as a security-focused evolution of its flagship OS, with zero-trust features, improved credential protection, and ongoing development momentum. Yet the journey between platforms is rarely smooth, especially for large organizations with complex legacy environments.
The Kerberos PAC Validation Protocol: The Heart of the Update
One of the most significant changes bundled in the April 9, 2024 security update (and its subsequent enforcement phases) centers on the Kerberos PAC (Privilege Attribute Certificate) Validation Protocol. Kerberos, the de facto authentication protocol in Windows domains, relies on the PAC extension to carry critical user privilege information as part of its service tickets. This underpins access control across the entire enterprise, dictating everything from group memberships to device claims.
The reason for urgent action is twofold. First, the update addresses a serious vulnerability where a user or process could spoof the PAC signature, thereby circumventing the safeguards implemented after the disclosure of CVE-2022-37967. Second, it patches an additional vulnerability affecting certain cross-forest authentication scenarios, further bolstering the fabric of Active Directory trust boundaries.
By enhancing signature validation checks and cross-domain filtering logic, the update aims to close exploitable holes that could allow privilege escalation or unauthorized access. However, applying this fix is no mere matter of patch-and-go.
The Update Path: Not a Flip of a Switch
It’s easy to think of security updates as a one-shot operation—install, reboot, and revert to business as usual. Not so with the KB5037754 update and the vulnerabilities it targets (CVE-2024-26248 and CVE-2024-29056). Microsoft’s mitigation approach splits the deployment into multiple coordinated phases, each with its own subtleties and implications.
Compatibility Mode: April 2024 – January 2025
With the initial deployment commencing in April 2024, the security update enters all targeted systems in a “Compatibility mode.” Here’s what this means in practice:
- The new security logic is present but not enforced by default.
- Updated domain controllers and clients can interoperate with unpatched devices, allowing organizations more time for complete coverage.
- Audit events are generated to help administrators pinpoint which devices are not yet updated.
Enforced by Default: January 2025
Come January 2025, updates will automatically switch all Windows domain controllers and clients into “Enforced mode.” Key behaviors here change dramatically:
- Secure behavior (i.e., stringent PAC validation) becomes the default.
- Existing registry key overrides set by administrators can still revert to Compatibility mode, at least temporarily.
- The system administrator maintains the ability to fine-tune enforcement for compatibility, but this flexibility is time-limited.
April 2025: Enforcement Is Absolute
From April 2025, Microsoft’s updates remove the remaining fallbacks. The registry subkeys used to toggle compatibility (PacSignatureValidationLevel and CrossDomainFilteringLevel) are no longer supported:
- The secure, enforced behavior is mandatory; administrators cannot back out.
- Compatibility mode ceases to exist.
- Any unpatched or incompatible systems facing new signature checking and filtering logic may fail, with no supported fallback.
What’s at Stake: Security, Privacy, and Operational Continuity
The underlying vulnerabilities (CVE-2024-26248, CVE-2024-29056) aren’t mere technical curiosities—they represent tangible risks to enterprise security. Attackers exploiting these weaknesses could gain unauthorized privileges, impersonate users, or bypass access controls.
Organizations that lag on patch deployment or neglect to coordinate the transition to Enforcement mode risk:
- Loss of authentication capability in multi-domain or cross-forest setups.
- Access denials for legitimate users when outdated devices cannot meet new verification requirements.
- Elevation of privilege attacks if signature validation is inconsistently enforced.
Technical Deep Dive: How Kerberos PAC Validation Works
To appreciate the update’s gravity, a functional understanding of Kerberos PAC validation is crucial. In a standard Windows environment, when a workstation receives a Kerberos service ticket, it validates the ticket’s PAC, the structure that carries the user privileges and group memberships required for resource access.
- The workstation forwards a Network Ticket Logon request to its domain controller (DC) using Netlogon.
- If the service account is in a different domain, the request traverses trust boundaries via a chain of DCs, each filtering relevant authorization data.
- The Key Distribution Center (KDC) processes and validates PAC signatures, then sends the authorization data back for use in the authentication flow.
Audit Events: The IT Administrator’s Radar
Recognition of patch deployment status and operational readiness relies heavily on monitoring newly introduced audit events. Administrators now have a granular window into authentication flows, failures, and fallback scenarios.
- Kerberos Ticket Logon Action (Event ID 21): Informs when domain controllers process tickets and identify filtered SIDs or compound identity removals.
- Kerberos Ticket Logon Failure (Event ID 22): Flags denied authentication attempts, exposing devices falling short of new protocol expectations.
- Kerberos Ticket Logon Fallback (Event ID 23): Warns or errors if authentication falls back—or fails to, depending on enforcement settings—giving clear signals for compatibility issues.
- Netlogon Unexpected Failure (Event ID 5842): Triggers on unhandled errors during Network Ticket Logon, helping diagnose unexplained access issues.
- Netlogon Unable to Forward (Event ID 5843): Provides early warning if requests can’t traverse domain trusts due to mismatched protocol versions or update states.
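As an added example (not code from the Microsoft article or from the original post), the following PowerShell script pulls the five audit events listed above from one domain controller and groups the readiness signals (22, 23, 5843) so the devices and trust paths still failing can be found. It assumes the Kerberos ticket logon events are written to the System log by the provider Microsoft-Windows-Kerberos-Key-Distribution-Center and the Netlogon events by NETLOGON; verify both provider names with Get-WinEvent -ListProvider before relying on the filter.

```powershell
# Added example, not code from the Microsoft article: summarize PAC validation audit events
# on one domain controller so devices still failing or falling back can be identified.
# ASSUMPTIONS: events 21/22/23 come from provider Microsoft-Windows-Kerberos-Key-Distribution-Center
# and 5842/5843 from NETLOGON, both in the System log.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # domain controller to query
    [int]$Hours = 24                             # look-back window
)

$since = (Get-Date).AddHours(-$Hours)
$filters = @(
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
       Id = 21, 22, 23; StartTime = $since }
    @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5842, 5843; StartTime = $since }
)

$events = foreach ($f in $filters) {
    # An empty result is not an error for this report, so suppress "No events were found"
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue
}

$meaning = @{
    21   = 'Ticket Logon Action (filtered SIDs / compound identity removed)'
    22   = 'Ticket Logon Failure (device cannot meet validation requirements)'
    23   = 'Ticket Logon Fallback (fallback taken, or refused under enforcement)'
    5842 = 'Netlogon Unexpected Failure'
    5843 = 'Netlogon Unable to Forward (trust path has mismatched update state)'
}

# Headline counts per event ID for the window
$events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{ Id = [int]$_.Name; Meaning = $meaning[[int]$_.Name]; Count = $_.Count }
} | Sort-Object Id | Format-Table -AutoSize

# 22, 23 and 5843 are the readiness signals: group on the first lines of the message text
# so each distinct client/trust combination appears once, most frequent first.
$events | Where-Object { $_.Id -in 22, 23, 5843 } |
    Group-Object { ($_.Message -split '\r?\n' | Select-Object -First 4) -join ' | ' } |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'Sample'; Expression = { $_.Name } } |
    Format-Table -Wrap
```

Run it against each DC in turn (or loop over the DC list) during the Compatibility phase; a count of zero for 22 and 23 across all DCs for several weeks is the signal that Enforced mode can be switched on without surprises.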
Registry Keys: Temporary Levers for Controlled Rollout
Microsoft has afforded administrators some flexibility to stagger the rollout and handle compatibility turbulence. Key registry settings include:
- PacSignatureValidationLevel (default 2; set to 3 for enforced validation)
- CrossDomainFilteringLevel (default 2; set to 4 for full enforcement)
- AuditKerberosTicketLogonEvents (controls the verbosity and content of Netlogon event logging)
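As an added example (not code from the Microsoft article or from the original post), this PowerShell script reads the three values above from each domain controller over WinRM and classifies its rollout posture using the default/enforced values the list gives. The registry paths are assumptions, not stated on the page: it assumes PacSignatureValidationLevel and CrossDomainFilteringLevel sit under the Kdc service key and AuditKerberosTicketLogonEvents under Netlogon\Parameters, so confirm them against the KB before use.

```powershell
# Added example, not code from the Microsoft article: report each domain controller's explicit
# PAC validation registry settings and classify its rollout posture.
# ASSUMED paths (verify against the KB): Kdc service key for the two validation levels,
# Netlogon\Parameters for the audit setting.
param([string[]]$DomainController = @($env:COMPUTERNAME))

$kdcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

$report = Invoke-Command -ComputerName $DomainController -ScriptBlock {
    $kdc = $using:kdcKey
    $nl  = $using:netlogonKey

    # Returns $null when the value is absent, meaning the phase default applies
    # (Compatibility until January 2025, Enforced from January 2025 onward).
    function Read-Dword([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { $null } else { [int]$item.$Name }
    }

    $sig   = Read-Dword $kdc 'PacSignatureValidationLevel'
    $xdom  = Read-Dword $kdc 'CrossDomainFilteringLevel'
    $audit = Read-Dword $nl  'AuditKerberosTicketLogonEvents'

    # 3 and 4 are the enforced values; 2 and 2 are the documented defaults.
    $posture = if ($sig -eq 3 -and $xdom -eq 4) { 'Enforced (explicit)' }
               elseif ($null -eq $sig -and $null -eq $xdom) { 'Not set (phase default applies)' }
               elseif ($sig -eq 2 -and $xdom -eq 2) { 'Compatibility (explicit; unsupported after April 2025)' }
               else { 'Mixed: review before Enforcement' }

    [pscustomobject]@{
        DC                             = $env:COMPUTERNAME
        PacSignatureValidationLevel    = $sig
        CrossDomainFilteringLevel      = $xdom
        AuditKerberosTicketLogonEvents = $audit
        Posture                        = $posture
    }
}

$report | Sort-Object DC | Format-Table -AutoSize
```

Any DC reporting "Mixed" or an explicit Compatibility setting is a candidate for remediation before the April 2025 phase, when those values stop being honoured.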
Potential Issues and Organizational Impact
With every meaningful security update comes a constellation of downstream IT challenges. Here’s what’s potentially at risk:
- Breakage in legacy systems. Key business applications relying on older Kerberos implementations or PAC validation algorithms could cease functioning if unpatched.
- Cross-forest authentication outages. Multi-domain enterprise environments are particularly vulnerable if update rollouts are uneven or delayed, especially with intricate trust chains.
- Operational delays. Because fallbacks are only available during the Compatibility mode phase, issues discovered after Enforcement becomes mandatory could directly impact business continuity.
Recommendations and Best Practices for IT Decision Makers
To mitigate the risks and benefit fully from the enhanced protection, organizations should move quickly and thoughtfully:
- Inventory Assets: Catalogue all devices—clients, servers, domain controllers—that participate in Kerberos authentication within your environment.
- Patch Everything: Ensure all endpoints, not just DCs, receive relevant security updates from April 2024 onward.
- Audit Continuously: Use the introduced event logs to identify and address laggards or devices malfunctioning under the new security regime.
- Coordinate Across Domains: Especially in complex or merged organizations, work with cross-team stakeholders to validate compatibility and sequencing of upgrades.
- Test in Non-Production: Before enabling enforced security in production, pilot the changes in a lab mirroring your environment to expose issues without disrupting operations.
- Communicate Clearly: End users and application teams should be made aware of timing and potential authentication interruptions in advance.
- Set Registry Keys Strategically: Use the temporary registry key controls to stage and monitor the transition to full enforcement, but plan for their deprecation.
- Plan the Migration to Windows 11: With only 18 months before Windows 10 support ends, harmonize Kerberos-related updates with your broader OS migration to avoid duplicated effort.
Security Strengths and Strategic Implications
While disruption is a possibility whenever foundational authentication protocols are updated, Microsoft’s changes bring undeniable strengths:
- Definitive closure of privilege escalation paths. With PAC signature validation fully enforced, attackers will have a far harder time abusing undetected flaws.
- Unified, secure-by-default Windows environments. The staged rollout allows managed transition yet draws a firm line for ecosystem-wide compliance.
- Deep, actionable telemetry for IT defenders. The improved audit events amplify real-time security visibility and incident response.
Hidden Risks and Pitfalls
Despite robust design, several underappreciated risks linger beneath the surface:
- Shadow IT and unmanaged endpoints. Any device not centrally managed—or missed in asset inventories—may harbor vulnerabilities past the deadline.
- Inflexibility in heterogeneous environments. Organizations with mixed-vendor infrastructure or non-Windows clients relying on AD SSO may face unique headaches during final enforcement.
- Skills and knowledge gaps. Smaller organizations or poorly resourced IT departments may lack the expertise to interpret audit events and remediate promptly.
- Potential privacy considerations. Increased visibility and logging, while beneficial for security teams, may raise compliance and privacy concerns in regulated sectors.
Looking Ahead: A Time for Action
Windows 10’s sunset and the pivotal Kerberos PAC Validation update exemplify the broader shift toward zero-trust, identity-centric security in the Microsoft ecosystem. The direction is clear; inaction invites both operational and reputational risk.
By beginning comprehensive preparation today—including updates, monitoring, registry management, and user communication—organizations can turn the challenge of this transition into an opportunity. It’s a chance to close old vulnerabilities, build resilience for new threat landscapes, and emerge ready for the next era on Windows 11’s platform.
In summary, while the technical specifics around Kerberos PAC Validation may seem arcane, they encapsulate a much larger truth: in the digital world, relentless adaptation is the price of security. October 2025 will come sooner than expected; the time for decisive, company-wide action is now.
Source: support.microsoft.com How to manage PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056 - Microsoft Support