Updated DC hardening timeline for Secure Boot, DCOM, Kerberos, Netlogon shared by Microsoft

Recently, Microsoft confirmed a major Windows Server issue in which Domain Controllers (DCs) had an LSASS memory leak that, in extreme scenarios, would lead to unscheduled reboots while handling Kerberos authentication requests. Fortunately, the company fixed it in a couple of days via out-of-band updates.

Meanwhile, the company also recently updated its DC hardening timeline. In a new support document on its website, the company has removed a February 2024 entry as it was not related to hardening.

On the changelog for the support article, Microsoft writes:

March 10, 2024

Revised the Monthly timeline adding more hardening related content and removed the February 2024 entry from the timeline as it is not hardening related.

For those wondering, DC security hardening is the process of strengthening the servers that run Azure Active Directory (AD) in order to reduce the risk of unauthorized access and data breaches, and the changes are being deployed in phases. The company last published an updated timeline for it back in April 2023, detailing upcoming changes up to January 2024.

The new timeline adds guidance and key dates till February 2025. The one coming up in April 2024 is the third deployment phase against the BlackLotus Secure Boot bypass, and this will be followed by a mandatory enforcement phase in October.

You can find the details below:

April 2024

  • Secure Boot bypass protections KB5025885 | Phase 3

Third Deployment phase. This phase will add additional boot manager mitigations. This phase will start no sooner than April 9, 2024.

October 2024 or later

  • Secure Boot bypass protections KB5025885 | Phase 3

Mandatory Enforcement phase. The revocations (Code Integrity Boot policy and Secure Boot disallow list) will be programmatically enforced after installing updates for Windows to all affected systems with no option to be disabled.

February 2025 or later

  • Certificate-based authentication KB5014754 | Phase 3

Full Enforcement mode. If a certificate cannot be strongly mapped, authentication will be denied.

You can find the full timeline details in the official support document (KB5036534) on Microsoft's website.
