cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Tech Community Live: Windows edition
May 31 2023, 07:30 AM - 11:30 AM (PDT)
Microsoft Tech Community
Find out more
Latest Windows hardening guidance and key dates
By
Namrata_Bachwani
Published Apr 28 2023 11:00 AM 31.4K Views
Namrata_Bachwani
Microsoft
‎Apr 28 2023 11:00 AM

Latest Windows hardening guidance and key dates

‎Apr 28 2023 11:00 AM

Hardening is a key element of our ongoing security strategy to help keep your estate protected while you focus on your job. Increasingly creative cyberthreats target weaknesses anywhere possible, from the chip to the cloud. Have you seen our publications on hardening on the Windows message center? Some of those recently enforced include DCOM authentication hardening and Netjoin: domain join hardening. Let's review vulnerable areas that are undergoing hardening in the upcoming months.

Hardening changes at a glance

Review the visual timeline to focus on the specific changes that are of interest to you. Find the details for each phase below.

A visual timeline of the hardening changes taking place in 2023A visual timeline of the hardening changes taking place in 2023

Hardening changes by month

Consult the details for all upcoming hardening changes by month to help you plan for each phase and final enforcement. Please refer to the Knowledge Base (KB) articles provided for detailed guidance and updates.

April 2023

  • Netlogon protocol changes KB5021130 | Phase 2
    Initial enforcement; removes the ability to disable RPC sealing by setting value 0 to the RequireSeal registry subkey.
  • Certificate-based authentication KB5014754 | Phase 2
    Removes Disabled mode.

June 2023

  • Netlogon protocol changes KB5021130 | Phase 3
    Enforcement by default. RequireSeal subkey will be moved to Enforcement mode unless you explicitly configure it to be under Compatibility mode.
  • Kerberos PAC Signatures KB5020805 | Phase 3
    Removes the ability to disable PAC signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0.

July 2023

  • Netlogon protocol changes KB5021130 | Phase 4
    Final enforcement. RequireSeal subkey will be moved to Enforcement mode unless you explicitly configure it to be under Compatibility mode. Will remove the Compatibility mode (the ability to set value 1 to the RequireSeal registry subkey).
    Editor's note (5.2.2023): The previous post incorrectly described the final enforcement phase for Netlogon protocol. We corrected this in this post to align with the official description documented in the corresponding KB article.
  • Kerberos PAC Signatures KB5020805 | Phase 4
    Enforcement mode as default (KrbtgtFullPacSignature = 3), which you can override with an explicit Audit setting.

October 2023

  • Kerberos PAC Signatures KB5020805 | Phase 5
    Final, full enforcement.

November 2023

  • Certificate-based authentication KB5014754 | Phase 3
    Final, full enforcement.

January 2024

  • Active Directory (AD) permissions issue KB5008383 | Phase 5
    Final enforcement.

A visual timeline of the hardening changes taking place in 2024A visual timeline of the hardening changes taking place in 2024

Get the latest news

Please bookmark the Windows message center to easily find the latest updates and reminders. And if you are an IT admin with access to the Microsoft 365 admin center, set up Email preferences on the Microsoft 365 admin center to receive important notifications and updates.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community and follow us @MSWindowsITPro on Twitter. Looking for support? Visit Windows on Microsoft Q&A.

12 Comments
Co-Authors
Version history
Last update:
‎May 02 2023 04:21 PM
Updated by:
Labels