AskWoody
KB articles that need follow up
Additional resources: Latest Windows hardening guidance and key dates - Microsoft Community Hub

| KB | Date | Phase | What | Actions |
|---|---|---|---|---|
| KB5014754 | 5/10/2022 | Initial | Certificate-based authentication changes on Windows domain controllers | Initial install of hardening |
| KB5020805 | 11/8/2022 | Initial | Kerberos protocol changes related to CVE-2022-37967 | Adds PAC signatures to the Kerberos PAC buffer. |
| KB5021130 | 11/8/2022 | Initial | Netlogon protocol changes related to CVE-2022-38023 | By default, devices will be set in Compatibility mode. |
| KB5020805 | 12/13/2022 | Second | Kerberos protocol changes related to CVE-2022-37967 | With this update, all devices will be in Audit mode by default: see also https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-happened-to-kerberos-authentication-after-installing-the/ba-p/3696351 |
| KB5004442 | 3/14/2023 | Final enforcement | Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414) | Final enforcement |
| KB5021130 | 4/11/2023 | Initial enforcement | Netlogon protocol changes related to CVE-2022-38023 | The Windows updates released on or after April 11, 2023 will remove the ability to disable RPC sealing by setting value 0 to the RequireSeal registry subkey. |
| KB5014754 | 4/11/2023 | Enablement | Certificate-based authentication changes on Windows domain controllers | The Enablement Phase starts with the April 11, 2023 updates for Windows, which will ignore the Disabled mode registry key setting. |
| KB5014754 | 4/11/2023 | Removal of disabled mode | Certificate-based authentication changes on Windows domain controllers | Exclusion removed |
| KB5025885 | 5/9/2023 | Initial | Secure boot loader - initial phase | Two revocation files which can be manually applied |
| KB5020805 | 6/13/2023 | Third | Kerberos protocol changes related to CVE-2022-37967 | Remove the ability to disable PAC signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0. |
| KB5021130 | 6/13/2023 | Enforcement by default | Netlogon protocol changes related to CVE-2022-38023 | The RequireSeal registry subkey will be moved to Enforced mode unless Administrators explicitly configure to be under Compatibility mode |
| KB5020805 | 7/11/2023 | First enforcement | Kerberos protocol changes related to CVE-2022-37967 | Moves the update to Enforcement mode (Default) (KrbtgtFullPacSignature = 3) which can be overridden by an Administrator with an explicit Audit setting |
| KB5025885 | 7/11/2023 | Second | Secure boot loader - second phase | New Event Log events will be available to report whether revocation deployment was successful or not. |
| KB5021130 | 7/11/2023 | Final enforcement | Netlogon protocol changes related to CVE-2022-38023 | The Windows updates released on July 11, 2023 will remove the ability to set value 1 to the RequireSeal registry subkey. |
| We are here >>>> KB5020805 | 10/10/2023 | Final enforcement | Kerberos protocol changes related to CVE-2022-37967 | Removes support for the registry subkey KrbtgtFullPacSignature. Removes support for Audit mode. |
| KB5008383 | 1/9/2024 | Final enforcement | AD Permissions | These new mitigations will require that media be updated. |
| KB5025885 | 1/9/2024 | Third | Secure boot loader - third phase | These new mitigations will require that media be updated. |
| KB5025885 | 7/9/2024 | Final enforcement | Secure boot loader - Enforcement | The revocations (Code Integrity Boot policy and Secure Boot disallow list) will be programmatically enforced after installing updates for Windows to all affected systems with no option to be disabled. |
| KB5014754 | 2/11/2025 | Full enforcement | Certificate-based authentication changes on Windows domain controllers | If a certificate cannot be strongly mapped, authentication will be denied. |