MC1216196: Hardening changes coming to Common Log File System (CLFS) authentication

Summary

  • A new authentication mitigation for the CLFS driver adds hash-based message authentication codes to logfiles.
  • A 90-day “learning mode” period will allow automatic addition of authentication codes to existing logfiles when opened.
  • After the learning mode, the CLFS driver will enforce that all logfiles contain valid authentication codes to be accessible.
  • Logfiles not updated during the learning mode will require manual authentication using the fsutil command.
  • Administrators should review systems using CLFS logfiles to ensure compliance before enforcement mode begins.

Admin Impact: High
User Impact: Low
Release Start: 28 Oct 2025
Release End: 28 Oct 2025
Services: Windows
Category: Stay informed
Tags: Admin Action

History

1/9/2026 Item Added to Message Center

Microsoft Message

A new hardening authentication mitigation has been introduced for the Common Log File System (CLFS) driver. Windows updates that include this new version of CLFS will initiate a 90-day “learning mode” period during which authentication codes will be added to log files automatically. Device behavior will change after this period. For more information, see Common Log File System (CLFS) Authentication Mitigation.

When will this happen

Windows 11, version 25H2 and Windows Server 2025 updates released on or after October 28, 2025 include this change. A mitigation adoption period, referred to as “learning mode”, will be in place for 90 days following installation of updates. During this time, authentication codes are automatically added to existing logfiles when they are opened. After this period ends, the CLFS driver will enter enforcement mode, requiring all logfiles to contain valid authentication codes.

How this will affect your organization

The authentication mitigation for the CLFS driver adds a hash-based message authentication code (HMAC) to the underlying files of a CLFS logfile. With this, CLFS logfiles include authentication codes generated by combining file data with a system-unique cryptographic key stored in the registry, accessible only to administrators and SYSTEM accounts. Once enforcement mode begins, any logfile without a valid authentication code will fail to open. Logfiles not updated during the 90-day learning mode period must be manually authenticated by an Administrator using the fsutil clfs authenticate command line utility.

What you need to do to prepare

Review systems that use CLFS logfiles and ensure they are opened during the 90-day learning mode period, so authentication codes are applied automatically. For logfiles that remain untouched during this time, plan for manual authentication before enforcement mode begins. See the Additional information section below for detailed guidance.
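One way to carry out this review, as an added example that is not Microsoft's code: the script lists CLFS base log files (`.blf`) that have not been written since the update was installed and, only when asked, runs the `fsutil clfs authenticate` command named above on each. Assumptions: the parameter names and default search root are hypothetical, a `LastWriteTimeUtc` older than the install time is used as a heuristic for "not yet opened by the new driver", and passing the BLF path as the command's argument is not shown in this notice.

```powershell
# Added example: triage CLFS base log files (.blf) before enforcement mode.
# Assumption: a .blf whose LastWriteTimeUtc predates the update install has not
# been opened by the updated CLFS driver, so it carries no authentication codes.
param(
    [Parameter(Mandatory)] [datetime] $UpdateInstalled,  # when the CLFS update was installed
    [string[]] $Root = @("$env:SystemDrive\"),            # hypothetical default search root
    [switch] $Authenticate                                # act instead of only reporting
)

$learningDays = 90                                        # learning mode length per the notice
$enforcement  = $UpdateInstalled.AddDays($learningDays)
$daysLeft     = [math]::Floor(($enforcement - (Get-Date)).TotalDays)
Write-Host "Enforcement expected from $($enforcement.ToString('yyyy-MM-dd')) ($daysLeft days left)"

# -Force includes hidden/system files; unreadable directories are skipped.
$blf = Get-ChildItem -Path $Root -Filter *.blf -File -Recurse -Force -ErrorAction SilentlyContinue

$cutoffUtc = $UpdateInstalled.ToUniversalTime()
$report = foreach ($f in $blf) {
    [pscustomobject]@{
        Path         = $f.FullName
        LastWriteUtc = $f.LastWriteTimeUtc
        NeedsAction  = $f.LastWriteTimeUtc -lt $cutoffUtc
        Result       = $null
    }
}

foreach ($r in $report | Where-Object NeedsAction) {
    if ($Authenticate) {
        # Needs an elevated session: the notice requires an Administrator.
        & fsutil.exe clfs authenticate $r.Path | Out-Null
        $r.Result = if ($LASTEXITCODE -eq 0) { 'authenticated' } else { "fsutil exit $LASTEXITCODE" }
    } else {
        $r.Result = 'pending'                             # report-only run
    }
}

$report | Sort-Object NeedsAction -Descending | Format-Table -AutoSize
```

Run it first without `-Authenticate` to review the list; files that show `NeedsAction` as false were written after the update and are only presumed to have been opened through CLFS.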

Additional information

  • Common Log File System (CLFS) Authentication Mitigation
  • CLFS Authentication Mitigation – Frequently asked questions (FAQ)