Applies To: Windows Server 2012; Windows Server 2012 R2; Windows 10; Windows 10 Education, version 1607; Windows 10 Professional, version 1607; Windows 10 Enterprise, version 1607; Windows 10 Enterprise, version 1607; Windows 10 Enterprise, version 1809; Windows 10 Professional Education, version 1607; Windows 10 Pro Education, version 1607; Windows Server 2019; Windows Server 2022; Windows 10 Home and Pro, version 21H2; Windows 10 Enterprise and Education, version 21H2; Windows 10 IoT Enterprise, version 21H2; Windows 10 Home and Pro, version 22H2; Windows 10 Enterprise Multi-Session, version 22H2; Windows 10 Enterprise and Education, version 22H2; Windows 10 IoT Enterprise, version 22H2; Windows 11 Home and Pro, version 21H2; Windows 11 Enterprise Multi-Session, version 21H2; Windows 11 Enterprise and Education, version 21H2; Windows 11 IoT Enterprise, version 21H2; Windows 11 Home and Pro, version 22H2; Windows 11 Enterprise Multi-Session, version 22H2; Windows 11 Enterprise and Education, version 22H2; Windows 11 IoT Enterprise, version 22H2

Summary

Windows updates dated on or after December 14, 2021 add support for packet-level privacy on Encrypting File System (EFS) clients. It is required that both Windows and non-Windows EFS clients use packet-level privacy when connecting to EFS servers that have the Windows updates dated on or after December 14, 2021 installed.

Take action

To help protect your environment and avoid outages, follow these steps:

  1. Update all EFS clients and then servers by installing the Windows updates dated on or after December 14, 2021.

  2. Starting with the March 8, 2022, Enforcement Phase update, Enforcement mode will be required and enabled on all Windows EFS servers.

Timing of Windows updates

The EFS Windows updates will be released in two phases:

  1. Initial Deployment: Introduction of the update on December 14, 2021.

  2. Enforcement Phase: Enforcement mode is enabled, and support for the AllowAllCliAuth registry key is removed.

December 14, 2021: Initial deployment phase

The initial deployment phase starts with the Windows updates released on December 14, 2021.

In this release:

  • Applying the Windows updates dated on or after December 14, 2021 addresses the issue outlined in CVE-2021-43217.

  • The update includes the AllowAllCliAuth registry key, which controls Enforcement Mode, to help with the deployment of the updates.

EFS on Network: For environments where EFS is used to encrypt files over the network, from a client to a server hosting the files, we recommend that clients are updated first and then servers. Updating servers before clients will cause EFS connection errors.

For environments in which updating EFS clients before servers is not possible, we have provided a registry key named AllowAllCliAuth that can be set on the server to enable non-updated EFS clients to continue connecting until the client update is complete. After clients are updated, we recommend removing the AllowAllCliAuth registry key, or setting it to 0 to make sure that the fix is enforced on all clients.

March 8, 2022: Enforcement phase

The second deployment phase starts with the Windows update to be released on March 8, 2022. In this release:

  • Support for the AllowAllCliAuth registry key will be removed to make sure that enforcement of the fix for CVE-2021-43217 occurs on all clients and servers updated with the March 8, 2022 Windows update.

Registry key information

The AllowAllCliAuth registry setting controls whether EFS clients must use packet-level privacy when connecting to an EFS server that has installed Windows updates released between December 14, 2021, and February 22, 2022.

The AllowAllCliAuth setting will be ignored by EFS servers that install the March 8, 2022 and later Windows updates.

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EFS

Value: AllowAllCliAuth

Data type: REG_DWORD

Data:

  1: The EFS server will not enforce packet-level privacy, so EFS clients that do not support it can still connect.

  0: EFS clients must support packet-level privacy to connect to an EFS server that has this registry key set. This is Enforcement Mode.

Note If the registry key does not exist on a server, then the Default setting is used.

Default: 0 (when the registry key is not set)

Is a restart required? No

Auditing events

The December 14, 2021 Windows updates add two new events. Note that these events may be logged only once during a session after a restart if the Enforcement mode registry setting is changed.

Event 1

This event is logged when a non-updated EFS client that does not support packet-level privacy attempts to connect to an EFS server that has Windows updates dated on or after December 14, 2021.

Event Log: Application

Event Type: Error

Event Source: EFS

Event ID: 4420

Event Text: A client attempted to call an EFS service API without privacy level authentication. Error code: <errorCode>. See https://go.microsoft.com/fwlink/?linkid=2181030

Event 2

This event is logged when an EFS client that does not use packet-level privacy connects to an EFS server that has installed Windows updates dated on or after December 14, 2021 and has the AllowAllCliAuth registry setting set to 1.

Event Log: Application

Event Type: Warning

Event Source: EFS

Event ID: 4421

Event Text: A client that called an EFS service API without privacy level authentication was allowed. See https://go.microsoft.com/fwlink/?linkid=2181030.
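The following PowerShell script is an added example, not part of the Microsoft article: it reads the AllowAllCliAuth value described in the registry section above and summarizes EFS events 4420 and 4421 from the Application log, so an administrator can tell whether a server is in Enforcement Mode and whether non-updated clients are still connecting. It assumes it is run in an elevated session on the EFS server itself.

```powershell
# Added example (not from the original article): audit an EFS server's
# AllowAllCliAuth enforcement state and report EFS events 4420/4421.
# Assumes an elevated PowerShell session on the EFS server.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\EFS'
$valueName = 'AllowAllCliAuth'

$props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
if ($null -eq $props -or $null -eq $props.$valueName) {
    # Value absent: the documented default (0, Enforcement Mode) applies.
    $state = 'Enforcement Mode (value not set, default 0)'
} elseif ($props.$valueName -eq 1) {
    $state = 'NOT enforced (AllowAllCliAuth = 1): non-updated clients are still allowed'
} else {
    $state = "Enforcement Mode (AllowAllCliAuth = $($props.$valueName))"
}
Write-Output "EFS packet-level privacy: $state"

# Events documented in the article: 4420 = client rejected (Error),
# 4421 = client allowed without privacy level authentication (Warning).
# Per the article, each may be logged only once per session after a
# restart, so counts are not a per-connection tally.
$filter = @{ LogName = 'Application'; ProviderName = 'EFS'; Id = 4420, 4421 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No EFS 4420/4421 events found in the Application log.'
} else {
    $events |
        Group-Object Id |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                EventId  = $_.Name
                Count    = $_.Count
                LastSeen = $latest.TimeCreated
                Message  = ($latest.Message -split "`n")[0]
            }
        } | Format-Table -AutoSize
}
```

Any 4421 events while AllowAllCliAuth is 1 identify sessions from clients that still need the December 14, 2021 update; 4420 events after the value is removed or set to 0 indicate clients that are now being rejected.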
