A vulnerable connection is a Netlogon secure channel connection that does not use secure RPC. Learn how to update DCs, and address vulnerable connections and non-compliant devices, to protect against the Netlogon vulnerability CVE-2020-1472.

The Netlogon Remote Protocol remote procedure call (RPC) interface is primarily used to maintain the relationship between a device and its domain , and relationships among domain controllers (DCs) and domains. This update protects Windows devices from CVE-2022-38023 by default.

Fixes an issue in which the Net Logon service does not start in Windows Server 2003 or in Windows Server 2008 after you restart the computer.

The script available in this article is a companion to the information in How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472. It is provided as-is.

By default in Windows 8, Windows 7, Windows Vista, and Windows XP, the Fast Logon Optimization feature is set for domain and workgroup members. Policy settings apply asynchronously when the computer starts and when the user signs in.

Describes an issue that prevents the Netlogon service on domain controllers from starting automatically after you upgrade to Windows Server 2016 or Windows Server 2019. Provides a resolution.

To help secure your environment, install this Windows update to all devices, including Windows domain controllers. All domain controllers in your domain must be updated first before switching the update to Enforced mode. To learn more about this vulnerabilities, see CVE-2022-37967. Take Action.

The vulnerability could allow remote code execution if an attacker with access to a primary domain controller (PDC) on a target network runs a specially crafted application to establish a secure channel to the PDC as a replica domain controller.

Resolves a vulnerability in Windows that could allow spoofing if an attacker who is logged on to a domain-joined system runs a specially crafted application that could establish a connection with other domain-joined systems as the impersonated user or system.

A Kerberos source event is logged in the System log of application servers. This event indicates that Kerberos PAC validation is failing. The event resembles the following: Text in Netlogon service debug logs (Netlogon.log) matches the text "NlpUserValidateHigher: Can't allocate Client API slot."