Summary

The December 14, 2021 Windows updates add support for packet-level privacy on Encrypting File System (EFS) clients. It is required that both Windows and non-Windows EFS clients use packet-level privacy when connecting to EFS servers that have the December 14, 2021 and later Windows updates installed.

Take action

To help protect your environment and avoid outages, follow these steps:

  1. Update all EFS clients and then servers by installing the December 14, 2021 Windows updates or later Windows updates.

  2. Starting with the March 8, 2022, Enforcement Phase update, Enforcement mode will be required and enabled on all Windows EFS servers.

Timing of Windows updates

The EFS Windows updates will be released in two phases:

  1. Initial Deployment: Introduction of the update on December 14, 2021.

  2. Enforcement Phase: Enforcement mode is enabled. Removal of AllowAllCliAuth registry key.

December 14, 2021: Initial deployment phase

The initial deployment phase starts with the Windows updates released on December 14, 2021.

In this release:

  • The December 14, 2021 Windows updates address the issue outlined in CVE-2021-43217.

The update includes the Enforcement Mode AllowAllCliAuth registry key to help in the deployment of the updates.

EFS on Network: For environments where EFS is used to encrypt files over the network, from a client to a server hosting the files, we recommend that clients are updated first and then servers. Updating servers before clients will cause EFS connection errors.

For environments in which updating EFS clients before servers is not possible, we have provided a registry key named AllowAllCliAuth that can be set on the server to enable non-updated EFS clients to continue connecting until the client update is complete. After clients are updated, we recommend removing the AllowAllCliAuth registry key, or setting it to 0 to make sure that the fix is enforced on all clients.

March 8, 2022: Enforcement phase

The second deployment phase starts with the Windows update to be released on March 8, 2022. In this release:

  • Support for the AllowAllCliAuth registry key will be removed to make sure that enforcement of the fix for CVE-2021-43217 occurs on all clients and servers updated with the March 8, 2022 Windows update.

Registry key information

The AllowAllCliAuth registry setting controls whether EFS clients must use packet-level privacy when connecting to an EFS server that has installed Windows updates released between December 14, 2021, and February 22, 2022.

The AllowAllCliAuth setting will be ignored by EFS servers that install the March 8, 2022 and later Windows updates.

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EFS

Value: AllowAllCliAuth

Data type: REG_DWORD

Data:

  1: The EFS server does not enforce packet-level privacy; non-updated EFS clients can still connect.

  0: EFS clients must support packet-level privacy to connect to an EFS server that has this registry value set. This is Enforcement Mode.

Note If the registry value does not exist on a server, the Default setting is used.

Default: 0 (when the registry value is not set)

Is a restart required? No
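The following PowerShell is an added example, not part of the Microsoft article: it reads, sets and removes the AllowAllCliAuth value on an EFS server during a staged rollout. The subkey, value name, data type and default come from the article; the function names are assumptions made for this illustration. Run it elevated on the EFS server.

```powershell
# Added example (not from the Microsoft article). Subkey and value name are as
# documented above; the function names are assumptions for illustration.
$EfsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EFS'

function Get-EfsPrivacyEnforcement {
    # Report the effective setting. An absent value means the default, 0 (Enforcement Mode).
    $item = Get-ItemProperty -Path $EfsKey -Name 'AllowAllCliAuth' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        [pscustomobject]@{ AllowAllCliAuth = $null; Effective = 0; Mode = 'Enforcement (default, value not set)' }
    }
    elseif ($item.AllowAllCliAuth -eq 1) {
        [pscustomobject]@{ AllowAllCliAuth = 1; Effective = 1; Mode = 'Compatibility (non-updated clients allowed)' }
    }
    else {
        [pscustomobject]@{ AllowAllCliAuth = $item.AllowAllCliAuth; Effective = 0; Mode = 'Enforcement' }
    }
}

function Enable-EfsClientCompatibility {
    # Temporary setting for environments that cannot update all clients before servers.
    # 1 = the server does not enforce packet-level privacy. No restart is required.
    New-ItemProperty -Path $EfsKey -Name 'AllowAllCliAuth' -PropertyType DWord -Value 1 -Force | Out-Null
    Get-EfsPrivacyEnforcement
}

function Enable-EfsPrivacyEnforcement {
    # Once every client has the December 14, 2021 or later update, remove the value
    # (the default is 0). Setting it to 0 explicitly has the same effect.
    Remove-ItemProperty -Path $EfsKey -Name 'AllowAllCliAuth' -ErrorAction SilentlyContinue
    Get-EfsPrivacyEnforcement
}

# Rollout sequence:
#   Enable-EfsClientCompatibility    # only if a server must be updated before its clients
#   ...update the remaining EFS clients...
#   Enable-EfsPrivacyEnforcement     # after all clients are updated; the value is ignored
#                                    # anyway once the March 8, 2022 update is installed
Get-EfsPrivacyEnforcement
```

Keep the compatibility setting in place only for as long as non-updated clients remain; the March 8, 2022 update ignores it, so any clients still depending on it will lose EFS connectivity at that point.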

Auditing events

The December 14, 2021 Windows updates add two new events. Note that these events may be logged only once during a session after a restart if the Enforcement mode registry setting is changed.

Event 1

This event is logged when a non-updated EFS client that does not support packet-level privacy attempts to connect to an EFS server that has installed the December 14, 2021, or a later Windows update.

Event Log: Application

Event Type: Error

Event Source: EFS

Event ID: 4420

Event Text: A client attempted to call an EFS service API without privacy level authentication. Error code: <errorCode>. See https://go.microsoft.com/fwlink/?linkid=2181030

Event 2

This event is logged when an EFS client that does not support packet-level privacy connects to an EFS server that has installed the December 14, 2021 Windows update or a later Windows update and has the AllowAllCliAuth registry setting set to 1.

Event Log: Application

Event Type: Warning

Event Source: EFS

Event ID: 4421

Event Text: A client that called an EFS service API without privacy level authentication was allowed. See https://go.microsoft.com/fwlink/?linkid=2181030.
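The following PowerShell is an added example, not part of the Microsoft article: it collects events 4420 and 4421 from the Application log of one or more EFS servers and summarises whether non-updated clients are still being rejected or allowed. The event IDs, log, source name and meaning come from the article; the function name, the parameter names and the assumption that the provider name matches the documented source "EFS" are mine.

```powershell
# Added example (not from the Microsoft article). Event IDs 4420/4421, the
# Application log and source "EFS" are as documented above; the function and
# parameter names are assumptions for illustration.
function Get-EfsPrivacyAuditSummary {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    foreach ($server in $ComputerName) {
        $filter = @{ LogName = 'Application'; Id = 4420, 4421; StartTime = $Since }
        # Get-WinEvent raises a non-terminating error when no events match; suppress it.
        $events = Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction SilentlyContinue |
                  Where-Object { $_.ProviderName -eq 'EFS' }   # source name as documented (assumed to match ProviderName)

        $blocked = @($events | Where-Object { $_.Id -eq 4420 })   # Error: client without packet-level privacy rejected
        $allowed = @($events | Where-Object { $_.Id -eq 4421 })   # Warning: such a client allowed (AllowAllCliAuth = 1)

        # Counts are not client counts: the article notes an event may be logged only
        # once per session after a restart, so treat any non-zero count as a signal.
        if ($allowed.Count -gt 0) {
            $assessment = 'Compatibility mode active; non-updated clients still connecting'
        }
        elseif ($blocked.Count -gt 0) {
            $assessment = 'Enforcement active; non-updated clients being rejected'
        }
        else {
            $assessment = 'No non-updated EFS clients observed'
        }

        [pscustomobject]@{
            Server      = $server
            Since       = $Since
            Blocked4420 = $blocked.Count
            Allowed4421 = $allowed.Count
            LastBlocked = ($blocked | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            LastAllowed = ($allowed | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            Assessment  = $assessment
        }
    }
}

# Review the last 30 days on the local server; pass -ComputerName for a list of EFS servers.
Get-EfsPrivacyAuditSummary -Since (Get-Date).AddDays(-30) | Format-Table -AutoSize
```

A server reporting 4421 events is still running with AllowAllCliAuth set to 1 and has clients that need the December 14, 2021 or later update before the value is removed; a server reporting 4420 events is already enforcing, and the affected clients need updating before they can connect again.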
