Summary

The November 8, 2022 and later Windows updates address weaknesses in the Netlogon protocol when RPC signing is used instead of RPC sealing. More information can be found in CVE-2022-38023.

The Netlogon Remote Protocol remote procedure call (RPC) interface is primarily used to maintain the relationship between a device and its domain, and relationships among domain controllers (DCs) and domains.

This update protects Windows devices from CVE-2022-38023 by default. For third-party clients and third-party domain controllers, the update is in Compatibility mode by default and allows vulnerable connections from such clients. Refer to the Registry Key settings section for steps to move to Enforcement mode.

To help secure your environment, install the Windows update that is dated November 8, 2022 or a later Windows update to all devices, including domain controllers.

Important: Starting April 2023, Enforcement mode will be enabled on all Windows domain controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable the update, but you may move back to the Compatibility mode setting. Compatibility mode will be removed in July 2023, as outlined in the Timing of updates to address CVE-2022-38023 section.

Timing of updates to address CVE-2022-38023

Updates will be released in several phases: the initial phase for updates released on or after November 8, 2022 and the Enforcement phase for updates released on or after July 11, 2023.

The initial deployment phase starts with the updates released on November 8, 2022 and continues with later Windows updates until the Enforcement phase. Windows updates on or after November 8, 2022 address the security bypass vulnerability of CVE-2022-38023 by enforcing RPC sealing on all Windows clients.

By default, devices will be set in Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC seal if they are running Windows, or if they are acting as either domain controllers or as trust accounts.

The Windows updates released on or after April 11, 2023 will remove the ability to disable RPC sealing by setting value 0 to the RequireSeal subkey.

RequireSeal will be moved to Enforced mode unless Administrators explicitly configure it to be in Compatibility mode. Vulnerable connections from all clients, including third parties, will be denied authentication.

The Windows updates released on July 11, 2023 will remove the ability to set value 1 to the RequireSeal subkey. This enables the Enforcement phase of CVE-2022-38023.

Registry Key settings

After the Windows updates that are dated on or after November 8, 2022 are installed, the following registry key is available for the Netlogon protocol on Windows domain controllers:

RequireSeal

Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value: RequireSeal
Data type: REG_DWORD
Data:
0 – Disabled
1 – Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC Seal if they are running Windows, or if they are acting as either domain controllers or trust accounts.
2 – Enforcement mode. All clients are required to use RPC Seal, unless they are added to the "Domain Controller: Allow vulnerable Netlogon secure channel connections" group policy object (GPO).
Restart required? No

Windows events related to CVE-2022-38023

Event Log: System
Event Type: Error
Event Source: NETLOGON
Event ID: 5838
Event Text: The Netlogon service encountered a client using RPC signing instead of RPC sealing.

If you find this error message in your event logs, you must take the following actions to resolve the system error:

Event Log: System
Event Type: Error
Event Source: NETLOGON
Event ID: 5839
Event Text: The Netlogon service encountered a trust using RPC signing instead of RPC sealing.

Event Log: System
Event Type: Warning
Event Source: NETLOGON
Event ID: 5840
Event Text: The Netlogon service created a secure channel with a client with RC4.

If you find Event 5840, this is a sign that a client in your domain is using weak cryptography.

Event Log: System
Event Type: Error
Event Source: NETLOGON
Event ID: 5841
Event Text: The Netlogon service denied a client using RC4 due to the 'RejectMd5Clients' setting.

If you find Event 5841, this is a sign that the RejectMD5Clients value is set to TRUE.

The RejectMD5Clients key is a pre-existing key in the Netlogon service. For more information, see the RejectMD5Clients description of the Abstract Data Model.
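To check a domain controller against the registry setting and the four Netlogon events this article describes, here is an added PowerShell audit script (example code, not from the article; the $Days parameter and the output layout are assumptions, run it in an elevated session on the DC):

```powershell
# Added example (not from the Microsoft article): report the RequireSeal mode and
# summarize CVE-2022-38023 Netlogon events 5838-5841 from the System log.
# $Days is an assumed parameter: how far back to search the event log.
param([int]$Days = 7)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Modes   = @{ 0 = 'Disabled'; 1 = 'Compatibility mode'; 2 = 'Enforcement mode' }

# Read RequireSeal; per the article the post-November-2022 default behaves as Compatibility mode.
$RequireSeal = (Get-ItemProperty -Path $KeyPath -Name RequireSeal -ErrorAction SilentlyContinue).RequireSeal
if ($null -eq $RequireSeal) {
    Write-Output 'RequireSeal: not set (update behaves as Compatibility mode by default)'
} else {
    Write-Output ('RequireSeal: {0} ({1})' -f $RequireSeal, $Modes[[int]$RequireSeal])
}
if ($RequireSeal -eq 0) {
    Write-Warning 'RPC sealing is disabled; this DC accepts signing-only Netlogon connections.'
}

# Event IDs and meanings taken from the article's event table.
$Meaning = @{
    5838 = 'client using RPC signing instead of RPC sealing'
    5839 = 'trust using RPC signing instead of RPC sealing'
    5840 = 'secure channel created with RC4 (weak cryptography)'
    5841 = 'RC4 client denied by the RejectMd5Clients setting'
}
$Filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'
             Id = 5838, 5839, 5840, 5841; StartTime = (Get-Date).AddDays(-$Days) }
$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

if (-not $Events) { Write-Output "No Netlogon 5838-5841 events in the last $Days day(s)."; return }

# One row per event ID so the noisiest category of non-compliant connections is visible first.
$Events | Group-Object Id | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{
        EventId = [int]$_.Name
        Meaning = $Meaning[[int]$_.Name]
        Count   = $_.Count
        Latest  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
    }
} | Format-Table -AutoSize

# Full text of the most recent hits; the message body identifies the client or trust involved.
$Events | Sort-Object TimeCreated -Descending | Select-Object -First 10 TimeCreated, Id, Message | Format-List
```

Any 5838/5839 hits are the connections that Enforcement mode (RequireSeal = 2) will reject, so they are the devices and trusts to update first.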

Frequently Asked Questions (FAQ)

All domain-joined machine accounts are affected by this CVE. After the November 8, 2022 or later Windows updates are installed, events will show which devices are most impacted by this issue; review the Event Log errors section to address the issues.

To help detect older clients that are not using the strongest available crypto, this update introduces event logs for clients that are using RC4.

RPC signing is when the Netlogon protocol uses RPC to sign the messages it sends over the wire. RPC sealing is when the Netlogon protocol both signs and encrypts the messages it sends over the wire.

Glossary

Advanced Encryption Standard (AES) is a block cipher that supersedes the Data Encryption Standard (DES). AES can be used to protect electronic data. The AES algorithm can be used to encrypt (encipher) and decrypt (decipher) information. Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data back into its original form, called plaintext. AES is used in symmetric-key cryptography, meaning that the same key is used for the encryption and decryption operations. It is also a block cipher, meaning that it operates on fixed-size blocks of plaintext and ciphertext, and requires the size of the plaintext as well as the ciphertext to be an exact multiple of this block size. AES is also known as the Rijndael symmetric encryption algorithm [FIPS197].

Netlogon: In a Windows NT operating system-compatible network security environment, the component responsible for synchronization and maintenance functions between a primary domain controller (PDC) and backup domain controllers (BDC). Netlogon is a precursor to the directory replication server (DRS) protocol. The Netlogon Remote Protocol remote procedure call (RPC) interface is primarily used to maintain the relationship between a device and its domain, and relationships among domain controllers (DCs) and domains. For more information, see Netlogon Remote Protocol.

RC4-HMAC (RC4) is a variable key-length symmetric encryption algorithm. For more information, see [SCHNEIER] section 17.1.

Secure channel: An authenticated remote procedure call (RPC) connection between two machines in a domain with an established security context used for signing and encrypting RPC packets.
