CVE-2026-56155: AD FS Distributed Key Manager container ACL hardening

Se aplica a
Windows Server 2012 ESU Windows Server 2012 R2 ESU Windows Server 2016 Windows Server 2019 Windows Server 2022 Windows Server, version 23H2 Windows Server 2025

Note

Original publish date: July 14, 2026
KB ID: 5121391

Summary

The Access Control List (ACL) on the Distributed Key Manager (DKM) container enters its first hardening phase starting with the July 14, 2026 Windows security update. This hardening effort addresses an elevation of privilege (EOP) that can arise from the vulnerability documented in CVE-2026-56155.

In summary, Active Directory Federation Services (AD FS) relies on the DKM container to store the symmetric keys used to protect token-signing and token-encryption certificates for private keys. If the container's ACL is overly permissive, an attacker with read access to the DKM key material can decrypt the token-signing private keys.

Hardening against this vulnerability begins with the Audit mode, which introduces automatic detection of insecure DKM container ACL configurations. An additional opt-in remediation mechanism helps administrators strengthen DKM container permissions. Further hardening will follow in future updates.

Take action

To protect your environment, complete the following steps:

  1. Install the July 14, 2026 security update or a later Windows update on all AD FS servers.

  2. After installing, the AD FS service will audit the DKM container ACL each time the service starts and every 24 hours thereafter. Review the AD FS Admin event log for Event ID 1132, which indicates that the DKM container permissions require attention. Note that no changes are made automatically.

  3. If Event ID 1132 appears, follow the platform specific steps as appropriate for your Windows Server version.

Windows Server 2016 and later
  1. Opt-in to remediation by setting the RemediateDkmAcl registry key to 1. See the Windows Server 2016 and later topic in the Opt-in remediation section for more information.

  2. By October 13, 2026, if the registry key is not configured, the update will automatically remediate insecure ACLs. To opt out of automatic remediation, set the registry key to 0.

Windows Server 2012 and Windows Server 2012 R2
  1. Grant AD FS service account permissions to remediate, see the Windows Server 2012 and Windows Server 2012 R2 topic in the Opt-in remediation section.

  2. After that, opt-in to remediation by setting the RemediateDkmAcl registry key to 1.

Expected secure state changes

After remediation, only the following principals will have access to the DKM container:

Principal Access Rights
Domain Admins Generic All (Full Control)
Enterprise Admins Generic All (Full Control)
System Generic All (Full Control)
AD FS Service Account Read, Write, Create Child, Write Owner, Delete Tree

Note Inheritance is disabled and all inherited ACEs are discarded. Any other explicit Allow ACEs not in the list above are removed

How to manage this change

Audit mode (July 2026)

After installing the July 2026 update, detection automatically runs one minute after the AD FS service starts and then every 24 hours thereafter. Check the AD FS/Admin event log for the following events.

Event ID Level Meaning
1132 Warning DKM container ACL does not match the expected secure state. Review the ACL.
1133 Information DKM container ACL is in the expected secure state. No action is needed.
1134 Error The detection task encountered an error (such as a LDAP connectivity failure).

Note No automatic changes are made to the ACL during Audit Mode.

Opt-in remediation

Important

This section, method, or task contains information about how to change the registry. However, serious problems might occur if you change the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you change it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.

Use the platform-specific remediation guidance below.

Windows Server 2016 and later

We strongly recommend that administrators remediate during the Audit Mode phase to identify and resolve any compatibility issues before enforcement begins in October 2026. To enable remediation, set the following registry key on any one AD FS server in the farm.

Information Details
Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADFS
Value: RemediateDkmAcl
Type: DWORD
Data: 1

After setting the registry key, either:

  • Wait up to 24 hours for the next detection cycle, or

  • Restart the AD FS service to trigger remediation sooner

On successful remediation, event 1135 (Information) is logged with the previous ACL in SDDL format.

Windows Server 2012 and Windows Server 2012 R2

For these platforms, grant the required permissions to the AD FS service account by following the steps below on any one AD FS server in the farm before enabling the RemediateDkmAcl registry. Otherwise, remediation attempts will fail.

  1. Identify the DKM container DN:

    $dkmContainerDn = (Get-AdfsProperties).CertificateSharingContaine
    $dkmContainerDn
    
  2. Identify the AD FS service account:

    $serviceAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
    $serviceAccount
    
  3. Grant explicit Allow ACEs for WriteOwner and WriteDacl:

    $sid = (New-Object System.Security.Principal.NTAccount($serviceAccount)).Translate([System.Security.Principal.SecurityIdentifier]) 
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dkmContainerDn") 
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule( 
     $sid, 
     ([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner -bor [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl), 
     [System.Security.AccessControl.AccessControlType]::Allow, 
     [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All 
    ) 
    $entry.ObjectSecurity.AddAccessRule($rule) 
    $entry.CommitChanges() 
    $entry.Close() 
    
  4. After the required permissions are granted, set the following registry key on any one AD FS server in the farm to enable remediation.

    Information Details
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADFS
    Value: RemediateDkmAcl
    Type: DWORD
    Data: 1
    Note If "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADFS" is not present, create the "ADFS" key first, then set RemediateDkmAcl under that key.
  5. After setting the registry key, either:

  • Wait up to 24 hours for the next detection cycle, or

  • Restart the AD FS service to trigger remediation sooner

On successful remediation, event 1135 (Information) is logged with the previous ACL in SDDL format.

Save the previous SDDL (Recommended)

As a precautionary measure, we recommend saving the previous ACL (SDDL) from event 1135 after successful remediation. While the previous ACL is not expected to be needed in most cases (since the original permissions were insecure), having it available provides a safety net for any unforeseen compatibility issues.

Note Event logs can roll over due to size limits. If you need the previous SDDL in the future and the event has been overwritten, it will be permanently lost.

To save the SDDL to a file:

# Run this on the AD FS server immediately after remediation (event 1135) 
$event = Get-WinEvent -FilterHashtable @{LogName='AD FS/Admin'; Id=1135} -MaxEvents 1 
$event.Message | Out-File "C:\ADFSBackup\dkm-acl-previous-sddl.txt

How to restore the previous ACL

If you experience issues after remediation and need to revert to the previous ACL:


# Restore the full security descriptor (DACL + Owner + SACL) from the saved SDDL 
$dn = "<Container DN from event 1135 or C:\ADFSBackup\dkm-acl-previous-sddl.txt>" 
$sddl = "<Previous ACL (SDDL) value from event 1135 or C:\ADFSBackup\dkm-acl-previous-sddl.txt>” 
 
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn") 
$entry.ObjectSecurity.SetSecurityDescriptorSddlForm($sddl, [System.Security.AccessControl.AccessControlSections]::All) 
$entry.CommitChanges() 
$entry.Close() 

Note This command requires the account running it to have SeSecurityPrivilege (typically Domain Admins have this). Run this from an elevated PowerShell session on a domain-joined machine.


Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\ADFS" -Name "RemediateDkmAcl" -Value 0 -Type DWord 

After restoring, set RemediateDkmAcl = 0 to prevent the service from re-remediating on the next cycle.

Enforcement mode (October 2026)

Starting with the October 2026 update, remediation runs by default without requiring the registry key. The behavior is equivalent to having RemediateDkmAcl = 1 set.

Enforcement auto-remediation does not apply to Windows Server 2012 or Windows Server 2012 R2. For these platforms, remediate manually by following the steps in the Windows Server 2012 and Windows Server 2012 R2 topic in the Opt-in remediation section.

Opting out of Enforcement mode (October 2026)

Important

This section, method, or task contains information about how to change the registry. However, serious problems might occur if you change the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you change it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows.

If you need to disable automatic remediation after the October 2026 update, set the RemediateDkmAcl value in the registry.

Information Details
Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADFS
Value: RemediateDkmAcl
Type: DWORD
Data: 0

This explicitly disables remediation. Detection (event 1132) continues to fire so admins are aware of the insecure state.

Important Opting out leaves your DKM container vulnerable. Only use this if you have a specific compatibility requirement and plan to manually harden the ACL.

Event reference

Event ID: 1132 — DKM container ACL requires review
Information Details
Event log AD FS/Admin
Event type Warning
Event source AD FS
Event ID 1132
Event text AD FS detected that the Distributed Key Manager (DKM) container ACL does not match the expected secure state. The DKM container stores symmetric keys used to protect token-signing key material.

Container DN:
<DN>

The expected secure state is inheritance disabled, and only Domain Admins, Enterprise Admins, SYSTEM, and the AD FS service account have access.

User Action
To remediate, set the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADFS\RemediateDkmAcl (DWORD) to 1. The service will harden the ACL on the next detection cycle (within 24 hours) or restart the service to trigger remediation sooner. For guidance, see https://go.microsoft.com/fwlink/?linkid=2369796.

Additional Data

Inheritance Disabled: <Yes/No>

Current ACL (SDDL):
<SDDL>
Event ID: 1133 — DKM container ACL is healthy
Information Details
Event log AD FS/Admin
Event type Information
Event source AD FS
Event ID 1133
Event text The DKM ACL background task reviewed the container ACL for security hardening.
The container has the correct settings, and no further action is required.

Container DN:
<DN>
Event ID: 1134 — Detection error
Information Details
Event log AD FS/Admin
Event type Error
Event source AD FS
Event ID 1134
Event text The AD FS DKM container ACL check background task encountered an error.

Container DN:
<DN>

Additional Data
Exception details:
<exception>

User Action
Review the AD FS debug logs for more details. Ensure the AD FS service account has access to the DKM group container in Active Directory.
Event ID: 1135 — Remediation successful
Information Details
Event log AD FS/Admin
Event type Information
Event source AD FS
Event ID 1135
Event text AD FS successfully hardened the Distributed Key Manager (DKM) container ACL.

Container DN:
<DN>

The container ACL now grants access only to Domain Admins, Enterprise Admins, SYSTEM, and the AD FS service account. Inheritance has been blocked, and all other permissions have been removed.

Note: Autoremediation will not run again while the ACL matches the baseline. If you want to permanently opt out of autoremediation even if the ACL drifts in the future, set HKLM\SOFTWARE\Microsoft\ADFS\RemediateDkmAcl (DWORD) to 0.

The previous ACL is included in the SDDL format below. If you need to restore the original permissions, see https://go.microsoft.com/fwlink/?linkid=2369796

Previous ACL (SDDL):
<SDDL>
Event ID: 1136 — Remediation failed
Information Details
Event log AD FS/Admin
Event type Error
Event source AD FS
Event ID 1136
Event text AD FS attempted to remediate the DKM container ACL but encountered an error.

Container DN:
<DN>

User Action
The service will retry remediation on the next detection cycle (within 24 hours). If this error persists, you can manually harden the ACL using ADSI Edit or PowerShell. To disable autoremediation, set HKLM\SOFTWARE\Microsoft\ADFS\RemediateDkmAcl (DWORD) to 0. For guidance, see https://go.microsoft.com/fwlink/?linkid=2369796

Current ACL (SDDL):
<SDDL>

Exception details:
<exception>