Hello @SecurechannelIT ,
Thank you for posting here.
Here are the answers for your references.
**Q1:**Should we just create registry DWORD below ?
**A1:**For the registry, the function with value 1 of this registry is the same as February 9, 2021 updates, that is make DC to enforcement mode.
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value: FullSecureChannelProtection
Data type: REG_DWORD
Value:1
If we want to moving to enforcement mode in advance of the February 2021 enforcement phase, then after all non-compliant devices have been addressed, either by enabling secure RPC or by allowing vulnerable connections with the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, we can set the FullSecureChannelProtection registry key to 1.
**Q2:**it advises installing SUU - Service stack update before applying any cumulative patch. Is this the approach before we apply cumulative update for domain controllers that don't get regular security updates?
**A2:**Yes, you are right. It is recommended we install SSU before installing cumulative update .
Hope the information above is helpful. If anything is unclear, please feel free to let us know.
Best Regards,
Daisy Zhou