Please excuse if my question should have been answered by https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc or any of the other sites dealing with CVE-2020-1472, but I could not figure it out.
On our domain, we (unfortunately) have some clients with out-of-date OS (Windows 7, Windows 8, Windows 10 Pro 1703) and also some clients that do not connect to the domain regularly and are therefore always behind the update schedule. Will these machines, which did not/will not/cannot receive the August and following updates, be able to connect to our DCs if these (the DCs) are patched regularly and secure RPC is enforced? My question is quite simple: what is the minimum version/build and patch level required for Windows clients to use secure RPC with the Netlogon secure channel? Or, in other words, will a Windows client that has received its latest patches in, e.g., February use a vulnerable Netlogon secure channel connection and no longer be able to log on?
Everywhere I read, I could only find the advice to patch the DC and then use the event log to monitor for non-compliant logon attempts. But nowhere did I find a word regarding Windows clients.
Help is very much appreciated. I know that we must take care of our insecure and outdated clients, but this is not entirely in our hands. A clarification on the above question would help us evaluate our situation.
Thanks in advance
Lars Bremer
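Since the only monitoring advice the question mentions is to watch the DC event log, here is an added example (not from the question, nor Microsoft's KB article) that lists the Netlogon enforcement events on a patched DC and extracts the client's account, OS and build from each one, which directly shows which outdated clients still negotiate a vulnerable secure channel. It assumes it is run on a DC (or with remote read access to its System log); `$Days` and `$ComputerName` are hypothetical parameters, and the field labels follow the event text published in KB 4557222.

```powershell
# Added example, not part of the original post or of Microsoft's KB article.
# Lists the Netlogon events KB 4557222 says to monitor on a patched DC and pulls
# out the client identity fields so you can see which machines would break once
# enforcement is on. Assumptions: run on (or with remote access to) a DC;
# $Days/$ComputerName are hypothetical parameters; field labels follow the
# published event text, so adjust the regexes if your events differ.
param([int]$Days = 7, [string]$ComputerName = $env:COMPUTERNAME)

# Meaning of each event ID per KB 4557222.
$meaning = @{
    5827 = 'DENIED: vulnerable connection from machine account'
    5828 = 'DENIED: vulnerable connection from trust account'
    5829 = 'ALLOWED (will be denied in enforcement phase)'
    5830 = 'ALLOWED by group policy exception (machine account)'
    5831 = 'ALLOWED by group policy exception (trust account)'
}

$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = @($meaning.Keys)
    StartTime    = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No Netlogon enforcement events in the last $Days days on $ComputerName."
    return
}

function Get-Field([string]$Text, [string]$Label) {
    # Pull "Label: value" out of the event message; empty string if the label is absent.
    if ($Text -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.*)$") { $Matches[1].Trim() } else { '' }
}

$events | ForEach-Object {
    $e = $_
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Outcome  = $meaning[[int]$e.Id]
        Account  = Get-Field $e.Message 'Machine SamAccountName'
        OS       = Get-Field $e.Message 'Machine Operating System'
        Build    = Get-Field $e.Message 'Machine Operating System Build'
        ClientIP = Get-Field $e.Message 'Client IP Address'
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Any client appearing with ID 5829 is one that will fail to log on once enforcement is active, so the OS and build columns give a concrete list of machines to patch or retire before that date.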