ZEROLOGON/CVE-2020-1472: can/will Windows clients use secure RPC, even if they are not properly patched?

Lars Bremer 21 Reputation points
2020-09-25T19:11:09.81+00:00

Please excuse me if my question has already been answered by https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc or any of the other sites dealing with CVE-2020-1472, but I could not figure it out.

On our domain, we (unfortunately) have some clients with out-of-date OS (Windows 7, Windows 8, Windows 10 Pro 1703) and also some clients that do not connect to the domain regularly and therefore are always behind the update schedule. Will these machines, which did not/will not/cannot receive the August and following updates, be able to connect to our DCs if these (the DCs) are patched regularly and secure RPC is enforced? My question is quite simple: what is the minimum version/build and patch level required for Windows clients to use secure RPC with the Netlogon secure channel? Or, in other words, will a Windows client that received its latest patches in, e.g., February use a vulnerable Netlogon secure channel connection and no longer be able to log on?

Everywhere I read, I could only find the advice to patch the DCs and then use the event log to monitor for non-compliant logon attempts. But nowhere did I find a word about Windows clients.

Help is very much appreciated. I know that we must take care of our insecure and outdated clients, but this is not all in our hands. A clarification on the above question would help us evaluate our situation.

Thanks in advance
Lars Bremer


Accepted answer
  1. Anonymous
    2020-09-27T12:15:11.083+00:00

    On the problem member you can check it from PowerShell
    Test-ComputerSecureChannel
    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1

    --please don't forget to Accept as answer if the reply is helpful--

    0 comments No comments
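Added example (not code from the accepted answer or from Microsoft): the member-side check with Test-ComputerSecureChannel, followed by the DC-side event log review the question mentions. The Netlogon event IDs and the "Machine SamAccountName" message field are assumptions taken from the KB 4557222 guidance linked in the question, not from this page.

```powershell
# --- On the member/client (run elevated) ---
# Returns $true when the secure channel to a DC is intact; -Verbose names the DC used.
$ok = Test-ComputerSecureChannel -Verbose
if (-not $ok) {
    # -Repair resets the machine account password and rebuilds the secure channel.
    Test-ComputerSecureChannel -Repair -Verbose
}

# --- On a patched domain controller ---
# Netlogon event IDs in the System log (assumed from the KB 4557222 guidance):
#   5827/5828  connection denied (machine account / trust account)
#   5829       vulnerable connection allowed (initial deployment phase)
#   5830/5831  vulnerable connection allowed by the "Domain controller: Allow
#              vulnerable Netlogon secure channel connections" group policy
$ids   = 5827, 5828, 5829, 5830, 5831
$since = (Get-Date).AddDays(-7)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = $ids
    StartTime    = $since
} -ErrorAction SilentlyContinue

# The event text names the client's machine account; the field label is assumed.
# Fall back to the first message line if the label is not present.
$rows = foreach ($e in $events) {
    $m = [regex]::Match($e.Message, 'Machine SamAccountName:\s*(\S+)')
    $acct = if ($m.Success) { $m.Groups[1].Value } else { ($e.Message -split "`r?`n")[0] }
    [pscustomobject]@{ Id = $e.Id; Account = $acct; Time = $e.TimeCreated }
}

# One line per (event ID, account) with count and last-seen time: the list of
# devices to patch or, for non-Windows devices that cannot be, to exempt by policy.
$rows |
    Group-Object Id, Account |
    ForEach-Object {
        [pscustomobject]@{
            EventId  = $_.Group[0].Id
            Account  = $_.Group[0].Account
            Count    = $_.Count
            LastSeen = ($_.Group.Time | Sort-Object)[-1]
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run the first part on the client that is suspected of failing, and the second on each patched DC; an account that only ever appears with 5829 is still being allowed, while 5827/5828 entries are already being refused.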

6 additional answers

Sort by: Most helpful
  1. Anonymous
    2020-09-25T20:00:47.73+00:00

    The February 9, 2021 update transitions into the enforcement phase. The DCs will now be in enforcement mode regardless of the enforcement mode registry key. This requires all Windows and non-Windows devices to use secure RPC with Netlogon secure channel or explicitly allow the account by adding an exception for the non-compliant device. 

    --please don't forget to Accept as answer if the reply is helpful--

    1 person found this answer helpful.

  2. Aaron Margosis 26 Reputation points
    2020-10-01T02:10:13.547+00:00

    From what I've observed, unless Windows clients explicitly disable signing/encryption, they won't get blocked. In informal testing, we've observed NT4, Windows 2000, and XP SP2 successfully logging on to patched DCs, even with the full-enforcement registry value applied.

    Aaron Margosis (Tanium)

    1 person found this answer helpful.
    0 comments No comments

  3. Anonymous
    2020-09-26T12:39:55.823+00:00

    Windows should already be capable of using it.
    https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f

    --please don't forget to Accept as answer if the reply is helpful--


  4. DonPick 1,266 Reputation points
    2020-09-27T12:47:22.373+00:00

Win7 & Win10-1703 are out of support, so they are not included in the scope of this fix.

    0 comments No comments
