This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 31%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPP%3C/text%3E%3C/svg%3E)
Hello.
This article:
https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb explains how to prepare for the Kerberos changes that will strengthen Windows Domain Controller security. I discovered this article today.
Addtional tasks described in the article include setting the registry key:
HKEY_LOCAL_MACHINE\System\currentcontrolset\services\kdc\KrbtgtFullPacSignature value to 2 which places the machine in Audit mode after the first update deployment. I was unaware of this requirement at that time.
The article also explains that after the second deployment phase which occurred December 13 all devices will be in Audit mode by default. Our Domain Controllers (we have two running on Windows Server 2019 Standard - single domain, single subnet, basic setup), do not have KrbtgtFullPacSignature as a registry key at the location mentioned.
My question is do I need to create the key manually or has the December update done this via another method?
I'm a little confused over what is required, so any help will be appreciated very much. If it is simply a matter of creating the key that is fine.
Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
You'll only add the **KrbtgtFullPacSignature **dword if you wanted something other than the default. The default (no dword in registry) value changes over time.
11/8/22 New signatures are added, but not verified. (Default setting)
12/13/22 Audit mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is allowed and audit logs are created.
4/11/23 Disabled via registry is no longer possible
7/11/23 defaults to Enforcement mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is denied and audit logs are created. but Audit mode is still possible
10/10/23 full Enforcement mode
-
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
Thank you so much for your help.
You're welcome.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 40%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETT%3C/text%3E%3C/svg%3E)
I was confused also. My Tenable scan would not clear until I added the value of 3 to the registry key, which I added. Now I'm waiting to see what I broke. Thanks for your post. Good luck.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 93%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Tommy,
Did you experience any issues setting it to 3? We manually created the value back in November and set it to 0 to remediate issues with KB5019966 and now have this finding ourselves. Articles seem to indicate there may be some pre-req settings that need to be done before simply setting this to 3, but I am uncertain that we need it ourselves. It seems to be related to RC4, which we don't use as far as I can tell.
Duplicate, please ignore.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 99%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJN%3C/text%3E%3C/svg%3E)
I have applied the recommended patch (KB5019966) to address CVE-20222-37967, but Nessus is still reporting it as a finding. It seems that the patch does not create the registry key HKEY_LOCAL_MACHINE\System\currentcontrolset\services\kdc\KrbtgtFullPacSignatureKrbtgt, which Nessus expects to see. Is this a false positive that we can safely ignore, or do we need to take additional steps to resolve it? Please advise.