kb5020805 and KrbtgtFullPacSignature key

PK Player 71 Reputation points


This article:

https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb explains how to prepare for the Kerberos changes that will strengthen Windows Domain Controller security. I discovered this article today.

Additional tasks described in the article include setting the registry key:

HKEY_LOCAL_MACHINE\System\currentcontrolset\services\kdc\KrbtgtFullPacSignature value to 2, which places the machine in Audit mode after the first update deployment. I was unaware of this requirement at that time.

The article also explains that after the second deployment phase, which occurred December 13, all devices will be in Audit mode by default. Our Domain Controllers (we have two running on Windows Server 2019 Standard - single domain, single subnet, basic setup) do not have KrbtgtFullPacSignature as a registry key at the location mentioned.

My question is do I need to create the key manually or has the December update done this via another method?

I'm a little confused over what is required, so any help will be appreciated very much. If it is simply a matter of creating the key that is fine.

Thank you.


Accepted answer
  1. Dave Patrick 426.2K Reputation points MVP

    You'll only add the **KrbtgtFullPacSignature** DWORD if you wanted something other than the default. The default (no DWORD in registry) value changes over time.

    11/8/22 New signatures are added, but not verified. (Default setting)

    12/13/22 Audit mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is allowed and audit logs are created.

    4/11/23 Disabled via registry is no longer possible

    7/11/23 defaults to Enforcement mode. New signatures are added, and verified if present. If the signature is either missing or invalid, authentication is denied and audit logs are created, but Audit mode is still possible.

    10/10/23 full Enforcement mode


    --please don't forget to upvote and Accept as answer if the reply is helpful--

    3 people found this answer helpful.
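The question and the accepted answer both turn on one point: the value being absent is not a misconfiguration, it just means the phase-dependent default applies, and you only create the DWORD when you want to pin a mode explicitly. The following PowerShell is an added example that is not from the question, either answer, or Microsoft. It reads the value on the local domain controller, reports what it means, and can set it with a preview (`-WhatIf`) first. The function names are my own; the registry path is the one from the question; the value meanings (1 = add but don't verify, 2 = Audit, 3 = Enforcement, 0 = Disabled and no longer honored after the April 2023 update) are as documented in KB5020805.

```powershell
# Added example (not from the question or answers): inspect and optionally set
# the KrbtgtFullPacSignature DWORD on a domain controller. The registry path is
# the one named in the question; value meanings follow KB5020805.

function Get-KrbtgtFullPacSignatureMode {
    <#
    Returns an object describing whether the DWORD is set and what it means.
    An absent value is not an error: the default for the installed update
    phase applies (see the accepted answer's timeline).
    Constants live inside the function so it can be sent through Invoke-Command.
    #>
    $kdcKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $valueName  = 'KrbtgtFullPacSignature'
    $modes = @{
        0 = 'Disabled (no longer honored after the April 2023 update)'
        1 = 'New signatures added, not verified'
        2 = 'Audit: verified if present; missing or invalid is allowed and logged'
        3 = 'Enforcement: verified; missing or invalid is denied and logged'
    }

    # -ErrorAction SilentlyContinue turns "value does not exist" into $null
    $item = Get-ItemProperty -Path $kdcKeyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Configured = $false
            Value      = $null
            Mode       = 'Not set: default for the installed update phase applies'
        }
    }

    $value = [int]$item.$valueName
    $mode  = if ($modes.ContainsKey($value)) { $modes[$value] } else { "Unrecognized value $value" }
    return [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Configured = $true
        Value      = $value
        Mode       = $mode
    }
}

function Set-KrbtgtFullPacSignatureMode {
    <#
    Creates or overwrites the DWORD. Only 2 (Audit) and 3 (Enforcement) are
    offered: 0 is no longer honored and 1 is weaker than the current default.
    Supports -WhatIf so the change can be previewed before it is written.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet(2, 3)]
        [int]$Value
    )
    $kdcKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $valueName  = 'KrbtgtFullPacSignature'

    if (-not (Test-Path -Path $kdcKeyPath)) {
        throw 'Kdc service key not found; run this on a domain controller.'
    }
    if ($PSCmdlet.ShouldProcess("$kdcKeyPath\$valueName", "Set DWORD to $Value")) {
        # -Force creates the value if missing or overwrites it if present
        New-ItemProperty -Path $kdcKeyPath -Name $valueName -Value $Value `
            -PropertyType DWord -Force | Out-Null
    }
    return Get-KrbtgtFullPacSignatureMode
}

# Usage on the local DC:
#   Get-KrbtgtFullPacSignatureMode
#   Set-KrbtgtFullPacSignatureMode -Value 2 -WhatIf
#
# Check every DC in the domain (needs the ActiveDirectory module and PS remoting):
#   Get-ADDomainController -Filter * | ForEach-Object {
#       Invoke-Command -ComputerName $_.HostName `
#           -ScriptBlock ${function:Get-KrbtgtFullPacSignatureMode}
#   }
```

Run the `Get-` function on each DC before deciding anything: if both return `Configured = $false`, the accepted answer's timeline tells you which mode is in effect for the update level installed, and no key needs to be created unless you want Audit (2) or Enforcement (3) fixed regardless of future updates. When you do set 3, review the audit events from the preceding Audit period first, since tickets with missing or invalid signatures that were only logged before will be denied afterwards.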

1 additional answer

  1. Tommy Tiller 0 Reputation points

    I was confused also. My Tenable scan would not clear until I added the value of 3 to the registry key, which I added. Now I'm waiting to see what I broke. Thanks for your post. Good luck.