This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 43%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
POSSIBLE BUG: On Server 2012 R2, When the Policy "Domain controller: Allow vulnerable Netlogon secure channel connections"* is set to NOT DEFINED, this registry key STILL contains old PREVIOUSLY set entries (security descriptors) in the list!
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"vulnerablechannelallowlist"
Details: When you enable the policy "Domain controller: Allow vulnerable Netlogon secure channel connections" and add a user account or security group and then later disable the policy by setting it to Not Defined, the associated registry key is NOT cleared.
*Reference: How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
See Section Section 3b
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
Why can't I leave this open so others can comment on it? Maybe they have the same issue or it's not a bug and they will explain why...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anyone can comment regardless, Marking answers just points users to more relevant info.
Much appreciated!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 57.00000000000001%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJJ%3C/text%3E%3C/svg%3E)
Same here, also on Windows Server 2012 R2 Domain Controllers...
The Key AND Value is not removed when GPO is set to "not configured", had to remove the Key manually...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 47%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETF%3C/text%3E%3C/svg%3E)
Just delete REG_SZ "vulnerablecanallowlist". Some GPOs retain their value even after their removal.
You can report here on uservoice.
https://windowsserver.uservoice.com/forums/304618-installation-and-patching
or optionally start a case here with product support. A card is required to secure the incident contract but confirmed bugs are never charged.
https://support.serviceshub.microsoft.com/supportforbusiness
--please don't forget to Accept as answer if the reply is helpful--
Thanks DSPatrick
You're quite welcome.
--please don't forget to Accept as answer if the reply is helpful--
Update: The bug has been fixed.
