CVE-2020-1472 Netlogon Secure clarifications

Arun Bhavnani 1 Reputation point


Unfortunately, our environment is a mixed bag of Windows 7, 8, 8.1 and 10 systems. Ever since we applied the Aug patch, we have been observing a number of events for 5827, 5828 and 5829. Request that the below be clarified:

  1. Are the events 5827 and 5828 being generated for the outdated versions of the system, i.e. Win 7, 8 and 8.1? Also, is monitoring of these events required, or just monitoring for 5829?
  2. How can we configure these operating systems to prevent such denied connections from the DC?
    1. Post Feb upgrade, will these devices not be able to connect to the DC even though the above settings have been applied?



5 answers

  1. Dave Patrick 426K Reputation points MVP

    You can test from the client end

    You can put them in an OU, then add the OU here on each domain controller.


    --please don't forget to Accept as answer if the reply is helpful--


  2. Arun Bhavnani 1 Reputation point

    Thanks Patrick; however, is there any other way to mitigate or lower the RISK rather than creating an OU?

    Also, as per the article, the secure channel will be enforced irrespective of the bit in the registry. In such a case, will having a separate OU work?



  3. Dave Patrick 426K Reputation points MVP

    The desktop operating systems Windows 8 and higher you mentioned should support secure channel. I'd check they're patched fully. Then use
    to confirm.

    For any that are non-compliant, you'll need to explicitly allow them by adding an exception for the non-compliant device.

    --please don't forget to Accept as answer if the reply is helpful--


  4. Vicky Wang 2,646 Reputation points

    To learn more about the vulnerability, see CVE-2020-1472.

    Take Action

    To protect your environment and prevent outages, you must do the following:

    1. UPDATE your Domain Controllers with an update released August 11, 2020 or later.
    2. FIND which devices are making vulnerable connections by monitoring event logs.
    3. ADDRESS non-compliant devices making vulnerable connections.
    4. ENABLE enforcement mode to address CVE-2020-1472 in your environment.

    Note: Step 1 of installing updates released August 11, 2020 or later will address security issue in CVE-2020-1472 for Active Directory domains and trusts, as well as Windows devices. To fully mitigate the security issue for third-party devices, you will need to complete all the steps.

    Warning: Starting February 2021, enforcement mode will be enabled on all Windows Domain Controllers and will block vulnerable connections from non-compliant devices. At that time, you will not be able to disable enforcement mode.


    Hope this information can help you
    Best wishes

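The FIND step above (monitoring the event logs for 5827, 5828 and 5829) can be scripted. The PowerShell below is an added example, not part of any answer in this thread and not Microsoft's own tooling; the function names `Get-NetlogonOffenders` and `New-SampleEvent`, the sample records and the host names are constructed, and the `Machine SamAccountName:` / `Machine Operating System:` message labels are an assumption about the event text.

```powershell
# Added example. Event meanings per Microsoft's CVE-2020-1472 guidance.
$NetlogonIds = @{
    5827 = 'Denied: vulnerable connection from a machine account'
    5828 = 'Denied: vulnerable connection from a trust account'
    5829 = 'Allowed for now: will be denied in enforcement mode'
}

function Get-NetlogonOffenders {
    param([object[]] $Events = @())
    $Events |
        Where-Object { $_ -and $NetlogonIds.ContainsKey([int]$_.Id) } |
        ForEach-Object {
            # Assumption: the event message has "Machine SamAccountName: <name>"
            # and "Machine Operating System: <os>" lines.
            $acct = if ($_.Message -match 'Machine SamAccountName:[ \t]*(\S+)') { $Matches[1] } else { '(unparsed)' }
            $os   = if ($_.Message -match 'Machine Operating System:[ \t]*([^\r\n]+)') { $Matches[1].Trim() } else { '(unknown)' }
            [pscustomobject]@{ Account = $acct; Id = [int]$_.Id; OS = $os }
        } |
        Group-Object Account, Id |
        ForEach-Object {
            # One summary row per (account, event ID) pair.
            $first = $_.Group[0]
            [pscustomobject]@{
                Account = $first.Account
                Id      = $first.Id
                Meaning = $NetlogonIds[$first.Id]
                OS      = $first.OS
                Count   = $_.Count
            }
        } |
        Sort-Object Count -Descending
}

# Constructed sample records (hypothetical host names, abbreviated messages).
function New-SampleEvent([int]$Id, [string]$Account, [string]$OS) {
    $msg = @("Constructed sample for event $Id.",
             "Machine SamAccountName: $Account",
             "Machine Operating System: $OS") -join "`n"
    [pscustomobject]@{ Id = $Id; Message = $msg }
}
$sample = @(
    New-SampleEvent 5829 'LEGACY-NAS01$' 'Constructed third-party OS'
    New-SampleEvent 5829 'LEGACY-NAS01$' 'Constructed third-party OS'
    New-SampleEvent 5827 'OLD-KIOSK07$'  'Constructed third-party OS'
)
Get-NetlogonOffenders -Events $sample | Format-Table -AutoSize

# On a domain controller, pass real records instead:
# Get-NetlogonOffenders -Events (Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5827, 5828, 5829 })
```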

  5. Axel Rouy 1 Reputation point

    Hi,

    I have some questions about this patch.
    My customer applied the August patch on their 90 000 devices and DC, but of those 90 000, 1000 devices do not have the following registry key: FullSecureChannelProtection
    Why? After some explanation it seems this registry key is not mandatory (but my question: is the registry key set automatically after the August patch?)

    I'm sorry if it's not clear.
