Zerologon EventID 5827 false-positive?

Tran Minh Tien 21 Reputation points
2020-12-16T06:08:58.47+00:00

Hi mates,

I have a lot of DCs patched with the Sep 2020 patch to monitor events related to Zerologon. My Graylog showed PCs that got EventID 5827, and I updated those PCs and enabled 3 policies:

- Domain member: Digitally encrypt or sign secure channel data (always)
- Domain member: Digitally encrypt secure channel data (when possible)
- Domain member: Digitally sign secure channel data (when possible)

as per Microsoft's instructions. But those PCs still get logged in Graylog with EventID "5827 The Netlogon service denied a vulnerable Netlogon secure channel connection from a machine account." and this causes a lot of confusion for my team about whether everything is working fine.

Could you please explain to me those cases where we enabled the policies but still got the alerts?

Thanks & Regards


Accepted answer
  1. Hannah Xiong 6,231 Reputation points
    2020-12-16T07:56:29.14+00:00

    Hello,

    Thank you so much for posting here.

    Deploy the August 11th updates to all applicable domain controllers (DCs) in the forest, including read-only domain controllers (RODCs). After deploying this update, patched DCs will:

    Log event IDs 5827 and 5828 in the System event log, if connections are denied.

    By default, supported versions of Windows that have been fully updated should not be using vulnerable Netlogon secure channel connections. If an event ID 5827 is logged in the system event log for a Windows device:

    1. Confirm that the device is running a supported version of Windows.
    2. Ensure the device is fully updated from Windows Update.
    3. Check to ensure that Domain member: Digitally encrypt or sign secure channel data (always) is set to Enabled in a GPO linked to the OU for all your DCs, such as the default domain controllers GPO.

    Reference: https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

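    A triage script for the checks listed in this answer, added here as an example and not code from the thread or from Microsoft. Run on a DC, the first function groups event 5827 by the denied machine account; run on a DC or on one of the PCs it lists, the second reads the three Netlogon registry values that the three policies from the question set. The field names it parses are assumed to follow the 5827 message text documented in KB4557222.

```powershell
# Added example for this thread (not Microsoft's or the poster's code).
# Assumes the 5827 message layout from KB4557222 ("Machine SamAccountName: ...",
# "Machine Operating System: ...", "Machine Operating System Build: ..."); anything
# that does not match is reported as 'unknown'.

function Get-NetlogonDenialSummary {
    # Run on a DC. Groups event 5827 by the machine account that was denied, so the
    # team sees which devices still use a vulnerable secure channel instead of reacting
    # to every single alert forwarded to Graylog.
    param([int]$Hours = 24)

    $filter = @{ LogName = 'System'; Id = 5827; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) { Write-Host "No event 5827 in the last $Hours hours."; return }

    $rows = foreach ($e in $events) {
        $m = $e.Message
        $account = 'unknown'; $os = 'unknown'; $build = 'unknown'
        if ($m -match 'Machine SamAccountName:\s*(\S+)')            { $account = $Matches[1] }
        if ($m -match 'Machine Operating System:\s*([^\r\n]+)')     { $os = $Matches[1].Trim() }
        if ($m -match 'Machine Operating System Build:\s*(\S+)')    { $build = $Matches[1] }
        [pscustomobject]@{ Account = $account; OS = $os; Build = $build; Time = $e.TimeCreated }
    }

    # One line per account: how often it was denied, what it reports as its OS, last hit.
    $rows | Group-Object Account | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Name
            Denials  = $_.Count
            OS       = $_.Group[0].OS
            Build    = $_.Group[0].Build
            LastSeen = ($_.Group | Sort-Object Time -Descending)[0].Time
        }
    }
}

function Test-SecureChannelPolicy {
    # Run on a DC or on a PC from the summary. The three GPO settings from the question
    # land in these Netlogon registry values; 1 means the setting applied, 0 or blank means not.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        'Digitally encrypt or sign secure channel data (always)' = $p.RequireSignOrSeal
        'Digitally encrypt secure channel data (when possible)'  = $p.SealSecureChannel
        'Digitally sign secure channel data (when possible)'     = $p.SignSecureChannel
    }
}

Get-NetlogonDenialSummary -Hours 24 | Format-Table -AutoSize
```

    Event 5827 is written by the Netlogon service on the DC that denied the connection, so it keeps appearing in Graylog from the DCs even while the member PC itself is being checked.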

2 additional answers

  1. Tran Minh Tien 21 Reputation points
    2020-12-17T06:19:06.173+00:00

    Thanks for your answer.


  2. Tran Minh Tien 21 Reputation points
    2020-12-28T06:43:47.203+00:00

    Hi Hannah Xiong,

    After we deployed the GPO and applied it to all OUs, we still got Event ID 5827 from some devices. Could there be any other explanation?

    Thanks & Regards