Empty TGT Failed Logs on My Domain Controller - Event Id 4768

Anonymous
2024-12-21T11:38:59+00:00

Hi Dears,

On a Windows Server 2022 with Active Directory installed, after receiving Event ID 1108 logs saying there is a problem with the event logging service, we figured out that Event ID 4768 logs with Audit_Failure have a problem: in Event Viewer they are stored as an empty template, and the log contains no data such as the user account, domain, etc. Therefore, we are not able to detect brute-force attacks, which is a serious security concern.

The problem persists after updating to the latest version of Windows Server 2022.

I would appreciate it if you provided some insights on how to resolve the matter.

Windows for business | Windows Server | Directory services | Other

Locked Question. This question was migrated from the Microsoft Support Community. To protect privacy, user profiles for migrated questions are anonymized.

Accepted answer
  1. Anonymous
    2024-12-23T01:43:09+00:00

    Hello,

    Thank you for posting in the Microsoft Community Forums.

    The issue with Event ID 4768 logs containing empty templates on Windows Server 2022 is due to a regression introduced by the July 9, 2024 update (KB5040437). This regression causes security audit event ID 4768 to be logged without any metadata and event ID 1108 to be logged excessively on domain controllers.

    To resolve this issue, you need to install KB5041160, which was released on August 13, 2024. KB5041160, released August 13, 2024, shipped a disabled-by-default (DBD) fix for OS Bug 48443116 that allows the July 9, 2024 Windows Update KB5040437 to remain installed.

    August 13, 2024—KB5041160 (OS Build 20348.2655) - Microsoft Support

    I hope the information above is helpful.

    Best regards

    Yanhong Liu
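
One way to verify the state described in the answer above, as an added example that is not part of the original thread and not Microsoft's own tooling: it compares the OS build with 20348.2655 (the build the answer gives for KB5041160) and counts failed 4768 events that carry no data. The 24-hour window, the helper name `Test-EmptyEventData`, and the definition of "empty" (no non-blank value in any event data field) are assumptions.

```powershell
# Added example. Run in an elevated PowerShell session on the domain controller.
# Values from the answer: KB5041160 corresponds to OS Build 20348.2655.
$FixBuild     = 20348
$FixUbr       = 2655
$AuditFailure = [long]0x10000000000000      # standard Keywords bit for "Audit Failure"
$Since        = (Get-Date).AddHours(-24)    # assumed look-back window

function Test-EmptyEventData {
    # Hypothetical helper: true when the record has no non-blank data field.
    param($Record)
    $values = $Record.Properties | ForEach-Object { "$($_.Value)".Trim() }
    return -not ($values | Where-Object { $_ })
}

# 1. Patch level: current build and update revision (UBR) from the registry.
$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build   = [int]$cv.CurrentBuildNumber
$ubr     = [int]$cv.UBR
$patched = ($build -gt $FixBuild) -or ($build -eq $FixBuild -and $ubr -ge $FixUbr)

# Get-HotFix may not list this KB once a later cumulative update has replaced it,
# so the build comparison above is the primary check.
$hotfix = Get-HotFix -Id 'KB5041160' -ErrorAction SilentlyContinue

# 2. Symptom: failed 4768 events without data, and the volume of 1108 events.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4768, 1108; StartTime = $Since
} -ErrorAction SilentlyContinue

$failed = @($events | Where-Object { $_.Id -eq 4768 -and ($_.Keywords -band $AuditFailure) })
$empty  = @($failed | Where-Object { Test-EmptyEventData $_ })

[pscustomobject]@{
    OsBuild           = "$build.$ubr"
    AtOrAboveFixBuild = $patched
    KB5041160Listed   = [bool]$hotfix
    Since             = $Since
    Failed4768        = $failed.Count
    Empty4768         = $empty.Count
    Event1108         = @($events | Where-Object Id -eq 1108).Count
}
```

If `Empty4768` stays above zero on a build at or above 20348.2655, the symptom is still present on that domain controller.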
