Hello @Jason L ,
Thank you for posting here.
If we install the updates of phase one (August 11, 2020 - Initial Deployment Phase):
For event 5829
If a non-compliant user account or non-compliant device account performs Netlogon secure channel connections, event ID 5829 will be logged.
If no non-compliant user account or non-compliant device account performs Netlogon secure channel connections, event ID 5829 will not be logged.
If all domain controllers are in force mode (February 9, 2021 - Enforcement Phase):
For event 5827 and event 5828
If the non-compliant user accounts or non-compliant device accounts that are mentioned by event ID 5829 are not configured in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, event ID 5827 and event ID 5828 will be logged.
For event 5830 and event 5831
If the non-compliant user accounts or non-compliant device accounts that are mentioned by event ID 5829 are configured in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, event ID 5830 and event ID 5831 will be logged.
What versions of Windows will need to have the security bypass enabled, 2003 and 2008 only?
A: If you do not see any 5827, 5828 and 5829 events currently, you do not need to add these machines to the GPO setting.
Also where do I get the patch from? Will it come via WSUS?
A: We only want to install the two updates on all DCs. You can download them from the Microsoft Update Catalog website or via another way (such as WSUS).
Hope the information above is helpful.
Should you have any questions or concerns, please feel free to let us know.
Reference
How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
https://support.microsoft.com/en-us/topic/how-to-manage-the-changes-in-netlogon-secure-channel-connections-associated-with-cve-2020-1472-f7e8cc17-0309-1d6a-304e-5ba73cd1a11e
Best Regards,
Daisy Zhou
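
To see which of the event IDs described in this answer your domain controllers are logging, and for which accounts, here is an added example (not part of the original answer and not Microsoft's own script). It assumes the ActiveDirectory PowerShell module is installed, that the events are read from the System log, a 30-day lookback, and that the account name follows "Machine SamAccountName:" or "Trust Name:" in the event message.

```powershell
# Added example: run from a management host with RSAT and rights to read the
# System log on every domain controller.
Import-Module ActiveDirectory

# What each event ID indicates, following the answer above.
$meaning = @{
    5829 = 'Non-compliant connection (initial deployment phase)'
    5827 = 'Non-compliant, NOT in the allow-list GPO'
    5828 = 'Non-compliant, NOT in the allow-list GPO'
    5830 = 'Non-compliant, listed in the allow-list GPO'
    5831 = 'Non-compliant, listed in the allow-list GPO'
}
$since = (Get-Date).AddDays(-30)   # assumption: 30-day lookback

$events = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'System'; Id = 5827..5831; StartTime = $since
        }
    } catch {
        # "No matching events" is the good outcome; warn only on real failures.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

$events | ForEach-Object {
    # Assumption: the account name follows one of these labels in the message.
    $pattern = '(?m)^\s*(?:Machine SamAccountName|Trust Name):\s*(\S+)'
    $account = if ($_.Message -match $pattern) { $Matches[1] } else { '(see message)' }
    [pscustomobject]@{
        DC = $_.MachineName; Id = $_.Id; Account = $account; Time = $_.TimeCreated
    }
} | Group-Object Account, Id | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Account  = $first.Account
        Id       = $first.Id
        Meaning  = $meaning[$first.Id]
        Count    = $_.Count
        LastSeen = ($_.Group | Sort-Object Time)[-1].Time
        DCs      = ($_.Group.DC | Sort-Object -Unique) -join ', '
    }
} | Sort-Object Id, Account | Format-Table -AutoSize
```

An empty result means none of the five event IDs were logged in the lookback window on the domain controllers that could be reached.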