KB5008380—Authentication updates (CVE-2021-42287)

Andreas 1,011 Reputation points


I have some questions regarding KB5008380—Authentication updates (CVE-2021-42287)

From the documentation, November patch,

"After the November 9, 2021 update has been installed on all Active Directory domain controllers for at least 7 days, we strongly suggest that you enable Enforcement mode on all Active Directory domain controllers."

Do I understand correctly that we should do the following on the domain controllers that are patched... or could I just leave it since we have control on updating our domain controllers

  1. Add registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc\PacRequestorEnforcement with REG_DWORD and value 2

What have you done ? :)

Thanks for reply.


Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
10,575 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
4,851 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,547 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Leon Laude 85,411 Reputation points

    Hi @Andreas ,

    It is not mandatory to do, only strongly suggested, also according to Microsoft's assessment on the CVE-2021-42287, the exploitation is considered "less likely", so it's not something I would worry about as it will also be automatically patched in the future.

    But if you do choose to proceed with the enforcement, then yes, you will have to create the registry key (DWORD) PacRequestorEnforcement with the value of 2 under the location HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc.


    If the reply was helpful please don't forget to upvote and/or accept as answer, thank you!

    Best regards,

  2. Limitless Technology 38,451 Reputation points

    In the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout
    Create a new DWORD value IgnoreRemoteKeyboardLayout and give it the value 1.

    That should be sufficient to solve your problem.

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments