Windows Server 2016 Security Updates

FelixHk 1 Reputation point
2021-12-29T13:38:32.093+00:00

Greetings!

So, this is about security updates on Windows Server 2016 DCs. It is especially about the following CVEs/security patches:
https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e
... and ...
https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

The DCs received the latest updates.

When I reviewed the above article regarding CVE-2021-42287, I read that the fix should create a new registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc -> PacRequestorEnforcement).
After updating I did not see any new key there, so I rechecked the security updates.

These are the installed security updates:
KB4535680, KB4540726, KB4566426, KB4577038, KB5001401, KB5008277

If I am right, this should be the correct security update:
https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=127a668d-ced5-407a-976c-e6296ffab056

Why is it only available in the Microsoft Update Catalog and not through Windows Update?
After manual installation of said update the registry key was still not available.
Am I missing something?

Thanks in advance,
Felix


4 answers

  1. Anonymous
    2021-12-29T13:54:55.323+00:00

    Patch all the domain controllers as a first step. Then each user will get the new improved authentication information PACs of Kerberos Ticket-Granting Tickets (TGT) described in the KB.

    Then it looks like you may get one warning for every user.

    https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
    Adds the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. Anonymous
    2021-12-29T14:55:48.637+00:00

    The PacRequestorEnforcement registry value's only function is to allow you to transition to the Enforcement phase early. Otherwise not needed.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  3. Anonymous
    2021-12-30T13:58:47.55+00:00

    Sounds like you only install security-only updates? Security-only updates are one of the few non-cumulative updates that Microsoft still distributes, so you may just need to try installing them.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  4. Limitless Technology 39,771 Reputation points
    2021-12-30T15:26:01.143+00:00

    Hi @FelixHk

    You need not worry as the registry will be removed at the Enforcement phase.

    Initial deployment – Introduction of the update, as well as the PacRequestorEnforcement registry key

    Second deployment – Removal of PacRequestorEnforcement value of 0 (ability to disable the registry key)

    Enforcement phase – Enforcement mode is enabled. Removal of PacRequestorEnforcement registry key

    Here is a thread as well which discusses the same issue, and you can get some insight into this:
    https://learn.microsoft.com/en-us/answers/questions/632804/november-2021-updates-events-35-37-on-dcs-pacreque.html

    Hope this resolves your query!

    --If the reply is helpful, please Upvote and Accept it as an answer--
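
A read-only check for the registry value discussed in answers 2 and 4, added here as an example and not taken from the thread or from Microsoft: it reads PacRequestorEnforcement on each named DC and lists the installed hotfix IDs for comparison. The function name `Get-PacRequestorEnforcement` is hypothetical, and the 0/1/2 meanings are an assumption based on KB5008380 that should be confirmed against the article.

```powershell
# Added example (not from the thread): report PacRequestorEnforcement per DC.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'PacRequestorEnforcement'

# Assumption: numeric meanings as described in KB5008380; verify against the article.
$Meaning = @{
    0 = 'Disabled (value 0)'
    1 = 'Deployment: new PAC added, validated when present'
    2 = 'Enforcement (set early by the administrator)'
}

function Get-PacRequestorEnforcement {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    # Runs on the target: read the value (may be absent) and list installed hotfixes.
    $read = {
        param($Key, $Name)
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        $raw  = $null
        if ($item) { $raw = $item.$Name }
        [pscustomobject]@{
            Raw     = $raw
            Patches = (Get-HotFix | Sort-Object HotFixID).HotFixID -join ', '
        }
    }

    foreach ($dc in $ComputerName) {
        try {
            if ($dc -eq $env:COMPUTERNAME) {
                $r = & $read $KdcKey $ValueName
            } else {
                $r = Invoke-Command -ComputerName $dc -ScriptBlock $read `
                        -ArgumentList $KdcKey, $ValueName -ErrorAction Stop
            }
            # An absent value is not an error: the update's phase default applies.
            if ($null -eq $r.Raw) { $state = 'Not set: default for the installed update phase applies' }
            elseif ($Meaning.ContainsKey([int]$r.Raw)) { $state = $Meaning[[int]$r.Raw] }
            else { $state = "Unexpected value $($r.Raw)" }
            [pscustomobject]@{ Computer = $dc; Value = $r.Raw; State = $state; InstalledKBs = $r.Patches }
        } catch {
            [pscustomobject]@{ Computer = $dc; Value = $null; State = "Query failed: $($_.Exception.Message)"; InstalledKBs = $null }
        }
    }
}

# All DCs (needs the ActiveDirectory module and PowerShell remoting):
# Get-PacRequestorEnforcement -ComputerName (Get-ADDomainController -Filter *).HostName
Get-PacRequestorEnforcement | Format-List
```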
