Windows Server 2016 security updates

FelixHk 1 Reputation point
2021-12-29T13:38:32.093+00:00

Greetings!

So, this is about security updates on Windows Server 2016 DCs. It is especially about the following CVEs/security patches:
https://support.microsoft.com/en-us/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e
... and ...
https://support.microsoft.com/en-gb/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041

The DCs received the latest updates.

When I reviewed the above article regarding CVE-2021-42287, I read that the fix should create a new registry key (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc -> PacRequestorEnforcement).
After updating I did not see any new key there, so I rechecked the security updates.

These are the installed security updates:
KB4535680, KB4540726, KB4566426, KB4577038, KB5001401, KB5008277

If I am right, this should be the correct security update:
https://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=127a668d-ced5-407a-976c-e6296ffab056

Why is it only available in the Microsoft Update Catalog and not through Windows Update?
After manual installation of said update the registry key was still not available.
Am I missing something?

Thanks in advance,
Felix


4 answers

  1. Limitless Technology 40,106 Reputation points
    2021-12-30T15:26:01.143+00:00

    Hi @FelixHk

    You need not worry as the registry will be removed at the Enforcement phase.

    Initial deployment – Introduction of the update, as well as the PacRequestorEnforcement registry key

    Second deployment – Removal of PacRequestorEnforcement value of 0 (ability to disable the registry key)

    Enforcement phase – Enforcement mode is enabled. Removal of PacRequestorEnforcement registry key

    Here is a thread as well which discusses the same issue and you can get some insight into this
    https://learn.microsoft.com/en-us/answers/questions/632804/november-2021-updates-events-35-37-on-dcs-pacreque.html

    Hope this resolves your Query!!

    --If the reply is helpful, please Upvote and Accept it as an answer--


  2. Anonymous
    2021-12-30T13:58:47.55+00:00

    Sounds like you only install security-only updates? Security-only updates are one of the few non-cumulative updates that Microsoft still distributes so you may just need to try installing them.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  3. Anonymous
    2021-12-29T14:55:48.637+00:00

    The PacRequestorEnforcement registry value's only function is to allow you to transition to the Enforcement phase early. Otherwise not needed.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  4. Anonymous
    2021-12-29T13:54:55.323+00:00

    Patch all the domain controllers as a first step. Then each user will get the new improved authentication information PACs of Kerberos Ticket-Granting Tickets (TGT) described in the KB.

    Then it looks like you may get one warning for every user.

    https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
    Adds the new PAC to users who authenticated using an Active Directory domain controller that has the November 9, 2021 or later updates installed. When authenticating, if the user has the new PAC, the PAC is validated.

    --please don't forget to upvote and Accept as answer if the reply is helpful--
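
The check discussed in this thread, as an added example that is not part of any post above: it reads PacRequestorEnforcement under the Kdc key named in the question, reports a missing value as "not set" rather than as an error, and lists updates installed on or after November 9, 2021. The helper names are hypothetical, and the 0/1/2 meanings are taken from KB5008380 as linked in the thread.

```powershell
# Added example, not from the thread. Run in an elevated session on a domain controller.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'   # key named in the question
$ValueName = 'PacRequestorEnforcement'

function Get-PacRequestorEnforcement {
    # Hypothetical helper: reads the value without treating "missing" as a failure.
    param([string]$Path = $KdcKey, [string]$Name = $ValueName)
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # The update does not have to create the value; absence is a valid state.
        return [pscustomobject]@{
            Configured = $false; Value = $null
            Meaning    = 'Not set: the installed update uses its built-in default'
        }
    }
    $value = [int]$prop.$Name
    # Value meanings as described in KB5008380 (assumption: not spelled out in the thread).
    $meaning = switch ($value) {
        0       { 'Disabled' }
        1       { 'Deployment: new PAC is added, and validated when present' }
        2       { 'Enforcement' }
        default { 'Unrecognised value' }
    }
    [pscustomobject]@{ Configured = $true; Value = $value; Meaning = $meaning }
}

function Get-HotFixSince {
    # Hypothetical helper. InstalledOn is the install date, not the release date,
    # so the result is a candidate list to compare against the KB articles.
    param([datetime]$Since = [datetime]::new(2021, 11, 9))
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn |
        Select-Object HotFixID, Description, InstalledOn
}

Get-PacRequestorEnforcement | Format-List
Get-HotFixSince | Format-Table -AutoSize
```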
