Check my earlier reply. From cmd.exe run gpedit.msc then navigate to;
--please don't forget to Accept as answer if the reply is helpful--
"Domain controller: Allow vulnerable Netlogon secure channel connections" Group Policy
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 10%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
Jason Leidy
21
Reputation points
I am trying to create a GPO to address the netlogon secure channel vulnerability, so that certain things won't be impacted in February. However, the instructions contained in the article "https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc" aren't working for me. I log onto my 2016 DC and open up Group Policy management. When I go to create the new GPO, per the instructions, I do not have Computer Configuration\Windows Settings\Security Settings\Security Options. Instead, I have Computer Configuration\Policies\Windows Settings\Security Settings
Windows for business | Windows Client for IT Pros | User experience | Other
Answer accepted by question author
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2020-09-14T20:02:56.797+00:00
12 additional answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 53%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
JPB 1 Reputation point2020-09-23T19:28:14.25+00:00 FYI,
I found that I only see the option when I RDP into one of the DC's and look with GPMC there. If I use an admin server with the tools installed and check remotely I do not see the setting.
Thanks,
JPB -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 18%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDC%3C/text%3E%3C/svg%3E)
Daniel Camilo Quinchanegua Pulido 1 Reputation point2020-09-30T21:23:08.687+00:00 Hi everyone,
In my case I updated my domain controller (Windows Server 2016) with 2020-08 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4571694). The same thing happens to me as several of you, it is installed and appears in the installed updates, but when I look in the group policy management console, I cannot find the option "Domain controller: Allow vulnerable Netlogon secure channel connections". I have already restarted the server but that setting still does not appear in the GPO, does anyone know what this depends on in order to have the option to add exceptions while identifying vulnerable cases when they arise?Best regards,
Daniel.-
Anonymous
2020-09-30T21:25:10.48+00:00 I'd start a new thread since already answered and you have no control over thread.
-
Daniel Camilo Quinchanegua Pulido 1 Reputation point
2020-09-30T21:33:22.457+00:00 Hi DSPatrick,
I don't use these spaces much but right now it is the only place where I see talk about these updates and I see that since I am not the only one with the same question, I hope we can find guidance to correctly apply both the updates and the GPO settings.Thanks,
Daniel. -
Anonymous
2020-09-30T21:34:52.487+00:00 Sounds good.
Sign in to comment -
-
ChrisDz 26 Reputation points2020-10-01T09:44:45.38+00:00 is it possible that another domain controller overwrite the sysvol folder of my patched domain controller during sysvol frs synchronization/replication ?
and it overwrites with older admx files ?
thanks -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 43%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
INTREPID 41 Reputation points2020-11-01T17:14:49.443+00:00 POSSIBLE BUG: On Server 2012 R2, When the Policy "Domain controller: Allow vulnerable Netlogon secure channel connections" is set to NOT DEFINED, this registry key STILL contains old PREVIOUSLY set entries (security descriptors) in the list!!!!
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"vulnerablechannelallowlist"