Not seeing event 5829 since August's updates

MISAdmin 381 Reputation points
2020-09-16T16:43:48.41+00:00

In reference to August's changes with "How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472",

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

I am not seeing any 5829 events in the System logs on my DCs. The DCs are Server 2012 and I have Windows 7 clients out there so I thought I would start seeing these events, logging that a vulnerable Netlogon secure channel connection was allowed. Am I missing something?

Windows Server Infrastructure

12 answers

  1. Dave Patrick 426.1K Reputation points MVP
    2020-09-29T20:07:50.027+00:00

    It may be you've had no unsecure connections. On the problem member you can test from PowerShell.
    Test-ComputerSecureChannel
    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1


  2. Dave Patrick 426.1K Reputation points MVP
    2020-09-30T18:06:15.007+00:00

    On the suspect members I'd test it from PowerShell.
    Test-ComputerSecureChannel


  3. Dave Patrick 426.1K Reputation points MVP
    2020-09-30T18:13:34.47+00:00

    Sounds good,


  4. Daisy Zhou 18,721 Reputation points Microsoft Vendor
    2020-09-17T09:30:05.493+00:00

    Hello @MISAdmin,

    Thank you for posting here.

    If we do not see any event 5829 on any DC (Windows DCs and non-Windows DCs if we have in our domain), it means all the trust accounts and domain devices (Windows devices and non-Windows devices if we have in our domain) are compliant currently.

    From the link we mentioned above, we can see:

    By default, supported versions of Windows that have been fully updated should not be using vulnerable Netlogon secure channel connections. If one of these events is logged in the system event log for a Windows device:

    1. Confirm that the device is running a supported version of Windows.
    2. Ensure the device is fully updated.
    3. Check to ensure that Domain member: Digitally encrypt or sign secure channel data (always) is set to Enabled.

    Maybe it will not affect the old operating system version machines (such as Windows 7), in your case, then there is no 5829 on any DC.

    If you have non-Windows DCs or non-Windows devices, it may log event 5829.

    So we can keep monitoring in the later days until February 9, 2021 - Enforcement Phase.

    Best Regards,
    Daisy Zhou

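For the monitoring suggested above, an absence of event 5829 only means something if every DC's System log was actually read. The following is an added example, not code from the thread or from Microsoft's article; it assumes the ActiveDirectory (RSAT) module, remote event log access to each DC, and a 30-day lookback window chosen for illustration.

```powershell
# Added example: query every DC's System log for event 5829 and keep
# "no events logged" separate from "this DC could not be queried".
Import-Module ActiveDirectory   # assumption: RSAT ActiveDirectory module is installed

$since  = (Get-Date).AddDays(-30)   # assumed lookback; set to when the DCs were patched
$filter = @{ LogName = 'System'; Id = 5829; StartTime = $since }

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = @(Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop)
        $status = 'EventsFound'
    }
    catch {
        $events = @()
        # Get-WinEvent raises an error when nothing matches; that is the clean case.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            $status = 'NoEvents'
        }
        else {
            # RPC, firewall or permission failure: this DC was NOT checked.
            $status = "QueryFailed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        DomainController = $dc.HostName
        Status           = $status
        Count            = $events.Count
        Newest           = ($events | Select-Object -First 1).TimeCreated
        Events           = $events
    }
}

# One row per DC; any QueryFailed row means the result is incomplete.
$results | Format-Table DomainController, Status, Count, Newest -AutoSize

# Full text of each hit for review.
$results.Events | Sort-Object TimeCreated |
    Select-Object TimeCreated, MachineName, Message | Format-List
```

A DC reported as QueryFailed should be rechecked locally before concluding that no vulnerable connections were allowed.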

  5. MISAdmin 381 Reputation points
    2020-09-21T11:16:12.473+00:00

    Hi Daisy. Thank you for the reply but I would like a confirmation about Windows 7 SP1 clients. It was my understanding that these are vulnerable. Can anyone confirm or clarify this?
