This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 94%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
In reference to August's changes with "How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472",
I am not seeing any 5829 events in the System logs on my DCs. The DC's are Server 2012 and I have Windows 7 clients out there so I thought I would start seeing these events, logging that a vulnerable Netlogon secure channel connection was allowed. Am I missing something?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @MISAdmin ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I too have Win7 SP1 systems that we are still trying to remove and ZERO Event IDs 5829. This month marks enforcement and it is just baffling to me... I cannot believe this does not impact Win7 since it is out of support.
Hello @MISAdmin ,
Thank you for your update.
If we do not see the 5829 event related to Windows 7 SP1 clients on any domain controller currently, then Windows 7 SP1 clients should not be affected. I have seen in other forums that some people have mentioned that the lower version of the clients are not affected currently, too.
However, Windows 7 SP1 clients are no longer supported by Microsoft. It is recommended that you consider replacing Windows 7 SP1 clients with Windows 10 clients.
Thank you for your understanding and support.
Best Regards,
Daisy Zhou
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 57.00000000000001%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
Hello Guys,
I've the same problem, after installing August's update. There is no events in the system logs between 5827-5831. Even if I try to exploit the DC. Is it correct? I think no. Is there any other audit level prerequisites to see these events in the logs?
Thanks,
Andrew
I'm also interested in this answer.
I've tested an exploit against an unpatched 2016 Lab DC and saw the 4742 Event (a computer account was changed) which stated the machine password was set.
Regards
Philipp
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 32%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello, I agree with the others on this thread. I applied the patch to our Domain Controllers but see no logs with event ID 5827-31 anywhere in the event viewer. I also tried exporting the logs and running the Powershell script against them that automatically checks for those Event ID's. I have at least one Server 2003 machine that I'm sure is using the old protocol, and several non-Windows appliances that I'm sure have the same issues, so this makes no sense. Can you please provide some additional guidance on how we can find these events in the logs? It seems like some switch or registry modification is missing from the official documentation.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 39%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAY%3C/text%3E%3C/svg%3E)
same issue here on Windows 2019 DCs. Not seeing anything, although the registry key is there for me to enable it when ready...
Is it possible that the "Allow Vulnerable Netlogon Secure Channel Connections" GPO needs to be configured for these events to show up? Based on the details around the August patches, I assumed the event viewer would log those incidents automatically after they were installed, but maybe the GPO needs to be enabled and configured first?
Please correct me if I'm wrong: (I think BSPatrick had the real answer)
Based on some investigation. It seems like the answer is, it is a normal behavior.
Most current Clients (not sure yet the scope of current, but I tested Windows 10 & Windows 7) are already capable & are using secured RPC without any recent published patches… In other words, we can “Assume” that all our current connections are using Secured RPC already…
this page describes the way to test it via PowerShell:
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1
pretty much: from the suspected client run the PowerShell cmd: Test-ComputerSecureChannel
If you want to delve in the “fun” of RPC background, feel free to read:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f
so in summary, I believe we are patched, & should visit the Event Log\System every few week/s and search for event 5827-5831 (most likely 5829)
I have tested our legacy Win7 clients and they do not seem to trigger the event ID on the domain controller...very confusing since I expect to see log entries from these unsupported systems.