This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 94%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
In reference to August's changes with "How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472",
I am not seeing any 5829 events in the System logs on my DCs. The DC's are Server 2012 and I have Windows 7 clients out there so I thought I would start seeing these events, logging that a vulnerable Netlogon secure channel connection was allowed. Am I missing something?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello @MISAdmin ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I too have Win7 SP1 systems that we are still trying to remove and ZERO Event IDs 5829. This month marks enforcement and it is just baffling to me... I cannot believe this does not impact Win7 since it is out of support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 32%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
I'd rather be sure than just assume that all my devices are using Secure-RPC. As I mentioned, we have at least one Server 2003 machine on our domain. Is there any confirmation of which operating systems would be using Secure-RPC by default? I've had the patches installed for a couple weeks and haven't seen anything in the logs yet, so either my entire domain is fully protected (including out of support OS and non-Windows devices), or I'm missing something. Running that cmdlet is not as easy as it sounds, you need to install RSAT tools first and then import the active directory module in Powershell, so it will be quite difficult to run it on my Server 2003 machine.
I'd start a new thread since you have no control over this one.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 79%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Hello,
I also have problems reprducing the warninngs in Windows Event-Log, on client side, I have moved back to even systems with Windows XP Build 2600 (no service pack), and even these really old systems do not generate any warnings on my DC, which is of course updated to the current state as of January 11 2020.
So my question is: which Operating systems do produce the event-id 5829 at all? Which other prerequisites must the domain controller meet in order for this to happen?
I read the answer stating that you can use Test-ComputerSecureChannel in powershell, so if this command returns true, does that mean that the system is really safe and does not produce event-id 5829?
I would really like to get more details about that topic, so any information especially on how to intentionally produce this behaviour would be really helpful. Thanks.