When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Microsoft shares DCOM, Kerberos, Netlogon, Azure hardening timeline till 2024

Neowin · · Hot! with 0 comments

A blue band aid with a Windows logo on it

Microsoft has been making hardening changes to several protocols over the last couple of years. These are being put in place to combat security vulnerabilities that were discovered recently. Earlier this year in February, Microsoft made DCOM hardening mandatory. Later in March, the tech giant shared additional resources to facilitate. Soon after, the company reminded IT admins and system admins about the third-phase of Kerberos hardening.

In order to remind IT administrators about upcoming changes to be made, the tech giant generally publishes updates to its support article. Today, the company has shared a helpful roadmap that outlines all the upcoming hardening changes all the way up to 2024. They also link back to the corresponding knowledge base (KB) support articles where users can learn more about the changes.

Hardening changes by month

Consult the details for all upcoming hardening changes by month to help you plan for each phase and final enforcement.

April 2023

  • Netlogon protocol changes KB5021130 | Phase 2
    Initial enforcement; removes the ability to disable RPC sealing by setting value 0 to the RequireSeal registry subkey.
  • Certificate-based authentication KB5014754 | Phase 2
    Removes Disabled mode.

June 2023

  • Netlogon protocol changes KB5021130 | Phase 3
    Enforcement by default. RequireSeal subkey will be moved to Enforcement mode unless you explicitly configure it to be under Compatibility mode.
  • Kerberos PAC Signatures KB5020805 | Phase 3
    Removes the ability to disable PAC signature addition by setting the KrbtgtFullPacSignature subkey to a value of 0.

July 2023

  • Netlogon protocol changes KB5021130 | Phase 4
    Final enforcement. RequireSeal subkey will be moved to Enforcement mode unless you explicitly configure it to be under Compatibility mode.
  • Kerberos PAC Signatures KB5020805 | Phase 4
    Enforcement mode as default (KrbtgtFullPacSignature = 3), which you can override with an explicit Audit setting.

October 2023

  • Kerberos PAC Signatures KB5020805 | Phase 5
    Final, full enforcement.

November 2023

  • Certificate-based authentication KB5014754 | Phase 3
    Final, full enforcement.

January 2024

  • Active Directory (AD) permissions issue KB5008383 | Phase 5
    Final enforcement.

The blog post was penned by Namrata Bachwani, who is a Principal Program Manager Lead at Microsoft. You can find it here.

Report a problem with article
WingetUI discover packages page
Next Article

Latest WingetUI gets new UI, faster loading performance, and lots more

A Microsoft logo in front of a flag of Russia
Previous Article

Microsoft decides to continue to work with Russian private companies not under sanctions

Join the conversation!

Login or Sign Up to read and post a comment.

0 Comments - Add comment