This information is preliminary and is subject to revision. This article is a living document, written over time and is subject to change. When guidance presented in this article is in direct confli...
AlanLaPietra, could you link to the official KB? If you are talking about this (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023), nothing new on the horizon.
In my lab, on Windows Server 2019, the following GPO is defined out of the box:
Default Domain Controllers Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options - Domain controller: LDAP server signing requirements
While I can change the registry key ldapserverintegrity to 0, the GPO automatically changes it back to 1. The obvious solution here is to uncheck the Define this policy setting box in the Default Domain Controllers Policy, which effectively changes the ldapserverintegrity registry key to 0, so there is no need to change the registry key manually.
Hence, changing the ldapserverintegrity registry key to 0 does not protect you from those upcoming changes on Windows Server 2019, since the Default Domain Controllers Policy will, out of the box, revert the registry key to 1. If you need to delay this change, the only solution seems to be to set the Domain controller: LDAP server signing requirements GPO status to Not Defined.
Can you confirm what will be the exact behaviour of the patch? Will it change the GPO configuration or the registry key value? If it changes the GPO configuration, is there any way to force said GPO to keep its Not Defined status?
Also, can you specify whether Windows Server 2012 R2 has the Domain controller: LDAP server signing requirements GPO defined, like Windows Server 2019? Only Windows Server 2008 seems to be working with your proposed fix.
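The comment above describes two things an administrator has to check by hand: the current value of the LDAP server signing registry value on the domain controller, and whether the Default Domain Controllers Policy still defines the "Domain controller: LDAP server signing requirements" setting (which would silently re-apply it). The following PowerShell audit script is an added example, not code from the original thread or from Microsoft. It assumes the well-known registry location HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity, the value-to-meaning mapping from Microsoft's policy documentation for that setting (1 = None, 2 = Require signing; the post itself only talks about 0 and 1), that the GroupPolicy RSAT module is installed, and that the Get-GPOReport XML output lists the setting under its KeyName with a SettingNumber element (the regex below relies on that layout and should be verified against your own report).

```powershell
# Added example (not from the original post): audit LDAP server signing state
# on a domain controller and report whether the GPO still enforces it.
# Assumptions: registry path/value name below, Microsoft's documented value
# mapping, RSAT GroupPolicy module present, Get-GPOReport XML layout.

$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'LDAPServerIntegrity'
$GpoName   = 'Default Domain Controllers Policy'   # GPO named in the post

function Get-LdapSigningRegistryState {
    # Reads the effective registry value on this DC and decodes it.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Meaning = 'Value absent (OS default applies)' }
    }
    $raw = [int]$item.$ValueName
    $meaning = switch ($raw) {
        1       { 'None (signing not required)' }          # documented mapping (assumption)
        2       { 'Require signing' }                       # documented mapping (assumption)
        default { "Unexpected value $raw; verify against the advisory" }
    }
    [pscustomobject]@{ Value = $raw; Meaning = $meaning }
}

function Get-LdapSigningGpoState {
    # Inspects the GPO report to see whether the signing setting is Defined.
    # If the setting is Not Defined, the registry value will not be reverted by this GPO.
    Import-Module GroupPolicy -ErrorAction Stop
    $report = Get-GPOReport -Name $GpoName -ReportType Xml

    if ($report -notmatch 'LDAPServerIntegrity') {
        return [pscustomobject]@{ Gpo = $GpoName; Defined = $false; SettingNumber = $null }
    }
    # Assumption about the XML layout: KeyName ending in LDAPServerIntegrity,
    # followed by a SettingNumber element holding the enforced value.
    $settingNumber = $null
    if ($report -match 'LDAPServerIntegrity</[^>]*KeyName>\s*<[^>]*SettingNumber>(\d+)<') {
        $settingNumber = [int]$Matches[1]
    }
    [pscustomobject]@{ Gpo = $GpoName; Defined = $true; SettingNumber = $settingNumber }
}

function Invoke-LdapSigningAudit {
    $reg = Get-LdapSigningRegistryState
    $gpo = Get-LdapSigningGpoState

    Write-Host "Registry $ValueName : $($reg.Value) -> $($reg.Meaning)"
    if ($gpo.Defined) {
        Write-Host "GPO '$($gpo.Gpo)' defines the setting (SettingNumber=$($gpo.SettingNumber));"
        Write-Host "any manual registry change will be reverted at the next policy refresh."
    } else {
        Write-Host "GPO '$($gpo.Gpo)' leaves the setting Not Defined; the registry value stands on its own."
    }
    # Return both objects so the result can be collected across several DCs.
    [pscustomobject]@{ Registry = $reg; Gpo = $gpo }
}

Invoke-LdapSigningAudit
```

Run it in an elevated PowerShell session on each domain controller (or wrap Get-LdapSigningRegistryState in Invoke-Command for remote DCs). The useful signal for the situation in the post is the combination "GPO Defined = true" together with a registry value you did not choose: that is the GPO reverting the manual change, and the only durable fix is the one the commenter describes, setting the policy to Not Defined rather than editing the registry.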