Microsoft@ZappBrannigan145 , KB5023788 is just the 14th of March 2023 update for Windows Server 2016. If you were already up to date with all other patches, all it should have done in this DCOM context is disable the ability to turn off the hardening and promotion features via registry keys. The two registry settings that are no longer used are defined or were defined in https://support.microsoft.com/en-gb/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c (hardening, controlled using registry key RequireIntegrityActivationAuthenticationLevel) and (promotion, controlled using registry key RaiseActivationAuthenticationLevel). The documentation for RequireIntegrityActivationAuthenticationLevel still exists, but there is no longer any mention of RaiseActivationAuthenticationLevel. Google links the term to the page for KB5004442 above, and I am sure it used to list both. The two registry keys were in the same location, being: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
When you say you can't apply KB's, I assume that means you can't apply registry changes as the patch has obviously been applied and then removed. From the behaviour, there must be a registry key involved. Have you checked the registry for the presence of either key? If RaiseActivationAuthenticationLevel is defined, it is likely doing more harm than good as it would be disabling the feature promotes activation requests automatically.
The general steps you need to take are scan your systems for the registry keys, check if you have any DCOM communication with a legacy system (one that can't be patched with the hardening and promotion changes). Also inspect the event log for occurrences of the new events that are generated when requests are sent or received that do not comply with the new requirements. They may help you to identify unexpected DCOM endpoints that you need to check for complete application of patching and/or state of registry keys. In general, I would remove any definitions of RaiseActivationAuthenticationLevel. If patching upto 8 November 2022 has been applied, promotion will be applied by default and to the best of my knowledge is harmless. Changes to the registry key values require a reboot to be effective. Also remove RaiseActivationAuthenticationLevel registry key. If you are not allowed to apply KB, I assume this should not be set anywhere, but it seems to me that one of these two keys is set, or you have a mixed environment. So when things are not working and patching as at least upto 8 November 2022 level, examine the event logs as described in KB5004442 and see if any of those systems are ones you have checked, then repeat on that system. It is complex and interrelated, but if you are on patched modern OSs, and promotion is in effect, there should be no problems left, at least problems that I am aware of.
