Microsoft Defender report - Stop weak cipher usage report

New Contributor
Spoiler
Spoiler

Hi,

This report "Stop weak cipher usage"
Based on which EventID he brings the data?

2 Replies

What do you see in weak cipher report details? If this is related to weak encryption (RC4, DES) that AD accounts are using then you would need to look for events related to kerberos protocol (4766-4768).

A fix for that is by going to AD account -> Properties -> Account -> Account options and tick 2 boxes "This account supports Kerberos AES 128/256 bit encryption". This would default account to use AES encryption rather than RC4. 

What does it say in the usage report? If it is related to accounts using weak encryption protocol, you should look for kerberos authentication event id. I had similar on MCAS where users reported using RC4 encryption. There is a setting under ADUC account properties to set to use 128/256 AES encryption. Then it defaults to using AES over RC4.