active directory
1004 Topics

Beyond RC4 for Windows authentication - Question regarding KB5073381
In KB5021131 MS recommends setting the value for DefaultDomainSupportedEncTypes to 0x38, in the new KB 5073381 it's 0x18. This removes the setting that forces "AES Session Keys" which should be fine if Kerberos Tickets can only use AES Encryption. But what about accounts that have RC4 enabled in their msds-supportedEncryptionTypes attribute? They could still use RC4 for Kerberos ticket encryption and would then also fall back to RC4 session ticket encryption. As far as I believe the DefaultDomainSupportedEncTypes was explicitly introduced to avoid this scenario. Or is there now some hard-coded mechanism that always ensures that Session Keys are AES encrypted?

170 Views, 0 likes, 1 Comment

Lots of DNS Server events 5504 on AD DNS server from Cloudflare etc
Hi! I'm getting about 18 events with id 5504 while trying to resolve some DNS names, like fullfiles.xyz. The DNS server is configured to use provider DNS and root hints. I can suppress these messages by disabling root hints or by disabling EDNS0 with dnscmd /config /EnableEDnsProbes 0. I tried to use packet capture on the DC and on the router, and analyzed the results with AI, which answered: "You receive malformed patterns on the WAN interface." Can anybody explain the cause of this problem? Any ideas to fix it? Thanks!

34 Views, 0 likes, 0 Comments

Force user to reset password in hybrid
Hi, we work in a hybrid environment at the moment, and it has been discovered that if you are using classic AD and reset a user's password and leave the tick-box saying user must change password at next logon, the password reset works! But, if you were to select the tick-box with the intention to make the user change their password, the password does not get reset and the user never gets asked to reset their password? Also, if you try and reset the user's password on AAD, you get the following error message: Because we cannot force the user to reset their password by AD or AAD, we have to tell the user to do it themselves by the classic Ctrl-Alt-Del method or set their personal password for them over the phone. So, what my question is, is why can I not force the user to change their password from either AD or AAD?

Solved, 98 Views, 0 likes, 2 Comments

Turning Off Tamper Protection on Workstations
How do I turn off Tamper Protection on a domain-joined Windows 11 workstation? The problem is a workstation has Windows Defender in Passive Mode instead of being in Not Running mode after installing a 3rd party antivirus. Windows Defender is making running network applications from the servers much slower because it's still real-time scanning. I also suspect Tamper Protection is also preventing network drive exclusions from working on this workstation and on the ones that use Windows Defender without a 3rd party antivirus. I've tried adding every registry entry, Group Policy, and PowerShell command on the local workstation I could find to disable Windows Defender, but nothing works. I'm assuming this is due to Tamper Protection ignoring everything? This is an on-premises domain and doesn't use Microsoft Intune or Microsoft Endpoint Configuration Manager.

Solved, 167 Views, 0 likes, 2 Comments

Add support for sha-2 and sha3 in Supported Kerberos Encryption Types
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797
https://web.mit.edu/kerberos/krb5-devel/doc/admin/enctypes.html#enctype-compatibility

It seems like `aes128-cts-hmac-sha256-128` and `aes256-cts-hmac-sha384-192` are supported by other Kerberos implementations, but not yet supported by Windows Server. Can those be added to Windows Server? Also can you please think about adding sha-3 based ones too?

2.4K Views, 1 like, 4 Comments

Securing ldap in Windows AD
Hello everyone. I would like to secure the use of LDAP within an Active Directory domain. My domain has three Windows 2022 DCs. Searching online, I found these suggestions:
-Enforce LDAPS (LDAP over SSL/TLS)
-Disable Plain-text LDAP Bindings
-Block or Restrict Port 389 (Optional but Recommended)
-Enable Channel Binding Tokens (CBT)
Does it make sense to only allow certain users to browse LDAP? Could limiting LDAP browsing to certain users cause problems? Thanks

97 Views, 0 likes, 1 Comment

Windows 11 automatically restarting after install security Update — With GPO and WSUS.
Hi everyone, I’m facing a strange behavior with Windows 11 devices that receive updates through WSUS and are fully managed via Group Policy. Here’s the scenario: We have a GPO configured as follows:
-Configure Automatic Updates → 4 (Auto download and schedule the install)
-Scheduled installation every day at 10:00
-Install during automatic maintenance → disabled
-Active Hours configured
-Turn off auto-restart for updates during active hours → Enabled
-Update deadlines set to 0 (to avoid any forced restart)
-No other restart-related policies set in the domain
Even with this configuration, after updates are installed, Windows 11 shows the following message: “Your organization manages update settings. We will restart and install this update at X minutes.” And then the device automatically restarts, even when:
-a user is logged in
-it is outside Active Hours
-deadlines are disabled
-no-auto-restart is enabled
This behavior does not happen on Windows 10 — only on Windows 11.

816 Views, 0 likes, 1 Comment

Windows server 2022 Time (can not change)
Hi, I have got Windows Server 2022 Standard - AD domain controller and I can't change the time. When I want to change it I see "some of these settings are hidden or managed by your organization". I checked GPO, I didn't find anything. Do you know where to find it? I really want to change the time manually.

Solved, 53K Views, 1 like, 7 Comments

Breaking Certutil changes in WS2025
I noticed yesterday that a certutil command I thought I could always rely on no longer works in Server 2025:

>certutil -cainfo xchg
CertUtil: -CAInfo command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
CertUtil: The parameter is incorrect.

Executing certutil -cainfo xchg was a handy command which would ask the local certificate authority to output its current CA Exchange certificate in Base64 format. If the CA didn't have a valid exchange cert at the time, it would immediately create a new one. Think of a CA Exchange certificate as a short-lived TLS cert which the CA provides clients when they need to upload private key material for archival. Anyway, looking at the help for certutil, the command still exists, however, it requires a new parameter:

xchg [Index] -- CA exchange cert

So, I figured [Index] had to refer to the CA certificate index. When you initially deploy an ADCS certification authority, the CA's initial certificate is at index 0. When you renew/re-key the CA, the new CA cert is at index 1. I tried using 0 for the [Index] parameter. No dice:

>certutil -cainfo xchg 0
CertUtil: -CAInfo command FAILED: 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER)
CertUtil: The parameter is incorrect.

I can't think of what else that parameter would be. Has anyone been able to successfully use this command on WS2025? If so, please share how!

88 Views, 0 likes, 0 Comments

Volume Activation role questions
We have a DC, running Server 2016 to decommission (call it old server). One of the roles it had was Volume Activation (VA). This is Active Directory based and the keys AD holds are both for clients (Win11) and servers (2016/19/22/25). I have removed the VA role from the server and tested with a server which I added to the domain and the OS activated successfully, so it looks like it is working. I noticed the _vlmcs SRV DNS record was not deleted and is still pointing to the old server. Since the old server is no longer having the VA role, is it safe to delete the DNS record for the _vlmcs SRV record? What else do I need to take into account? Thanks in advance

42 Views, 0 likes, 0 Comments