A list of updates that are rolled out in phases (aka enforcements) on Windows/Active Directory that I am aware of. Microsoft usually chooses this approach when it knows that the final implementation of the update will likely break things. That is why there are always one or more initial phases that introduce new events or audit capabilities, so you can check for potential impact before the final enforcement phase.
The first table lists update phases that are currently running. The second table lists enforcements that were once planned but then postponed (so I guess they will reappear in the future).
| Name | CVE | Initial Phases | Enforcement Phase | Event Log | Event IDs | Link |
|---|---|---|---|---|---|---|
| LDAP Permission changes | CVE-2021-42291 | Phase 1: 09.11.2021 | 09.01.2024 | Directory Service | 3044, 3045, 3046, 3047, 3048, 3049, 3050, 3051, 3052, 3053, 3054, 3055, 3056 | https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1 |
| Certificate-based authentication changes | CVE-2022-26923, CVE-2022-26931 | Phase 1: 10.05.2022; Phase 2: 11.04.2023 | 14.11.2023 | System (source is Kdcsvc) | 39, 40, 41 | https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16 - https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4 |
| New PAC signature | CVE-2022-37967 | Phase 1: 08.11.2022; Phase 2: 13.12.2022; Phase 3: 11.06.2023 | Initial Enforcement: 11.07.2023; Full Enforcement: 10.10.2023 | System (source is Kdcsvc) | 43, 44 | https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb |
| Netlogon - RPC Signing | CVE-2022-38023 | Phase 1: 08.11.2022; Phase 2: 11.04.2023; Phase 3: 13.06.2023 | 11.07.2023 | System (source is NETLOGON) | 5838, 5839, 5840, 5841 | https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25 |
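As an added example (not part of the original list), the following PowerShell snippet does the check the initial phases are meant to enable: it pulls the event IDs from the table above out of the named event logs on one or more domain controllers and counts them per ID and source, so you can see whether anything in your environment will be affected before the enforcement date. The domain controller name and the 30-day window are constructed placeholders; the log names and event IDs are the ones from the table. It assumes the account running it can read the domain controllers' event logs remotely.

```powershell
# Added example, not from the original page or from Microsoft.
# Placeholder list of domain controllers to query (constructed, replace with your own).
$DomainControllers = @('dc01.example.local')
# Only look at the last 30 days (constructed window, adjust as needed).
$Since = (Get-Date).AddDays(-30)

# Log names and event IDs as listed in the table of currently running enforcements.
$Checks = @(
    @{ Name = 'LDAP Permission changes (CVE-2021-42291)';          LogName = 'Directory Service'; Id = 3044..3056 }
    @{ Name = 'Certificate-based authentication (CVE-2022-26923)'; LogName = 'System';            Id = 39, 40, 41 }
    @{ Name = 'New PAC signature (CVE-2022-37967)';                LogName = 'System';            Id = 43, 44 }
    @{ Name = 'Netlogon RPC signing (CVE-2022-38023)';             LogName = 'System';            Id = 5838, 5839, 5840, 5841 }
)

$Results = foreach ($dc in $DomainControllers) {
    foreach ($check in $Checks) {
        $filter = @{ LogName = $check.LogName; Id = $check.Id; StartTime = $Since }

        # Get-WinEvent reports an error when no event matches the filter;
        # that simply means zero hits for this check, so suppress it.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue

        # One summary row per event ID that actually occurred.
        foreach ($group in ($events | Group-Object -Property Id)) {
            $newest = $group.Group | Sort-Object -Property TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                DomainController = $dc
                Enforcement      = $check.Name
                LogName          = $check.LogName
                EventId          = [int]$group.Name
                Source           = $newest.ProviderName
                Count            = $group.Count
                LastSeen         = $newest.TimeCreated
            }
        }
    }
}

# Empty output means none of the audit events fired in the window on the queried DCs.
$Results | Sort-Object -Property DomainController, Enforcement, EventId | Format-Table -AutoSize
```

The events only exist once the update that introduces the corresponding phase is installed on the domain controller, so an empty result on an unpatched DC says nothing about impact; check the patch level first. Querying every DC matters because each DC only logs what it handled itself.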
| Name | CVE | Initial Phases | Enforcement Phase | Event Log | Event IDs | Link |
|---|---|---|---|---|---|---|
| LDAP Channel Binding and LDAP Signing | ADV190023 | August 2019 | Planned for 10.03.2020, then postponed | Directory Service | 2889, 3039, 3040, 3041 | https://msrc.microsoft.com/update-guide/vulnerability/ADV190023 - https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-signing-in-windows-server - https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/configure-ad-and-lds-event-logging |