@cfalta
Last active April 12, 2023 08:39

Windows Updates with phased rollout

A list of updates addressed in a phased rollout (aka. enforcements) on Windows/Active Directory that I am aware of. Microsoft usually chooses this approach if they know that the final implementation of the update will likely break stuff. That's why there is always one or more initial phases that introduce new events or audit capabilities, so you can check for potential impact before the final enforcement phase.

The first table is a list of update phases which are currently running. The second table is a list of once planned but then postponed enforcements (so they will reappear in the future I guess).

Active enforcements

| Name | CVE | Initial Phases | Enforcement Phase | Event Log | EventCodes | Link |
|---|---|---|---|---|---|---|
| LDAP Permission changes | CVE-2021-42291 | Phase 1: 9.11.2021 | 09.01.2024 | Directory Service | 3044, 3045, 3046, 3047, 3048, 3049, 3050, 3051, 3052, 3053, 3054, 3055, 3056 | https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1 |
| Certificate-based authentication changes | CVE-2022-26923<br>CVE-2022-26931 | Phase 1: 10.05.2022<br>Phase 2: 11.04.2023 | 14.11.2023 | System (source is Kdcsvc) | 39, 40, 41 | https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16<br>https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4 |
| New PAC signature | CVE-2022-37967 | Phase 1: 08.11.2022<br>Phase 2: 13.12.2022<br>Phase 3: 11.06.2023<br>Initial Enforcement: 11.07.2023 | Full Enforcement: 10.10.2023 | System (source is Kdcsvc) | 43, 44 | https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb |
| Netlogon - RPC Signing | CVE-2022-38023 | Phase 1: 08.11.2022<br>Phase 2: 11.04.2023<br>Phase 3: 13.06.2023 | 11.07.2023 | System (source is NETLOGON) | 5838, 5839, 5840, 5841 | https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25 |

Postponed enforcements

| Name | CVE | Initial Phases | Enforcement Phase | Event Log | EventCodes | Link |
|---|---|---|---|---|---|---|
| LDAP Channel Binding and LDAP Signing | ADV190023 | August 2019 | Planned for 10.03.2020 but was then postponed | Directory Service | 2889, 3039, 3040, 3041 | https://msrc.microsoft.com/update-guide/vulnerability/ADV190023<br>https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-signing-in-windows-server<br>https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/configure-ad-and-lds-event-logging |

Completed enforcements

| Name | CVE | Initial Phases | Enforcement Phase | Event Log | EventCodes | Link |
|---|---|---|---|---|---|---|
| EFS Security Hardening aka. PetitPotam - finally!!! | CVE-2021-43217 | Phase 1: 14.12.2021 | 08.03.2022 | Application | 4420, 4421 | https://support.microsoft.com/en-us/topic/kb5009763-efs-security-hardening-changes-in-cve-2021-43217-719fbc9d-ad9b-4f90-a964-0afe40338002 |
| Kerberos PAC requestor enforcement | CVE-2021-42287 | Phase 1: 9.11.2021<br>Phase 2: 12.07.2022 | 11.10.2022 | System (source is Kdcsvc) | 35, 36, 37, 38 | https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041 |
| Office Macro hardening | - | - | Early April 2022 | - | - | https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805<br>https://admin.microsoft.com/Adminportal/Home?#/MessageCenter/:/messages/MC322553 |
| Windows DCOM Server Security Feature Bypass | CVE-2021-26414 | Phase 1: 08.06.2021<br>Phase 2: 14.06.2022 | 14.03.2023 | System | 10036, 10037, 10038 | https://support.microsoft.com/en-us/topic/kb5004442-manage-changes-for-windows-dcom-server-security-feature-bypass-cve-2021-26414-f1400b52-c141-43d2-941e-37ed901c769c |
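The point of the audit phases is that the listed event IDs tell you what will break before enforcement lands. As an added example (not part of the gist), this PowerShell snippet queries the logs and IDs from the tables above on a domain controller and summarises hits per enforcement; the `$Enforcements` list, the 7-day lookback and the Windows log name `Directory Service` are my assumptions, the event IDs are the ones in the tables.

```powershell
# Added example: check a DC for the audit events of each phased enforcement.
# Assumptions (not from the gist): $Enforcements, $Days, and the log name
# "Directory Service" as Windows spells it. Run on a domain controller.
$Days = 7
$Enforcements = @(
    @{ Name = 'LDAP permission changes (CVE-2021-42291)';          LogName = 'Directory Service'; Id = 3044..3056 }
    @{ Name = 'Certificate-based authentication (CVE-2022-26923)'; LogName = 'System';            Id = 39, 40, 41 }
    @{ Name = 'New PAC signature (CVE-2022-37967)';                LogName = 'System';            Id = 43, 44 }
    @{ Name = 'Netlogon RPC signing (CVE-2022-38023)';             LogName = 'System';            Id = 5838..5841 }
    @{ Name = 'LDAP channel binding / signing (ADV190023)';        LogName = 'Directory Service'; Id = 2889, 3039, 3040, 3041 }
    @{ Name = 'EFS hardening / PetitPotam (CVE-2021-43217)';       LogName = 'Application';       Id = 4420, 4421 }
    @{ Name = 'DCOM hardening (CVE-2021-26414)';                   LogName = 'System';            Id = 10036, 10037, 10038 }
)
$Since = (Get-Date).AddDays(-$Days)

$Report = foreach ($e in $Enforcements) {
    # FilterHashtable takes an array of IDs. Get-WinEvent raises a non-terminating
    # "No events were found" error on an empty result, so SilentlyContinue turns
    # that (and a missing log on a non-DC) into a zero-count row instead of noise.
    $filter = @{ LogName = $e.LogName; Id = @($e.Id); StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        [PSCustomObject]@{ Enforcement = $e.Name; EventId = '-'; Count = 0; LastSeen = $null; Sample = "no events in last $Days days" }
        continue
    }
    # One row per event ID: how often it fired, when it last fired, and the
    # first line of the newest message (which names the affected client/object).
    foreach ($group in ($events | Group-Object Id | Sort-Object { [int]$_.Name })) {
        $latest = $group.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [PSCustomObject]@{
            Enforcement = $e.Name
            EventId     = [int]$group.Name
            Count       = $group.Count
            LastSeen    = $latest.TimeCreated
            Sample      = ($latest.Message -split "`r?`n")[0]
        }
    }
}

$Report | Sort-Object Enforcement, EventId | Format-Table -AutoSize -Wrap
```

Any row with a non-zero count is a client, certificate or ACL that the enforcement phase will reject; chase those down before the enforcement date in the table.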