-
mcbsys
AskWoody Plus
Correct syntax (if WordPress doesn’t mess up the quotation marks):
reg delete "HKLM\System\CurrentControlSet\services\KDC" /v "KrbtgtFullPacSignature"
-
mcbsys
AskWoody Plus
So now that December patches have been installed successfully (“Resolved KB5021235”), are we good to remove the temporary registry value? This should work, right?
reg delete “HKLM\System\CurrentControlSet\services\KDC” -v “KrbtgtFullPacSignature”
-
mcbsys
AskWoody Plus
Seems like 2012R2 updates may not be cumulative (as they are with 2016+). Might need to install November before December, but you could still wait until December. The machine should tell you what’s applicable.
-
mcbsys
AskWoody Plus
Thanks for the heads-up. I’m going the regedit route on four DCs to which I applied November updates and OOB fixes in the past week. Notes:
- Two Server 2016 machines show lsass.exe using about 72K of memory on each machine. The registry key did not exist on either. Adding.
- Two Server 2012R2 machines show lsass.exe using 100K and 161K of memory. The registry key did not exist on either. Adding.
I don’t see any reboot requirement for applying this fix?
-
mcbsys
AskWoody Plus
Business patcher here. I installed November updates Monday night. No issues reported. Just deployed a script to check these two events in the System log:
Microsoft-Windows-Kerberos-Key-Distribution-Center – 14 – Error
Kdcsvc – 42 – Error
No reports coming back. In fact, on one DC that I checked, Kdcsvc isn’t even registered as an Event Source. I wondered if they meant KdsSvc.
What I’m unclear on, even if there were issues, would installing the applicable out-of-band updates fix the issues, or do I have to go through all the steps and scripts in those two DirTeam articles to mitigate manually?
[Insert another gripe about frequent OOB updates and long mitigation articles. How is one supposed to manage a few small servers in this break-now-fix-later environment? Synology? Azure?]
-
mcbsys
AskWoody Plus
Coming back to this. I may have figured it out for my case.
I discovered that if you run Wireshark on the server, you can filter on “dcom” and see the Auth level requested and in use. I’ve added AuthenticationHint and Auth level as columns (isystemactivator.properties,scmresp.authhint and dcercp.authlevel, respectively). Here we see “Packet integrity” is in use, but only on the initial connection (in the RemoteCreateInstance requests and responses):
Per this reference, AuthenticationHint=2 corresponds to RPC_C_AUTHN_LEVEL_CONNECT. So I’m requesting Connect and getting Packet Integrity, but only during the initial connection.
After increasing my DCOM proxy on the client to specify Packet Integrity, the AuthenticationHint increases to 5 (RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). More importantly, all the packets carry that Auth level = Packet integrity. So that is apparently what Packet integrity means, that every single packet has authentication info.
The thing that still seems odd to me is that even with the server set to enforce RequireIntegrityActivationAuthenticationLevel, it still wasn’t complaining (raising errors) when Auth level was set to Connect–maybe because that connection uses Packet integrity? I guess I could try setting the Authentication level to None to see if it would fail.
-
mcbsys
AskWoody Plus
August 9, 2022 at 11:34 am in reply to: Essentials 2016 connector without static DNS override? #2468764
Okay Robert, gold star for you! Poking around in the client registry, I found
HKLM\SOFTWARE\Microsoft\Windows Server\Networking\ServerDiscovery\SkipAutoDNSServerDetection
With that name, I was able to backtrack to
also archived as KB2862551:
https://mskb.pkisolutions.com/kb/2862551
which talks about disabling DNS detection for a single client or at the server level for all clients (HKLM\SOFTWARE\Microsoft\Windows Server\Networking\ClientDns\SkipAutoDnsConfig).
That article is about Rollup 3 for Essentials 2012. It’s not clear if that will work on 2016. The server key isn’t there on 2016. But I don’t see it on a 2012R2 Essentials box either.
This thread suggests that the registry “hacks” work on 2016 but only if you uninstall and reinstall the connector:
Well it’s worth a try!
Thanks everyone for your thoughts and suggestions.
-
mcbsys
AskWoody Plus
August 9, 2022 at 11:11 am in reply to: Essentials 2016 connector without static DNS override? #2468761
Robert,
Thanks very much for chiming in.
Wasn’t there a registry key you could set to stop it doing that?
Would love for it to be that simple!
As I’m writing I’m remembering something about that needing to be set at connector install time.
I don’t recall seeing any related options in the setup wizard.
What do you mean it doesn’t always work setting it back to DHCP? That the service kicks in and sets it back to static?
The other way around: it’s already static because you’re on site, but when you leave the LAN, it doesn’t revert to DHCP; it’s stuck on static. Which prevents the user from resolving anything on the Internet. So the service should detect that it’s off the LAN (maybe a failed ping to the IP of the server?), but it doesn’t.
Remind me, is there a service called WSS LAN Configuration on the client?
Not that I see. You mention the Windows Server LAN Configuration Service at the end of this article, but I guess that’s for 2012 R2 Essentials only?
-
mcbsys
AskWoody Plus
August 8, 2022 at 11:33 pm in reply to: Essentials 2016 connector without static DNS override? #2468667
I see this in one of the connected desktop’s ClientOperator.log:
[7912] 220808.212521.1989: ClientSetup: NetGetJoinInformation (server = [], …)
If I have time, I might try to take a laptop off site and check the logs for errors.
-
mcbsys
AskWoody Plus
August 8, 2022 at 10:33 pm in reply to: Essentials 2016 connector without static DNS override? #2468654
I posted on server-essentials.com about a week ago. The post showed awaiting moderation for a few days, then disappeared. Is that forum still active?
-
mcbsys
AskWoody Plus
August 8, 2022 at 6:59 pm in reply to: Essentials 2016 connector without static DNS override? #2468620
Thanks. Yeah workgroup mode might make it leave DNS alone in the NIC, but I do use the domain for Group Policy etc. so I want the laptop on the domain.
-
mcbsys
AskWoody Plus
Re. remote updates, when you manage critical systems far away, employ remote power control. WattBox has saved my bacon on more than one occasion. Sometimes it’s the Windows box running the PBX software that fails to reboot. Sometimes a long power outage throws off the whole network because modem, router, and switches don’t come back up in a nice sequence. A tech might make a change to a switch that takes the whole switch offline. As long as the startup config isn’t saved, a reboot can fix it. And so on.
Of course, things, or you, can still mess up in ways that power won’t fix. And there are more options, like out-of-band failover routers that connect to the cellular network and give you serial port access to equipment. But I’ve found that the remote power cycle covers most issues.
For smaller, less-critical systems like a desktop, the inexpensive TP-Link Kasa outlets could work. Not as reliable, but at four for $25, it could give you more time for weekend baking.
-
mcbsys
AskWoody Plus
@EricB, thanks for the suggestion. Interesting that you found your app using packet privacy in spite of the Connect specification.
Mine is a VB6 app, so getting down to those low-level functions would not be easy. It’s set up as a COM+ proxy, with DCOM configured as described in (archived) KB268550. I found KB926098 about tracing COM, but it requires Microsoft support to interpret the etl files.
I tried raising the auth level on the server to Packet Integrity and re-exporting the proxy. Once I uninstalled the old proxy on the client, I was able to install the new one with Auth Level = Packet Integrity. My app can still read and write records, so at least in an initial test, it’s unaffected by Packet Integrity. Whether there are issues with larger recordsets etc. remains to be seen.
I still don’t understand why I’m not seeing event log errors with Packet Integrity turned off!
-
mcbsys
AskWoody Plus
Susan,
Thanks for the heads-up/reminder. I use COM in a custom program I developed so I wanted to test this.
The server is 2012R2, so per this article, I need patch KB5006714. I can see that in my update history but oddly it’s not in the WMI list of applied hotfixes. Maybe it was superseded? I do see the 2022-06 rollup KB5014738 as installed.
My program uses Connect level authentication but even with hardening explicitly enabled in the server’s registry, I can’t get it to fail or create event log warnings.
Is there a test app, or a known failing app, that will confirm the hardening is working?
-
mcbsys
AskWoody Plus
Susan, thanks for this. Motivated by your CSO Online post, as a start, I’m setting up a group policy to
- Block Office applications from creating child processes D4F940AB-401B-4EFC-AADC-AD5F3C50688A
- Block Office applications from creating executable content 3B576869-A4EC-4529-8536-B80A7769E899
- Block Office applications from injecting into other processes 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
It’s hard for me to imagine a scenario in which any of these would ever be a good thing. I guess maybe if a customer were using custom Office scripts but 99% of small businesses won’t even know that is possible.
As usual, this is a vast subject covered by half a dozen Microsoft articles. The most helpful, succinct resource is this test bed: https://demo.wd.microsoft.com/Page/ASR. Too bad that’s going away in four days. Download the samples now! I was able to successfully test that child process creation is blocked.
BTW your video talks about looking for 1122 events in Microsoft-Windows-Security-Mitigations/KernelMode. From this article, that log may have other relevant events (2-23, 260), but the 1121 and 1122 events are in Microsoft-Windows-Windows Defender/Operational or Microsoft-Windows-Windows Defender/WHC. My test threw 1121:
Log Name: Microsoft-Windows-Windows Defender/Operational
Source: Microsoft-Windows-Windows Defender
Date: 6/11/2022 8:59:40 AM
Event ID: 1121
Task Category: None
Level: Warning
User: SYSTEM
Description:
Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Detection time: 2022-06-11T15:59:40.180Z
User: (unknown user)
Path: \\SERVER\Reference\TestFile_Block_Office_applications_from_creating_executable_content_3B576869-A4EC-4529-8536-B80A7769E899.docm
Process Name: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Target Commandline:
Parent Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "M:\Reference\IT Admin\2022.06 - Windows Defender Attack Surface Reduction\TestFile_Block_Office_applications_from_creating_executable_content_3B576869-A4EC-4529-8536-B80A7769E899.docm" /o ""
Involved File:
Inheritance Flags: 0x00000000
Security intelligence Version: 1.367.1391.0
Engine Version: 1.1.19200.6
Product Version: 4.18.2203.5
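The log check described in the post above, as an added example that is not part of the original post: it reads events 1121 and 1122 from Microsoft-Windows-Windows Defender/Operational and maps each rule ID to the three rules listed. The function names and the sample share path are assumptions, and the sample message is constructed in the layout of the quoted event.

```powershell
# Added example: rule names/GUIDs are the three from the post; function names are hypothetical.
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting into other processes'
}

# Pull one "Name: value" line out of the event description text.
function Get-AsrField([string]$Message, [string]$Name) {
    $pattern = '(?m)^\s*' + [regex]::Escape($Name) + ':[ \t]*(.*?)\s*$'
    $m = [regex]::Match($Message, $pattern)
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

# 1121 = rule fired in block mode, 1122 = rule fired in audit mode.
function ConvertFrom-AsrEvent([int]$Id, [string]$Message, [datetime]$TimeCreated) {
    $ruleId = Get-AsrField $Message 'ID'
    [pscustomobject]@{
        Time    = $TimeCreated
        Mode    = if ($Id -eq 1121) { 'Block' } else { 'Audit' }
        RuleId  = $ruleId
        Rule    = if ($ruleId -and $AsrRules.ContainsKey($ruleId)) { $AsrRules[$ruleId] } else { '(not one of the three rules above)' }
        Process = Get-AsrField $Message 'Process Name'
        Path    = Get-AsrField $Message 'Path'
    }
}

# Live query, for a machine where the policy applies.
function Get-AsrHit([int]$Days = 7) {
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-AsrEvent $_.Id $_.Message $_.TimeCreated }
}

# Constructed sample in the layout of the 1121 event quoted in the post.
$sample = @'
Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
 ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A
 Detection time: 2022-06-11T15:59:40.180Z
 User: (unknown user)
 Path: \\SERVER\Share\sample.docm
 Process Name: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
'@
ConvertFrom-AsrEvent 1121 $sample (Get-Date '2022-06-11T15:59:40Z') | Format-List
```

`Get-AsrHit | Group-Object Rule, Mode` gives a per-rule count, which is a quick way to see whether an audit-mode rollout would have blocked anything before switching to block mode.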