ZEROLOGON - GPO - Active Directory

Mike OConnor 31 Reputation points
2020-09-29T15:37:25.287+00:00

Hi there Microsoft!

I have an AD Domain running 2 x 2016 Domain Controllers (virtual) - FFL & DFL are both 2012R2 and were uplifted recently from 2008R2.

The single domain in a single forest has recently been uplifted from 2008R2, the old 2008r2 DCs were retired gracefully using DCPROMO.

Schema version is 87.

The 2016 DCs are both patched fully up to date too and the following reg key is present indicating that the patches have been applied successfully:-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"FullSecureChannelProtection"=dword:00000000

My question is this:-

In the Group Policy Console, within a brand new GPO - this configuration item is missing:-

"Domain Controller: Allow vulnerable Netlogon secure channel connections"

I can confirm that all ADMX Files are up to date.

Any help would be fantastic - I need to set some exceptions using this GPO before I can fix the ZEROLOGON issue.


8 additional answers

  1. Mike OConnor 31 Reputation points
    2020-10-02T12:35:51.097+00:00

    Hi guys - this has now been resolved for me - so thanks for the help.

    There's a good learning point here which has only become apparent through this exercise:-

    As mentioned in the OP - the forest in question was 2008R2 and has been uplifted to FFL 2012R2. At the start of the uplift - all DCs were fully patched.

    KB4577015 is a red herring and just complicated the situation - remove it if you have to until Microsoft resolve the issue.

    KB4571694 needs to be installed manually on both 2016 DCs in order to reveal the "Domain Controller: Allow vulnerable Netlogon secure channel connections" configuration item.

    I think that KB4571694 wasn't showing as being needed in WSUS because there were 2008R2 Domain Controllers kicking around. Even after the 2008R2 boxes were demoted, and the FFL & DFL raised - the DCs still wouldn't pick this up in WSUS.

    Anyways - all is good now. So thank you very much.

    Mike

    2 people found this answer helpful.
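The OP's registry check and the accepted answer's KB hunt both come down to three questions a DC admin wants answered before turning on enforcement: what is FullSecureChannelProtection actually set to, are the relevant updates recorded on the box, and which accounts are still using vulnerable Netlogon secure channels. The script below is an added example for this thread, not code posted by anyone in it. It assumes an elevated PowerShell session on each Windows Server 2016 DC and that the post-August-2020 Netlogon update is installed, since that is what writes events 5827 to 5831 to the System log. One caveat worth stating plainly: a value of 0 for FullSecureChannelProtection means enforcement mode is off, so vulnerable connections are still accepted (and logged as event 5829); only a value of 1 rejects them.

```powershell
# Added example for the thread above (not from the original posts).
# Assumptions: elevated PowerShell on a Server 2016 DC; the August 2020 or later
# Netlogon update is installed so that events 5827-5831 appear in the System log.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-NetlogonEnforcementState {
    # FullSecureChannelProtection: 1 = enforcement mode (vulnerable Netlogon
    # secure channel connections rejected unless a GPO exception applies),
    # 0 = enforcement off (connections still allowed, but logged as 5829).
    $props = Get-ItemProperty -Path $NetlogonParams -ErrorAction SilentlyContinue
    $value = if ($props) { $props.FullSecureChannelProtection } else { $null }

    if ($null -eq $value)   { $mode = 'Value not present (no explicit setting)' }
    elseif ($value -eq 1)   { $mode = 'Enforcement mode ON' }
    elseif ($value -eq 0)   { $mode = 'Enforcement mode OFF: vulnerable connections allowed and logged' }
    else                    { $mode = "Unexpected value $value" }

    [pscustomobject]@{ RegistryPath = $NetlogonParams; Value = $value; Mode = $mode }
}

function Get-ZeroLogonUpdateStatus {
    # KB numbers are the ones named in the thread. Get-HotFix only reports
    # updates recorded by Windows Update/installer, so "not found" is not
    # proof of absence when a newer cumulative update superseded the KB.
    foreach ($kb in 'KB4571694', 'KB4577015') {
        $hf = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
        [pscustomobject]@{
            KB          = $kb
            Installed   = [bool]$hf
            InstalledOn = if ($hf) { $hf.InstalledOn } else { $null }
        }
    }
}

# Netlogon event IDs written by the updated DC and what each one means.
$NetlogonEventMeaning = @{
    5827 = 'DENIED: machine account attempted a vulnerable Netlogon secure channel'
    5828 = 'DENIED: trust account attempted a vulnerable Netlogon secure channel'
    5829 = 'ALLOWED (enforcement off): machine account used a vulnerable connection'
    5830 = 'ALLOWED by GPO exception: machine account'
    5831 = 'ALLOWED by GPO exception: trust account'
}

function Get-VulnerableNetlogonActivity {
    # Summarises the last $Days days of Netlogon secure channel events so the
    # accounts that still need fixing (or a deliberate exception) are visible
    # before FullSecureChannelProtection is set to 1.
    param([int]$Days = 7)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Id        = 5827, 5828, 5829, 5830, 5831
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue   # "no events found" is reported as an error; treat as empty

    foreach ($group in ($events | Group-Object Id)) {
        $id = [int]$group.Name
        [pscustomobject]@{
            EventId = $id
            Meaning = $NetlogonEventMeaning[$id]
            Count   = $group.Count
            Sample  = ($group.Group | Select-Object -First 1).Message
        }
    }
}

# Run the three checks on this DC.
Get-NetlogonEnforcementState | Format-List
Get-ZeroLogonUpdateStatus    | Format-Table -AutoSize
Get-VulnerableNetlogonActivity -Days 7 | Format-Table -AutoSize -Wrap
```

Run it on every DC, not just one: the registry value and the event log are per-DC, so a forest can have one DC enforcing and another still in the deployment phase. Any 5829 event names a machine account that will start failing once enforcement is switched on, which is exactly the list the "Allow vulnerable Netlogon secure channel connections" GPO exception is meant to hold while the device is patched or replaced.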

  2. Dave Patrick 426.4K Reputation points MVP
    2020-09-29T18:00:25.507+00:00

    I'd look for it in local security policy gpedit.msc. Also note if you have installed the September 8, 2020—KB4577015 then this dialog was broken by the update.

    [screenshot: 29169-image.png]

    --please don't forget to Accept as answer if the reply is helpful--


  3. Mike OConnor 31 Reputation points
    2020-09-30T11:41:43.857+00:00

    Hiya,

    Local and Domain group policy editors both crash the MMC when trying to access that function since the Sep20 patch went on.

    I have built a spare 2012r2 server to access the Domain GP Console which works fine - BUT the features within the GPO are still missing and I'm not sure how to enable them.

    Any ideas?


  4. Dave Patrick 426.4K Reputation points MVP
    2020-09-30T12:17:22.07+00:00

    I'd look for it in local security policy gpedit.msc. As mentioned, if you have installed the September 8, 2020—KB4577015 then this dialog was broken by the update, so for now the only option is to uninstall KB4577015.

    --please don't forget to Accept as answer if the reply is helpful--
