ZEROLOGON - GPO - Active Directory

Mike OConnor 31 Reputation points
2020-09-29T15:37:25.287+00:00

Hi there Microsoft!

I have an AD Domain running 2 x 2016 Domain Controllers (virtual) - FFL & DFL are both 2012R2 and were uplifted recently from 2008R2.

The single domain in a single forest has recently been uplifted from 2008R2; the old 2008R2 DCs were retired gracefully using DCPROMO.

Schema version is 87.

The 2016 DCs are both patched fully up to date too and the following reg key is present indicating that the patches have been applied successfully:-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"FullSecureChannelProtection"=dword:00000000

My question is this:-

In the Group Policy Console, within a brand new GPO - this configuration item is missing:-

"Domain Controller: Allow vulnerable Netlogon secure channel connections"

I can confirm that all ADMX Files are up to date.

Any help would be fantastic - I need to set some exceptions using this GPO before I can fix the ZEROLOGON issue.


Accepted answer
  1. Anonymous
    2020-09-30T19:07:48.073+00:00

    I'd check that this one has been installed.
    August 11, 2020—KB4571694 (OS Build 14393.3866)
    https://www.catalog.update.microsoft.com/Search.aspx?q=KB4571694

    --please don't forget to Accept as answer if the reply is helpful--


8 additional answers

  1. Mike OConnor 31 Reputation points
    2020-09-30T19:03:49.653+00:00

    Ok - I have removed the offending KB and have rebooted. I can now access that particular portion of the MMC without it crashing.

    BUT

    When looking at either the local group policy console, or the domain one - I still can't see this missing configuration item:-

    "Domain Controller: Allow vulnerable Netlogon secure channel connections"

    Any ideas?


  2. ChrisDz 26 Reputation points
    2020-10-02T07:22:08.997+00:00

    Hello,
    I have the same issue:
    "Domain Controller: Allow vulnerable Netlogon secure channel connections" is missing!!

    Is it possible that the patched server wasn't the PDC emulator, and that another DC overwrote the PolicyDefinitions folder with older ADMX files (in the patched server's SYSVOL) during FRS replication?

    thanks


  3. Anonymous
    2020-10-02T12:37:52.84+00:00

    Glad to hear, you're welcome.

    --please don't forget to Accept as answer if the reply is helpful--


  4. ChrisDz 26 Reputation points
    2020-10-05T14:35:28.86+00:00

    Thanks for your answer!!

    KB4571694 needs to be installed manually on both 2016 DCs in order to reveal the "Domain Controller: Allow vulnerable Netlogon secure channel connections" configuration item.

    What is the mechanism behind that? Just out of curiosity.

    regards

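The following PowerShell is an added example, not code posted in this thread or published by Microsoft. It is meant to be run on each 2016 DC and answers the two practical questions raised above: the original question's "is the setting going to show up, and which computers need an exception", and the follow-up's "why must the KB be on the DC itself". Two points are assumptions, not confirmed by the thread: that GPMC builds the Security Options list from the local Security Configuration Engine registration under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values` (which is why the update has to be on the DC running the console, not merely in the central ADMX store), and that the System-log events 5827 to 5831 are the Netlogon events the August 2020 update writes for vulnerable secure channel connections. The function name `Test-NetlogonPolicyReadiness` is hypothetical; `FullSecureChannelProtection` and `KB4571694` are taken from the thread.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Run on each 2016 DC, or via Invoke-Command.
# Assumptions are marked where they apply.

function Test-NetlogonPolicyReadiness {
    param(
        [string]$Kb = 'KB4571694'   # KB named in the accepted answer
    )

    # 1. Is the August 2020 cumulative update present on this DC?
    #    Get-HotFix errors when the ID is absent, so suppress that and test for null.
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue

    # 2. Netlogon enforcement switch (value quoted in the question) and the
    #    allow list that the Security Option writes once it is configured.
    $nlPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $nl = Get-ItemProperty -Path $nlPath -ErrorAction SilentlyContinue

    # 3. ASSUMPTION: GPMC populates Security Options from the local SCE
    #    registration, not from ADMX files. If no subkey with a matching
    #    DisplayName exists here, the console on this DC cannot show the item.
    $scePath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit\Reg Values'
    $registered = Get-ChildItem -Path $scePath -ErrorAction SilentlyContinue |
        Where-Object {
            (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DisplayName -like '*Netlogon secure channel*'
        }

    # 4. ASSUMPTION on event IDs: 5829 = vulnerable connection allowed (the
    #    accounts you would need exceptions for), 5827/5828 = denied,
    #    5830/5831 = allowed because of the exception policy.
    #    Get-WinEvent errors when nothing matches; treat that as zero events.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5827, 5828, 5829, 5830, 5831 } -ErrorAction SilentlyContinue
    $counts = @{}
    foreach ($e in $events) { $counts[$e.Id] = 1 + [int]$counts[$e.Id] }

    [pscustomobject]@{
        Computer                    = $env:COMPUTERNAME
        UpdateInstalled             = [bool]$hotfix
        FullSecureChannelProtection = $nl.FullSecureChannelProtection
        VulnerableChannelAllowList  = $nl.VulnerableChannelAllowList
        PolicyVisibleInGpmc         = [bool]$registered
        VulnerableConnections5829   = [int]$counts[5829]
        Denied5827And5828           = [int]$counts[5827] + [int]$counts[5828]
        AllowedByPolicy5830And5831  = [int]$counts[5830] + [int]$counts[5831]
    }
}

# Example call on the DC where you open GPMC; repeat on the second DC.
Test-NetlogonPolicyReadiness | Format-List
```

If `UpdateInstalled` is true but `PolicyVisibleInGpmc` is false, the console has not picked up the new Security Option registration, which is the symptom described in the question; if `VulnerableConnections5829` is non-zero, the events behind that count identify the accounts that still need either fixing or a deliberate exception before `FullSecureChannelProtection` is set to enforce.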
