Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472

Microsoft addressed a Critical RCE vulnerability affecting the Netlogon protocol (CVE-2020-1472) on August 11, 2020. We are reminding our customers that beginning with the February 9, 2021 Security Update release we will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices. DC enforcement mode requires that all Windows and non-Windows devices use secure RPC with the Netlogon secure channel, unless customers have explicitly allowed a specific non-compliant device's account to keep making vulnerable connections by adding an exception for that device.

Customers should review the updated FAQ guidance from August, which provides further clarity on this upcoming change, and complete the following steps:

  • UPDATE your Domain Controllers with an update released August 11, 2020 or later. 
  • FIND which devices are making vulnerable connections by monitoring event logs. 
  • ADDRESS non-compliant devices making vulnerable connections. 
  • ENABLE Domain Controller enforcement mode to address CVE-2020-1472 in your environment. 
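The FIND and ENABLE steps above come down to reading the Netlogon events that the August 2020 (or later) DC update writes to the System log and checking the DC's enforcement setting. The following PowerShell is an added example, not code from this post or from Microsoft: the event IDs 5827-5831, the FullSecureChannelProtection registry value and the VulnerableChannelAllowList value are documented by Microsoft, while the function names, the grouping and the message-parsing regex are this example's own assumptions.

```powershell
# Added example (not part of the MSRC post). Run in an elevated shell on a domain
# controller, or pass -ComputerName to query a remote DC (remote event log and
# Remote Registry access required).

# Meaning of the Netlogon event IDs queried below (System log, provider NETLOGON):
#   5827 / 5828  vulnerable connection DENIED  (machine account / trust account)
#   5829         vulnerable connection ALLOWED during the initial deployment phase
#   5830 / 5831  vulnerable connection ALLOWED by an explicit exception (machine / trust)
$NetlogonEventMeaning = @{
    5827 = 'Denied (machine account)'
    5828 = 'Denied (trust account)'
    5829 = 'Allowed - deployment phase (machine account)'
    5830 = 'Allowed - explicit exception (machine account)'
    5831 = 'Allowed - explicit exception (trust account)'
}

function Get-VulnerableNetlogonConnections {
    <# One row per (event type, account) seen in the last $Days days on $ComputerName.
       Accounts listed under 5829 are the devices enforcement mode will start blocking. #>
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829, 5830, 5831
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no vulnerable connections".
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    $events |
        ForEach-Object {
            # The message body names the account ("Machine SamAccountName: HOST$" or
            # "Trust Account SamAccountName: ..."). Extracting it by regex is a heuristic
            # chosen here to avoid depending on positional Properties[] indices.
            $account = if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
            [pscustomobject]@{
                DomainController = $ComputerName
                EventId          = $_.Id
                Meaning          = $NetlogonEventMeaning[$_.Id]
                Account          = $account
                LastSeen         = $_.TimeCreated
            }
        } |
        Group-Object EventId, Account |
        ForEach-Object {
            $latest = $_.Group | Sort-Object LastSeen -Descending | Select-Object -First 1
            $latest | Add-Member -NotePropertyName Count -NotePropertyValue $_.Count -PassThru
        } |
        Sort-Object EventId, Account
}

function Get-NetlogonEnforcementState {
    <# Reports the DC-side registry values that control enforcement mode and exceptions. #>
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)
    $keyPath = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $base.OpenSubKey($keyPath)
    try {
        # FullSecureChannelProtection = 1 -> enforcement mode; 0 or absent -> initial deployment
        # phase (vulnerable connections are logged as 5829 but still allowed). With the
        # February 9, 2021 update, enforcement is on by default regardless of this value.
        $fscp = $key.GetValue('FullSecureChannelProtection', $null)
        # VulnerableChannelAllowList is written by the policy "Domain controller: Allow
        # vulnerable Netlogon secure channel connections"; listed accounts still log 5830/5831.
        $allow = $key.GetValue('VulnerableChannelAllowList', $null)
        [pscustomobject]@{
            DomainController            = $ComputerName
            FullSecureChannelProtection = $fscp
            EnforcementMode             = ($fscp -eq 1)
            VulnerableChannelAllowList  = $allow
        }
    } finally {
        if ($key)  { $key.Dispose() }
        if ($base) { $base.Dispose() }
    }
}

# Usage: run against each domain controller and triage every 5829 account before
# February 9, 2021; any 5830/5831 rows are exceptions that should be reviewed and retired.
Get-NetlogonEnforcementState | Format-List
Get-VulnerableNetlogonConnections -Days 30 | Format-Table -AutoSize
```

Because each DC only logs the connections it served, run the inventory on every domain controller (or forward the System log centrally) rather than on a single one; a device that authenticates only against a branch-office DC will otherwise be missed until enforcement blocks it.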

Organizations that deploy Microsoft Defender for Identity (previously Azure Advanced Threat Protection) or Microsoft 365 Defender (previously Microsoft Threat Protection) are able to detect adversaries as they try to exploit this specific vulnerability against their domain controllers. 

Aanchal Gupta 
VP Engineering, MSRC