Security hardening changes needed on domain controllers in IT environments to address CVE-2022-37967 will enter the Third deployment phase, as outlined in KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967 on June 13, 2023. Previous announcements had listed this change as taking place in April, however, that date has changed.

Security Hardening Changes Needed on Domain Controllers

Microsoft has announced that security hardening changes needed on domain controllers in IT environments to address CVE-2022-37967 will enter the Third deployment phase on June 13, 2023. This change was previously listed as taking place in April, however, that date has changed.

Bypassing Security Hardening Requirements

At this time, it is still possible to bypass security hardening requirements using the guidance provided in KB5020805. However, beginning with the June 13, 2023 updates, the ability to bypass hardening measures will be reduced. To help protect your environment and prevent outages, Microsoft recommends updating Windows domain controllers with a Windows update released on or after November 8, 2022, moving Windows domain controllers to Audit mode by using the Registry Key setting, and enabling enforcement mode as soon as possible.

Additional Deployment Phases

Additional deployment phases in July 2023 and October 2023 will raise the default minimum for the security hardening changes for CVE-2022-37967, and environments must be compliant before installing updates for each phase onto your domain controller. Microsoft recommends moving to enforcement mode as soon as possible.

“To help protect your environment and prevent outages, we recommend that you update your Windows domain controllers with a Windows update released on or after November 8, 2022, move your Windows domain controllers to Audit mode by using the Registry Key setting, and enable enforcement mode as soon as possible.”

Key points from the article:

From the Microsoft Windows Message Center

---