Note: This process requires Network Administrator level access.

The November 8, 2022 and later Windows updates address weaknesses in the Netlogon protocol when RPC signing is used instead of RPC sealing. More information can be found in CVE-2022-38023, see Related Content.

Follow the steps to ensure SMTP NTLMv1 continuity on Windows 2012 after deployment of Windows updates to address CVE-2022-38023 (November 2022 and later Windows updates) and prior to the Enforcement Phase (July 11, 2023, deployment of KB5028223).

1. Refer to KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023, see Related Content.

2. Prior to deployment of Windows updates (KB5028223) that would initiate Enforcement Phase for CVE-2022-38023, set the RequireSeal registry key to 1, for Compatibility mode, as detailed in the link at step 1.

3. If needed, manually create and set the "RequireSeal" registry key, see Related Content.

RequireSeal subkey:

Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Value: RequireSeal
Data Type: REG_DWORD
Data:
  0 – Disabled
  1 – Compatibility mode. Windows domain controllers will require that Netlogon clients use RPC Seal if they are running Windows, or if they are acting as either domain controllers or Trust accounts.
  2 – Enforcement mode. All clients are required to use RPC Seal.
Restart Required? No

To create the key manually, at "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters":

a. Right-click on the right window, from the context menu, choose New, and then DWORD (32-bit) Value.

b. On the new DWORD, type "RequireSeal" and click Enter.

   Note: It is very important to ensure that the R and S are capitalized and there is no space; if not, the key will not be recognized.

c. Next, double-click the key to open the key editor. From the editor, set the value under Value data: to 1, and then click OK.

After Compatibility Mode is set, it will remain configured through future Windows updates beyond the Enforcement Phase, allowing the continued functionality of NTLMv1 for SMTP.

Related Content:
- CVE-2022-38023
- KB5021130
- Create and Set the "Required Seal" Registry Key Manually
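The registry steps above can also be checked and applied from an elevated PowerShell session on the domain controller. This is an added example, not part of the original article or vendor guidance; the `-Apply` switch and the function name `Get-RequireSealState` are hypothetical names chosen here. Without `-Apply` it only reports the current state, including misnamed values such as "Require Seal" that the manual steps warn about.

```powershell
# Added example: audit the Netlogon RequireSeal value and optionally set it to 1.
param(
    [switch]$Apply   # hypothetical switch: without it the script only reports
)

$Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Name  = 'RequireSeal'
$Modes = @{ 0 = 'Disabled'; 1 = 'Compatibility mode'; 2 = 'Enforcement mode' }

function Get-RequireSealState {
    $key   = Get-Item -LiteralPath $Path -ErrorAction Stop
    $names = $key.GetValueNames()
    # Near-miss names (wrong case, embedded or trailing space) left by manual typing
    $lookalikes = $names | Where-Object {
        ($_ -replace '\s', '') -ieq $Name -and $_ -cne $Name
    }
    $present = $names -ccontains $Name
    [pscustomobject]@{
        Present    = $present
        Kind       = if ($present) { $key.GetValueKind($Name) } else { $null }
        Data       = if ($present) { $key.GetValue($Name) } else { $null }
        Lookalikes = @($lookalikes)
    }
}

$state = Get-RequireSealState
if ($state.Lookalikes.Count -gt 0) {
    $list = ($state.Lookalikes | ForEach-Object { "'$_'" }) -join ', '
    Write-Warning "Misnamed value(s) found: $list"
}
if (-not $state.Present) {
    Write-Output "$Name is not set."
} elseif ($state.Kind -ne 'DWord') {
    Write-Warning "$Name exists but is $($state.Kind), expected REG_DWORD."
} else {
    Write-Output "$Name = $($state.Data) ($($Modes[[int]$state.Data]))"
}

if ($Apply) {
    if ($state.Lookalikes.Count -gt 0) { throw 'Remove the misnamed value(s) first, then re-run.' }
    if ($state.Data -eq 2) { Write-Warning 'Changing Enforcement mode (2) to Compatibility mode (1).' }
    # -Force overwrites an existing value, including one created with the wrong type
    New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    $after = Get-RequireSealState
    Write-Output "$Name now = $($after.Data) ($($Modes[[int]$after.Data]))"
}
```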