Search

MC354543 – Reminder: Windows Distributed Component Object Model (DCOM) Hardening changes coming June 14 (archived)

cloudscout.one Icon

check before: 2022-06-14

Product:

Office 365 general

Platform:

World tenant, Online

Status:

Change type:

Admin impact

Links:

Details:

In 2021, CVE-2021-26414 was created to track a security vulnerability discovered in the Windows Distributed Component Object Model (DCOM) Remote Protocol. The Windows updates that were released in September 2021 and later address this vulnerability by including changes that will progressively increase security hardening in DCOM. We recommended that you verify if client or server applications that use DCOM or RPC work as expected with the hardening changes enabled. Some configurations might require action by June 14, 2022, to ensure normal operations.


When will this happen:
Refer to the below timeline to understand the progressive hardening coming to DCOM in 2022.


June 8, 2021: Hardening changes disabled by default but with the ability to enable them using a registry key.
June 14, 2022: Hardening changes enabled by default but with the ability to disable them using a registry key.
March 14, 2023: Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.

Change Category:
XXXXXXX ...

Scope:
XXXXXXX ...

Release Phase:

Created:
2022-04-08

updated:
2022-08-27

the free basic plan is required to see all details. Sign up here

A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.

Login
Get a Plan

changes*

DatePropertyoldnew
2022-09-15MC prepareDuring the timeline phases in which hardening changes can be enabled or disabled (prior to March 14, 2023), users can use the following registry key:


Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
Value Name: "RequireIntegrityActivationAuthenticationLevel"
Type: dword
Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to disabled. You must enter Value Data in hexadecimal format.


Devices must be restarted after setting this registry key, for it to take effect. Enabling the registry key above will make DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.


To help identify applications that might have compatibility issues after DCOM security hardening changes are enabled, new DCOM error events were added in the System log, and can be found with Message IDs 10036, 10037 and 10038.


If issues are encountered during testing, contact the vendor for the affected client or server software for an update or workaround.


Additional Information:
It is important to ensure proper testing for this change. Please review the below documentation.


KB5004442: Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)
CVE-2021-26414: Windows DCOM Server Security Feature Bypass
ps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmsrc.microsoft.com%2Fupdate-guide%2Fvulnerability%2FCVE-2021-26414&data=04%7C01%7CMabel.Gomes%40microsoft.com%7C502abf7ef93c484d785108d9fb12f0dc%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637816881046259912%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=5ab3ltoii45jKILARgQxIbzYtP1hrSTrL4qVdNt%2FdJg%3D&reserved
ps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F5004442&data=04%7C01%7CMabel.Gomes%40microsoft.com%7C502abf7ef93c484d785108d9fb12f0dc%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637816881046259912%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=ZvEM51z9%2BpIs6kwmQnxei2WvCBGCEKSxzj7TuSuN7sM%3D&reserved		During the timeline phases in which hardening changes can be enabled or disabled (prior to March 14, 2023), users can use the following registry key:


Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
Value Name: "RequireIntegrityActivationAuthenticationLevel"
Type: dword
Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to disabled. You must enter Value Data in hexadecimal format.


Devices must be restarted after setting this registry key, for it to take effect. Enabling the registry key above will make DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.


To help identify applications that might have compatibility issues after DCOM security hardening changes are enabled, new DCOM error events were added in the System log, and can be found with Message IDs 10036, 10037 and 10038.


If issues are encountered during testing, contact the vendor for the affected client or server software for an update or workaround.


Additional Information:
It is important to ensure proper testing for this change. Please review the below documentation.


KB5004442: Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)
CVE-2021-26414: Windows DCOM Server Security Feature Bypass
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmsrc.microsoft.com%2Fupdate-guide%2Fvulnerability%2FCVE-2021-26414&data=04%7C01%7CMabel.Gomes%40microsoft.com%7C502abf7ef93c484d785108d9fb12f0dc%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637816881046259912%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=5ab3ltoii45jKILARgQxIbzYtP1hrSTrL4qVdNt%2FdJg%3D&reserved=0
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F5004442&data=04%7C01%7CMabel.Gomes%40microsoft.com%7C502abf7ef93c484d785108d9fb12f0dc%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637816881046259912%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=ZvEM51z9%2BpIs6kwmQnxei2WvCBGCEKSxzj7TuSuN7sM%3D&reserved=0
2022-08-27MC prepareDuring the timeline phases in which hardening changes can be enabled or disabled (prior to March 14, 2023), users can use the following registry key:


Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
Value Name: "RequireIntegrityActivationAuthenticationLevel"
Type: dword
Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to disabled. You must enter Value Data in hexadecimal format.


Devices must be restarted after setting this registry key, for it to take effect. Enabling the registry key above will make DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.


To help identify applications that might have compatibility issues after DCOM security hardening changes are enabled, new DCOM error events were added in the System log, and can be found with Message IDs 10036, 10037 and 10038.


If issues are encountered during testing, contact the vendor for the affected client or server software for an update or workaround.


Additional Information:
It is important to ensure proper testing for this change. Please review the below documentation.


KB5004442: Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)
CVE-2021-26414: Windows DCOM Server Security Feature Bypass
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmsrc.microsoft.com%2Fupdate-guide%2Fvulnerability%2FCVE-2021-26414&data=04%7C01%7CMabel.Gomes%40microsoft.com%7C502abf7ef93c484d785108d9fb12f0dc%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637816881046259912%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=5ab3ltoii45jKILARgQxIbzYtP1hrSTrL4qVdNt%2FdJg%3D&reserved=0
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F5004442&data=04%7C01%7CMabel.Gomes%40microsoft.com%7C502abf7ef93c484d785108d9fb12f0dc%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637816881046259912%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=ZvEM51z9%2BpIs6kwmQnxei2WvCBGCEKSxzj7TuSuN7sM%3D&reserved=0		During the timeline phases in which hardening changes can be enabled or disabled (prior to March 14, 2023), users can use the following registry key:


Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat
Value Name: "RequireIntegrityActivationAuthenticationLevel"
Type: dword
Value Data: default = 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to disabled. You must enter Value Data in hexadecimal format.


Devices must be restarted after setting this registry key, for it to take effect. Enabling the registry key above will make DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation.


To help identify applications that might have compatibility issues after DCOM security hardening changes are enabled, new DCOM error events were added in the System log, and can be found with Message IDs 10036, 10037 and 10038.


If issues are encountered during testing, contact the vendor for the affected client or server software for an update or workaround.


Additional Information:
It is important to ensure proper testing for this change. Please review the below documentation.


KB5004442: Manage changes for Windows DCOM Server Security Feature Bypass (CVE-2021-26414)
CVE-2021-26414: Windows DCOM Server Security Feature Bypass
ps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmsrc.microsoft.com%2Fupdate-guide%2Fvulnerability%2FCVE-2021-26414&data=04%7C01%7CMabel.Gomes%40microsoft.com%7C502abf7ef93c484d785108d9fb12f0dc%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637816881046259912%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=5ab3ltoii45jKILARgQxIbzYtP1hrSTrL4qVdNt%2FdJg%3D&reserved
ps://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsupport.microsoft.com%2Fhelp%2F5004442&data=04%7C01%7CMabel.Gomes%40microsoft.com%7C502abf7ef93c484d785108d9fb12f0dc%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637816881046259912%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=ZvEM51z9%2BpIs6kwmQnxei2WvCBGCEKSxzj7TuSuN7sM%3D&reserved

*starting April 2022

Last updated 12 months ago

Related Posts:

  • cloudscout.one Icon
    MC708249 - Reminder: Changes to Windows Boot Manager…     19. January 2024 Administration check before: 2024-04-09 Product: Office 365 general, Windows Platform: Windows Desktop, World tenant Status: Change type: Admin impact Links: Details: Windows updates released July 11, 2023 and later include security measures which protect against a…
  • Microsoft Teams logo
    MC761226 - Microsoft Copilot with Graph-grounded…     29. March 2024 Administration check before: 2024-04-12 Product: Copilot, Microsoft Search, Teams Platform: Developer, World tenant Status: Change type: Feature update, User impact Links: Details: Microsoft Copilot's "work" scope is being upgraded to GPT-4 Turbo model, resulting in faster…
  • Outlook logo
    386905 - Microsoft Viva: Viva Engage navigation…     6. March 2024 General Availability *For this entry exists the more relevant or more recent entry MC732105 check before: 2024-03-01 Product: Microsoft Viva, Microsoft Viva Engage, Outlook, Teams Platform: Web, World tenant Status: Launched Change type: Links: MC732105 Details: Updates…
  • cloudscout.one Icon
    MC711011 - Plan for Change Reminder: Windows 365…     30. January 2024 Administration check before: 2024-02-13 Product: Windows 365 Platform: Windows Desktop, World tenant Status: Change type: Admin impact Links: MC681883 Details: As previously mentioned in MC681883, Windows 365 will streamline its network requirements by eliminating various endpoints…
  • cloudscout.one Icon
    MC735745 - 90-Day Reminder: Windows 10, version 21H2…     14. March 2024 Administration check before: 2024-03-27 Product: Windows Platform: Education, Windows Desktop, World tenant Status: Change type: Admin impact Links: Details: On June 11, 2024, Enterprise, Education, and IoT Enterprise editions of Windows 10, version 21H2 will reach…
  • OneDrive for Business logo
    MC703758 - Reminder: Stream (Classic) retires on…     4. January 2024 Administration check before: 2024-01-18 Product: eDiscovery, Microsoft 365 Apps, Microsoft Graph, Microsoft Viva Connections, Microsoft Viva Engage, OneDrive, SharePoint, Stream, Teams Platform: Developer, Multi-Geo, Web, World tenant Status: Change type: User impact, Admin impact, Retirement Links:…

Leave a Reply

Share to MS Teams

cloudscout.one

Consolidated Microsoft 365 Roadmap and Message Center analysis for Office 365 operations and change management.

Support

Schierding.one GmbH

Alleenstraße 16
78549 Spaichingen
Phone: +49 (0)7424 60899-09
E-Mail: info@schierding.one
Amtsgericht Stuttgart (HRB 767585)
USt-ID DE321821109

Legal:

Privacy Policy

Imprint

FAQ

Login to your account

Welcome Back, We Missed You!