(Updated) Security hardening for Microsoft RPC Netlogon protocol

Message Center ID: MC1113050
Windows
Plan for Change
Admin impact
May 2025, July 2025, August 2025

Details

(Update: This post was updated to clarify that the change was Enabled by Default on Windows Server 2025 in May 2025 and to add information about how to configure this change.) 

Microsoft has introduced a hardening change to strengthen the Microsoft RPC Netlogon protocol by blocking RPC anonymous requests used to locate domain controllers. This change was Enabled by Default in the May 2025 Windows security update for Windows Server 2025, and in the July 2025 Windows security update for all supported versions from Windows Server 2008 SP2 through Windows Server 2022. This change is configurable by policy after installing the August 2025 Windows security update. See the article, KB5066014—Netlogon RPC Hardening (CVE-2025-49716), for details. 
 
After applying these updates and subsequent updates, Active Directory domain controllers will reject certain anonymous RPC requests. This may affect interoperability with services like Samba unless they are updated to meet the new access requirements.
 
To prepare for this update, review your environment for any dependencies on anonymous Netlogon RPC requests. If your organization uses Samba, refer to the Samba release notes for guidance on compatibility. It is also recommended to test the update in a staging environment to identify and address any potential disruptions before full deployment.
 
For more information, see the May or July KB update article that matches your server version’s security update.

Change History

August 14, 2025 at 6:31 AM Updated
Last Updated Date
Previous
2025-08-13T22:12:10.317Z
New
2025-08-14T04:22:22.983Z
Body Content
Previous
(Update: This post was updated to clarify that the change was Enabled by Default on Windows Server 2025 in May 2025 and to add information about how to configure this change.) 

Microsoft has introduced a hardening change to strengthen the Microsoft RPC Netlogon protocol by blocking RPC anonymous requests used to locate domain controllers. This change was Enabled by Default in the May 2025 Windows security update for Windows Server 2025, and in the July 2025 Windows security update for all supported versions from Windows Server 2008 R2 through Windows Server 2022. This change is configurable by policy after installing the August 2025 Windows security update. See the article, KB5066014—Netlogon RPC Hardening (CVE-2025-49716), for details. 
 
After applying these updates and subsequent updates, Active Directory domain controllers will reject certain anonymous RPC requests. This may affect interoperability with services like Samba unless they are updated to meet the new access requirements.
 
To prepare for this update, review your environment for any dependencies on anonymous Netlogon RPC requests. If your organization uses Samba, refer to the Samba release notes for guidance on compatibility. It is also recommended to test the update in a staging environment to identify and address any potential disruptions before full deployment.
 
For more information, see the May or July KB update article that matches your server version’s security update.
New
(Update: This post was updated to clarify that the change was Enabled by Default on Windows Server 2025 in May 2025 and to add information about how to configure this change.) 

Microsoft has introduced a hardening change to strengthen the Microsoft RPC Netlogon protocol by blocking RPC anonymous requests used to locate domain controllers. This change was Enabled by Default in the May 2025 Windows security update for Windows Server 2025, and in the July 2025 Windows security update for all supported versions from Windows Server 2008 SP2 through Windows Server 2022. This change is configurable by policy after installing the August 2025 Windows security update. See the article, KB5066014—Netlogon RPC Hardening (CVE-2025-49716), for details. 
 
After applying these updates and subsequent updates, Active Directory domain controllers will reject certain anonymous RPC requests. This may affect interoperability with services like Samba unless they are updated to meet the new access requirements.
 
To prepare for this update, review your environment for any dependencies on anonymous Netlogon RPC requests. If your organization uses Samba, refer to the Samba release notes for guidance on compatibility. It is also recommended to test the update in a staging environment to identify and address any potential disruptions before full deployment.
 
For more information, see the May or July KB update article that matches your server version’s security update.
Is Major Change
Previous
true
New
N/A
August 14, 2025 at 2:30 AM Updated
Title
Previous
Security hardening for Microsoft RPC Netlogon protocol
New
(Updated) Security hardening for Microsoft RPC Netlogon protocol
Summary
Previous
As part of our ongoing commitment to security, we’re introducing a hardening change to the Microsoft RPC Netlogon protocol. This update strengthens access controls by blocking anonymous RPC requests that could previously be used to locate domain controllers. This change is not configurable and cannot be reverted via policy. When this will happen: This change was introduced in the July 2025 Windows security update for all supported versions of Windows Server from Windows Server 2008 R2 through Wind...
New
(Update: This post was updated to clarify that the change was Enabled by Default on Windows Server 2025 in May 2025 and to add information about how to configure this change.) Microsoft has introduced a hardening change to strengthen the Microsoft RPC Netlogon protocol by blocking RPC anonymous requests used to locate domain controllers. This change was Enabled by Default in the May 2025 Windows security update for Windows Server 2025, and in the July 2025 Windows security update for all support...
Last Updated Date
Previous
2025-07-10T18:46:01.733Z
New
2025-08-13T22:12:10.317Z
Body Content
Previous
As part of our ongoing commitment to security, we’re introducing a hardening change to the Microsoft RPC Netlogon protocol. This update strengthens access controls by blocking anonymous RPC requests that could previously be used to locate domain controllers. This change is not configurable and cannot be reverted via policy.
 
When this will happen
  • This change was introduced in the July 2025 Windows security update for all supported versions of Windows Server from Windows Server 2008 R2 through Windows Server 2022.
  • For Windows Server 2025, the change was included in the February 2025 Windows security update and subsequent updates.

How this affects your organization
After installing the applicable Windows security update, Active Directory domain controllers will reject certain anonymous RPC requests made through the Netlogon RPC server. These requests are typically used for domain controller location and may impact interoperability with some third-party file and print services, including Samba.
 
If your organization uses Samba or similar services, you may experience disruptions unless those services are updated to comply with the new access requirements. 

What you can do to prepare
  • Review your environment for dependencies on anonymous Netlogon RPC requests.
  • If your organization uses Samba, please refer to the Samba release notes for guidance on compatibility.
  • Test the update in a staging environment before broad deployment to identify any potential service disruptions.
 
Additional information
This change has been documented in the KB articles associated with the updates introducing the new security hardening:
 
New
(Update: This post was updated to clarify that the change was Enabled by Default on Windows Server 2025 in May 2025 and to add information about how to configure this change.) 

Microsoft has introduced a hardening change to strengthen the Microsoft RPC Netlogon protocol by blocking RPC anonymous requests used to locate domain controllers. This change was Enabled by Default in the May 2025 Windows security update for Windows Server 2025, and in the July 2025 Windows security update for all supported versions from Windows Server 2008 R2 through Windows Server 2022. This change is configurable by policy after installing the August 2025 Windows security update. See the article, KB5066014—Netlogon RPC Hardening (CVE-2025-49716), for details. 
 
After applying these updates and subsequent updates, Active Directory domain controllers will reject certain anonymous RPC requests. This may affect interoperability with services like Samba unless they are updated to meet the new access requirements.
 
To prepare for this update, review your environment for any dependencies on anonymous Netlogon RPC requests. If your organization uses Samba, refer to the Samba release notes for guidance on compatibility. It is also recommended to test the update in a staging environment to identify and address any potential disruptions before full deployment.
 
For more information, see the May or July KB update article that matches your server version’s security update.
