Favorite your Message Center and Roadmap items. Access them anytime via your Profile. Export and share with your team or your LLM.

(Updated) Security hardening for Microsoft RPC Netlogon protocol

Message ID
MC1113050
View in Message Center
Service
Windows
Category
Plan for Change
Tag
Admin impact
Rollout
May 2025July 2025August 2025

Details

(Update: This post was updated to clarify that the change was Enabled by Default on Windows Server 2025 in May 2025 and to add information about how to configure this change.) 

Microsoft has introduced a hardening change to strengthen the Microsoft RPC Netlogon protocol by blocking RPC anonymous requests used to locate domain controllers. This change was Enabled by Default in the May 2025 Windows security update for Windows Server 2025, and in the July 2025 Windows security update for all supported versions from Windows Server 2008 SP2 through Windows Server 2022. This change is configurable by policy after installing the August 2025 Windows security update. See the article, KB5066014—Netlogon RPC Hardening (CVE-2025-49716), for details. 
 
After applying these updates and subsequent updates, Active Directory domain controllers will reject certain anonymous RPC requests. This may affect interoperability with services like Samba unless they are updated to meet the new access requirements.
 
To prepare for this update, review your environment for any dependencies on anonymous Netlogon RPC requests. If your organization uses Samba, refer to the Samba release notes for guidance on compatibility. It is also recommended to test the update in a staging environment to identify and address any potential disruptions before full deployment.
 
For more information, see the May or July KB update article that matches your server version’s security update.

Change History

Show
August 14, 2025 at 6:31 AM Updated
Last Updated Date
Previous
2025-08-13T22:12:10.317Z
New
2025-08-14T04:22:22.983Z
Body Content
Previous
<div><em>(Update: This post was updated to clarify that the&nbsp;change was Enabled by Default on Windows Server 2025 in May 2025 and to add information about how to configure this change.)&nbsp;</em></div><div><br></div><div>Microsoft has introduced a hardening change to strengthen the&nbsp;<a href="https://learn.microsoft.com/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f" rel="noopener noreferrer" target="_blank"><u>Microsoft RPC Netlogon protocol</u></a>&nbsp;by blocking RPC anonymous requests used to locate domain controllers. This change&nbsp;was&nbsp;Enabled by Default in the&nbsp;<a href="https://support.microsoft.com/topic/may-13-2025-kb5058411-os-build-26100-4061-57181688-a692-49e5-b6cd-6e3919da12ca" rel="noopener noreferrer" target="_blank"><u>May 2025 Windows security update</u></a> for Windows Server 2025, and in the&nbsp;<a href="https://support.microsoft.com/topic/july-8-2025-kb5062572-os-build-20348-3932-d78a2b2a-1ce8-45ee-85a0-e51a897ec67f" rel="noopener noreferrer" target="_blank"><u>July 2025 Windows security update</u></a>&nbsp;for all supported versions from Windows Server 2008 R2 through Windows Server 2022.&nbsp;This change is configurable by policy after installing the August 2025 Windows security update.&nbsp;See the article,&nbsp;<a href="https://support.microsoft.com/topic/kb5066014-netlogon-rpc-hardening-cve-2025-49716-38a0bc06-507c-47d4-be0f-ca1acab02c68" rel="noopener noreferrer" target="_blank">KB5066014—Netlogon RPC Hardening (CVE-2025-49716)</a>,&nbsp;for details.&nbsp;</div><div>&nbsp;</div><div>After applying these updates and subsequent updates, Active Directory domain controllers will reject certain anonymous RPC requests. This may affect interoperability with services like Samba unless they are updated to meet the new access requirements.</div><div>&nbsp;</div><div>To prepare for this update, review your environment for any dependencies on anonymous Netlogon RPC requests. If your organization uses Samba, refer to the&nbsp;<a href="https://www.samba.org/samba/history/samba-4.22.3.html" rel="noopener noreferrer" target="_blank"><u>Samba release notes</u></a>&nbsp;for guidance on compatibility. It is also recommended to test the update in a staging environment to identify and address any potential disruptions before full deployment.</div><div>&nbsp;</div><div>For more information, see the&nbsp;May&nbsp;or July KB update article that matches your server version’s security update.</div>
New
<div><em>(Update: This post was updated to clarify that the&nbsp;change was Enabled by Default on Windows Server 2025 in May 2025 and to add information about how to configure this change.)&nbsp;</em></div><div><br></div><div>Microsoft has introduced a hardening change to strengthen the&nbsp;<a href="https://learn.microsoft.com/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f" rel="noopener noreferrer" target="_blank"><u>Microsoft RPC Netlogon protocol</u></a>&nbsp;by blocking RPC anonymous requests used to locate domain controllers. This change&nbsp;was&nbsp;Enabled by Default in the&nbsp;<a href="https://support.microsoft.com/topic/may-13-2025-kb5058411-os-build-26100-4061-57181688-a692-49e5-b6cd-6e3919da12ca" rel="noopener noreferrer" target="_blank"><u>May 2025 Windows security update</u></a> for Windows Server 2025, and in the&nbsp;<a href="https://support.microsoft.com/topic/july-8-2025-kb5062572-os-build-20348-3932-d78a2b2a-1ce8-45ee-85a0-e51a897ec67f" rel="noopener noreferrer" target="_blank"><u>July 2025 Windows security update</u></a>&nbsp;for all supported versions from Windows Server 2008 SP2 through Windows Server 2022.&nbsp;This change is configurable by policy after installing the August 2025 Windows security update.&nbsp;See the article,&nbsp;<a href="https://support.microsoft.com/topic/kb5066014-netlogon-rpc-hardening-cve-2025-49716-38a0bc06-507c-47d4-be0f-ca1acab02c68" rel="noopener noreferrer" target="_blank">KB5066014—Netlogon RPC Hardening (CVE-2025-49716)</a>,&nbsp;for details.&nbsp;</div><div>&nbsp;</div><div>After applying these updates and subsequent updates, Active Directory domain controllers will reject certain anonymous RPC requests. This may affect interoperability with services like Samba unless they are updated to meet the new access requirements.</div><div>&nbsp;</div><div>To prepare for this update, review your environment for any dependencies on anonymous Netlogon RPC requests. If your organization uses Samba, refer to the&nbsp;<a href="https://www.samba.org/samba/history/samba-4.22.3.html" rel="noopener noreferrer" target="_blank"><u>Samba release notes</u></a>&nbsp;for guidance on compatibility. It is also recommended to test the update in a staging environment to identify and address any potential disruptions before full deployment.</div><div>&nbsp;</div><div>For more information, see the&nbsp;May&nbsp;or July KB update article that matches your server version’s security update.</div>
Is Major Change
Previous
true
New
false
August 14, 2025 at 2:30 AM Updated
Title
Previous
Security hardening for Microsoft RPC Netlogon protocol
New
(Updated) Security hardening for Microsoft RPC Netlogon protocol
Summary
Previous
As part of our ongoing commitment to security, we’re introducing a hardening change to the Microsoft RPC Netlogon protocol. This update strengthens access controls by blocking anonymous RPC requests that could previously be used to locate domain controllers. This change is not configurable and cannot be reverted via policy. When this will happenThis change was introduced in the July 2025 Windows security update for all supported versions of Windows Server from Windows Server 2008 R2 through Wind...
New
(Update: This post was updated to clarify that the change was Enabled by Default on Windows Server 2025 in May 2025 and to add information about how to configure this change.) Microsoft has introduced a hardening change to strengthen the Microsoft RPC Netlogon protocol by blocking RPC anonymous requests used to locate domain controllers. This change was Enabled by Default in the May 2025 Windows security update for Windows Server 2025, and in the July 2025 Windows security update for all support...
Last Updated Date
Previous
2025-07-10T18:46:01.733Z
New
2025-08-13T22:12:10.317Z
Body Content
Previous
<div>As part of our ongoing commitment to security, we’re introducing a hardening change to the <a href="https://learn.microsoft.com/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f" rel="noopener noreferrer" target="_blank">Microsoft RPC Netlogon protocol</a>.&nbsp;This update strengthens access controls by blocking anonymous RPC requests that could previously be used to locate domain controllers.&nbsp;This change is&nbsp;<b>not configurable</b>&nbsp;and&nbsp;<b>cannot be reverted</b>&nbsp;via policy.</div><div>&nbsp;</div><div><b>When this will happen</b></div><ul><li>This change was introduced in the&nbsp;<b>July 2025 Windows security update</b>&nbsp;for all supported versions of Windows Server from Windows Server&nbsp;2008 R2 through Window Server 2022.</li><li>For&nbsp;<b>Windows Server 2025</b>, the change was included in the&nbsp;<b>February 2025 Windows security update </b>and subsequent updates.</li></ul><div><br></div><div><b>How this affects your organization</b></div><div>After installing the applicable Windows security update,&nbsp;<b>Active Directory domain controllers will reject certain anonymous RPC requests</b>&nbsp;made through the Netlogon RPC server.&nbsp;These requests are typically used for domain controller location and may impact interoperability with some third-party file and print services, including&nbsp;<b>Samba</b>.</div><div>&nbsp;</div><div>If your organization uses Samba or similar services, you may experience disruptions unless those services are updated to comply with the new access requirements.&nbsp;</div><div><br></div><div><b>What you can do to prepare</b></div><ul><li>Review your environment for dependencies on anonymous Netlogon RPC requests.</li><li>If your organization uses Samba, please refer to the&nbsp;<a href="https://www.samba.org/samba/history/samba-4.22.3.html" rel="noopener noreferrer" target="_blank">Samba release notes</a>&nbsp;​​​​​​for guidance on compatibility.</li><li>Test the update in a staging environment before broad deployment to identify any potential service disruptions.</li></ul><div>&nbsp;</div><div><b>Additional information</b></div><div>This change has been documented in the KB articles associated to the updates introducing the new security hardening:</div><div>&nbsp;</div><ul><li><b>Windows Server 2025</b>:&nbsp;<a href="https://support.microsoft.com/help/5051987" rel="noopener noreferrer" target="_blank">https://support.microsoft.com/help/5051987</a></li><li><b>Windows Server 2025 Datacenter: Azure Edition (Hotpatch Baseline)</b>:&nbsp;<a href="https://support.microsoft.com/help/5051987" rel="noopener noreferrer" target="_blank">https://support.microsoft.com/help/5051987</a></li><li><b>Windows Server 2022</b>:&nbsp;<a href="https://support.microsoft.com/help/5062572" rel="noopener noreferrer" target="_blank">https://support.microsoft.com/help/5062572</a></li><li><b>Windows Server 2022 Datacenter: Azure Edition (Hotpatch Baseline)</b>:&nbsp;<a href="https://support.microsoft.com/help/5062572" rel="noopener noreferrer" target="_blank">https://support.microsoft.com/help/5062572</a></li><li><b>Windows Server 2012 R2</b>:&nbsp;<a href="https://support.microsoft.com/help/5062597" rel="noopener noreferrer" target="_blank">https://support.microsoft.com/help/5062597</a></li><li><b>Windows Server 2012</b>:&nbsp;<a href="https://support.microsoft.com/help/5062592" rel="noopener noreferrer" target="_blank">https://support.microsoft.com/help/5062592</a></li><li><b>Windows Server 2008 R2 SP1</b>:&nbsp;<a href="https://support.microsoft.com/topic/july-8-2025-kb5062632-monthly-rollup-6b00fd29-2f8e-4167-8633-bd081870d49e" rel="noopener noreferrer" target="_blank">https://support.microsoft.com/help/5062632</a> /&nbsp;<a href="https://support.microsoft.com/topic/july-8-2025-kb5062619-security-only-update-3bde872d-c66a-45e5-8d3c-a1e2608ccfde" rel="noopener noreferrer" target="_blank">https://support.microsoft.com/help/5062619</a></li><li><b>Windows Server 2008: SP2</b>:&nbsp;<a href="https://support.microsoft.com/topic/july-8-2025-kb5062624-monthly-rollup-ef8674af-85d1-49dd-8ba0-9535c77bfff1" rel="noopener noreferrer" target="_blank">https://support.microsoft.com/help/5062624</a> /&nbsp;<a href="https://support.microsoft.com/topic/july-8-2025-kb5062618-security-only-update-34a3726e-1e9b-4f72-a61b-b2d6f8c59835" rel="noopener noreferrer" target="_blank">https://support.microsoft.com/help/5062618</a></li></ul>
New
<div><em>(Update: This post was updated to clarify that the&nbsp;change was Enabled by Default on Windows Server 2025 in May 2025 and to add information about how to configure this change.)&nbsp;</em></div><div><br></div><div>Microsoft has introduced a hardening change to strengthen the&nbsp;<a href="https://learn.microsoft.com/openspecs/windows_protocols/ms-nrpc/ff8f970f-3e37-40f7-bd4b-af7336e4792f" rel="noopener noreferrer" target="_blank"><u>Microsoft RPC Netlogon protocol</u></a>&nbsp;by blocking RPC anonymous requests used to locate domain controllers. This change&nbsp;was&nbsp;Enabled by Default in the&nbsp;<a href="https://support.microsoft.com/topic/may-13-2025-kb5058411-os-build-26100-4061-57181688-a692-49e5-b6cd-6e3919da12ca" rel="noopener noreferrer" target="_blank"><u>May 2025 Windows security update</u></a> for Windows Server 2025, and in the&nbsp;<a href="https://support.microsoft.com/topic/july-8-2025-kb5062572-os-build-20348-3932-d78a2b2a-1ce8-45ee-85a0-e51a897ec67f" rel="noopener noreferrer" target="_blank"><u>July 2025 Windows security update</u></a>&nbsp;for all supported versions from Windows Server 2008 R2 through Windows Server 2022.&nbsp;This change is configurable by policy after installing the August 2025 Windows security update.&nbsp;See the article,&nbsp;<a href="https://support.microsoft.com/topic/kb5066014-netlogon-rpc-hardening-cve-2025-49716-38a0bc06-507c-47d4-be0f-ca1acab02c68" rel="noopener noreferrer" target="_blank">KB5066014—Netlogon RPC Hardening (CVE-2025-49716)</a>,&nbsp;for details.&nbsp;</div><div>&nbsp;</div><div>After applying these updates and subsequent updates, Active Directory domain controllers will reject certain anonymous RPC requests. This may affect interoperability with services like Samba unless they are updated to meet the new access requirements.</div><div>&nbsp;</div><div>To prepare for this update, review your environment for any dependencies on anonymous Netlogon RPC requests. If your organization uses Samba, refer to the&nbsp;<a href="https://www.samba.org/samba/history/samba-4.22.3.html" rel="noopener noreferrer" target="_blank"><u>Samba release notes</u></a>&nbsp;for guidance on compatibility. It is also recommended to test the update in a staging environment to identify and address any potential disruptions before full deployment.</div><div>&nbsp;</div><div>For more information, see the&nbsp;May&nbsp;or July KB update article that matches your server version’s security update.</div>

Never Miss a Microsoft 365 Update

Join thousands of IT professionals who rely on DeltaPulse for real-time Microsoft 365 change intelligence, automated notifications, and community insights.