How do I know if my AD environment is impacted by the November 8th 2022 patch?

Posted by

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

Q: How can I determine if objects in my AD environment are impacted by the November 8th 2022 patch?

A: Use a couple of queries I wrote specifically for that purpose.

 

November 8th, 2022 brought us a patch that caused some clients extra headaches because when the patch is installed on Domain Controllers Kerberos authentication can break for AD objects. If you want details about the problem patches or the out of band patch to replace the problem patches check the links below. Now that a non-breaking patch has been released this extra investigation isn’t necessary but may help you develop useful techniques for the future. This is how I helped clients immediately investigate if their environments would be impacted by the patch by using a little PowerShell.

For information about the out of band patch:

 

For information on the problematic patch that we’re addressing in the investigation for the rest of the article:

 

I’m almost ready to start writing some PowerShell, first let’s make the lawyers happy.

 

Disclaimer

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

 

For a quick answer without me rambling anymore just grab code here or run the following command to find impacted objects:

 

Get-ADObject -Filter * -Properties msDS-SupportedEncryptionTypes | ` select name,objectClass,'msDS-SupportedEncryptionTypes', @{N='EncryptionTypes';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.'msDS-SupportedEncryptionTypes')}}, @{N='EncryptionTypesAsString';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.'msDS-SupportedEncryptionTypes') -AsString}} | ` select name,objectClass,EncryptionTypes,@{N='HasRC4OrIsBlank';E={$_.EncryptionTypesAsString -like "*RC4*"}} | ` Where{-not $_.HasRC4OrIsBlank}

 

 

Phew, a page into this article and now we’re ready to get started. The problematic patch caused problems if it was installed on domain controllers in environments with recommended improvements to Kerberos encryption. There are 3 main types of encryption that Kerberos can currently be configured to use: DES, RC4, and AES. DES is easily brute forced and hasn’t been considered secure since the 90s, RC4 is more common, and AES is currently the most secure of the three options. Objects that did not allow RC4 for Kerberos authentication stopped working after the patch. Security conscious folks that only allowed AES ran into problems with things like ADFS, gMSAs, RDP, accessing file shares, and even printing. My clients wanted to be up to date with the latest patches, but also didn’t want to break their environments so this is a quick investigation of if their environments would break.

To determine if AD objects in your environment will be impacted by applying the November 8th 2022 rollup you need to parse information about the msDS-SupportedEncryptionTypes property of AD objects that could be impacted and analyze them. The msDS-SupportedEncryptionTypes property defines which encryption types are supported, however it is not easy to read since it is encoded. I know when someone says msDS-SupportedEncryptionTypes of 8 I immediately think of AES 128, but to make it easy, let’s use a PowerShell function.

 

There is a great article on understanding encryption types here: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797

 

The main takeaway I got from the article was the following table:

Decimal Value

Hex Value

Supported Encryption Types

0

0x0

Not defined - defaults to RC4_HMAC_MD5

1

0x1

DES_CBC_CRC

2

0x2

DES_CBC_MD5

3

0x3

DES_CBC_CRC, DES_CBC_MD5

4

0x4

RC4

5

0x5

DES_CBC_CRC, RC4

6

0x6

DES_CBC_MD5, RC4

7

0x7

DES_CBC_CRC, DES_CBC_MD5, RC4

8

0x8

AES 128

9

0x9

DES_CBC_CRC, AES 128

10

0xA

DES_CBC_MD5, AES 128

11

0xB

DES_CBC_CRC, DES_CBC_MD5, AES 128

12

0xC

RC4, AES 128

13

0xD

DES_CBC_CRC, RC4, AES 128

14

0xE

DES_CBC_MD5, RC4, AES 128

15

0xF

DES_CBC_CBC, DES_CBC_MD5, RC4, AES 128

16

0x10

AES 256

17

0x11

DES_CBC_CRC, AES 256

18

0x12

DES_CBC_MD5, AES 256

19

0x13

DES_CBC_CRC, DES_CBC_MD5, AES 256

20

0x14

RC4, AES 256

21

0x15

DES_CBC_CRC, RC4, AES 256

22

0x16

DES_CBC_MD5, RC4, AES 256

23

0x17

DES_CBC_CRC, DES_CBC_MD5, RC4, AES 256

24

0x18

AES 128, AES 256

25

0x19

DES_CBC_CRC, AES 128, AES 256

26

0x1A

DES_CBC_MD5, AES 128, AES 256

27

0x1B

DES_CBC_MD5, DES_CBC_MD5, AES 128, AES 256

28

0x1C

RC4, AES 128, AES 256

29

0x1D

DES_CBC_CRC, RC4, AES 128, AES 256

30

0x1E

DES_CBC_MD5, RC4, AES 128, AES 256

31

0x1F

DES+A1:C33_CBC_MD5, DES_CBC_MD5, RC4, AES 128, AES 256

 

As a human, when I’m viewing my AD objects, I would much rather see the right column than the left column of the table above. If you consider the msDS-SupportedEncryptionNumber as binary the following table is a little easier to read.

msDS-SupportedEncryptionType

Definition

1

DES_DBC_CRC

2

DES_CBC_MD5

4

RC4

8

AES 128

16

AES 256

 

As an example, an object has a msDS-SupportedEncryptionNumber of 13 defined. 13 in binary is 01101. 01101 has a 1 in the 1, 4, and 8 positions to add up to 13 so DES_DBC_CRC, RC4, and AES 128 are supported encryption types. The following function does the same process.

 

<# .Synopsis Turns the integer stored in msDS-SupportedEncryptionTypes into a human readable value .DESCRIPTION Turns the integer stored in msDS-SupportedEncryptionTypes into a human readable value For more info on the encryption types: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797 .EXAMPLE Get-ETypeDefiniton 7 .PARAMETER msDSSupportedEncryptionTypes Returns an array of results indicating the supported encryption types .PARAMETER AsString Returns the result as a comma delimited string #> function Get-ETypeDefinition { [CmdletBinding()] Param ( [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true, Position=0)] $msDSSupportedEncryptionTypes, [switch] $AsString ) Begin { $ETypes = [HASHTABLE]@{ 0 = 'Not defined - defaults to RC4_HMAC_MD5' 1 = 'DES_CBC_CRC' 2 = 'DES_CBC_MD5' 4 = 'RC4' 8 = 'AES 128' 16 = 'AES 256' } } Process { $Types = $ETypes.keys | %{ If([int]($msDSSupportedEncryptionTypes -band [int]$_) -ne 0){ $ETypes[[int]$_] } } If($AsString){ $Types -join(',') }Else{ $Types } } End { } }

 

In the function above I made a hash table then compared the hash table to the msDS-SupportedEncryptionTypes. Some folks may not be familiar with -band. Band is a bitwise operator that returns bitwise and, so I know when both the number in my hash table and the number being tested are the same for a given binary value.

Example output:

 

PS C:\ [19]> Get-ETypeDefinition 13 AES 128 RC4 DES_CBC_CRC PS C:\ [6]> Get-ETypeDefinition 13 -AsString AES 128,RC4,DES_CBC_CRC PS C:\ [18]>

 

Now that we have an easy way to decode our msDS-SupportedEncryptionTypes want to know which objects have which encryption types. We want to inspect user objects, computer objects, and gMSA objects. I’ll work through computer objects as an example, then provide code for all of them.

Get-ADComputer is an old trusty cmdlet so let’s just get all computers including their encryption types and just get a handle on what we have.

 

$computers = Get-ADComputer -Filter * -Properties msDS-SupportedEncryptionTypes $computers | Group-Object msDS-SupportedEncryptionTypes | select count,name

 

George ran it in Contoso’s resources domain and got the following output.

 

PS C:\> $computers = Get-ADComputer -Filter * -Properties msDS-SupportedEncryptionTypes PS C:\> $computers | Group-Object msDS-SupportedEncryptionTypes | select count,name Count Name ----- ---- 20 28 1 1 30 1 31 1 8

 

That is interesting but means nothing to us humans. Now we can add in the Get-ETypeDefinition function to give readable output. By using named expressions, we can get some useful output.

 

$computers | ` group msDS-SupportedEncryptionTypes | ` select count,name,'msDS-SupportedEncryptionTypes', @{N='EncryptionTypes';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.Name)}}, @{N='EncryptionTypesAsString';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.Name) -AsString}} | ` select count,name,EncryptionTypes,@{N='HasRC4OrIsBlank';E={$_.EncryptionTypesAsString -like "*RC4*"}}

 

George ran this can got more useful output below:

 

PS C:\> $computers | ` group msDS-SupportedEncryptionTypes | ` select count,name,'msDS-SupportedEncryptionTypes', @{N='EncryptionTypes';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.Name)}}, @{N='EncryptionTypesAsString';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.Name) -AsString}} | ` select count,name,EncryptionTypes,@{N='HasRC4OrIsBlank';E={$_.EncryptionTypesAsString -like "*RC4*"}} Count Name EncryptionTypes HasRC4OrIsBlank ----- ---- --------------- --------------- 20 28 {AES 128, AES 256, RC4} True 1 Not defined - defaults to RC4_HMAC_MD5 True 1 30 {AES 128, AES 256, RC4, DES_CBC_MD5} True 1 31 {AES 128, AES 256, RC4, DES_CBC_MD5...} True 2 8 AES 128 False

 

Now George knows that there are computers that will have a problem if the November 8th patches are applied. George wants to know which computers will be impacted so we generate a list using the query below.

 

$computers | ` select name,'msDS-SupportedEncryptionTypes', @{N='EncryptionTypes';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.'msDS-SupportedEncryptionTypes')}}, @{N='EncryptionTypesAsString';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.'msDS-SupportedEncryptionTypes') -AsString}} | ` select name,EncryptionTypes,@{N='HasRC4OrIsBlank';E={$_.EncryptionTypesAsString -like "*RC4*"}} | ` Where{-not $_.HasRC4OrIsBlank}

 

When George ran that query, he got:

 

PS C:\> $computers | ` select name,'msDS-SupportedEncryptionTypes', @{N='EncryptionTypes';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.'msDS-SupportedEncryptionTypes')}}, @{N='EncryptionTypesAsString';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.'msDS-SupportedEncryptionTypes') -AsString}} | ` select name,EncryptionTypes,@{N='HasRC4OrIsBlank';E={$_.EncryptionTypesAsString -like "*RC4*"}} | ` Where{-not $_.HasRC4OrIsBlank} name EncryptionTypes HasRC4OrIsBlank ---- --------------- --------------- test6 AES 128 False VeryImportantComputer AES 128 False

 

Now George knows that computers with the name ‘test6’ and ‘VeryImportantComputer’ will have problems if the November 8th patches are applied to DCs without performing the proper workaround.

There was a workaround that wasn’t officially published when clients first ran into this issue however it was available by opening a CSS case or contacting your Microsoft account manager. Now that it has been a few days the out of band patches are available at the top of this article.

Just like George and I did analysis on computers you can leverage the same Get-ETypeDefinition function above to help you analyze all objects, user objects or gMSAs. Be sure to define the ‘Get-ETypeDefinition’ function in the host you’re using before running these queries. All I’m doing is getting gMSA or user objects, then passing the same objects over the pipeline to be filtered and displayed.

 

Any AD object:

 

Get-ADObject -Filter * -Properties msDS-SupportedEncryptionTypes | ` select name,objectClass,'msDS-SupportedEncryptionTypes', @{N='EncryptionTypes';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.'msDS-SupportedEncryptionTypes')}}, @{N='EncryptionTypesAsString';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.'msDS-SupportedEncryptionTypes') -AsString}} | ` select name,objectClass,EncryptionTypes,@{N='HasRC4OrIsBlank';E={$_.EncryptionTypesAsString -like "*RC4*"}} | ` Where{-not $_.HasRC4OrIsBlank}

 

Computers:

 

Get-ADComputer -Filter * -Properties msDS-SupportedEncryptionTypes | ` select name,'msDS-SupportedEncryptionTypes', @{N='EncryptionTypes';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.'msDS-SupportedEncryptionTypes')}}, @{N='EncryptionTypesAsString';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.'msDS-SupportedEncryptionTypes') -AsString}} | ` select name,EncryptionTypes,@{N='HasRC4OrIsBlank';E={$_.EncryptionTypesAsString -like "*RC4*"}} | ` Where{-not $_.HasRC4OrIsBlank}

 

gMSAs:

 

Get-ADServiceAccount -Filter * -Properties msDS-SupportedEncryptionTypes | ` select name,'msDS-SupportedEncryptionTypes', @{N='EncryptionTypes';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.'msDS-SupportedEncryptionTypes')}}, @{N='EncryptionTypesAsString';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.'msDS-SupportedEncryptionTypes') -AsString}} | ` select name,EncryptionTypes,@{N='HasRC4OrIsBlank';E={$_.EncryptionTypesAsString -like "*RC4*"}} | ` Where{-not $_.HasRC4OrIsBlank}

 

Users:

 

Get-ADUser -Filter * -Properties msDS-SupportedEncryptionTypes | ` select name,'msDS-SupportedEncryptionTypes', @{N='EncryptionTypes';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.'msDS-SupportedEncryptionTypes')}}, @{N='EncryptionTypesAsString';E={Get-ETypeDefinition -msDSSupportedEncryptionTypes ($_.'msDS-SupportedEncryptionTypes') -AsString}} | ` select name,EncryptionTypes,@{N='HasRC4OrIsBlank';E={$_.EncryptionTypesAsString -like "*RC4*"}} | ` Where{-not $_.HasRC4OrIsBlank}

 

 

A few PowerShell queries made it quick to verify that some of my clients are impacted by the November 8th patches, so they need to perform a workaround or not patch their DCs until the out-of-band patch is released. 

 

Have fun scripting!

 

References:

Decoding msDS-SupportedEncryptionTypes - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/decrypting-the-selection-of-supported-kerberos-encryption-types/ba-p/1628797

Interpreting the Supported Encryption Types - https://learn.microsoft.com/en-us/archive/blogs/petergu/interpreting-the-supportedencryptiontypes-registry-key

Configure encryption types allowed for Kerberos: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj852180(v=ws.11)

Kerberos protocol registry entries and KDC configuration keys in Windows: https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.