Many 4653 security events during WinPE phase of task sequence RRS feed

  • Question

  • We've got a location where we're seeing a log of 4653 security events on all the domain controllers when a computer has WinPE loaded to start a MDT task sequence, even before MDT prompt for credentials. After image is applied and it boots into Windows, the events stop. The event looks like this:

    An IPsec main mode negotiation failed.
    Local Endpoint:
    	Local Principal Name:	-
    	Network Address:	<SERVER_IP>
    	Keying Module Port:	500
    Remote Endpoint:
    	Principal Name:		-
    	Network Address:	<CLIENT_IP>
    	Keying Module Port:	500
    Additional Information:
    	Keying Module Name:	AuthIP
    	Authentication Method:	Unknown authentication
    	Role:			Responder
    	Impersonation State:	Not enabled
    	Main Mode Filter ID:	0
    Failure Information:
    	Failure Point:		Local computer
    	Failure Reason:		No policy configured
    	State:			No state
    	Initiator Cookie:		76ac9bdb0c34a038
    	Responder Cookie:	87940d33be1dadff

    Does anyone have any thoughts on how to stop these events? Possibly IPSec settings on the DCs?

    Tuesday, March 27, 2018 2:36 PM