KB4012216 Issue with event ID 4768

  • Question

  • Hello,

    After installing KB4012216 on our DC with server 2012 R2, event logs for event ID 4768 stopped being updated in event viewer. 

    Is this a known issue? I tested on 2 servers and see the issue as soon as the patch is applied. 

    There are other users experiencing this. 

    https://www.reddit.com/r/sysadmin/comments/5zs0nc/heads_up_ms_kb4012213_andor_ms_kb4012216_disables/

    Thank you,

    Thursday, March 23, 2017 2:26 PM

All replies

  • I am experiencing the exact same issue on our 2012 R2 domain controllers.  Security event ID 4768 logged just fine until the install of KB4012213 (March, 2017 Security Only Quality Update).  I have an application that relies on that event ID being logged.  I hope Microsoft has a hotfix for this issue - otherwise my only other option is to uninstall the update.
    Thursday, March 23, 2017 3:12 PM
  • For what it's worth, I uninstalled KB4012213 from my domain controller and rebooted but the issue remains.  I do not believe uninstalling the update removes everything completely.  I have a ticket open with Microsoft and I am awaiting their reply.
    Thursday, March 23, 2017 7:41 PM
  • I have seen a few posts that Microsoft is working on a fix. 

    We also have an application that is not working because of this issue. 


    Thursday, March 23, 2017 8:11 PM
  • I hope they hurry up and create a hotfix.  We use Cisco's Context Delivery Agent for web authentication.  Without event ID 4768, IP to user mappings are not created which means users are not being filtered through our web security rules.
    Friday, March 24, 2017 1:10 PM
  • I was able to get event ID 4768 logging to the event viewer again.  I had both KB4012213 and KB4012216 installed on my domain controllers.  I uninstalled both of them in the past but the issue remained.  These are the steps I took that worked for me.

    Uninstall KB4012213 first.  When the uninstall is complete, DO NOT reboot and choose reboot later.

    Uninstall KB4012216 after KB4012213 is uninstalled.  After KB4012216 is uninstalled, reboot when prompted.

    In my environment, if I rebooted in between or uninstalled KB4012216 before KB4012213, I still would not get event ID 4768 to log in the event viewer.

    I hope this helps anyone who relies on event ID 4768.  This is not a fix - it is a workaround until Microsoft comes up with a permanent solution.


    • Edited by _P_M_ Monday, March 27, 2017 2:16 PM
    Monday, March 27, 2017 2:16 PM
  • We are experiencing this issue as well. Has anyone opened a Premier case and if so what was the resolution?
    Thursday, March 30, 2017 6:09 PM
  • Anyone get confirmation from MS?
    Tuesday, April 4, 2017 1:53 PM
  • I was just about to ask the same thing. Hope they have a fix. 


    Tuesday, April 4, 2017 8:02 PM
  • Hi Matt,

    I suggest you open a case with Microsoft; a more in-depth investigation can be done so that you would get a more satisfying explanation and solution to this issue.
    Here is the link:
    https://support.microsoft.com/en-us/gp/support-options-for-business

    Best Regards

    John


    Wednesday, April 5, 2017 1:55 AM
  • I've reached out to our MS support account manager to see if there is any noise internally about this one. 
    Wednesday, April 5, 2017 8:01 AM
  • Hello,

    Has anyone heard anything back?

    Thank you,

    Matt

    Tuesday, April 11, 2017 2:37 PM
  • I'm going to chase up my TAM today and revert here.
    • Proposed as answer by ToddT68 Monday, April 17, 2017 6:02 PM
    • Unproposed as answer by ToddT68 Monday, April 17, 2017 6:33 PM
    Wednesday, April 12, 2017 10:26 AM
  • 1. Enable “Audit Other Account Logon Events” in your “Default Domain Controllers Policy”. 

    2. [Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy -> Account Logon -> Audit Other Account Logon Events. Enable both “Success” and “Failure”]

    • Proposed as answer by John Lii Tuesday, April 18, 2017 2:01 AM
    Monday, April 17, 2017 6:03 PM
  • 1. Enable “Audit Other Account Logon Events” in your “Default Domain Controllers Policy”. 

    2. [Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy -> Account Logon -> Audit Other Account Logon Events. Enable both “Success” and “Failure”]


    This is Microsoft's recommended workaround. After I set these, QRadar and ADAudit started seeing the logs correctly and the DCs started showing the Kerberos logins in the event viewer.
    Monday, April 17, 2017 6:35 PM
  • Hi,

    Thanks for the reply. I am testing this now. 

    Thank you,

    Matt

    Monday, April 17, 2017 9:25 PM
  • 1. Enable “Audit Other Account Logon Events” in your “Default Domain Controllers Policy”. 

    2. [Navigate to Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy -> Account Logon -> Audit Other Account Logon Events. Enable both “Success” and “Failure”]

    ToddT68, This is working

    Thank you so much for the info.


    Monday, April 17, 2017 11:27 PM
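
To confirm on a domain controller that the audit policy workaround described in the thread has taken effect and that event ID 4768 is being written again, a check along these lines can be run after `gpupdate`. This is an added example, not code from any poster or from Microsoft; it assumes an elevated session, an English-language OS (auditpol subcategory names are localized), and a constructed 60-minute lookback window.

```powershell
# Added example: run elevated on a domain controller.
# Assumes an English-language OS; the lookback default is a constructed value.
param(
    [int]$LookbackMinutes = 60
)

# 4768 is normally produced under "Kerberos Authentication Service";
# the workaround in the thread enables "Other Account Logon Events".
$subcategories = 'Kerberos Authentication Service', 'Other Account Logon Events'

# Read the effective (applied) audit policy, not just what the GPO says.
$policy = foreach ($name in $subcategories) {
    # /r emits CSV; drop blank lines before parsing.
    auditpol.exe /get /subcategory:"$name" /r |
        Where-Object { $_.Trim() } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}
$policy | Format-Table -AutoSize

$notFull = @($policy | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })
foreach ($p in $notFull) {
    Write-Warning "$($p.Subcategory) is set to '$($p.'Inclusion Setting')'"
}

# Count 4768 events (Kerberos TGT requested) written in the lookback window.
# Get-WinEvent raises a non-terminating error when nothing matches, so
# suppress it and treat the empty result as a count of zero.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4768; StartTime = $since
    } -ErrorAction SilentlyContinue)

$newest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    LookbackMinutes = $LookbackMinutes
    Count4768       = $events.Count
    Newest4768      = if ($newest) { $newest.TimeCreated } else { $null }
}

if ($events.Count -eq 0) {
    Write-Warning "No 4768 events in the last $LookbackMinutes minutes on $env:COMPUTERNAME"
    exit 1
}
```

Scheduled on each DC, the non-zero exit code gives tools that depend on 4768 (the thread mentions Cisco's Context Delivery Agent, QRadar and ADAudit) an early signal that the event has stopped being logged.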