Applies ToWindows 10, version 2004, all editions Windows Server version 2004 Windows 10, version 20H2, all editions Windows Server, version 20H2, all editions Windows 10, version 21H1, all editions Windows 10 Enterprise, version 1909 Windows 10 Enterprise and Education, version 1909 Windows 10 IoT Enterprise, version 1909 Win 10 Ent LTSC 2019 Win 10 IoT Ent LTSC 2019 Windows 10 IoT Core LTSC Windows Server 2019 Windows 10, version 1607, all editions Windows Server 2016, all editions Windows 10 Windows 8.1 Windows Server 2012 R2 Windows Embedded 8.1 Industry Enterprise Windows Embedded 8.1 Industry Pro Windows Server 2012 Windows Embedded 8 Standard Windows 7 Windows Server 2008 R2 Windows Embedded Standard 7 ESU Windows Embedded POSReady 7 ESU Windows Thin PC Windows Server 2008 Windows 11 Windows Server 2022 Windows 11 version 22H2, all editions

UPDATED March 20, 2023 - Availability section

Summary

The Distributed Component Object Model (DCOM) Remote Protocol is a protocol for exposing application objects using remote procedure calls (RPCs). DCOM is used for communication between the software components of networked devices. Hardening changes in DCOM were required for CVE-2021-26414. Therefore, we recommended that you verify if client or server applications in your environment that use DCOM or RPC work as expected with the hardening changes enabled.

Note We highly recommend that you install the latest security update available. They provide advanced protections from the latest security threats. They also provide capabilities that we have added to support migration. For more information and context about how we are hardening DCOM, see DCOM authentication hardening: what you need to know.

The first phase of DCOM updates was released on June 8, 2021. In that update, DCOM hardening was disabled by default. You can enable them by modifying the registry as described in the “Registry setting to enable or disable the hardening changes” section below. The second phase of DCOM updates was released on June 14, 2022. That changed the hardening to enabled by default but retained the ability to disable the changes using registry key settings. The final phase of DCOM updates will be released in March 2023. It will keep the DCOM hardening enabled and remove the ability to disable it.

Timeline

Update release

Behavior change

June 8, 2021

Phase 1 Release - Hardening changes disabled by default but with the ability to enable them using a registry key.

June 14, 2022

Phase 2 Release - Hardening changes enabled by default but with the ability to disable them using a registry key.

March 14, 2023

Phase 3 Release - Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.

Testing for DCOM hardening compatibility

New DCOM Error Events

To help you identify the applications that might have compatibility issues after we enable DCOM security hardening changes, we added new DCOM error events in the System log. See the tables below. The system will log these events if it detects that a DCOM client application is trying to activate a DCOM server using an authentication level that is less than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. You can trace to the client device from the server-side event log and use client-side event logs to find the application.

Server Events - Indicate server is receiving lower-level requests

Event ID

Message

10036

"The server-side authentication level policy does not allow the user %1\%2 SID (%3) from address %4 to activate DCOM server. Please raise the activation authentication level at least to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY in client application."

(%1 – domain, %2 – user name, %3 – User SID, %4 – Client IP Address)

Client Events – Indicate which application is sending lower-level requests

Event ID

Message

10037

"Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with explicitly set authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor."

10038

"Application %1 with PID %2 is requesting to activate CLSID %3 on computer %4 with default activation authentication level at %5. The lowest activation authentication level required by DCOM is 5(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY). To raise the activation authentication level, please contact the application vendor."

(%1 – Application Path, %2 – Application PID, %3 – CLSID of the COM class the application is requesting to activate, %4 – Computer Name, %5 – Value of Authentication Level)

Availability

These error events are only available for a subset of Windows versions; see the table below.

Windows version

Available on or after these dates

Windows Server 2022

September 27, 2021

KB5005619

Windows 10, version 2004, Windows 10, version 20H2, Windows 10, version 21H1

September 1, 2021

KB5005101

Windows 10, version 1909

August 26, 2021

KB5005103

Windows Server 2019, Windows 10, version  1809

August 26, 2021

KB5005102

Windows Server 2016, Windows 10, version 1607

September 14, 2021

KB5005573

Windows Server 2012 R2 and Windows 8.1

October 12, 2021

KB5006714

Windows 11, version 22H2

September 30, 2022

KB5017389

Client-side request auto-elevation patch

Authentication level for all non-anonymous activation requests

To help reduce app compatibility issues, we have automatically raised the authentication level for all non-anonymous activation requests from Windows-based DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY at a minimum. With this change, most Windows-based DCOM client requests will be automatically accepted with DCOM hardening changes enabled on the server side without any further modification to the DCOM client. Additionally, most Windows DCOM clients will automatically work with DCOM hardening changes on the server side without any further modification to the DCOM client.

Note This patch will continue to be included in the cumulative updates.

Patch update timeline

Since the initial release in November 2022, the auto-elevate patch has had a few updates.

  • November 2022 update

    • This update automatically raised the activation authentication level to packet integrity. This change was disabled by default on Windows Server 2016 and Windows server 2019.

  • December 2022 update

    • The November change was enabled by default for Windows Server 2016 and Windows Server 2019.

    • This update also addressed an issue that affected anonymous activation on Windows Server 2016 and Windows Server 2019.

  • January 2023 update

    • This update addressed an issue that affected anonymous activation on platforms from Windows Server 2008 to Windows 10 (initial version released July 2015).

If you have installed the cumulative security updates as of January 2023 on your clients and servers, they will have the latest auto-elevate patch fully enabled.

Registry setting to enable or disable the hardening changes

During the timeline phases in which you can enable or disable the hardening changes for CVE-2021-26414, you can use the following registry key:

  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat

  • Value Name: "RequireIntegrityActivationAuthenticationLevel"

  • Type: dword

  • Value Data: default= 0x00000000 means disabled. 0x00000001 means enabled. If this value is not defined, it will default to enabled.

Note You must enter Value Data in hexadecimal format.

Important You must restart your device after setting this registry key for it to take effect.

Note Enabling the registry key above will make DCOM servers enforce an Authentication-Level of RPC_C_AUTHN_LEVEL_PKT_INTEGRITY or higher for activation. This does not affect anonymous activation (activation using authentication level RPC_C_AUTHN_LEVEL_NONE). If the DCOM server allows anonymous activation, it will still be allowed even with DCOM hardening changes are enabled.

Note This registry value does not exist by default; you must create it. Windows will read it if it exists and will not overwrite it.

Note Installation of later updates will neither change nor remove existing registry entries and settings.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.