7 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section.

The following tables show the relationships between Microsoft product versions or supplemental software and the roles they perform.

Windows Client Releases                       Server Role   Client Role
Windows 2000 Professional operating system    No            Yes
Windows XP operating system                   No            Yes
Windows Vista operating system                No            Yes
Windows 7 operating system                    No            Yes
Windows 8 operating system                    No            Yes
Windows 8.1 operating system                  No            Yes
Windows 10 operating system                   No            Yes
Windows 11 operating system                   No            Yes

Windows Server Releases                       Server Role   Client Role
Windows 2000 Server operating system          Yes           Yes
Windows Server 2003 operating system          Yes           Yes
Windows Server 2008 operating system          Yes           Yes
Windows Server 2008 R2 operating system       Yes           Yes
Windows Server 2012 operating system          Yes           Yes
Windows Server 2012 R2 operating system       Yes           Yes
Windows Server 2016 operating system          Yes           Yes
Windows Server operating system               Yes           Yes
Windows Server 2019 operating system          Yes           Yes
Windows Server 2022 operating system          Yes           Yes
Windows Server 2025 operating system          Yes           Yes

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 2.1: Windows 2000 Server does not listen on the \\pipe\protected_storage endpoint.

<2> Section 2.1: Windows 2000 Server and Windows Server 2003 listen on the \\pipe\ntsvcs endpoint. Windows Server 2008 and later do not listen on this endpoint by default, but will do so if the second-least-significant bit of the DWORD registry value HKLM\System\CurrentControlSet\Control\ProxyType is set to 1, and the DWORD registry value HKLM\System\CurrentControlSet\Control\DisableRemoteScmEndpoints is absent or set to zero.

<3> Section 2.1: Windows 2000 operating system clients only attempt to connect to the \\pipe\ntsvcs endpoint.

<4> Section 2.1: Applicable Windows Server releases register the Kerberos [MS-KILE] [RFC4120] and NTLM [MS-NLMP] security packages for negotiation with SPNEGO.

<5> Section 3.1: Windows 2000 (including all service packs) does not support retrieval of the server public key using BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID. However, Windows 2000 operating system Service Pack 3 (SP3) and later Windows 2000 service packs support unwrapping of client-side-wrapped secrets through BACKUPKEY_RESTORE_GUID. Microsoft Windows 2000 operating system Service Pack 2 (SP2) and earlier Windows 2000 versions do not support this operation.

<6> Section 3.1.3: Windows 2000 Server does not support the \\pipe\protected_storage endpoint.

<7> Section 3.1.3: Windows 2000 Server and Windows Server 2003 support the \\pipe\ntsvcs endpoint. Windows Server 2008 and later do not support it by default, but will do so if the second-least-significant bit of the DWORD registry value HKLM\System\CurrentControlSet\Control\ProxyType is set to "1", and the DWORD registry value HKLM\System\CurrentControlSet\Control\DisableRemoteScmEndpoints is absent or set to zero.

<8> Section 3.1.3: Windows 2000, Windows XP, and Windows Server 2003 implementations do not instruct the RPC runtime to reject unauthenticated connections.

<9> Section 3.1.4.1: Windows 2000 does not support BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID. However, Windows 2000 SP3 and later Windows 2000 service packs do support BACKUPKEY_RESTORE_GUID.

If the Domain Functional Level of the Windows domain is set to Windows 2000 Native, Windows Server 2003 and later will return an error when called with BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID unless the DWORD registry value HKLM\SOFTWARE\Microsoft\Cryptography\Protect\Provider\df9d8cd0-1501-11d1-8c7a-00c04fc297eb\DistributeBackupKey is set to 0x00000001.

<10> Section 3.1.4.1.2: Windows Server 2003 and later detect whether the wrapped secret is in the client-wrapped format and, if it is, continue processing as in section 3.1.4.1.4.

<11> Section 3.1.4.1.4: Windows 2000, Windows 2000 operating system Service Pack 1 (SP1), and Windows 2000 operating system Service Pack 2 (SP2) do not perform this check and return an error if the wrapped secret is not in the server-wrapped format.

<12> Section 3.1.4.1.4: Windows Server 2008 and earlier support only dwVersion = 0x00000002. Windows Server 2008 R2 and later support both dwVersion = 0x00000002 and dwVersion = 0x00000003.

<13> Section 3.1.4.1.4: Windows Server 2008 and later return ERROR_INVALID_DATA (0x0000000D). Windows Server 2003 returns ERROR_IO_PENDING (0x000003e5).

<14> Section 3.2.4: Windows 2000 clients only attempt to connect to the \\pipe\ntsvcs endpoint.

<15> Section 3.2.4: In client versions Windows 7 operating system with Service Pack 1 (SP1) through Windows 11, version 23H2 operating system, and server versions Windows Server 2008 R2 operating system through Windows Server 2022, 23H2 operating system without [MSFT-CVE-2023-36004], there is no error if the authentication level is lower than RPC_C_AUTHN_LEVEL_PKT_PRIVACY. Later and updated versions require the higher authentication level and return an error.

<16> Section 3.2.4: Windows 2000 clients do not request the use of mutual authentication.

<17> Section 3.2.4: Windows clients do not perform mutual authentication when the security context negotiated through the SPNEGO Protocol results in the use of NTLM authentication.

<18> Section 3.2.4: Windows 2000 does not support client-side wrapping.

<19> Section 3.2.4.1: The process of falling back to server-side wrapping using the BACKUPKEY_BACKUP_GUID when retrieval of the server's public key fails using the BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID is no longer available by default for the operating systems specified in [MSFT-CVE-2022-21925]. However, the fallback to server-side wrapping can be enabled by adding a registry key designed for this purpose.

In addition, as noted earlier, Windows clients always retry failing operations once. The resulting process is as follows: The client first tries the BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID operation, and if it fails, the client performs DC (2) rediscovery and retries the same operation. If the retry fails, the client tries a BACKUPKEY_BACKUP_GUID operation. If this fails, the client performs DC rediscovery again and retries the BACKUPKEY_BACKUP_GUID operation. If this also fails, an error is returned to the caller.

<20> Section 3.2.4.1: Windows Vista and earlier and Windows Server 2008 and earlier always use version 2. Windows 7 and later and Windows Server 2008 R2 and later use version 2 by default but can be configured to use version 3 by setting the DWORD registry value "HKLM\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb\Recovery Version" to 3.
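The registry values named in notes <2>/<7>, <9> and <20> are the ones a domain controller administrator would audit to know which BKRP behavior a server actually exhibits. The following script is an added example (not part of the specification or any Microsoft product) that reads those values and reports the resulting behavior; the registry paths are copied from the notes exactly as written, including the differing "Provider"/"Providers" spellings in notes <9> and <20>, and the function names are the example's own.

```powershell
# Added example: audit the registry values that Appendix B says change BKRP behavior.
# Run on the server being audited; reading HKLM requires an elevated prompt.

function Get-BkrpRegistryValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, which the notes treat as "default".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-BkrpBehaviorReport {
    $ctl  = 'HKLM:\System\CurrentControlSet\Control'
    $guid = 'df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
    # Note <9> spells the key "Provider"; note <20> spells it "Providers". Both are checked as written.
    $distPath = "HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Provider\$guid"
    $recPath  = "HKLM:\Software\Microsoft\Cryptography\Protect\Providers\$guid"

    $proxyType  = Get-BkrpRegistryValue -Path $ctl -Name 'ProxyType'
    $disableScm = Get-BkrpRegistryValue -Path $ctl -Name 'DisableRemoteScmEndpoints'

    # Notes <2>/<7>: Windows Server 2008 and later serve \\pipe\ntsvcs only when the
    # second-least-significant bit (value 0x2) of ProxyType is set AND
    # DisableRemoteScmEndpoints is absent or zero.
    $ntsvcsEnabled = ($null -ne $proxyType) -and (($proxyType -band 2) -ne 0) -and
                     (($null -eq $disableScm) -or ($disableScm -eq 0))

    # Note <9>: DistributeBackupKey = 1 lets BACKUPKEY_RETRIEVE_BACKUP_KEY_GUID succeed
    # even when the domain functional level is Windows 2000 Native.
    $distribute = Get-BkrpRegistryValue -Path $distPath -Name 'DistributeBackupKey'

    # Note <20>: "Recovery Version" defaults to 2; 3 selects dwVersion = 0x00000003.
    $recVersion = Get-BkrpRegistryValue -Path $recPath -Name 'Recovery Version'
    if ($null -eq $recVersion) { $recVersion = 2 }

    [pscustomobject]@{
        ProxyType                 = $proxyType
        DisableRemoteScmEndpoints = $disableScm
        NtsvcsEndpointEnabled     = $ntsvcsEnabled
        DistributeBackupKey       = $distribute
        EffectiveRecoveryVersion  = $recVersion
    }
}

Get-BkrpBehaviorReport | Format-List
```

A `NtsvcsEndpointEnabled` of `True` on a Windows Server 2008 or later host means the legacy \\pipe\ntsvcs endpoint has been deliberately re-enabled, which is worth confirming against change records.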