What’s New and Changed
Updated Documentation
Service Releases
The following documents were updated and have errata published for service releases after the May 2021 release for Windows 10 v2106. See Windows Protocols Errata.
| Specification | Description | Release Date |
|---|---|---|
| | Specifies the core functionality of Active Directory. Active Directory extends and provides variations of the Lightweight Directory Access Protocol (LDAP). This document has been updated as follows: These changes in processing are due to the security update [MSFT-CVE-2022-21857] for Windows Server 2008 and later. The update corrects a domain-admin EOP security vulnerability related to NTLM pass-through authentication in cross-forest trusts and read-only DC secure channels. ● Added information about querying and persisting data about trusted forests to section 3.1.1.6, Background Tasks. ● Added new section 3.1.6.4, PDC Forest Trust Update, on querying trusted forests. ● Added new section 3.1.6.4.1, Informative Overview, providing a brief summary of the forest trust update. ● Added new section 3.1.6.4.2, Logical Processing, describing the processing steps in making a forest trust update. ● In section 6.1.5.4, PDC Emulator FSMO Role, added text about the need to periodically query state on trusted forests. ● Added new section 6.1.6.9.6.2, PDC Forest Trust Scanning, about the need for periodic scanning. | January 2022 |
| | Specifies the BackupKey Remote Protocol. This protocol encrypts secret values (such as cryptographic keys) so they can be backed up to storage that is not specially protected, and enables decryption of such values if recovery is necessary. This document has been updated as follows: Revised to disable the data protection API master key backup fallback by default, because the use of the RC4 algorithm to back up the data protection API master key is no longer available by default. The fallback to server-side wrapping can be enabled by adding a registry key designed for that purpose. | January 2022 |
| [MS-LSAD]: Local Security Authority (Domain Policy) Remote Protocol | Specifies the Local Security Authority (Domain Policy) Remote Protocol. This protocol provides an RPC interface used for remote management of policy settings related to account objects, secret objects, trusted domain objects (TDOs), and other security-related policy settings. This document has been updated as follows: ● Updated the encryption algorithm for private data sent over the wire from RC4 to the AES cipher. ● Updated to provide information about root and child domains in trusting Active Directory forests that are queried and stored in an existing Active Directory attribute, for later use in namespace filtering during NTLM pass-through authentication. | January 2022 |
| | Specifies the Netlogon Remote Protocol, an RPC interface that is used for user and machine authentication on domain-based networks; to replicate the user account database for backup domain controllers running operating systems earlier than Windows 2000; and to discover, manage, and maintain domain relationships of domain members and domain controllers across domains. This document has been updated as follows: The update changes processing to mitigate security vulnerabilities. This functionality is only performed by the operating systems specified by security update [MSFT-CVE-2022-21857] with its related KB article installed. It excludes Windows Vista and earlier, and Windows Server 2003 R2 and earlier. ● Added new validation processing for server DC requests using NTLMv2 in section 3.5.4.5.1. ● Added new subsection 3.5.4.5.1.1 on processing pass-through domain name validation. ● Added new subsection 3.5.4.5.1.2 on processing RODC server cachability validation. | January 2022 |
| | Specifies the Workstation Service Remote Protocol, which remotely queries and configures certain aspects of a Server Message Block network redirector on a remote computer. This document has been updated as follows: ● Added new reference to Workstation Service Remote Protocol Security Feature Bypass Vulnerability [MSFT-CVE-2022-21924]. ● Added new methods to use AES encryption when: | January 2022 |
| | Specifies the Encrypting File System Remote (EFSRPC) Protocol, which performs maintenance and management operations on encrypted data that is stored remotely and accessed over a network. This document has been updated as follows: ● Added new reference to Windows Encrypting File System (EFS) Remote Code Execution Vulnerability [MSFT-CVE-2021-43893]. ● Added product notes with reference to Windows Encrypting File System (EFS) Remote Code Execution Vulnerability [MSFT-CVE-2021-43893] to indicate the increased level of authorization required for RPC calls. | December 2021 |
| | Specifies the core functionality of Active Directory. Active Directory extends and provides variations of the Lightweight Directory Access Protocol (LDAP). This document has been updated as follows: ● LDAP Extended Controls, modified the Extended Control 'LDAP_SERVER_SD_FLAGS_OID' description to indicate to the DC which portions of a Windows security descriptor to either retrieve during an LDAP search operation or set during an LDAP modify operation. Added a behavior note to specify the operating systems that are impacted by this change. ● LDAP_SERVER_SD_FLAGS_OID, revised to clarify that the 'LDAP_SERVER_SD_FLAGS_OID' control is used with LDAP Modify requests to control the portion of a Windows security descriptor to modify, while it is not used with LDAP Add requests. ● Uniqueness Constraints, updated the UPN and SPN uniqueness features and documented the new service principal name (SPN) alias uniqueness feature, as related to the corresponding DS Heuristic 'DoNotVerifyUPNAndOrSPNUniqueness'. ● Security Considerations, updated to indicate that security considerations include satisfying the constraints specified in section 3.1.1.5.2.2. ● Per Attribute Authorization for Add Operation, created a new topic to describe how to authorize attributes for the Add operation. ● Constraints, verified attributes assigned to userAccountControl when a computer object is being created and specified the constraints that apply; includes setting the default bit to UF_WORKSTATION_TRUST_ACCOUNT and stating the userAccountControl bit value under which the Add method returns ERROR_DS_SECURITY_ILLEGAL_MODIFY. Also created a new behavior note to specify the operating systems to which the new constraints apply. ● dSHeuristics, updated table heuristic character 21 'DoNotVerifyUPNAndOrSPNUniqueness' to specify how the bit values of this heuristic determine whether UPN and SPN are checked for uniqueness in AD LDS and AD DS. Added new dsHeuristics characters 'AttributeAuthorizationOnLDAPAdd' and 'BlockOwnerImplicitRights' and their descriptions to the dsHeuristics table to support the procedure in section 3.1.1.5.2.1.1. ● Blocking Implicit Owner Rights, created a new section to describe the conditions under which implicitly granted rights are blocked for the owner of a security descriptor. ● Security Considerations, clarified requirements that MUST be satisfied when a DACL value is written according to SD flags. | November 2021 |
| | Specifies the Microsoft implementation of the Kerberos Protocol Extensions, as specified in [RFC4120], by specifying any Windows behaviors that differ from the Kerberos Protocol, in addition to Windows extensions for interactive logon and the inclusion of authorization information expressed as group memberships and related information. This document has been updated as follows: ● PAC Generation, replaced the section's previous rules on PAC generation with new rules. ● PAC_ATTRIBUTES_INFO Structure, added section on processing. ● PAC_REQUESTOR SID, added section on processing. ● TGS Exchange, added processing rules for when the PAC_REQUESTOR SID is present in the PAC. ● PAC Requestor and Attributes Info Structures, added section on processing a service ticket with Domain Local Group Membership. | November 2021 |
| | Specifies the Network Controller Protocol, which is used by tenants and network administrators to control data center networking. Common tasks that would use these APIs include designing and monitoring a virtual network in a data center. This document has been updated as follows: ● Versioning and Capability Negotiation, added URI versions 3.1 and 3.2. ● Added failure scenario for when the portDefaultState property of the virtualSwitchManager resource is equal to AllowTraffic. ● Added network source rules for two or more frontendIPConfigurations resources. ● For inboundNatRules, changed the frontendPort and backendPort minimum value from 1 to 0 (zero) and the enableTcpReset URI version from v4 to v3.2. ● For outboundNatRules, changed the enableTcpReset URI version from v4 to v3.2. ● Added previous and new processing rules for port numbers for frontendPort and backendPort for the inboundNatRules resource type. ● For virtualSwitchManager, changed the PortDefaultState property URI from v4 to v3.1. Added the numInterfacesHavingQos property for URI v1. | November 2021 |
| | Specifies the Privilege Attribute Certificate Data Structure, which is used to encode authorization information. The Privilege Attribute Certificate also contains memberships, additional credential information, profile and policy information, and supporting security metadata. This document has been updated as follows: ● UPN_DNS_INFO, added four new fields and a flag to the structure. ● PAC_ATTRIBUTES_INFO, added section with the structure description. ● PAC_REQUESTOR, added section with a description of the structure that contains the SID. | November 2021 |
| [MS-SAMR]: Security Account Manager (SAM) Remote Protocol (Client-to-Server) | Specifies the Security Account Manager (SAM) Remote Protocol, which supports management functionality for an account store or directory containing users and groups. The goal of the protocol is to enable IT administrators and users to manage users, groups, and computers. This document has been updated as follows: ● Added the constraint that the sAMAccountName for computer accounts with the USER_WORKSTATION_TRUST_ACCOUNT flag must end with a single dollar sign ($). ● Required that the objectClass of a new account MUST match the sAMAccountType. | November 2021 |
| | Specifies the Encrypting File System Remote (EFSRPC) Protocol, which performs maintenance and management operations on encrypted data that is stored remotely and accessed over a network. This document has been updated as follows: ● Added new reference to Windows LSA Spoofing Vulnerability [MSFT-CVE-2021-36942]. ● Added product note with reference to Windows LSA Spoofing Vulnerability [MSFT-CVE-2021-36942], the return of error code ERROR_ACCESS_DENIED for the EfsRpcOpenFileRaw method using the \pipe\lsarpc endpoint, and the list of applicable products. | August 2021 |
| | Specifies version 2 of the Mobile Device Enrollment Protocol (MDE), which enables enrolling a device with the DMS through an Enrollment Service (ES). The protocol includes the discovery of the Management Enrollment Service (MES) and enrollment with the ES. This document has been updated as follows: Updated product behavior notes with product version support for the following features: ● RequestSecurityToken using Federated Authentication ● RequestSecurityToken using Certificate Authentication ● RequestSecurityToken using On-Premise Authentication | August 2021 |
| [MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol | Specifies the Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol. This protocol enables the use of public key cryptography in the initial authentication exchange of the Kerberos Protocol (PKINIT) and specifies the Windows implementation of PKINIT where it differs from [RFC4556]. This document has been updated as follows: ● Removed references to RC2 encryption mode rc2-cbc. ● Added reference to the security update Windows Key Distribution Center Information Disclosure Vulnerability [MSFT-CVE-2021-33764]. | August 2021 |
| | Specifies the Windows Update Services: Client-Server Protocol, which enables machines to discover and download software updates over the Internet using the SOAP and HTTP protocols. This document has been updated as follows: ● Updated ClientBehaviors element product applicability. ● Added the GeoId property to the Request XML as part of the GetExtendedUpdateInfo method. ● Provided a definition of the GeoId property. ● Updated region information in the Metadata Table by adding the GeoId element and description to the Eula entry. ● Added and updated product behavior notes to indicate operating systems that support the GeoId property via feature backports to those systems. | August 2021 |
| [MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to [RFC6749] (The OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. This document has been updated as follows: ● Updated this protocol to support client use of KDFv2. ● Added server and client usage processing directions for KDFv2. ● Added behavior note on KDF Version 2 support with the Windows Azure AD Security Feature Bypass Vulnerability [MSFT-CVE-2021-33781] that contains the list of KB articles and operating systems. | July 2021 |
| | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the end user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider metadata that enable the discovery of the issuer of access tokens and give additional information about provider capabilities. This document has been updated as follows: ● Updated to support server and client use of KDFv2. ● Added behavior note on KDF Version 2 support with the Windows ADFS Security Feature Bypass Vulnerability [MSFT-CVE-2021-33779] that contains the list of KB articles and operating systems. | July 2021 |
| [MS-SAMR]: Security Account Manager (SAM) Remote Protocol (Client-to-Server) | Specifies the Security Account Manager (SAM) Remote Protocol, which supports management functionality for an account store or directory containing users and groups. The goal of the protocol is to enable IT administrators and users to manage users, groups, and computers. This document has been updated as follows: ● Updated the document to cover the recent AES encryption capabilities added to the MS-SAMR protocol. ● Added behavior note with the Windows Security Account Manager Remote Protocol Security Feature Bypass Vulnerability [MSFT-CVE-2021-33757] for the multiple Windows operating systems to which the capability is backported. ● Added behavior note to indicate backported updates for the Windows Security Account Manager Remote Protocol Security Feature Bypass Vulnerability [MSFT-CVE-2021-33757] that make Advanced Encryption Standard (AES) encryption the preferred method when using the MS-SAMR protocol to change or set account passwords on Windows clients, if AES encryption is supported by the SAM server. | July 2021 |
| [MS-DCOM]: Distributed Component Object Model (DCOM) Remote Protocol | Specifies the Distributed Component Object Model (DCOM) Remote Protocol, which exposes application objects via remote procedure calls (RPCs) and consists of a set of extensions layered on the Microsoft Remote Procedure Call Extensions. This document has been updated as follows: ● Replaced the existing authentication level constant 'RPC_C_AUTHN_LEVEL_CONNECT' with the higher authentication level constant 'RPC_C_AUTHN_LEVEL_PKT_INTEGRITY' in behavior notes. ● Created a list of applicable products to which the updated feature is backported. | June 2021 |
| | Specifies the EventLog Remoting Protocol, which exposes the RPC methods for reading events in both live and backup event logs on remote computers. This document has been updated as follows: ● Updated authentication level description and processing for client and server. ● Added behavior note for the Windows NTLM Elevation of Privilege Vulnerability security update June 2021 [MSFT-CVE-2021-31958] with product applicability list. | June 2021 |
| | Specifies the EventLog Remoting Protocol Version 6.0, which exposes RPC methods for reading events in both live and backup event logs on remote computers. This protocol was originally made available for Windows Vista. This document has been updated as follows: ● Updated authentication level description and processing for client and server. ● Added behavior note for the Windows NTLM Elevation of Privilege Vulnerability security update June 2021 [MSFT-CVE-2021-31958] with product applicability list. | June 2021 |
Overview Documents Release
The following overview documents were updated October 2021 for Windows 11.
| Specification | Description | Release Date |
|---|---|---|
| | Provides an overview of the functionality and relationship of the protocols in the Authentication Services protocols. The Authentication Services protocols verify the identity of users, computers, and services through the interactive logon and network logon authentication processes. Once authenticated, these entities can be authorized to access network resources securely. The Windows client and server operating systems implement a set of authentication protocol standards, such as Kerberos [RFC4120], and their extensions, such as [MS-KILE], as part of an extensible architecture consisting of security support provider (SSP) security packages. This document has been updated as follows: ● Updated TLS diagram with RFCs for TLS 1.3, TLS extensions, elliptic curves, and cipher suites. ● Added TLS Version 1.3 with reference to [RFC8446]. ● Added Windows 11 to the applicability list. | October 2021 |
| | Provides an overview of the Windows interoperability technologies and the protocols required for implementation. It also describes the intended functionality of the Windows interoperability protocols and technologies and provides examples of common user scenarios. This document has been updated as follows: ● Added references to [RFC5246] TLS v1.2 and [RFC8446] TLS v1.3. ● Added Windows 11 to the applicability list. | October 2021 |
Technical Document Release
The following technical document was updated in October 2021 for Windows 10 v21H2.
| Specification | Description | Release Date |
|---|---|---|
| | Specifies the Print System Remote Protocol, which defines the communication of print job processing and print system management between a print client and a print server. This document has been updated as follows: Updated to support server and client use of _DRIVER_INFO, _FORM_INFO, _JOB_INFO, _MONITOR_INFO, _PORT_INFO and _PRINTER_INFO for XcvData. | October 2021 |
Reference Document Release
The following reference document was updated in November 2021.
| Specification | Description | Release Date |
|---|---|---|
| | Describes the HRESULT values, Win32 error codes, and NTSTATUS values that are referenced in the protocol specifications throughout the Windows protocols documentation set. This document has been updated as follows: Expanded the description of the CERT_E_REVOKED error value to include information about device drivers with invalid certificates. | November 2021 |
Content Updates
The following documents were updated in October 2021 to fix content issues.
| Specification | Content Updates |
|---|---|
| [MS-SMB2]: Server Message Block (SMB) Protocol Versions 2 and 3 | |