What’s New and Changed

This section provides descriptions of and links to the Windows technical documents that have been revised to reflect the functionality of the latest product version.

New Documentation

Specification

Description

Release date

[MS-RDPECI]: Remote Desktop Protocol: Core Input Virtual Channel Extension

Specifies the Remote Desktop Protocol: Core Input Virtual Channel Extension, which enables remoting of keyboard and mouse pointer input over the UDP transport. This is an extension to the Basic Connectivity and Graphics Remoting Protocol.

September 20, 2023

[MS-RDPEL]: Remote Desktop Protocol: Location Virtual Channel Extension

Specifies the Remote Desktop Protocol: Location Virtual Channel Extension, which adds the ability to redirect the client's location (latitude, longitude, and altitude) to a server so that location-based services running in a user session can provide a more contextualized experience where possible.

September 20, 2023

[MS-RDPEMSC]: Remote Desktop Protocol: Mouse Cursor Virtual Channel Extension

Specifies the Remote Desktop Protocol: Mouse Cursor Virtual Channel Extension, which enables remoting of the mouse cursor bitmap over the UDP transport. This is an extension to the Basic Connectivity and Graphics Remoting Protocol.

September 20, 2023

Service Releases

The following documents were updated for service releases after the April 2022 release for Windows 11, version 22H2 operating system.

Specifications with service release updates

Description

Release date

[MS-APDS]: Authentication Protocol Domain Support

This document has been updated as follows:

To specify client ticket validation to ensure its integrity:

●  2.2.2 Kerberos Ticket Validation Message Syntax: Added section to give NETLOGON_TICKET_LOGON_INFO Message usage.

●  2.2.2.1 NETLOGON_TICKET_LOGON_INFO Message: Added section to define structure used to begin the network ticket logon flow.

●  2.2.3 Kerberos Ticket Validation Response Message Syntax: Added section to give NETLOGON_VALIDATION_TICKET_LOGON message usage.

●  2.2.3.1 NETLOGON_VALIDATION_TICKET_LOGON message: Added section to define structure used to validate the logon ticket.

●  3.2 Kerberos PAC Validation Details: Changed from KERB_VERIFY_PAC_REQUEST to NETLOGON_TICKET_LOGON_INFO message to begin ticket verification.

●  3.2.5.1 Generating a NETLOGON_TICKET_LOGON_INFO Message: Added section to state the creation requirements.

●  3.2.5.2 Processing a NETLOGON_TICKET_LOGON_INFO Message: Added section to state the ticket verification process.

April 9, 2024

[MS-NRPC]: Netlogon Remote Protocol

For client ticket validation to ensure its integrity:

●  Added to NETLOGON_LEVEL case NetlogonTicketLogonInformation, LogonTicket.

●  Added to enum _NETLOGON_LOGON_INFO_CLASS value 8 NetlogonTicketLogonInformation.

●  Added to NETLOGON_VALIDATION case NetlogonValidationTicketLogon, ValidationTicket.

●  Added to enum _NETLOGON_VALIDATION_INFO_CLASS value 7 NetlogonValidationTicketLogon.

April 9, 2024

[MS-SMB2]: Server Message Block (SMB) Protocol Versions 2 and 3

This document has been updated as follows:

The SMB2_GLOBAL_CAP_ENCRYPTION capability is only valid for the SMB 3.0 and 3.02 dialects and when the AES-128-CCM cipher is supported.

April 8, 2024

[MS-RDPEAR]: Remote Desktop Protocol Authentication Redirection Virtual Channel

This document has been updated as follows:

Changed the TGS-REP and AS-REP PDU values to zero in the KERB_ASN1_DATA and UnpackKdcReplyBody structures for RemoteCallKerbUnpackKdcReplyBody messages, and added tables of the previous values to the product notes.

March 25, 2024

[MS-SMB2]: Server Message Block (SMB) Protocol Versions 2 and 3

This document has been updated as follows:

The SMB2_GLOBAL_CAP_ENCRYPTION capability is only valid for the SMB 3.0 and 3.02 dialects and when the AES-128-CCM cipher is supported.

March 25, 2024
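The capability rule stated in the two MS-SMB2 entries above (April 8 and March 25, 2024) is easy to get wrong when reading a capture: a client can set SMB2_GLOBAL_CAP_ENCRYPTION while offering only 2.x dialects (where the flag means nothing), or offer 3.1.1, where encryption is negotiated through the SMB2_ENCRYPTION_CAPABILITIES negotiate context rather than the flag. The following is an added example, not code from MS-SMB2 or Windows: it builds constructed NEGOTIATE requests, parses them (header per MS-SMB2 2.2.1.1, body per 2.2.3, context per 2.2.3.1.2), and reports which encryption offers are actually in effect. The helper names and the fixed ClientGuid value are this example's own.

```python
"""Parse an SMB2 NEGOTIATE request and decide which encryption offers it carries.

Added example (not from MS-SMB2 or Windows). Layouts follow MS-SMB2 2.2.1.1
(header), 2.2.3 (NEGOTIATE request) and 2.2.3.1.2 (SMB2_ENCRYPTION_CAPABILITIES);
the sample packets are constructed here.
"""
import struct

SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_GLOBAL_CAP_ENCRYPTION = 0x00000040
SMB2_ENCRYPTION_CAPABILITIES = 0x0002          # negotiate context type
DIALECT_30, DIALECT_302, DIALECT_311 = 0x0300, 0x0302, 0x0311
CIPHERS = {0x0001: "AES-128-CCM", 0x0002: "AES-128-GCM",
           0x0003: "AES-256-CCM", 0x0004: "AES-256-GCM"}


def build_negotiate(dialects, capabilities, ciphers=()):
    """Constructed sample: SMB2 header + NEGOTIATE body; contexts only when 3.1.1 is offered."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0,
                         SMB2_NEGOTIATE, 0, 0, 0, 0, 0, 0, 0, b"\0" * 16)
    dialect_bytes = struct.pack("<%dH" % len(dialects), *dialects)
    pad = ctx = b""
    if DIALECT_311 in dialects:
        ctx_off = SMB2_HEADER_LEN + 36 + len(dialect_bytes)
        pad = b"\0" * (-ctx_off % 8)              # contexts are 8-byte aligned from the header start
        data = struct.pack("<H%dH" % len(ciphers), len(ciphers), *ciphers)
        ctx = struct.pack("<HHI", SMB2_ENCRYPTION_CAPABILITIES, len(data), 0) + data
        tail = struct.pack("<IHH", ctx_off + len(pad), 1, 0)   # NegotiateContextOffset/Count/Reserved2
    else:
        tail = struct.pack("<Q", 0)                            # ClientStartTime
    body = struct.pack("<HHHHI16s", 36, len(dialects), 0x0001, 0,
                       capabilities, b"\x11" * 16) + tail + dialect_bytes   # fixed ClientGuid (example only)
    return header + body + pad + ctx


def parse_negotiate(pkt):
    """Return dialects, Capabilities and (for 3.1.1) the ciphers offered in the negotiate context."""
    proto, hsize, _, _, cmd = struct.unpack_from("<4sHHIH", pkt, 0)
    if proto != b"\xfeSMB" or hsize != 64 or cmd != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE request")
    base = SMB2_HEADER_LEN
    ssize, count, _secmode, _, caps, _guid = struct.unpack_from("<HHHHI16s", pkt, base)
    if ssize != 36:
        raise ValueError("bad StructureSize")
    dialects = list(struct.unpack_from("<%dH" % count, pkt, base + 36))
    ciphers = []
    if DIALECT_311 in dialects:
        off, n_ctx, _ = struct.unpack_from("<IHH", pkt, base + 28)   # union at body offset 28
        for _ in range(n_ctx):
            ctype, dlen, _ = struct.unpack_from("<HHI", pkt, off)
            data = pkt[off + 8: off + 8 + dlen]
            if ctype == SMB2_ENCRYPTION_CAPABILITIES:
                n = struct.unpack_from("<H", data)[0]
                ciphers = list(struct.unpack_from("<%dH" % n, data, 2))
            off += 8 + dlen + (-(8 + dlen) % 8)
    return {"dialects": dialects, "capabilities": caps, "ciphers": ciphers}


def cap_flag_meaningful(info):
    """SMB2_GLOBAL_CAP_ENCRYPTION only counts when a 3.0 or 3.0.2 dialect is offered."""
    return bool(info["capabilities"] & SMB2_GLOBAL_CAP_ENCRYPTION) and \
        any(d in (DIALECT_30, DIALECT_302) for d in info["dialects"])


def offered_ciphers(info):
    """Every cipher the request could end up negotiating, in offer order."""
    names = []
    if cap_flag_meaningful(info):
        names.append("AES-128-CCM")        # the only cipher 3.0/3.0.2 can negotiate
    names += [CIPHERS.get(c, "unknown-0x%04x" % c) for c in info["ciphers"]]
    return list(dict.fromkeys(names))
```

Run `offered_ciphers(parse_negotiate(pkt))` over a client's NEGOTIATE to see whether a flagged capture actually commits the client to encryption: a 2.x-only offer with the flag set yields an empty list, a 3.0/3.0.2 offer with the flag yields AES-128-CCM, and a 3.1.1 offer lists whatever the context carries regardless of the flag.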

[MS-SMB2]: Server Message Block (SMB) Protocol Versions 2 and 3

This document has been updated as follows:

Added mutual authentication and client access control for SMB over QUIC. Administrators can require the SMB client to send its certificate to the server for validation and can restrict which clients can access SMB over QUIC servers, giving organizations extra protection by restricting which devices can connect to a trusted file server.

March 11, 2024

[MS-SMB2]: Server Message Block (SMB) Protocol Versions 2 and 3

This document has been updated as follows:

Added mutual authentication and client access control for SMB over QUIC. Administrators can require the SMB client to send its certificate to the server for validation and can restrict which clients can access SMB over QUIC servers, giving organizations extra protection by restricting which devices can connect to a trusted file server.

February 26, 2024

[MS-MDE2]: Mobile Device Enrollment Protocol Version 2

This document has been updated as follows:

Added information to section 2.2.9.3 about a new LinkedEnrollment node and child nodes that enable specification of a discovery endpoint.

February 14, 2024

[MS-SAMR]: Security Account Manager (SAM) Remote Protocol (Client-to-Server)

This document has been updated as follows:

In section 3.1.5.7.3, SamrDeleteUser (Opnum 35), expanded a processing rule to indicate a condition under which the server should stop processing and deny access.

January 29, 2024

[MC-MQAC]: Message Queuing (MSMQ): ActiveX Client Protocol

This document has been updated as follows:

In the Body (Opnum 28) varBody VARIANT, removed the statement that VT_ARRAY can be combined with any of the other types, and added VT_UI1 to the array type.

January 9, 2024

[MS-LSAD]: Local Security Authority (Domain Policy) Remote Protocol

This document has been updated as follows:

Added a flag to indicate that the client should use AES encryption. Six methods and a structure added for using AES encryption in handling secret objects.

January 9, 2024

[MS-BKRP]: BackupKey Remote Protocol

This document has been updated as follows:

Added a product behavior note about the RPC authentication level. In some client and server versions there is no error if the authentication level is less than RPC_C_AUTHN_LEVEL_PKT_PRIVACY. Applying [MSFT-CVE-2023-36004] raises the required authentication level and will return an error.

December 12, 2023

[MS-MDE2]: Mobile Device Enrollment Protocol Version 2

This document has been updated as follows:

●  Added version 6.0 to the RequestVersion.

●  Added version 6.0 to the EnrollmentVersion.

●  Added new GetPoliciesResponse nodes for attestationFailureBehavior, operationTimeout, nonce, relyingPartyId, and endpointUri.

●  Added new RequestSecurityToken nodes for Name attribute and Value for Azure Attestation.

●  Added new section 4 example for GetPolicies Response message with the fields required for Azure Attestation.

●  Added new section 4 example to demonstrate the call to the RequestSecurityToken message.

November 15, 2023

[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients

This document has been updated as follows:

Added two new optional HTTP headers "x-ms-SsoFlags" (2.2.1.3), and "x-ms-SsoFlagsSubstatus" (2.2.1.4) that provide information about the state of the automatic app sign in policy.

November 15, 2023

[MC-MQAC]: Message Queuing (MSMQ): ActiveX Client Protocol

This document has been updated as follows:

In section 3.9.4.2 IMSMQTransaction2 Interface, removed from varTransaction VARIANTs VT_I4, VT_I4 | VT_BYREF, VT_I8, and VT_I8 | VT_BYREF with their processing.

October 10, 2023

[MS-DRSR]: Directory Replication Service (DRS) Remote Protocol

This document has been updated as follows:

●  In section 5.115.3 ProcessDirSyncSearchRequest, moved the filter assignment above the access checks in the procedure and added the filter parameter to the SecurityCheckForChanges method.

●  In section 5.115.12 SecurityCheckForChanges, added the filter parameter, added attrVecInFilter, and added procedure processing to handle the attributes in the filter.

October 10, 2023

[MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol

This document has been updated as follows:

In section 3.1.5.2.1.6 SID, added certificate SID mapping using a Subject Alternative Name of type URL in the literal format, with a product note for applicability.

September 25, 2023

[MS-MDE2]: Mobile Device Enrollment Protocol Version 2

This document has been updated as follows:

In Section 2.2.10 Faults: Added a new CustomServerError message to the detail element table with product behavior note for applicability.

June 12, 2023

[MS-WUSP]: Windows Update Services: Client-Server Protocol

This document has been updated as follows:

Revised Event ID table to add missing EventIDs and descriptions, to revise certain other descriptions, and to deprecate outdated events.

April 11, 2023

[MS-MDM]: Mobile Device Management Protocol

This document has been updated as follows:

In section 3.2.5.1, updated the product note to state that, in March 2023, support for user sessions (multi-session edition only, in Windows Virtual Desktop (WVD)) was backported to Windows 10 v2004 (21H1) and later.

March 6, 2023

Technical Document Release

The following documents were updated in October 2023 for the Windows 11, version 23H2 operating system.

Specification

Description

Release date

[MS-CDP]: Connected Devices Platform Protocol Version 3

This document has been updated as follows:

●  Added to the Common Header, MessageType value 7 Disconnect.

●  Added processing to the Upgrade request and response messages to allow traffic over TCP when the device type is Public.

●  Added new section 2.2.2.5 Disconnect Message, an optional message to inform the other device to disconnect the connected session.

October 9, 2023

[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients

This document has been updated as follows:

In sections 3.2.5.2.1.1.1 x-ms-RefreshTokenCredential HTTP header format and 3.2.5.2.1.1.2 x-ms-DeviceCredential HTTP header format, added JWT field values ua_client_id and ua_redirect_uri to inform the AAD/server.

October 9, 2023

The following documents were updated for the Windows Server 2022 operating system.

Specification

Description

Release date

[MS-ADA2]: Active Directory Schema Attributes M

This document has been updated as follows:

Added new Active Directory schema attribute-elements to support new Local Administrator Password Solution (LAPS) feature in Windows.

September 20, 2023

[MS-ADTS]: Active Directory Technical Specification

This document has been updated as follows:

●  Section 3.1.1.3.2 rootDSE Attributes: Added msDS-PriorityBoost attribute to tables.

●  Section 3.1.1.3.2.60 msDS-PriorityBoost: Added new section that explains attribute reading with an example.

●  Section 3.1.1.3.3 rootDSE Modify Operations: Added msDS-PriorityBoost attribute to the table.

●  Section 3.1.1.3.3.42 setPriorityBoost: Added new section that explains the type of modifications and requirements for use with a sample operation.

September 20, 2023

[MS-BKRP]: BackupKey Remote Protocol

This document has been updated as follows:

Revised to disable the data protection API master key backup fallback by default, as the use of the RC4 algorithm to back up the data protection API master key is no longer available by default.

September 20, 2023

[MS-CMRP]: Failover Cluster: Management API (ClusAPI) Protocol

This document has been updated as follows:

Section 2.2.3.3 CLUSTER_OPERATIONAL_VERSION_INFO: Added values to the dwClusterHighestVersion and dwClusterLowestVersion member tables with notes on the values' product applicability.

November 28, 2023

[MS-CRTD]: Certificate Templates Structure

This document has been updated as follows:

Added a new enrollment-attribute flag CT_FLAG_NO_SECURITY_EXTENSION to the msPKI-Enrollment-Flag attribute table. When set, it instructs the CA not to include the security extension szOID_NTDS_CA_SECURITY_EXT (OID 1.3.6.1.4.1.311.25.2), as specified in [MS-WCCE] sections 2.2.2.7.7.4 and 3.2.2.6.2.1.4.5.9, in the issued certificate. A behavior note indicates that this enrollment flag is supported by the operating systems listed in [MSFT-CVE-2022-26931], each with its related KB article update installed.

September 20, 2023

[MS-CSRA]: Certificate Services Remote Administration Protocol

This document has been updated as follows:

Clients of Certificate Authority (CA) servers are now provided with a significantly higher level of security when connecting with CA servers, with the use of the RPC_C_AUTHN_LEVEL_PKT_PRIVACY authentication level. Clients must now use this authentication level, otherwise CA servers will not allow client connections to succeed. This feature is supported by the administrative component of CA servers. This issue is addressed in the Active Directory Certificates elevation of privilege issue that is described in [MSFT-CVE-2022-37976].

September 20, 2023

[MS-CSVP]: Failover Cluster: Setup and Validation Protocol (ClusPrep)

This document has been updated as follows:

●  2.2.28 ClusterLogType: Added section for the ClusterLogType enumeration.

●  3.18.4 Message Processing Events and Sequencing Rules: Added methods GenerateClusterSetLog (Opnum 5), GenerateClusterNetworkLog (Opnum 6), ExportClusterPerformanceHistory (Opnum 7), and GenerateNetftLog (Opnum 8).

●  3.18.4.3 GenerateClusterSetLog (Opnum 5): Added section for the method that generates the cluster set log file on cluster nodes.

●  3.18.4.4 GenerateClusterNetworkLog (Opnum 6): Added section for the method that generates the cluster network log file on cluster nodes.

●  3.18.4.5 ExportClusterPerformanceHistory (Opnum 7): Added section for the method that generates the health log file on cluster nodes.

●  3.18.4.6 GenerateNetftLog (Opnum 8): Added section for the method that generates the Netft log file on cluster nodes.

●  3.19 IClusterLogEx2 Server Details: Added header section with sub sections.

●  3.19.1 Abstract Data Model: Added section as None.

●  3.19.2 Timers: Added section with no new timers.

●  3.19.3 Initialization: Added section that describes the initialization procedure.

●  3.19.4 Message Processing Events and Sequencing Rules: Added new section to indicate the RPC runtime requirements and list the IClusterLogEx2 methods GenerateLogEx, GetCountLogs, and GetLogFilePath.

●  3.19.4.1 GenerateLogEx (Opnum 9): Added section for the method that writes a file that contains diagnostic information about failover clusters for the server on which it executes.

●  3.19.4.2 GetCountLogs (Opnum 10): Added section for the method that returns the number of log files that were generated by a preceding call to GenerateLogEx.

●  3.19.4.3 GetLogFilePath (Opnum 11): Added section for the method that returns the server-relative path of a log file that was generated by a preceding call to GenerateLogEx.

●  6 Appendix A: Full IDL: Added enum _ClusterLogType and methods GenerateClusterSetLog, GenerateClusterNetworkLog, ExportClusterPerformanceHistory, and GenerateNetftLog. Added interface IClusterLogEx2 with methods GenerateLogEx, GetCountLogs, and GetLogFilePath.

September 20, 2023

[MS-DCOM]: Distributed Component Object Model (DCOM) Remote Protocol

This document has been updated as follows:

Updated to indicate that on Windows, the client can raise the authentication level requested by the application to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, if it is less than that. Also specified the operating systems that support this behavior.

September 20, 2023

[MS-EFSR]: Encrypting File System Remote (EFSRPC) Protocol

This document has been updated as follows:

●  In section 3.1.4.2, EFSRPC Interface, added a product behavior note describing the change after applying [MSFT-CVE-2022-26925].

●  In section 2.2.2.2.1, Protector List Structure, removed two fields from structure diagram.

September 20, 2023

[MS-EVEN]: EventLog Remoting Protocol

This document has been updated as follows:

In section 2.1.2, Client, updated the packet-level authentication value as specified in [MS-RPCE] section 2.2.1.1.8.

September 20, 2023

[MS-EVEN6]: EventLog Remoting Protocol Version 6.0

This document has been updated as follows:

In section 2.1.2, Client, updated the packet-level authentication value as specified in [MS-RPCE] section 2.2.1.1.8.

September 20, 2023

[MS-FASP]: Firewall and Advanced Security Protocol

This document has been updated as follows:

Updated definition of FW_QUERY_CONDITIONS struct.

September 20, 2023

[MS-FSA]: File System Algorithms

This document has been updated as follows:

Updated changes in the FSCTL_SET_INTEGRITY_INFORMATION_EX operation after application of updates.

September 20, 2023

[MS-FSCC]: File System Control Codes

This document has been updated as follows:

Updated changes in the FSCTL_SET_INTEGRITY_INFORMATION_EX operation after application of updates.

September 20, 2023

[MS-KILE]: Kerberos Protocol Extensions

This document has been updated as follows:

In section 3.1.5.2 Encryption Types, added that all other encryption types (that are not listed) should be rejected.

September 20, 2023

[MS-LSAD]: Local Security Authority (Domain Policy) Remote Protocol

This document has been updated as follows:

In section 2.2.1.4, AEAD-AES-256-CBC-HMAC-SHA512 Constants, updated AEAD-AES-256-CBC-HMAC-SHA512 constants to ensure that the value details allow an implementation to be successfully created.

September 20, 2023

[MS-NCNBI]: Network Controller Northbound Interface

This document has been updated as follows:

●  Added 7 new sections, updated 24 sections, each with multiple subsections, a total of 99 sections updated with 7 pages added.

●  1.7 Versioning and Capability Negotiation: Updated version v5 and added v6.

●  2.2.3.4 resourceId: Added multisite and multisitePrimary to the Resource table.

●  2.2.4 Data Structures: Added data structures configurationState and sites for the multisite resource.

●  3.1.5 Message Processing Events and Sequencing Rules: Added multisite, multisitePrimary, and networkControllerSite resources.

●  3.1.5.1 accessControlLists: Added securityTags element.

●  3.1.5.5.4 inboundNatRules: For property enableTcpReset removed HCI in the product note <8>.

●  3.1.5.5.5 loadBalancingRules: For property enableTcpReset removed HCI and Windows Server 2022 in the product note <9>.

●  3.1.5.5.6 outboundNatRules: Removed idleTimeoutInMinutes property and for property enableTcpReset removed HCI in the product note <11>.

●  3.1.5.6 loadBalancerManager: Added loadBalancerMuxMode property.

●  3.1.5.7 loadBalancerMuxes: Changed networkInterfaces.externalNetworkInterface and networkInterfaces.internalNetworkInterface to Required.

●  3.1.5.11 networkInterfaces: Changed QosSettings.enableHardwareLimits support from v3.1 to v4 or later.

●  3.1.5.19 virtualNetworkManager: Added enableMetering property.

●  3.1.5.26 virtualSwitchManager: Updated the methods table from virtualNetworkManager to virtualSwitchManager and removed the support statement for enableHardwareLimits.

●  3.1.5.31 securityTags: Changed accessControlList property from Optional to Read-only.

●  3.1.5.33 multisite: Added new section and subsections for the resource that configures the synchronization of two Network Controller-managed sites.

●  3.1.5.33.2 networkControllerSite: Added new section for resource that contains configuration information.

●  3.1.5.34 multisitePrimary: Added new section and subsections for the resource that represents a mechanism to set a Network Controller-managed site as the primary site.

●  3.1.5.35 Response Content for Errors: Added 56 error codes for various resources.

●  6.1 accessControlLists: Added securitytags resource and removed AddressPrefix in section 6.1 subsections.

●  6.5.6 inboundNatRules: Removed enableTcpReset in subsections.

●  6.5.7 loadBalancingRules: Removed enableTcpReset in subsections.

●  6.5.8 outboundNatRules: Removed enableTcpReset and idleTimeoutInMinutes in subsections.

●  6.6 loadBalancerManager: Added loadBalancerMuxMode in subsections

●  6.11 networkInterfaces: Added learnedIp in all subsections and added securityTags in GET and GET ALL subsections.

●  6.11.7 ipConfigurations: Added learnedIp and removed schema v5.

●  6.16 virtualNetworks: Added learnedIpAddresses in GET and GET ALL sections in 6.16 subsections.

●  6.17 virtualNetworkManager: Added enableMetering in section 6.17 subsections.

●  6.29 multisite: Added new section and subsections.

●  6.30 multisitePrimary: Added new section and subsections.

●  6.31 securityTags: Added new section and subsections.

●  6.32 learnedIPAddresses: Added new section and subsections.

September 20, 2023

[MS-NRPC]: Netlogon Remote Protocol

This document has been updated as follows:

Added the RequestedFlags case (2) to NETLOGON_CAPABILITIES; in NetrLogonGetCapabilities (Opnum 21), renamed ServerCapabilities to Capabilities so that the method can return either case 1 (the server's NegotiatedFlags) or case 2 (the client's RequestedFlags) for validation; and updated product applicability to exclude Windows XP, Windows Server 2003, and earlier.

September 20, 2023

[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients

This document has been updated as follows:

●  In section 3.2.5.2.1.1.2 x-ms-DeviceCredential HTTP header format, added JWT field values x_client_platform, win_ver, and windows_api_version to inform the AAD/server.

●  In section 3.2.5.2.1.1.1 x-ms-RefreshTokenCredential HTTP header format, added JWT field values x_client_platform, win_ver, and windows_api_version to inform the AAD/server.

●  Clarified how the client uses a previously received Nonce from the server, added 'request_nonce' as a required field in the 'assertion' field (for the signed JWT used to authenticate the user), and clarified the user JWT authentication processing steps taken by the server when the authenticated device kid is a mismatch with the assertion JWT kid.

September 20, 2023
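The request_nonce and kid rules in the MS-OAPXBC entry above describe two checks a broker-facing server makes on a signed assertion: the assertion must carry a nonce the server itself issued (and that nonce must not be reusable), and the key identifier in the assertion must be the one belonging to the device that was authenticated. The following is an added example, not code from MS-OAPXBC or any Microsoft component. It models both checks offline: HS256 with a per-device shared key stands in for the device key pair the real protocol uses, the BrokerServer class, its result strings and every claim name other than request_nonce are this example's own, and the example simply rejects on a kid mismatch (the specification's actual processing steps are in its section 3.2.5.2.1.1).

```python
"""Nonce-bound, key-bound assertion check modelled on the request_nonce / kid
rules for the broker assertion JWT.

Added example (not MS-OAPXBC or Microsoft code). HS256 with a shared device key
is an assumption standing in for the device's asymmetric key; nonces, device
keys and claim names other than request_nonce are constructed here.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, kid: str, key: bytes) -> str:
    """Client side: produce header.payload.signature with the device's kid in the header."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class BrokerServer:
    """Server side: issues nonces and verifies assertions against the authenticated device."""

    def __init__(self, device_keys: dict):
        self.device_keys = device_keys      # kid -> key of each registered device (constructed)
        self.nonces = {}                    # nonce -> expiry time; removed on first use

    def issue_nonce(self, ttl_seconds: int = 300) -> str:
        nonce = b64url(secrets.token_bytes(16))
        self.nonces[nonce] = time.time() + ttl_seconds
        return nonce

    def verify_assertion(self, token: str, authenticated_device_kid: str) -> str:
        try:
            h, c, s = token.split(".")
        except ValueError:
            return "malformed"
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(c))
        if header.get("alg") != "HS256":
            return "bad_alg"
        # The assertion must be signed by the same device that authenticated this request.
        if header.get("kid") != authenticated_device_kid:
            return "kid_mismatch"
        key = self.device_keys.get(authenticated_device_kid)
        if key is None:
            return "unknown_device"
        expected = hmac.new(key, (h + "." + c).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return "bad_signature"
        # Only a signature-verified assertion may consume a nonce, so a forgery
        # cannot burn a nonce that a legitimate client is about to use.
        nonce = claims.get("request_nonce")
        if nonce is None:
            return "missing_nonce"
        expiry = self.nonces.pop(nonce, None)
        if expiry is None:
            return "unknown_or_replayed_nonce"
        if time.time() > expiry:
            return "expired_nonce"
        return "ok"
```

The ordering of the checks is the security-relevant part: the kid comparison and signature verification happen before the nonce is consumed, so an attacker replaying or forging an assertion can neither pass as another device nor invalidate a nonce the real device still holds, and the pop makes every nonce single-use.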

[MS-PAC]: Privilege Attribute Certificate Data Structure

This document has been updated as follows:

●  2.4 PAC_INFO_BUFFER: Added new required ulType 0x00000013 for Extended KDC (privilege server) checksum buffer. Additional checksum buffers are to be ignored.

●  2.8.1 Server Signature: Added that the server signature MUST be generated AFTER the extended KDC signature.

●  2.8.3 Ticket Signature: Added the extended KDC signature in the recompute list.

●  2.8.4 Extended KDC Signature: Added new section. The extended KDC signature is used to detect tampering of PACs by parties other than the KDC. When a ticket is altered (for example, during renewal), the KDC SHOULD verify the integrity of the existing signatures and recompute the ticket signature, server signature, KDC signature, and extended KDC signature in the PAC.

September 20, 2023

[MS-PKCA]: Public Key Cryptography for Initial Authentication (PKINIT) in Kerberos Protocol

This document has been updated as follows:

Section 2.2.3 PA-PK-AS-REQ: added PAChecksum2 extension to PKAuthenticator with product applicability note, return value and reference to [RFC8636].

September 20, 2023

[MS-RDPBCGR]: Remote Desktop Protocol: Basic Connectivity and Graphics Remoting

This document has been updated as follows:

●  2.2.1.3.2 Client Core Data (TS_UD_CS_CORE): Added value '0x00080011' to version number table and substituted 'RNS_UD_CS_RELATIVE_MOUSE_INPUT' for 'RNS_UD_CS_UNUSED' in earlyCapabilityFlags table.

●  2.2.1.4.2 Server Core Data (TS_UD_SC_CORE): Added '0x00080011' value to version number table.

●  2.2.7.1.6 Input Capability Set (TS_INPUT_CAPABILITYSET): Substituted 'INPUT_FLAG_MOUSE_RELATIVE' for 'INPUT_FLAG_UNUSED' in inputFlags table.

●  2.2.8.1.1.3.1.1 Slow-Path Input Event (TS_INPUT_EVENT): Added 'INPUT_EVENT_MOUSEX' value to messageType table.

●  2.2.8.1.1.3.1.1.3 Mouse Event (TS_POINTER_EVENT): Updated 'Keyboard Event' to 'Pointing Device Event'.

●  2.2.8.1.1.3.1.1.7 Relative Mouse Event (TS_RELPOINTER_EVENT): New section. An event structure used to specify relative mouse pointer movement.

●  2.2.8.1.2.2 Fast-Path Input Event (TS_FP_INPUT_EVENT): Added 'FASTPATH_INPUT_EVENT_MOUSEREL' value to eventCode table.

●  2.2.8.1.2.2.7 Fast-Path Relative Mouse Event (TS_FP_RELPOINTER_EVENT): New section. A fast-path variant of the TS_RELPOINTER_EVENT structure used to specify relative mouse pointer movement.

●  3.2.5.8.1.1 Sending Input Event PDU: Added 'Relative Mouse Event (section 2.2.8.1.1.3.1.1.7)' to input event data list.

●  3.2.5.8.1.2 Sending Fast-Path Input Event PDU: Added 'Relative Mouse Event (section 2.2.8.1.2.2.7)' to list of fast path input event data.

●  3.3.5.8.1.1 Processing Input Event PDU: Added 'Relative Mouse Event (section 2.2.8.1.1.3.1.1.7)' to input event data list.

●  3.3.5.8.1.2 Processing Fast-Path Input Event PDU: Added 'Relative Mouse Event (section 2.2.8.1.2.2.7)' to list of input events.

September 20, 2023

[MS-RDPEAR]: Remote Desktop Protocol Authentication Redirection Virtual Channel

This document has been updated as follows:

In section 2.2.1.2.1 KERB_ASN1_DATA, updated PDU numeric values. Added product note for RS1 values.

September 20, 2023

[MS-RDPEGFX]: Remote Desktop Protocol: Graphics Pipeline Extension

This document has been updated as follows:

Updated formulas and labels in sections 2.2.4.5, 2.2.4.6, 3.3.8.3.2, and 3.3.8.3.3.

September 20, 2023

[MS-RNAS]: Vendor-Specific RADIUS Attributes for Network Policy and Access Server Data Structure

This document has been updated as follows:

●  Section 3.1.5.2 Microsoft VSA Support of RADIUS Messages: added MS-Azure-Policy-ID to VSA table.

●  Section 3.3.5.2.3 MS-Azure-Policy-ID, added new section. This attribute is consumed only by the Microsoft Azure Point to Site VPN Server.

●  Section 2.2.1.11 MS-Azure-Policy-ID, added new section. This Vendor-Specific attribute is to be used by the Radius Server to send an identifier which is used by Azure Point to Site VPN Server to match an authenticated RADIUS user Policy configured on the Azure side.

September 20, 2023

[MS-SAMR]: Security Account Manager (SAM) Remote Protocol (Client-to-Server)

This document has been updated as follows:

●  In section 2.2.7.15, SAMPR_REVISION_INFO_V1, in the Supported Features table, added a behavior note to value 0x00000020 and added value 0x00000040 with a behavior note. Each note states product and KB support.

●  In section 3.1.5.13.8 SamrValidateComputerAccountReuseAttempt (Opnum 74), updated the message data processing. Added ComputerSid field values ms-ds-CreatorSid attribute and ntSecurityDescriptor owner with behavior notes that state product and KB support.

September 20, 2023

[MS-SMB2]: Server Message Block (SMB) Protocol Versions 2 and 3

This document has been updated as follows:

●  2.2.1.1 SMB2 Packet Header - ASYNC: Added SMB2 SERVER_TO_CLIENT_NOTIFICATION to the Command table.

●  2.2.3 SMB2 NEGOTIATE Request: Added SMB2_GLOBAL_CAP_NOTIFICATIONS to the Capabilities table.

●  2.2.44 SMB2 SERVER_TO_CLIENT Notification: Added new section header (empty).

●  2.2.44.1 Server to Client Notification: Added new subsection for the SMB2_SERVER_TO_CLIENT_NOTIFICATION structure packet sent by the server to indicate an implementation-specific intent.

●  2.2.44.2 SMB2 Notify Session Closed: Added new subsection with structure to indicate that the SMB2_SERVER_TO_CLIENT_NOTIFICATION structure NotificationType is Closed.

●  3.2.5.2 Receiving an SMB2 NEGOTIATE Response: Added usage instructions for Connection.SupportsNotifications.

●  3.2.5.3.3 Handling Session Binding: Adjusted processing for when Connection.Dialect is 3.1.1.

●  3.2.5.20 Receiving a Server to Client Notification: Added section for SMB2_SERVER_TO_CLIENT_NOTIFICATION processing rules.

●  3.3.1.7 Per Transport Connection: Added Connection.SupportsNotifications definition.

●  3.3.1.8 Per Session: Added Session.SupportsNotification definition.

●  3.3.5.5 Receiving an SMB2 SESSION_SETUP Request: Added processing rules for checks of Session.SupportsNotifications.

●  4.11 Sending and Processing a Session Closed Notification: Added section with example to demonstrate SMB2 payload is closed.

●  4.11.1 Nuances with Multichannel, Signing, & Encryption: Added subsection to explain processing for various nuance cases.

September 20, 2023

[MS-WCCE]: Windows Client Certificate Enrollment Protocol

This document has been updated as follows:

Clients of Certificate Authority (CA) servers are now provided with a significantly higher level of security when connecting with CA servers, with the use of the RPC_C_AUTHN_LEVEL_PKT_PRIVACY authentication level. Clients must now use this authentication level, otherwise CA servers will not allow client connections to succeed. This issue is further addressed in the Active Directory Certificates elevation of privilege issue that is described in [MSFT-CVE-2022-37976].

September 20, 2023

[MS-WUSP]: Windows Update Services: Client-Server Protocol

This document has been updated as follows:

●  2.2.2.2.6 GetExtendedUpdateInfo: Added the callerAttributes definition and the callerAttributes element to the GetExtendedUpdateInfo complex type.

●  6.2 Client Web Service WSDL: Added the callerAttributes element to the GetExtendedUpdateInfo complex type in the Client Web Service WSDL schema.

November 28, 2023

[MS-WKST]: Workstation Service Remote Protocol

This document has been updated as follows:

●  In section 2.2.5.19.3, Encrypt Key and MAC Key, clarified the calculation of the keys.

●  In section 2.2.5.19.4, Encrypt Encoded Password, clarified the encryption process.

September 20, 2023

Technical Document Release

The following technical document was revised with product updates for Microsoft SQL Server 2022 and may also have been revised for content issues.

Specification

Description

Release date

[MS-TDS]: Tabular Data Stream Protocol

This document has been updated as follows:

●  Clarified the mandate that until the packet size is confirmed by the server, a Length value larger than 4,096 bytes cannot be used.

●  Defined the difference between the TDS 7.x version family, in which encryption is optional and negotiated in the TDS layer, and the new TDS 8.0 version, in which encryption is mandatory and handled in the lower layer before TDS begins functioning.

●  Added prelogin features for communication between client and server to enhance the security and efficiency of login support.

●  Added support to the COLUMNENCRYPTION feature extension for the ability to allow clients to cache column encryption keys when enclave computations are required.

April 10, 2023
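The first MS-TDS bullet above is a rule a parser has to enforce, not just state: until the server has confirmed the packet size, no packet may carry a Length above 4,096 bytes, and a receiver that accepts larger packets before negotiation is trusting a size the peer never agreed to. The following is an added example, not code from MS-TDS or SQL Server: it splits a message into TDS packets and reassembles them, with the 4,096-byte ceiling applied on both sides until the size is confirmed. The header layout (Type, Status, big-endian Length and SPID, PacketID, Window) follows MS-TDS section 2.2.3.1; the function names, the `size_confirmed` parameter and the sample payloads are this example's own.

```python
"""Split a TDS message into packets and reassemble it, enforcing the 4,096-byte
packet limit that applies until the server confirms a larger packet size.

Added example (not from MS-TDS or SQL Server). Header layout per MS-TDS 2.2.3.1;
the size_confirmed flag and the sample payloads are constructed for this example.
"""
import struct

TDS_HEADER_LEN = 8
TDS_DEFAULT_PACKET_SIZE = 4096       # ceiling until the server confirms a larger size
STATUS_EOM = 0x01                    # end-of-message bit in the Status byte
TYPE_SQL_BATCH, TYPE_LOGIN7, TYPE_PRELOGIN = 0x01, 0x10, 0x12


def split_message(packet_type, payload, packet_size=TDS_DEFAULT_PACKET_SIZE,
                  size_confirmed=False):
    """Return the list of TDS packets that carry `payload`.

    A packet size above 4,096 is only usable once the server has confirmed it
    (size_confirmed=True); before that a larger Length is a protocol violation.
    """
    if packet_size <= TDS_HEADER_LEN:
        raise ValueError("packet size must leave room for data")
    if packet_size > TDS_DEFAULT_PACKET_SIZE and not size_confirmed:
        raise ValueError("packet size above 4096 not confirmed by the server")
    chunk = packet_size - TDS_HEADER_LEN
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    packets = []
    for pid, piece in enumerate(pieces):
        status = STATUS_EOM if pid == len(pieces) - 1 else 0
        header = struct.pack(">BBHHBB", packet_type, status,
                             TDS_HEADER_LEN + len(piece), 0, pid & 0xFF, 0)
        packets.append(header + piece)
    return packets


def read_message(stream, max_packet_size=TDS_DEFAULT_PACKET_SIZE):
    """Reassemble one message from `stream`; returns (packet_type, payload, bytes_consumed).

    Any packet whose Length exceeds what this side has agreed to is rejected, so an
    oversized packet cannot be pushed through before size negotiation completes.
    """
    pos, parts, msg_type = 0, [], None
    while True:
        if len(stream) - pos < TDS_HEADER_LEN:
            raise ValueError("truncated packet header")
        ptype, status, length, _spid, _pid, _win = struct.unpack_from(">BBHHBB", stream, pos)
        if length < TDS_HEADER_LEN or length > max_packet_size:
            raise ValueError("invalid packet Length %d" % length)
        if len(stream) - pos < length:
            raise ValueError("truncated packet body")
        if msg_type is None:
            msg_type = ptype
        elif ptype != msg_type:
            raise ValueError("packet type changed mid-message")
        parts.append(stream[pos + TDS_HEADER_LEN:pos + length])
        pos += length
        if status & STATUS_EOM:
            return msg_type, b"".join(parts), pos
```

Raise `max_packet_size` on the receiving side only after the size has actually been negotiated; the same value that loosens the sender's ceiling is the one the receiver must start accepting, and neither side should move first on an unconfirmed number.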