Microsoft KB Update (January 13, 2026) – Medium Severity

This notice highlights recent Microsoft KB conflicts that impact Kerberos event capture and blocking on Windows Server 2016, 2019, and 2022.


On January 13, 2026, Microsoft released KB updates that conflict with Netwrix Threat Prevention agents.
If these KBs are applied before updating the agents, certain Kerberos authentication activity events will no longer be captured or blocked.

Netwrix recommends delaying the deployment of these KBs if your organization relies on these event types. The Netwrix development and QA teams are working on updated agents compatible with these KBs and will send another notice when they are available.

Important Details
If your organization does not use Netwrix Threat Prevention for the following activity event collection, or such events are not deemed important, you may elect to deploy the following Microsoft KBs in advance of updated Netwrix Threat Prevention agents.

No other aspect of Netwrix Threat Prevention operation is impacted by the January 13, 2026 KBs beyond what is described below. There is no adverse impact to domain controllers if the KBs are deployed without updating the agents.

Event Types Affected:
Capture or block Kerberos authentication activity

Severity: MEDIUM

Affected Products:

  • Netwrix Activity Monitor for Active Directory
  • Netwrix Threat Prevention for Active Directory
  • Netwrix Threat Manager for Active Directory

Affected Systems:

  • Windows Server 2025 (for Active Directory)
  • Windows Server 2022 (for Active Directory)
  • Windows Server 2019 (for Active Directory)
  • Windows Server 2016 (for Active Directory)

Affected Microsoft KBs:

  • Windows Server 2025 KB5073379
  • Windows Server 2022 KB5073457
  • Windows Server 2019 KB5073723
  • Windows Server 2016 KB5073696

Impact:

Functional:

  • Windows Server 2025 — KB5073379
    Netwrix Threat Prevention agents will lose the ability to capture or block Kerberos authentication activity.
    Log Indicators:

    • resolving HandleTGSRequest failed
  • Windows Server 2022 — KB5073457
    Netwrix Threat Prevention agents will lose the ability to capture or block Kerberos authentication activity.
    Log Indicators:

    • resolving HandleTGSRequest failed
    • Couldn't resolve I_RenewTicket
    • Couldn't resolve I_GetASTicket
  • Windows Server 2019 — KB5073723
    Netwrix Threat Prevention agents will lose the ability to capture or block Kerberos authentication activity.
    Log Indicators:

    • resolving HandleTGSRequest failed
    • Couldn't resolve I_RenewTicket
    • Couldn't resolve I_GetASTicket
  • Windows Server 2016 — KB5073696
    Netwrix Threat Prevention agents will lose the ability to capture or block Kerberos authentication activity.
    Log Indicators:

    • resolving HandleTGSRequest failed
    • Couldn't resolve I_RenewTicket
    • Couldn't resolve I_GetASTicket

Stability:
No stability impact on any server platforms or domain controllers.

Need help with this update?

There are many different ways to get help with our products!

Situation | Action
If you feel the product is broken and not working as intended… | Contact Support
If you have a question you’d like to ask other experts… | Create a discussion in the community: Threat Prevention > Discussions & Questions
If you have a feature request… | Let our product team know directly: Threat Prevention > Ideas
If you have something cool to show… | Show everyone what you built: Threat Prevention > Show & Tell

What are your thoughts?

We are always happy to hear from our users on what you like, and what you hope to see in the future. Please, share your thoughts below!

1 Like
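
A triage sketch for the two checks the notice above implies, added here as an example and not Netwrix or Microsoft code: it reports which of the four listed KBs are installed and which supplied agent log lines contain the notice's log indicators. The function name, the sample log line format and the placeholder KB0000000 are assumptions; the notice does not give the agent log path or format.

```powershell
# Added example, not Netwrix code. KB IDs and indicator strings are copied from the notice.
$ConflictingKBs = @{
    'KB5073379' = 'Windows Server 2025'
    'KB5073457' = 'Windows Server 2022'
    'KB5073723' = 'Windows Server 2019'
    'KB5073696' = 'Windows Server 2016'
}
$LogIndicators = @(
    'resolving HandleTGSRequest failed'
    "Couldn't resolve I_RenewTicket"
    "Couldn't resolve I_GetASTicket"
)

function Test-KerberosCaptureGap {   # hypothetical helper name
    param(
        [string[]]$InstalledKBs = @(),   # on a DC: (Get-HotFix).HotFixID
        [string[]]$AgentLogLines = @()   # on a DC: Get-Content -Path <agent log path>
    )
    # Which of the four conflicting KBs are present on this server?
    $kbHits = @($InstalledKBs | ForEach-Object { "$_".Trim() } |
        Where-Object { $ConflictingKBs.ContainsKey($_) } |
        ForEach-Object { "$_ ($($ConflictingKBs[$_]))" })

    # Which agent log lines carry one of the notice's indicator strings?
    $logHits = @(foreach ($line in $AgentLogLines) {
        foreach ($indicator in $LogIndicators) {
            if ($line -and $line.IndexOf($indicator, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Indicator = $indicator; Line = $line }
            }
        }
    })

    $status = if ($kbHits.Count -gt 0 -and $logHits.Count -gt 0) {
        'Listed KB installed and agent log shows resolve failures'
    } elseif ($kbHits.Count -gt 0) {
        'Listed KB installed, no indicator in the supplied log lines'
    } elseif ($logHits.Count -gt 0) {
        'Indicators present, but no listed KB found'
    } else { 'No listed KB and no indicators' }
    [pscustomobject]@{ Status = $status; ConflictingKBs = $kbHits; IndicatorHits = $logHits }
}

# Constructed sample input; KB0000000 is a placeholder and the log line format is assumed.
$sampleKBs = @('KB5073457', 'KB0000000')
$sampleLog = @(
    '2026-01-14 02:11:07 ERROR resolving HandleTGSRequest failed'
    "2026-01-14 02:11:07 ERROR Couldn't resolve I_GetASTicket"
    '2026-01-14 02:11:09 INFO  agent heartbeat ok'
)
Test-KerberosCaptureGap -InstalledKBs $sampleKBs -AgentLogLines $sampleLog | Format-List
```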

Hello,

Just wanting to confirm that this only affects Netwrix Activity Monitor and not Netwrix Threat Prevention. We have NTP installed but no activity monitor.

Just confirming as it says Netwrix Threat Prevention Agents a lot in the verbiage.

Thanks
Lee

1 Like

Hi Lee,

Thanks for checking in. Apologies for the confusion in the post; this issue does affect Netwrix Threat Prevention for AD as well. The post has now been updated.

1 Like