On June 10th 2025 Microsoft distributed KB’s whic conflict with existing Netwrix Threat Prevention (formerly StealthINTERCEPT) agents. If these KB’s are applied to your systems, they will conflict with current Netwrix Threat Prevention (formerly StealthINTERCEPT) agents as described below. Netwrix recommends delaying deployment of these KB’s until updated agents are deployed if the impacted event types are important to your organization.
The Netwrix development and QA teams are actively working on an agent update to be compatible with the new KB’s. We will send another notice with new agent versions in a few days.
Important Details
If your organization does not use Netwrix Threat Prevention (formerly StealthINTERCEPT) for the following activity event collection or such events are not deemed important then you may elect to deploy the following MS KB’s in advance of updated Netwrix Threat Prevention (formerly StealthINTERCEPT) agents. No other aspect of Netwrix Threat Prevention (formerly StealthINTERCEPT) operation is impacted by the June 10th 2025 KB’s beyond what is described below. There is no adverse impact to the domain controllers if the KB’s are deployed without updating the Netwrix Threat Prevention (formerly StealthINTERCEPT).
- Server 2025 capture LDAP Bind activity or capture or block Kerberos Authentication activity
- Server 2022 capture LDAP Bind activity or capture or block Kerberos Authentication activity
- Server 2019 capture or block Kerberos Authentication activity, capture FSMO Role changes
- Server 2016 capture or block Kerberos Authentication activity
Severity: MEDIUM
Affected Products
- Netwrix Threat Prevention for Active Directory
- Netwrix Threat Manager for Active Directory
- Netwrix Activity Monitor for Active Directory
Affected System(s):
- Windows Server 2025 (for Active Directory)
- Windows Server 2022 (for Active Directory)
- Windows Server 2019 (for Active Directory)
- Windows Server 2016 (for Active Directory)
Affected Platform/KB:
- Windows Server 2025 KB5060842
- Windows Server 2022 KB5060526
- Windows Server 2019 KB5060531
- Windows Server 2016 KB5061010
Impact:
• Functional:
- 2025 Server - KB5060842
- Netwrix Threat Prevention (formerly StealthINTERCEPT) agents will lose the ability to capture or block Kerberos Authentication events and to capture LDAP Bind events
- Expected ADMonitor_Logs Error:
- Couldn’t resolve LDAP_CONN::BindRequest
- Couldn’t resolve KdcGetTicket
- Couldn’t resolve HandleTGSRequest
- 2022 Server - KB5060526
- Netwrix Threat Prevention (formerly StealthINTERCEPT) agents will lose the ability to capture or block Kerberos Authentication events and to capture LDAP Bind events
- Expected ADMonitor_Logs Error:
- Couldn’t resolve I_GetASTicket
- Couldn’t resolve LDAP_CONN::BindRequest
- Couldn’t resolve KdcGetTicket
- Couldn’t resolve HandleTGSRequest
- 2019 Server - KB5060531
- Netwrix Threat Prevention (formerly StealthINTERCEPT) agents will lose the ability to capture or block Kerberos Authentication events and to capture FSMO Role changes
- Expected ADMonitor_Logs Error:
- Couldn’t resolve DsaGetValidFSMOs
- Couldn’t resolve KdcGetTicket
- Couldn’t resolve HandleTGSRequest
- Couldn’t resolve I_GetASTicket
- 2016 Server - KB5061010
- Netwrix Threat Prevention (formerly StealthINTERCEPT) agents will lose the ability to capture or block Kerberos Authentication events
- Expected ADMonitor_Logs Error:
- Couldn’t resolve I_RenewTicket
• Stability:
○ No stability impact on any server platforms / Domain Controllers