On May 13th, 2025, Microsoft distributed KB’s which conflict with existing AD Module used in Netwrix Activity Monitor for AD. If these KB’s are applied to your systems, they will conflict with current AD module as described below. Netwrix recommends delaying deployment of these KBs until the updated version of the module is released if the impacted event types are important to your organization.
The Netwrix development and QA teams are actively working on an agent update to be compatible with the new KB’s. We will send another notice with new version in a few days.
Important Details
If your organization does not use Active Directory monitoring on Server 2025 to capture NTLM Authentication activity or on Server 2022, 2019 and 2016 to capture Kerberos or NTLM Authentication activity or such events are not deemed important then you may elect to deploy the following MS KB’s in advance of updated Netwrix AD Module. No other aspect of Netwrix Activity Monitor operation is impacted by the May 13th 2025 KB’s beyond what is described below. There is no adverse impact on the domain controllers if the KBs are deployed without updating the AD Module.
Severity: MEDIUM
Affected Products:
- Netwrix Activity Monitor for Active Directory
Affected System(s):
• Windows Server 2025 (for Active Directory)
• Windows Server 2022 (for Active Directory)
• Windows Server 2019 (for Active Directory)
• Windows Server 2016 (for Active Directory)
Affected Platform/KB:
• Windows Server 2025 KB5058411
• Windows Server 2022 KB5058385
• Windows Server 2019 KB5058392
• Windows Server 2016 KB5058383
Impact:
• Functional:
○ Server 2025 - KB5058411
– AD module will lose the ability to capture NTLM Authentication events (Termsrv (JumpBox)
○ Expected ADMonitor_Logs Error:
- Couldn’t resolve NlpLogonSamLogon for Windows Server 2022 (20348.2400)
- Couldn’t resolve NlpUserValidate
- Couldn’t resolve CConnectionEx::InitializeClientData (4 param)
○ Server 2022 - KB5058385
– AD module will lose the ability to capture Kerberos and NTLM Authentication events
○ Expected ADMonitor_Logs Error:
- Couldn’t resolve HandleTGSRequest
- Couldn’t resolve I_GetASTicket
- Couldn’t resolve NlpLogonSamLogon
- Couldn’t resolve NlpLogonSamLogon
- Couldn’t resolve NlpUserValidate (Old)
- Couldn’t resolve NlpUserValidate
○ Server 2019 - KB5058392
– AD module will lose the ability to capture or block Kerberos and NTLM Authentication events
○ Expected ADMonitor_Logs Error:
- Couldn’t resolve HandleTGSRequest
- Couldn’t resolve I_GetASTicket
- Couldn’t resolve NlpLogonSamLogon
- Couldn’t resolve NlpLogonSamLogon
- Couldn’t resolve NlpUserValidate (Old)
- Couldn’t resolve NlpUserValidate
○ Server 2016 - KB5058383
– AD module will lose the ability to capture Kerberos and NTLM Authentication events
○ Expected ADMonitor_Logs Error:
- Couldn’t resolve HandleTGSRequest
- Couldn’t resolve I_GetASTicket
- Couldn’t resolve NlpLogonSamLogon
- Couldn’t resolve NlpLogonSamLogon
- Couldn’t resolve NlpUserValidate (Old)
- Couldn’t resolve NlpUserValidate
• Stability:
○ No stability impact on any server platforms / Domain Controllers
File activity on RHEL 9
The product failed to collect file system events on some Red Hat Enterprise Linux 9 servers due to a failure to register the monitoring service process.