Microsoft KB Update (September, 2025) – Medium Severity

Tatiana.Severina · September 9, 2025, 5:00pm

On September 9, 2025, Microsoft released KB updates that conflict with Netwrix Threat Prevention (formerly StealthINTERCEPT) agents used by Threat Manager for AD to collect AD event data. If these KBs are applied before updating the agents, certain LDAP and Kerberos events will no longer be captured or blocked.

Netwrix recommends delaying the deployment of these KBs if the impacted event types are important to your organization. The Netwrix development and QA teams are working on updated agents compatible with these KBs and will send another notice when they are available.

Important Details
If your Threat Manager for AD deployment does not use Threat Prevention (formerly StealthINTERCEPT) agents for the following activity event collection, or such events are not deemed important, you may elect to deploy the following Microsoft KBs in advance of updated Netwrix Threat Prevention agents.

No other aspect of Threat Manager operation is impacted by the September 9, 2025 KBs beyond what is described below. There is no adverse impact to domain controllers if the KBs are deployed without updating the agents.

Event Types Affected:

Server 2025 Termsrv (Jumpbox) blocking
Server 2022 capture or block Kerberos or NTLM authentication activity
Server 2019 capture or block NTLM authentication activity
Server 2016 capture or block Kerberos or NTLM authentication activity, Capture or Block AD Replication activity

Severity: MEDIUM

Affected Products:

Netwrix Threat Prevention (formerly StealthINTERCEPT) for Active Directory
Netwrix Threat Manager (formerly StealthDEFEND) for Active Directory

Affected agent Builds - all prior to:

7.5.0.234
7.4.0.246
7.3.9.317

Affected Systems:

Windows Server 2025
Windows Server 2022
Windows Server 2019
Windows Server 2016

Affected Microsoft KBs:

KB5065426 (Windows Server 2025)
KB5065432 (Windows Server 2022)
KB5065428 (Windows Server 2019)
KB5065427 (Windows Server 2016)

Impact:

Functional:

2025 Server – KB5065426
- Impact: Termsrv (JumpBox) blocking
- Log:

Couldn't resolve CConnectionEx::InitializeClientData (4 param)

2022 Server – KB5065432
- Impact: Netwrix Threat Prevention / StealthINTERCEPT agents will lose the ability to capture or block Kerberos or NTLM authentication activity
- Log:

Couldn't resolve KdcGetTicket  
Couldn't resolve NlpUserValidate

2019 Server – KB5065428
- Impact: Netwrix Threat Prevention / StealthINTERCEPT agents will lose the ability to capture or block NTLM authentication activity
- Log:

Couldn't resolve NlpUserValidate

2016 Server – KB5065427
- Impact: Netwrix Threat Prevention / StealthINTERCEPT agents will lose the ability to capture or block Kerberos or NTLM authentication activity and capture or block AD Replication activity
- Log:

Couldn't resolve I_RenewTicket  
Couldn't resolve NlpUserValidate  
Couldn't resolve IDL_DRSGetNCChanges

Stability:
No stability impact on any server platforms or domain controllers

Topic	Replies	Views
Microsoft KB Update (August 12, 2025) – Medium Severity News threat-manager , announcement , release-patch , patch-tuesday	65	August 12, 2025
Microsoft KB Update (October 14, 2025) – Medium Severity News threat-manager , announcement , patch-tuesday	75	October 14, 2025
Microsoft KB Update (May 13, 2025) - Medium Severity News threat-manager , announcement	422	May 13, 2025
Microsoft KB Update (July 8, 2025) - Medium Severity News threat-prevention , announcement , patch-tuesday	168	July 8, 2025
Microsoft KB Update (April 8, 2025) - Medium Severity News threat-prevention , announcement , product-update	83	April 8, 2025

Microsoft KB Update (September, 2025) – Medium Severity

Related topics