takondo/11Bchecker

Latest commit

Edit output message to point out changes made in 2023 January update.
e76683e

11B checker

This is a sample PowerShell script to help detect potential authentication issues that may occur in an AD environment after installing the Windows updates from November 2022 or newer.

The msDS-SupportedEncryptionTypes attribute mentioned in the script can be configured on AD objects such as computers and users. It is a bitmap that signifies which encryption types (etypes) can be used when authenticating to that target server/service. You can use the AD Users and Computers MMC console to edit this value. Please see the reference section for more details on this attribute.

Microsoft has verified and fixed multiple known issues with the original November Windows Update. It is recommended to install the Windows Update released in January 2023 (or newer) to avoid hitting these known issues.

Usage

Run the script in PowerShell with domain administrator privileges from a machine with AD RSAT tools installed, such as on a domain controller. The script will output any detected compatibility issues found in the domain related to changes made for CVE-2022-37966.

Note that this will enumerate every user and computer object in your AD environment, which may take some time to complete. For very large AD environments, consider limiting the number of objects queried at once by specifying an OU with the SearchBase option in Get-ADComputer and Get-ADUser. By default, the query is recursive, so any child OUs will be queried as well.

Example:

$computers = Get-ADComputer -Filter * -SearchBase "OU=OU1,DC=example,DC=domain" -Properties msDS-SupportedEncryptionTypes,operatingSystem,operatingSystemVersion,userAccountControl,passwordLastSet
$users = Get-ADUser -Filter * -SearchBase "OU=OU1,DC=example,DC=domain" -Properties msDS-SupportedEncryptionTypes,servicePrincipalName,passwordLastSet
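
The msDS-SupportedEncryptionTypes bitmap described above can be decoded and triaged per object as shown here. This is an added example, not part of the 11Bchecker script: the function name Get-EtypeSummary, the category labels and the sample objects are constructed for illustration, and the bit values are the etype flags documented for this attribute in MS-KILE.

```powershell
# Added example (not from 11Bchecker): decode msDS-SupportedEncryptionTypes
# and sort objects by which encryption types their bitmap allows.
# Etype flag values as documented in MS-KILE for this attribute.
$EtypeBits = @(
    @{ Bit = 0x01; Name = 'DES-CBC-CRC' }
    @{ Bit = 0x02; Name = 'DES-CBC-MD5' }
    @{ Bit = 0x04; Name = 'RC4-HMAC' }
    @{ Bit = 0x08; Name = 'AES128-CTS-HMAC-SHA1-96' }
    @{ Bit = 0x10; Name = 'AES256-CTS-HMAC-SHA1-96' }
    @{ Bit = 0x20; Name = 'AES256-CTS-HMAC-SHA1-96-SK' }
)

function Get-EtypeSummary {   # hypothetical helper name
    param([Parameter(ValueFromPipeline)] $InputObject)
    process {
        $raw   = $InputObject.'msDS-SupportedEncryptionTypes'
        $value = if ($null -eq $raw) { 0 } else { [int]$raw }
        $names = @($EtypeBits | Where-Object { $value -band $_.Bit } |
                   ForEach-Object { $_.Name })

        $hasAes    = [bool]($value -band 0x18)   # AES128 or AES256
        $hasLegacy = [bool]($value -band 0x07)   # DES or RC4
        # Category labels are this example's own, not the script's output.
        $category = if (-not ($hasAes -or $hasLegacy)) {
            'NoEtypeBitsSet'      # attribute empty, 0, or only non-etype flags
        } elseif (-not $hasAes) {
            'LegacyOnly'          # DES and/or RC4 without any AES bit
        } elseif ($hasLegacy) {
            'AesPlusLegacy'
        } else {
            'AesOnly'
        }

        [pscustomobject]@{
            Name     = $InputObject.Name
            Value    = '0x{0:X}' -f $value
            Etypes   = $names -join ', '
            Category = $category
        }
    }
}

# Constructed sample objects, shaped like Get-ADComputer / Get-ADUser results.
$sample = @(
    [pscustomobject]@{ Name = 'SRV-A'; 'msDS-SupportedEncryptionTypes' = 0x1C }
    [pscustomobject]@{ Name = 'SRV-B'; 'msDS-SupportedEncryptionTypes' = 0x04 }
    [pscustomobject]@{ Name = 'svc-c'; 'msDS-SupportedEncryptionTypes' = 0x18 }
    [pscustomobject]@{ Name = 'svc-d'; 'msDS-SupportedEncryptionTypes' = $null }
)
$sample | Get-EtypeSummary | Format-Table -AutoSize
```

With real data, pipe the $computers or $users results from the queries above into the function in place of $sample.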

Reference
