KB4012216 issue with event ID 4768 and workaround

This is a heads-up regarding the recent Windows Server 2012 R2 security update from Microsoft, KB4012216, and the audit gap it causes.

When you apply this security update to your domain controllers, they stop logging event ID 4768 (“A Kerberos authentication ticket (TGT) was requested”), the event that records whether a user was granted or denied a TGT. We’ve reported the issue to Microsoft and hope to receive a solution ASAP.

What does this security update flaw do to your ADAudit Plus and AD auditing in general?
  • Many clients who applied KB4012216 to their domain controllers noticed that ADAudit Plus user logon reports show no data from the moment the update was installed, because those reports are built from event ID 4768.
  • Any other tool or script that relies on event ID 4768 is affected in the same way, so user logon auditing will be inconsistent if you apply this update to your domain controllers without the workaround below.
What’s the workaround until Microsoft solves this issue?
  We’ve found an easy workaround that brings back event ID 4768: enable “Audit Other Account Logon Events” in your “Default Domain Controllers Policy”.
    1. Open the Default Domain Controllers Policy in the Group Policy Management Console and navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Logon -> Audit Other Account Logon Events.
    2. Enable both “Success” and “Failure”.
    3. After the next Group Policy refresh (or gpupdate /force on the domain controllers), confirm with auditpol /get /category:"Account Logon" that the subcategory reports “Success and Failure”, and check that new 4768 events appear in the Security log.
TechNet link on the issue,
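The checks in the workaround, as an added PowerShell example (not part of the original post and not ManageEngine’s code): it reports whether KB4012216 is installed, how many 4768 events the domain controller has written recently, the effective audit policy for the two Account Logon subcategories involved, what the Default Domain Controllers Policy defines, and optionally applies the setting locally. The -LookbackHours and -Apply parameters are hypothetical names chosen here; the script assumes the Default Domain Controllers Policy keeps its well-known GUID {6AC1786C-016F-11D2-945F-00C04fB984F9}, that SYSVOL is reachable, and that the GPO’s advanced audit settings are stored in audit.csv with a “Subcategory GUID” and a “Setting Value” column. Run it in an elevated session on a domain controller.

```powershell
# Added example, not from the original post: verify the 4768 audit gap and the workaround.
# Hypothetical parameters: -LookbackHours (how far back to count events) and -Apply.
param(
    [int]$LookbackHours = 24,
    [switch]$Apply
)

# Assumption: the Default Domain Controllers Policy still uses its well-known GUID.
$dcPolicyGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}'

# Subcategory GUIDs under "Account Logon". Event 4768 is normally governed by
# "Kerberos Authentication Service"; the workaround enables "Other Account Logon Events".
$subcategories = @{
    'Kerberos Authentication Service' = '{0CCE9242-69AE-11D9-BED3-505054503030}'
    'Other Account Logon Events'      = '{0CCE9241-69AE-11D9-BED3-505054503030}'
}

# 1. Is the update that triggers the gap present on this DC?
$installed = [bool](Get-HotFix -Id 'KB4012216' -ErrorAction SilentlyContinue)
Write-Host "KB4012216 installed: $installed"

# 2. How many TGT request events (4768) has this DC written in the lookback window?
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $since } `
                         -ErrorAction SilentlyContinue)
Write-Host "Event 4768 entries in the last $LookbackHours h: $($events.Count)"

# 3. Effective local audit policy for both subcategories (what is actually in force now).
foreach ($name in $subcategories.Keys) {
    $line = & auditpol.exe /get "/subcategory:$name" |
            Where-Object { $_ -match [regex]::Escape($name) } |
            Select-Object -First 1
    $text = if ($line) { ($line -replace '\s{2,}', ' ').Trim() } else { "$name unknown" }
    Write-Host "Effective: $text"
}

# 4. What the Default Domain Controllers Policy defines. Advanced audit settings in a GPO
# live in audit.csv under SYSVOL, not in registry.pol, so Get-GPRegistryValue cannot
# read them; parse the CSV instead (assumed column names: "Subcategory GUID", "Setting Value").
$auditCsv = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\$dcPolicyGuid" +
            "\Machine\Microsoft\Windows NT\Audit\audit.csv"
if (Test-Path $auditCsv) {
    $rows = Import-Csv $auditCsv
    foreach ($name in $subcategories.Keys) {
        $row = $rows | Where-Object { $_.'Subcategory GUID' -eq $subcategories[$name] }
        # Setting Value: 0 = No Auditing, 1 = Success, 2 = Failure, 3 = Success and Failure
        $value = if ($row) { $row.'Setting Value' } else { 'not configured' }
        Write-Host "GPO: $name = $value"
    }
} else {
    Write-Host 'GPO: no audit.csv found, the Default Domain Controllers Policy defines no advanced audit settings'
}

# 5. Optional: apply the workaround locally so 4768 resumes before the next policy refresh.
# A GPO that defines advanced audit policy overwrites local auditpol settings on refresh,
# so the GPO change described in the post is still required.
if ($Apply) {
    & auditpol.exe /set '/subcategory:Other Account Logon Events' /success:enable /failure:enable
    & auditpol.exe /get '/subcategory:Other Account Logon Events'
}
```

Run it once before applying the workaround and again after the next Group Policy refresh; the 4768 count in step 2 should go from zero to a steady stream of entries, and step 3 should show “Success and Failure” for Other Account Logon Events. Because 4768 is ordinarily controlled by the Kerberos Authentication Service subcategory, keep that one enabled as well; if it reports “No Auditing” the gap has a different cause than this update.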