06-15-2021 09:07 AM
Hello All,
Just wanted to post this in case anyone else ran into it. Microsoft release patches as they normally do, however there is one that might break user-id, June 8, 2021—KB5003671 (Monthly Rollup). There is a warning in the notes:
After installing this or later updates, apps accessing event logs on remote devices might be unable to connect. This issue might occur if the local or remote has not yet installed updates released June 8, 2021 or later. Affected apps are using certain legacy Event Logging APIs. You might receive an error when attempting to connect.
Link to notes and patch: https://support.microsoft.com/en-us/topic/june-8-2021-kb5003671-monthly-rollup-a1359a77-3932-46f9-8c...
What they are saying is if the server that hosts user-id is patched and the server that the user-id agent reaches out to is not, it might not connect.
In our case we are monitoring Exchange, gets patched manually and the server that hosts the user-id agent gets patches automatically. So our solution was to install the user-id agent onto the Exchange server to get us going in the short term. You'll have to add the agent to the PAN's and make sure security policies are updated as applicable.
Hope this can help someone.
Cheers!
06-15-2021 11:46 AM
Official Palo Alto response/notification 🙂
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
