Following the release of this month’s Patch Tuesday updates, Microsoft has issued a warning that installing the KB5013943 update can lead to authentication issues for various Windows services.
The update was released on May 10, and was meant to — among other things — fix an issue with screen flicker in Safe Mode. But in addition to causing error messages for some users, the KB5013943 update has also led to authentication failures Windows domain controllers.
In an advisory about the problem, Microsoft says: “After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller”.
The company points out that the issue only affects the installation of May 10, 2022 updates on servers used as domain controllers. Anyone who installs the updates on client Windows devices and non-domain controller Windows Servers should not experience the same problem.
Microsoft shares the following list of affected platforms:
Client: Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10, version 1909; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise 2015 LTSB; Windows 8.1; Windows 7 SP1Server: Windows Server 2022; Windows Server, version 20H2; Windows Server, version 1909; Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Although Microsoft has not said when a fix will be available, the company says that it is “presently investigating and will provide an update in an upcoming release”.
In the meantime, the company provides details of a workaround:
The preferred mitigation for this issue is to manually map certificates to a machine account in Active Directory. For instructions, please see Certificate Mapping. Note: The instructions are the same for mapping certificates to user or machine accounts in Active Directory. If the preferred mitigation will not work in your environment, please see KB5014754—Certificate-based authentication changes on Windows domain controllers for other possible mitigations in the SChannel registry key section. Note: Any other mitigation except the preferred mitigations might lower or disable security hardening.
Image credit: liorpt / depositphotos