Windows 10: Windows Server out-of-band update addressing authentication issues released

Microsoft released updates for various Windows Server versions that address issues that were experienced after installation of the May 2022 security updates.



The updates address the authentication issues and the Microsoft Store app installation issues. The released updates are not distributed via Windows Update, but only available as manual downloads from the Microsoft Update Catalog website.

Authentication issues

The first issue was experienced after installing the May 2022 updates on domain controllers. Some administrators noted a rise in authentication failures on the server or client for services, including Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).

Microsoft discovered that the issue affected how domain controllers handled the mapping of certificates to machine accounts. The company published a workaround for the issue shortly after confirming it on its Docs website. Administrators should map certificates manually to machine accounts in Active Directory to resolve the issue. While other mitigations were published, all "might lower or disable security hardening" and were therefore not recommended.

Microsoft Store apps installation failures

On some devices, installation of Microsoft Store applications might fail with the error code 0xC002001B after installation of the May 2022 updates. Some installed applications might fail to open as well.

The issue happened on devices with Control-flow Enforcement Technology processors according to Microsoft.

Additional details are available on Microsoft's Docs website.

Out-of-band-updates are available

Microsoft has released out-of-band updates for affected Windows Server versions. Cumulative updates are available for the Windows Server versions 2016, 2019, 2022 and 20H2:

• Windows Server 2022: KB5015013 and Update Catalog download.
• Windows Server, version 20H2: KB5015020 and Update Catalog download.
• Windows Server 2019: KB5015018 and Update Catalog download.
• Windows Server 2016: KB5015019 and Update Catalog download.

These can be installed directly as they are cumulative in nature and include previous updates that may not have been released yet.

The Windows Server versions 2008 R2 SP1, 2008 SP2, 2012 and 2012 R2 may be updated using standalone updates instead:

• Windows Server 2012 R2: KB5014986 and Update Catalog download.
• Windows Server 2012: KB5014991 and Update Catalog download
• Windows Server 2008 R2 SP1: KB5014987 and Update Catalog download
• Windows Server 2008 SP2: KB5014990 and Update Catalog download

Microsoft notes that installation of the standalone updates differs depending on whether monthly-rollup updates or security-only updates are installed on machines.

On machines with security-only updates, the standalone updates can be installed directly. On monthly-rollup updates, it is required to install the standalone update and the monthly-rollup update released on May 10, 2022.

A restart may be required to complete the update installation.

Now You: did you install the May 2022 updates already?

Thank you for being a Ghacks reader. The post Windows Server out-of-band update addressing authentication issues released appeared first on gHacks Technology News.

read more...

 

Windows update issues

Came here to suggest this.*Laugh :laugh:

Definitely not an issue with the Windows Servers as I just re-installed yesterday and got all my updates.

 

Raising the windows domain and forest issues?


hi,

I run a domain that was all 2003 r2 servers. I recently upgraded all my domain controllers to windows 2012 r2.
That went off without any problems.. Our trust relationships had no issues also.

My first step was to raise the Domain and Forest levels past 2003 to 2008. This went off without a hitch.
These are the features for raising the levels to 2008:

• Features and benefits include all default Active Directory features, all features from the Windows Server 2003 domain functional level, plus:
• Read-Only Domain Controllers – Allows implementation of domain controllers that only host read-only copy of NTDS database.
• Advanced Encryption Services – (AES 128 and 256) support for the Kerberos protocol.
• Distributed File System Replication (DFSR) – Allows SYSVOL to replicate using DFSR instead of older File Replication Service (FRS). It provides more robust and detailed replication of SYSVOL contents.

Forest Level Windows Server 2008

• Features and benefits include all of the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest will operate at the Windows Server 2008 domain functional level by default.

My next step is to raise the domain and forest to 2008 r2, then 2012, and finally 2012 r2. I have been trying to find out exactly what I could expect from raising the Domain and Forest for each step.

The step involving 2008 r2 seems relatively a non issue. But getting the couple of new features seem very nice

Domain Level Windows Server 2008 R2

• All default Active Directory features, all features from the Windows Server 2008 domain functional level, plus 2 new features

Forest Level Windows Server 2008 R2

• All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:

• Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running. <== New Feature very cool
• All domains subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.

Here is my big concerns for the next raising of domain and forest to 2012.

Forest Level Windows Server 2012:

• All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.
• All domains subsequently added to the forest will operate at the Windows Server 2012 domain functional level by default.

Domain Level Windows Server 2012 R2: <=====Need to investigate more and why this post

• DC-side protections for Protected Users. Protected Users authenticating to a Windows Server 2012 R2 domain can no longer:

• Authenticate with NTLM authentication <==============(what issues may arise)
• Use DES or RC4 cipher suites in Kerberos pre-authentication
• Be delegated with unconstrained or constrained delegation
• Renew user tickets (TGTs) beyond the initial 4-hour lifetime

Will this affect my exchange anywhere users with remote access authenticating either clear of NTLM???
and what would/may not to work properly day 1 when I raise the domain and forest to 2012. I cant really find anyone that can answer a straight question.

Has anyone gone through this? what problems did you have, if any , if a lot???

Any thoughts and suggestions will be much appreciated??

thanks


- - - Updated - - -

One more point... I am not sure if I posted this to the correct forum.. So if I was wrong and it should be in a different one..
PLEASE LET ME KNOW

 

Error: "Server PC is not accessible", "The network address is invalild" on Windows 10

Hi Gavin,

Apologize for the delay in response to your issue.

• Do let us know if your device is connected to a Windows Server?
• Have you tried the troubleshooting steps suggested in the Microsoft help article in my previous post and check if it helps?

Step like: Run the Network troubleshooter, Update the rivers, Rollback the drivers, turn off firewalls etc..

Try the above troubleshooting steps update us the status for further assistance.

Thank you.