After this month's patch was released on Tuesday, Microsoft warned that installing the kb5013943 update may lead to authentication problems for various windows services. The update, released on May 10, mainly fixes the screen flicker problem in safe mode However, in addition to bringing error messages to some users, the update of kb5013943 also led to the failure of authentication of Windows domain controller
In the consultation on this issue, Microsoft said: "after installing the update released on May 10, 2022 on your domain controller, you may see the authentication failure of services such as network policy server (NPS), routing and remote access service (RRAs), radius, extensible authentication protocol (EAP) and protected Extensible Authentication Protocol (PEAP) on the server or client. A problem related to how the domain controller handles the mapping of certificates to machine accounts has been found." 。
The company pointed out that this problem only affects the servers that install the update on May 10, 2022 and act as domain controllers. Any client windows People who install updates on devices and non domain controller windows servers should not experience the same problems.
Microsoft shared a list of affected platforms
Client:
● Windows 11 Version 21H2
● Windows 10 Version 21H2
● Windows 10 Version 21H1
● Windows 10 Version 20H2
● Windows 10 Version 1909
● Windows 10 Version 1809
● Windows 10 Enterprise LTSC 2019
● Windows 10 Enterprise LTSC 2016
● Windows 10 Version 1607
● Windows 10 Enterprise 2015 LTSB
● Windows 8.1
● Windows 7 SP1
Server:
● Windows Server 2022
● Windows Server Version 20H2
● Windows Server Version 1909
● Windows Server Version 1809
● Windows Server 2019
● Windows Server 2016
● Windows Server 2012 R2
● Windows Server 2012
● Windows Server 2008 R2 SP1
● Windows Server 2008 SP2
Although Microsoft did not say when it would have a fix, the company said it was "currently investigating and will provide an update in the upcoming version".
At the same time, Microsoft also provides a temporary solution:
The preferred mitigation for this problem is to manually map certificates to machine accounts in the active directory. For instructions, see Certificate Mapping。 Note: the description is the same for mapping a certificate to a user or machine account in the active directory.
If the preferred mitigation does not work in your environment, see kb5014754 certificate based authentication changes on Windows domain controllers , learn about other possible mitigation measures in the key section of the schannel registry. Note: in addition to the preferred mitigation measures, any other mitigation measures may reduce or disable safety reinforcement.