The May patch day updates caused services in Active Directory to fail to authenticate. New patches without the bug are now available.
The Windows updates that Microsoft released on this year's May patch day led in some cases to unpleasant system behavior: various services could no longer authenticate in Active Directory (AD). Even the top US cybersecurity authority, CISA, temporarily withdrew its recommendation, or rather instruction, to install the updates in Windows domains.
The updates that are now available no longer show the problem, Microsoft explains in the associated Windows release health entry. No action is required on the client side, and any workarounds that were put in place are no longer needed. According to Microsoft, administrators should therefore undo them.
Login problems
Shortly after the release of the Windows updates for the May patch day, problems arose in Active Directory that caused services on servers and clients to report authentication errors. In particular, the services Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP) were affected.
Microsoft’s developers initially narrowed the problem down to how domain controllers map certificates to machine accounts. As a preliminary countermeasure, they recommended mapping the certificates manually. All Windows client systems since Windows 7 SP1 and all server systems since Windows Server 2008 SP2 were affected.
Availability
Microsoft does not distribute the updated patches via automatic updates. Administrators must either search for them in the Windows Update Catalog and download them manually, or use the links in Microsoft’s KB entries. WSUS administrators can manually import the updates into the update server and distribute them in their network.
Cumulative updates:
- Windows Server 2022: KB5015013
- Windows Server 20H2: KB5015020
- Windows Server 2019: KB5015018
- Windows Server 2016: KB5015019
Standalone updates (previous Windows updates must be installed first):
- Windows Server 2012 R2: KB5014986
- Windows Server 2012: KB5014991
- Windows Server 2008 R2 SP1: KB5014987
- Windows Server 2008 SP2: KB5014990
Problems with the Windows updates provided by Microsoft had already become known the week before last. In addition to the authentication problems, the deactivation of support for the .NET 3.5 framework meant that various applications could no longer be started or showed unusual behavior. However, the software company has not yet corrected this error.