Windows Server out-of-band update addressing authentication issues released
Microsoft released updates for various Windows Server versions that address issues that were experienced after installation of the May 2022 security updates.
The updates address the authentication issues and the Microsoft Store app installation issues. The released updates are not distributed via Windows Update, but only available as manual downloads from the Microsoft Update Catalog website.
Authentication issues
The first issue was experienced after installing the May 2022 updates on domain controllers. Some administrators noted a rise in authentication failures on the server or client for services, including Network Policy Server (NPS), Routing and Remote Access Service (RRAS), RADIUS, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).
Microsoft discovered that the issue affected how domain controllers handled the mapping of certificates to machine accounts. The company published a workaround for the issue shortly after confirming it on its Docs website. Administrators should map certificates manually to machine accounts in Active Directory to resolve the issue. While other mitigations were published, all "might lower or disable security hardening" and were therefore not recommended.
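The manual workaround in practice: an added PowerShell example (not from the article or from Microsoft's own scripts) that builds a strong certificate-to-account mapping for a machine account in the altSecurityIdentities attribute, which is the attribute this workaround uses. It assumes the RSAT ActiveDirectory module, an exported .cer file of the machine certificate, and placeholder names for the computer and file path; the issuer DN is assumed to contain no escaped commas.

```powershell
# Added example: map a machine certificate to its AD computer account
# (the altSecurityIdentities attribute) using the issuer + serial form.
# $ComputerName and $CertPath are placeholders, not values from the article.
param(
    [string]$ComputerName = 'SERVER01',
    [string]$CertPath     = 'C:\certs\SERVER01.cer'
)

Import-Module ActiveDirectory

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# The mapping expects the serial number in reverse byte order, so reverse the
# hex string two characters (one byte) at a time.
$hex   = $cert.SerialNumber
$pairs = for ($i = $hex.Length - 2; $i -ge 0; $i -= 2) { $hex.Substring($i, 2) }
$reversedSerial = -join $pairs

# The issuer is written with its components in reverse order
# (e.g. "CN=CA, DC=contoso, DC=com" becomes "DC=com,DC=contoso,CN=CA").
# Assumption: no component of the issuer DN contains an escaped comma.
$issuerParts = $cert.Issuer -split ',\s*'
[array]::Reverse($issuerParts)
$issuerReversed = $issuerParts -join ','

$mapping = "X509:<I>$issuerReversed<SR>$reversedSerial"

# Add (not replace) the mapping so existing entries on the account survive.
Set-ADComputer -Identity $ComputerName -Add @{ altSecurityIdentities = $mapping }

# Read the attribute back to verify what was written.
Get-ADComputer -Identity $ComputerName -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities
```

Run it once per affected machine account; the verification step at the end should show the new `X509:<I>...<SR>...` entry alongside any mappings that were already present.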
Microsoft Store apps installation failures
On some devices, installation of Microsoft Store applications might fail with the error code 0xC002001B after installation of the May 2022 updates. Some installed applications might fail to open as well.
According to Microsoft, the issue affects devices whose processors support Control-flow Enforcement Technology (CET).
Additional details are available on Microsoft's Docs website.
Out-of-band updates are available
Microsoft has released out-of-band updates for affected Windows Server versions. Cumulative updates are available for the Windows Server versions 2016, 2019, 2022 and 20H2:
- Windows Server 2022: KB5015013 and Update Catalog download.
- Windows Server, version 20H2: KB5015020 and Update Catalog download.
- Windows Server 2019: KB5015018 and Update Catalog download.
- Windows Server 2016: KB5015019 and Update Catalog download.
These can be installed directly: they are cumulative in nature and include previous updates that may not have been installed yet.
The Windows Server versions 2008 R2 SP1, 2008 SP2, 2012 and 2012 R2 may be updated using standalone updates instead:
- Windows Server 2012 R2: KB5014986 and Update Catalog download.
- Windows Server 2012: KB5014991 and Update Catalog download.
- Windows Server 2008 R2 SP1: KB5014987 and Update Catalog download.
- Windows Server 2008 SP2: KB5014990 and Update Catalog download.
Microsoft notes that installation of the standalone updates differs depending on whether monthly-rollup updates or security-only updates are installed on machines.
On machines that receive security-only updates, the standalone updates can be installed directly. On machines that receive monthly-rollup updates, both the standalone update and the monthly-rollup update released on May 10, 2022 must be installed.
A restart may be required to complete the update installation.
Now You: did you install the May 2022 updates already?
KB5015020 out-of-band update for Windows Server 20H2 and Windows 10 (Client), 20H2/21H1/21H2 also fixes another problem on systems with recent Intel/AMD CPUs being unable to install Microsoft store apps:
https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-20h2#2830msgdesc
“After installing KB5011831 or later updates, you might receive an error code: 0xC002001B when attempting to install from the Microsoft Store. Some Microsoft Store apps might also fail to open. Affected Windows devices use a processor (CPU) which supports Control-flow Enforcement Technology (CET), such as 11th Gen and later Intel® Core™ Processors or later and certain AMD processors.”
“Resolution: This issue was resolved in the out-of-band update KB5015020. It is a cumulative update, so you do not need to apply any previous update before installing it. To get the standalone package for KB5015020, search for it in the Microsoft Update Catalog. You can manually import these updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager.”
Do the OOB updates ONLY install on DCs (if you deploy them via MEMCM), or should you only install them on DCs?
It looks like the May 19, 2022 out-of-band updates will not fix the certificate issue with AD DC when a Network Policy Server (NPS) is in use. I’ve had multiple reports about that.
See my English blog post for details: https://borncity.com/win/2022/05/21/windows-out-of-band-updates-vom-19-5-2022-versagen-mit-nps-beim-ad-dc-authentifizierungsfehler/
Did install the rollup and do see an NPS error that never happened before. Gonna install the update after I do a second daily backup to be safe.
If you haven’t installed the May 2022 updates yet on 2012 and 2016 DC’s, will you be able to use Windows update to patch them to this fix or will you still need to manually download and install the fixed updates after using Windows update?
The “new” patch to correct it is NOT in WSUS yet.
The fixes should be included in next month’s cumulative updates.