Master Patch List as of May 19, 2022 – out of band for server auth issues


    #2447816

    Microsoft has released an out of band update for Servers only to fix the authentication issues with certificates introduced in the May updates. I’ve u
    [See the full post at: Master Patch List as of May 19, 2022 – out of band for server auth issues]

    Susan Bradley Patch Lady/Prudent patcher

    • #2447828

      So does the OOB replace the original Cumulative update for Server 2019? Can I only install this OOB and get all updates for May?

      • #2447834

        Correct, it takes the place of it. It’s only the older OSes (2012 R2/2012/2008 R2 SP1 and 2008 SP2) that are in addition to the prior updates.

        Susan Bradley Patch Lady/Prudent patcher

        • #2447835

          Thank you. MS sure doesn’t do a very good job at making that clear. I assume the original monthly patch for older OSes is fine; they are not DCs.

    • #2447962

      Have a single Windows 2012 R2 Server Essentials using Remote Desktop attached to 4 client machines. Need some basic help on this month’s patches. Your patch list indicates to test machines before applying. What type of test needs to be completed that would tell you if these patches need to be applied? Thank you for your help.

      • #2447979

        If you have a plain domain network with workstations using ethernet connections joined to the domain, and you are merely using RDP/remote access to provide remote users access, I do not anticipate issues with this patch for you.

        Testing is needed for those firms that use certificates for access – https://www.teradici.com/web-help/ter1504003/5.3/05_HowTo/10_802.1x.htm and https://blog.naglis.no/?p=3816

        Susan Bradley Patch Lady/Prudent patcher

        • #2448006

          Yes, that is correct. The only certificate that is being used (as far as I know) is the one remote access cert, xxxxx.remotewebaccess.com. When I ran Connect on the clients to the server I ran the reg tweak so the client would not attach using the server domain controller. So for the 2012 R2 I run the first May patch and then I run the OOB second.

          Thanks again for your help and insight.

          • #2448017

            That’s a GoDaddy-supplied cert, but not used for authentication to the domain.

            Susan Bradley Patch Lady/Prudent patcher

    • #2448015

      No worries. We are still using Server 2003 and 2008. MS has no clue how clients work. Most businesses do not have the cash to lay out on things they don’t need. Our last Server 2000 finally bit the dust about 5 months ago. A lightning strike to the power lines fried it. This server lasted over 21 years…

    • #2448056

      It looks like the May 19, 2022 out-of-band updates will not fix the certificate issue with AD DC when a Network Policy Server (NPS) is in use. I’ve had multiple reports about that.

      See my English blog post for details: https://borncity.com/win/2022/05/21/windows-out-of-band-updates-vom-19-5-2022-versagen-mit-nps-beim-ad-dc-authentifizierungsfehler/

      • #2448058

        Can you post this back on that thread — there’s a timing that may need to be done:

        “Those with a PKI need to update their CAs first. The patch adds a new OID to all templates used for authentication.
        This OID is populated by the AD object SID, further identifying the specific device in the cert.
        Once CAs are updated and the OID is present in your initial test cert to a PC, you can revoke older certs without the OID and, through auto-enrollment, issue new ones.
        Then it is safe to patch your DCs and authentication will continue as normal, because DCs after patching will understand the new OID as an identifier.

        If you can hold off patching your DCs until after all new certs are issued, all the better.”

        Susan Bradley Patch Lady/Prudent patcher

        • #2448098

          Thanks for the hint – I’ve added your suggestion to both of my blog posts. Maybe it’s helpful for those affected.

          Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

          https://www.borncity.com/win/

        • #2448490

          I tried your suggestion but it did not work for me 🙁

          • #2448500

            Do you have the ability to open up a support case with Microsoft? What’s the version of the server OS that is your domain controller?

            Susan Bradley Patch Lady/Prudent patcher

        • #2448565

          Do we have an example of what these OIDs are? My mobile device certificate, used for mobile phones, iPads, etc., has the following. We use MaaS360, which uses NDES and their Cloud Connector to automate certificate provisioning.

          Client Authentication (1.3.6.1.5.5.7.3.2)
          Server Authentication (1.3.6.1.5.5.7.3.1)

          Have not yet patched my DCs or PKI servers with the updated patch that is supposed to fix this Microsoft induced fiasco.

        • #2465131

          I’ve read a fair amount of articles now and wanted to ask you about this. I appreciate any and all input, as I’m not a PKI expert.

          As it stands I have some Windows Server 2012 R2 DCs. I skipped the updates for May due to the PKI authentication issues with 802.1x. I tried to apply the one for June after reading the OOB update was included in June’s, but that did not work and I still had 802.1x authentication failures until I uninstalled the patch.

          From this post:

          “Correct, it takes the place of it. It’s only the older OSes (2012 R2/2012/2008 R2 SP1 and 2008 SP2) that are in addition to the prior updates.”

          It sounds like with Windows Server 2012 R2 there may be an extra step required, like I still need the OOB patch maybe?

          I also read this post you made multiple times. I didn’t think revoking certificates and having clients re-enroll was required. But it almost sounds like it actually may be required to get a new OID number?

          • #2465141

            Both the security only and the monthly update have the fixes.

            “If you haven’t installed the May 19, 2022 or later releases, then installing this June 14, 2022 update will also address that issue. For more information”

            Install the update on your PKI servers first. Wait for the workstations to pick up new certs, then do your DCs.

            For machine certificate authentication considerations, do one of the following:

            • Install this June 14, 2022 update on all intermediate or application servers that pass authentication certificates from authenticated clients to the domain controller (DC) first. Then install this update on all DC role computers.

            • Or, pre-populate CertificateMappingMethods to 0x1F as documented in the Registry key information section of KB5014754 on all DCs. Delete the CertificateMappingMethods registry setting only after the June 14, 2022 update has been installed on all intermediate or application servers and all DCs.

              Note: Adding, modifying, or removing the CertificateMappingMethods registry setting does not require a device restart.

            Susan Bradley Patch Lady/Prudent patcher
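            An added PowerShell example (not code from the thread or from Microsoft) for the transitional registry step described above: it reads back, pre-populates and later removes CertificateMappingMethods on the local DC, and audits the value across a list of DCs so that none is left on a different setting. It assumes the value lives under the Schannel key documented in KB5014754 (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL); that key path is not on this page. $DcNames is a hypothetical list you supply.

```powershell
# Added example, not code from the thread. Pre-populates, reads back and later
# removes the CertificateMappingMethods value the post above describes, and
# audits it across a list of DCs.
# Assumption: the value lives under the Schannel key documented in KB5014754
# (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL); the key
# path itself is not on the page. Run elevated; per the post above, no restart
# is needed for this value.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$ValueName   = 'CertificateMappingMethods'

function Get-CertificateMappingMethods {
    # Returns $null when the value is absent, i.e. the DC uses its built-in default
    $item = Get-ItemProperty -Path $SchannelKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [uint32] $item.$ValueName
}

function Set-CertificateMappingMethods {
    # 0x1F = all mapping methods, the transitional setting quoted in the post above
    param([uint32] $Value = 0x1F)
    New-ItemProperty -Path $SchannelKey -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
    '{0} is now 0x{1:X}' -f $ValueName, (Get-CertificateMappingMethods)
}

function Remove-CertificateMappingMethods {
    # Only once the June 14, 2022 update is on every intermediate/application server and every DC
    Remove-ItemProperty -Path $SchannelKey -Name $ValueName -ErrorAction SilentlyContinue
}

function Get-DcCertificateMappingMethods {
    # Audit the value on each DC; $DcNames is a hypothetical list you supply
    # (for example from Get-ADDomainController -Filter *)
    param([string[]] $DcNames)
    Invoke-Command -ComputerName $DcNames -ScriptBlock {
        $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' `
                              -Name 'CertificateMappingMethods' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DC    = $env:COMPUTERNAME
            Value = if ($p) { '0x{0:X}' -f $p.CertificateMappingMethods } else { '(not set)' }
        }
    } | Select-Object DC, Value
}

# Local check, then set the transitional value if it is missing
$current = Get-CertificateMappingMethods
if ($null -eq $current) {
    'CertificateMappingMethods not set; pre-populating 0x1F'
    Set-CertificateMappingMethods -Value 0x1F
} else {
    'CertificateMappingMethods currently 0x{0:X}' -f $current
}
```

            Run the audit function after patching each DC and again before calling Remove-CertificateMappingMethods; the point of the audit is the mixed-state problem raised later in this thread, where some DCs are on one setting and some on another.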

            • #2465755

              Thank you.  That makes sense and after re-reading the Microsoft articles this is starting to make some sense to me.

              While putting together the details of my procedure I came across something that I thought I’d ask about.

              Up until now I’ve only been concerned with my NPS-based authentication. Looking at my subordinate CA, however, I see some EAP certificates, web servers, domain controllers, mail server certificates, and a few others. I don’t believe these rely on NPS to connect to the network. Based on your experience, are any of these categories also ones I should re-enroll before updating my DCs?

            • #2465758

              It’s just the 802.1x that is throwing off issues. Mail servers/web servers did not have hiccups.

              Susan Bradley Patch Lady/Prudent patcher

            • #2465868

              Appreciate it Susan.  Well, wish me the best : )

            • #2466440

              Hi Susan, I had a follow up question.

              In regards to this statement

              “Or, pre-populate CertificateMappingMethods to 0x1F as documented in the Registry key information section of KB5014754 on all DCs. Delete the CertificateMappingMethods registry setting only after the June 14, 2022 update has been installed on all intermediate or application servers and all DCs.”

              Is there any issue with trying to only update 1 DC (after having done the PKI infrastructure)? I would think this registry setting remains in place until after all clients have received the updated certificates, rather than just all PKI and DCs. Maybe I’m not understanding something.

            • #2466442

              How many do you have? Normally patches don’t like to have some on some build. Given that this can be removed, I would go for all DCs if you can?

              Susan Bradley Patch Lady/Prudent patcher

    • #2448141

      My Dell Inspiron 3668, 2017 model, keeps showing a blue screen with an upside-down smiley face, STOP CODE: video scheduler internal error. It keeps shutting down. Nothing wrong with the hardware, but the software is the problem. How can I fix this? frankie

      • #2448155

        Run Nir Sofer’s WinCrashReport.
        It is probably a faulty GPU driver.

      • #2448156

        Update your video driver or uninstall the latest updates (for test purposes).

        Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

        https://www.borncity.com/win/

    • #2448666

      From Neowin:

      https://www.neowin.net/news/microsoft-store-apps-failed-to-install-on-intel-11th-12th-gen-and-amd-ryzen-5000-6000-pcs/

      Microsoft has released an important out-of-band (OOB) update which resolves an issue that was leading to app installation failures from the Microsoft Store with an error code “0xC002001B”. The issue was arising after installing the KB5011831 Windows 10 build.

      Microsoft has determined that the issue was plaguing modern Intel and AMD CPU systems which supported the Intel Control-flow Enforcement Technology (CET) or the AMD equivalent Shadow Stack technology (via TechBeezer). CET helps to mitigate Return-oriented Programming (ROP) exploits or CALL/JMP-oriented programming (COP/JOP) exploits.

      The affected CPUs include Intel 11th Gen Tiger Lake chips, as well as 12th Gen Alder Lake CPUs. On the AMD side, the Zen 3 Ryzen 5000 and the latest Zen 3+ Ryzen 6000 series CPUs are affected.

      The out-of-band updates might be needed when using recent AMD (Zen 3 or newer) or Intel (11th gen or newer) CPUs.

    • #2466293

      Can you post this back on that thread — there’s a timing that may need to be done:

      “Those with a PKI need to update their CAs first. The patch adds a new OID to all templates used for authentication.
      This OID is populated by the AD object SID, further identifying the specific device in the cert.
      Once CAs are updated and the OID is present in your initial test cert to a PC, you can revoke older certs without the OID and, through auto-enrollment, issue new ones.
      Then it is safe to patch your DCs and authentication will continue as normal, because DCs after patching will understand the new OID as an identifier.

      If you can hold off patching your DCs until after all new certs are issued, all the better.”

      Can someone provide me some guidance as to the best way to ensure all clients (users and computers) have a certificate available with the new OID field and receive that certificate?

      From what I’ve gathered I think we have auto-enrollment set up for both. However, I am seeing the following.

      1.) Desktops and laptops on my CA do not have a newly issued certificate available. The template shows a 6 week renewal period, so in theory every client should have a certificate available on the CA from at least mid June or later; but that is not the case.

      2.) I see user certificates almost every week in the CA even though that template is also set to 6 weeks. However, I checked a couple of my accounts and on most of them the certificate still installed for my user profile on my computer and laptop both show ones issued back in October. Is a new user certificate generated for every computer I log in to? That could explain at least some of the quantity, but not why my computer and laptop user certificates are older than 6 weeks by several months.

      Related Info/Questions

      I’ve seen some options online to “reenroll all certificate holders” from the template. I’m not sure if that will help my scenario, or if it is necessary?

      I would also like to know if this option is safe to do. I don’t have a method of testing it, so the entire organization would be affected, so I’m a tad concerned about just trying it on a whim. From what I’ve read it does not seem dangerous?
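      An added PowerShell example (not code from the thread, the CA, or Microsoft) that answers the two recurring questions in this thread, the earlier "what do these OIDs look like?" post and the question just above about confirming that clients actually hold a certificate with the new extension: it walks the machine and user personal stores, keeps the client-authentication certificates, and reports which of them carry the SID extension the updated CA templates add. It assumes the extension OID (1.3.6.1.4.1.311.25.2, szOID_NTDS_CA_SECURITY_EXT) and the two certificate-template extension OIDs are the values Microsoft documents in KB5014754; none of those values appears on this page. The Client Authentication EKU OID is the one quoted earlier in the thread.

```powershell
# Added example, not code from the thread. Reports whether the client-auth
# certificates on this machine carry the SID-binding extension that the updated
# CA templates add. Assumption: the extension OID (szOID_NTDS_CA_SECURITY_EXT)
# and the template-extension OIDs are the values Microsoft documents in
# KB5014754; none of them appears in the thread itself.
$SidExtensionOid = '1.3.6.1.4.1.311.25.2'   # SID binding extension added by the updated CA
$ClientAuthEku   = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU quoted in the thread
$TemplateExtOids = @('1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2')  # v2 / v1 template extensions

function Get-SidExtensionReport {
    param(
        [string[]] $StorePaths = @('Cert:\LocalMachine\My', 'Cert:\CurrentUser\My')
    )
    foreach ($path in $StorePaths) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path | Where-Object {
            # Only certificates usable for client authentication matter for 802.1x/NPS
            $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku }
        } | ForEach-Object {
            $cert   = $_
            $sidExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SidExtensionOid }
            $tplExt = $cert.Extensions | Where-Object { $TemplateExtOids -contains $_.Oid.Value }
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Template   = if ($tplExt) { ($tplExt | Select-Object -First 1).Format($false) } else { '(none)' }
                NotAfter   = $cert.NotAfter
                HasSidExt  = [bool] $sidExt
                # Format($false) renders the extension; for the SID extension the decoded SID is shown
                SidExtText = if ($sidExt) { $sidExt.Format($false) } else { $null }
            }
        }
    }
}

# Certificates still lacking the extension are the ones to renew before the DCs are patched
$report = Get-SidExtensionReport
$report | Format-Table Store, Subject, Template, NotAfter, HasSidExt -AutoSize
$report | Where-Object { -not $_.HasSidExt } | ForEach-Object {
    Write-Warning ("No SID extension: {0} ({1})" -f $_.Subject, $_.Store)
}
```

      Run it in the user's own session to see user certificates and elevated to see machine certificates; a certificate whose HasSidExt is false was issued before the CA was updated, and a certificate issued after the update that still lacks the extension points at a template that was not updated. The report only checks presence of the extension on the client side; whether the CA database holds a newer certificate for that client is a separate question answered on the CA.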
