• Master Patch List as of May 19, 2022 – out of band for server auth issues

    #2447816

    Microsoft has released an out of band update for Servers only to fix the authentication issues with certificates introduced in the May updates. I’ve u
    [See the full post at: Master Patch List as of May 19, 2022 – out of band for server auth issues]

    Susan Bradley Patch Lady

    • #2447828

      So does the OOB replace the original Cumulative update for Server 2019?  Can I only install this OOB and get all updates for May?

       

      • #2447834

        Correct, it takes the place of.  It’s only the older OS (2012 R2/2012/2008 R2 SP1 and 2008 SP2) that are in addition to the prior updates.

        Susan Bradley Patch Lady

        • #2447835

          Thank you.  MS sure doesn’t do a very good job at making that clear.  I assume the original monthly patch for older OS’s is fine, they are not DC’s.

        • #2447838

          Correct if they are not DCs.

          Susan Bradley Patch Lady

    • #2447962

      Have a single Windows 2012 R2 server essentials using remote desktop attached to 4 client machines.  Need some basic help on this month’s patches.  Your patch list indicates to test machine before applying.  What type of test needs to be completed that would tell you if these patches need to be applied?  Thank you for your help.

      • #2447979

        If you have a plain domain network with workstations using ethernet connections joined to the domain and you are merely RDP/remote access to provide remote users access I do not anticipate issues with this patch for you.

        Testing is needed for those firms that use certificates for access – https://www.teradici.com/web-help/ter1504003/5.3/05_HowTo/10_802.1x.htm  https://blog.naglis.no/?p=3816

         

        Susan Bradley Patch Lady

        1 user thanked author for this post.
        • #2448006

          Yes, that is correct.  The only certificate that is being used (as far as I know) is the one remote access cert.  xxxxx.remotewebaccess.com.  When I ran connect on the clients to the server I ran the reg tweak so the client would not attach using the server domain controller.  So for the 2012 r2 I run the first May patch and then I run the OOB secondly.

          Thanks again for your help and insight.

        • #2448017

          That’s a godaddy supplied cert but not used for authentication to the domain.

          Susan Bradley Patch Lady

    • #2448015

      No worries. We are still using Server 2003 and 2008. MS has no clue how clients work. Most businesses do not have the cash outlay to spend on things they do not need. Our last Server 2000 finally bit the dust about 5 months ago. The lightning strike to power lines fried it. This server lasted over 21 years….

      1 user thanked author for this post.
    • #2448056

      It looks like the May 19, 2022 out-of-band updates will not fix the certificate issue with AD DC when a Network Policy Server (NPS) is in use. I’ve had multiple reports about that.

      See my English blog post for details: https://borncity.com/win/2022/05/21/windows-out-of-band-updates-vom-19-5-2022-versagen-mit-nps-beim-ad-dc-authentifizierungsfehler/

      • #2448058

        Can you post this back on that thread —  There’s a timing that may need to be done:

        “Those with a PKI need to update their CA’s first. The patch adds a new OID to all templates used for authentication.
        This OID is populated by the AD object SID further identifying the specific device in the cert.
        Once CA’s are updated and OID is present in your initial test cert to a PC, you can revoke older certs without the OID and through Auto-enrollment issue new ones.
        Then it is safe to patch your DC’s and authentication will continue as normal because DCs after patching will understand the new OID as an identifier.

        If you can hold off patching your DC’s until after all new certs are issued, all the better.”

        Susan Bradley Patch Lady

        1 user thanked author for this post.
        • #2448098

          Thanks for the hint – I’ve added your suggestion to both of my blog posts. Maybe it’s helpful for those affected.

          Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

          https://www.borncity.com/win/

        • #2448490

          I tried your suggestion but it did not work for me 🙁

        • #2448500

          Do you have the ability to open up a support case with Microsoft?  What’s the version of the server OS that is your domain controller?

          Susan Bradley Patch Lady

        • #2448565

          Do we have an example of what these OIDs are?  My mobile device certificate, used for mobile phones, iPads, etc., has the following.  We use MAAS360 which uses NDES and their Cloud connector to automate certificate provisioning.

          Client Authentication (1.3.6.1.5.5.7.3.2)
          Server Authentication (1.3.6.1.5.5.7.3.1)

          Have not yet patched my DCs or PKI servers with the updated patch that is supposed to fix this Microsoft induced fiasco.

        • #2448569

          “Enterprise Certificate Authorities (CA) will start adding a new non-critical extension with Object Identifier (OID) (1.3.6.1.4.1.311.25.2) by default in all the certificates issued against online templates after you install the May 10, 2022 Windows update.” from https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16#bkmk_compatmode

          Susan Bradley Patch Lady
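
A way to check certificates for the extension quoted above, as an added example that is not part of the thread or of Microsoft's documentation: the PowerShell below flags Client Authentication certificates in the local machine store that lack OID 1.3.6.1.4.1.311.25.2. The function name `Test-CertSidExtension` is hypothetical, and reading the SID by matching ASCII text in the extension's raw bytes is an assumption about its encoding.

```powershell
# Added example (not from the thread): find client-auth certificates that
# were issued without the extension described in KB5014754.
$SidExtensionOid = '1.3.6.1.4.1.311.25.2'   # OID quoted from KB5014754
$ClientAuthEku   = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU

function Test-CertSidExtension {            # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Collect the EKU OIDs; a certificate with no EKU extension yields none.
        $ekus = @($Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        # The string indexer returns $null when the extension is absent.
        $ext = $Certificate.Extensions[$SidExtensionOid]

        # Assumption: the SID is stored as ASCII text inside the raw value.
        $sid = $null
        if ($ext) {
            $text = [System.Text.Encoding]::ASCII.GetString($ext.RawData)
            if ($text -match 'S-1-\d+(-\d+)+') { $sid = $Matches[0] }
        }

        [pscustomobject]@{
            Subject         = $Certificate.Subject
            Thumbprint      = $Certificate.Thumbprint
            NotAfter        = $Certificate.NotAfter
            ClientAuth      = $ekus -contains $ClientAuthEku
            HasSidExtension = [bool]$ext
            Critical        = if ($ext) { $ext.Critical } else { $null }
            Sid             = $sid
        }
    }
}

# Certificates usable for client authentication that lack the extension,
# i.e. candidates for reissue before the domain controllers are patched.
Get-ChildItem Cert:\LocalMachine\My |
    Test-CertSidExtension |
    Where-Object { $_.ClientAuth -and -not $_.HasSidExtension } |
    Format-Table Subject, Thumbprint, NotAfter -AutoSize
```

An exported certificate can be checked the same way by piping `Get-PfxCertificate -FilePath <file>.cer` into the function.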

        • #2448582

          Thanks for the reply.  Should have read that doc all the way to the end.  Our Computer certificate does show having the OID.  Already requested support from MAAS360 last week for this.  Now we’ll need to see their response for the Mobile device certificate as the OID isn’t on new certificates they request through their “cloud extender server” through NDES.

    • #2448141

      My Dell Inspiron #3668, 2017 model, keeps showing a blue screen, upside down smiley face, STOP CODE: video-scheduler, internal error. It keeps shutting down. Nothing wrong with the hardware, but the software is the problem. How can I fix this? frankie

       

      • #2448155

        Run Nir Sofer’s WinCrashReport.
        It is probably a faulty GPU driver.

      • #2448156

        Update your video driver or uninstall the latest updates (for test purposes).

        Ex Microsoft Windows (Insider) MVP, Microsoft Answers Community Moderator, Blogger, Book author

        https://www.borncity.com/win/

    • #2448666

      from Neowin

      https://www.neowin.net/news/microsoft-store-apps-failed-to-install-on-intel-11th-12th-gen-and-amd-ryzen-5000-6000-pcs/

      Microsoft has released an important out-of-band (OOB) update which resolves an issue that was leading to app installation failures from the Microsoft Store with an error code “0xC002001B”. The issue was arising after installing the KB5011831 Windows 10 build.

      Microsoft has determined that the issue was plaguing modern Intel and AMD CPU systems which supported the Intel Control-flow Enforcement Technology (CET) or the AMD equivalent Shadow Stack technology (via TechBeezer). CET helps to mitigate Return-oriented Programming (ROP) exploits or CALL/JMP-oriented programming (COP/JOP) exploits.

      The affected CPUs include Intel 11th Gen Tiger Lake chips, as well as 12th Gen Alder Lake CPUs. On the AMD side, the Zen 3 Ryzen 5000 and the latest Zen 3+ Ryzen 6000 series CPUs are affected.

      the out-of-band updates might be needed when using recent AMD (Zen 3 or newer) or Intel (11th gen or newer) CPUs
