MS-DEFCON 3: Issues with domains
By Susan Bradley

November updates lead to side effects

My usual advice regarding updates with known side effects is to wait until the problems are resolved. But every so often, the risk of waiting is greater than the risks associated with the side effects. That’s the way I see the situation now. The November updates require you to slog through the issues and deal with the side effects.

For that reason, I’m lowering the MS-DEFCON level to 3. I’d really like to go to 4, but I think greater caution is required.

Although it’s possible for businesses to push off updates for 30 days, sometimes they are required by policy to delay no further and to get the updates installed. In other words, you might as well bite the bullet and start working through those side effects and find mitigations, or expose the business to the risks of not updating at all.

Consumer and home users
I’m not tracking any major issues introduced on Windows 10 21H2 or 22H2, or Windows 11 21H2. On these platforms, I’ve seen the expected odd issues here and there, but nothing widespread or trending across the board.

I can’t say the same for Windows 11 22H2. Microsoft is putting a block on installing Windows 11 22H2 for PCs running certain games. As noted in its Windows release health dashboard:

“Some games and apps might experience lower than expected performance or stuttering on Windows 11, version 22H2. Affected games and apps are inadvertently enabling GPU performance debugging features not meant to be used by consumers.”

Microsoft recommends updating the game software because the vendors will have to disable the debugging in order to get performance back up. As I’ve said before, Windows 11 22H2 isn’t quite ready for prime time.

If you find that you’ve ended up with Windows 11 22H2 installed due to automatic updating, remember that you have only ten days to roll back to Windows 11 21H2. You can extend this to a 60-day rollback window as follows.

Get to an administrative command prompt. The simplest way to do this is by entering cmd in the Windows search box, right-clicking the Command Prompt app in the resulting “best match” display, and selecting Run as administrator.

Once at the command prompt, enter the following command:
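An added example (not the command line printed in the original newsletter) that performs this step from an elevated PowerShell session with DISM's /Get-OSUninstallWindow and /Set-OSUninstallWindow options. The `$Days` parameter and the exit-code handling are assumptions of this example.

```powershell
# Added example: extend the Windows rollback (uninstall) window with DISM.
# Assumption: DISM reports the error number (for example 1168) as its exit code.
param(
    [ValidateRange(1, 60)]
    [int]$Days = 60   # the Value switch accepts 1 to 60 days
)

# DISM /Online servicing needs an elevated session; fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) session.'
}

# Show the rollback window currently in effect.
dism.exe /Online /Get-OSUninstallWindow

# Request the new window, then report what DISM returned.
dism.exe /Online /Set-OSUninstallWindow /Value:$Days
switch ($LASTEXITCODE) {
    0       { Write-Output "Rollback window set to $Days days." }
    1168    { Write-Warning 'DISM returned 1168 (Element not found). Check C:\WINDOWS\Logs\DISM\dism.log and use the registry-key method instead.' }
    default { Write-Warning "DISM failed with exit code $LASTEXITCODE. Check C:\WINDOWS\Logs\DISM\dism.log." }
}
```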
The “Value” switch can accept any value between 1 and 60, meaning days. If you get the message “Error: 1168 Element not found. The DISM log file can be found at C:\WINDOWS\Logs\DISM\dism.log,” you can use the registry-key method to extend the rollback period. I’ve linked the download to a registry key on this post.

I recommend that you install November’s security updates. Because Microsoft will go into its “holiday” mode, no preview updates — normally pushed in the final week of the month — will be released in December.

For those with Windows 11 22H2, I am still awaiting final word on how to defer “dribbled” changes. Stay tuned.

Recommendations to Apple users
For those of you with Apple iPhone 11 or newer phone systems, I’m recommending that you install iOS 16.1.1 and iPadOS 16.1.1. For those with older phones and iPads, I recommend staying on version 15.7.1.

Although I have not encountered issues with macOS Ventura 13.0.1 on my test machine, I still am not recommending installing it without first ensuring you have a backup — and then checking to make sure you aren’t using certain apps, such as Microsoft Teams and Cisco Webex. There are still well-known issues with Calendar synchronization with Exchange that have been in Ventura since Beta1. Another issue still present is that Microsoft Teams and Cisco Webex URLs in Calendar Events are not parsed properly, and therefore you cannot join a meeting by simply pressing the Join button.

I don’t see major, impactful issues with Ventura for consumers, but those who use Apple in business still have some annoying side effects. Those cause me to recommend not upgrading at this time.

Business users
This month’s updates result in some extra work for those who have traditional domains. For workstations and non-domain controller servers, the November updates are not triggering major side effects. The same cannot be said for domain controllers.

Microsoft pushed an out-of-band update that I’ve listed on the Master Patch List; you will want to install that update on your domain controllers to deal with the side effects introduced with this month’s updates. Thus, for networks, you may wish to install updates on all systems except domain controllers, and then use maintenance windows and holidays that are coming up to test for issues.

There are three blog posts I urge you to read. They go deep into the weeds of the fixes that are being pushed out in the November updates and that can impact your domain controllers.

First, check out the DirTeam blog post “You experience errors with Event ID 14 and source Kerberos-Key-Distribution-Center on Domain Controllers.” The underlying issue is that:

“The absence of RC4 in the list of supported Kerberos key encryption types in specifically configured situations causes the issues, as the domain-joined device mistakenly thinks it does not have a valid Kerberos ticket encryption type available.”

You will need to uninstall the November updates and take the actions noted in the blog before you can reinstall the patches.

Next, you might see Event ID 42 and source Kdcsvc on Domain Controllers, also triggered by the November updates. If you have seen this error, reset the password for the KRBTGT account and have users who are impacted change their passwords, sign out, and sign back in. In fact, I’d recommend you change the KRBTGT account password on an annual basis, anyway. (Why this isn’t automatic, I’ll never know.) Follow this DirTeam blog post and use the script located on GitHub to update the password. Put it on your calendar as an annual task!
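An added example (not code from the newsletter or from the DirTeam posts) that gathers the three facts discussed above for triage: Event ID 14 and 42 occurrences per domain controller, the age of the KRBTGT password, and accounts with an explicit encryption-type list that omits RC4. It assumes the ActiveDirectory module (RSAT) and read access to each DC's System log; the parameter names and the 30-day lookback are hypothetical.

```powershell
# Added example: read-only triage for the domain-controller side effects described above.
# Assumes the ActiveDirectory module (RSAT) and rights to read each DC's System log.
param(
    [int]$LookbackDays = 30,       # assumed window covering the November patch cycle
    [int]$MaxKrbtgtAgeDays = 365   # the annual rotation the article recommends
)
Import-Module ActiveDirectory
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Event ID 14 (Kerberos-Key-Distribution-Center) and Event ID 42 (Kdcsvc) per DC.
$events = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'System'; Id = 14, 42; StartTime = $since
        } | Where-Object { $_.ProviderName -match 'Kerberos-Key-Distribution-Center|Kdcsvc' } |
            Select-Object MachineName, TimeCreated, Id, ProviderName
    } catch {
        # "No matching events" is the healthy case; any other error means the DC went unchecked.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}
$events | Group-Object MachineName, Id | Select-Object Count, Name |
    Format-Table -AutoSize | Out-Host

# 2. Age of the KRBTGT password.
$krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$age = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
if ($age -gt $MaxKrbtgtAgeDays) {
    Write-Warning "KRBTGT password is $age days old; schedule a reset."
} else {
    Write-Output "KRBTGT password age: $age days."
}

# 3. Accounts whose msDS-SupportedEncryptionTypes is set explicitly without the RC4 bit (0x4).
#    These are candidates to compare against the conditions in the DirTeam post.
$filter = '(&(msDS-SupportedEncryptionTypes=*)(!(msDS-SupportedEncryptionTypes=0))' +
          '(!(msDS-SupportedEncryptionTypes:1.2.840.113556.1.4.803:=4)))'
Get-ADObject -LDAPFilter $filter -Properties 'msDS-SupportedEncryptionTypes' |
    Select-Object Name, ObjectClass, 'msDS-SupportedEncryptionTypes' |
    Format-Table -AutoSize | Out-Host
```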
Finally, take the time to review this post about upcoming changes to the Kerberos protocol that take effect next year. Have your domain-patching team review these changes to Kerberos and their impact on your systems.

Susan Bradley is the publisher of the AskWoody newsletters. The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.
Copyright ©2022 AskWoody Tech LLC. All rights reserved.