[German]As part of the October 2021 patchday wrap-up, I'd like to bring up a second topic in addition to the post Microsoft confirms Windows network printing issue after October 2021 updates. Microsoft has announced that the smartcard authentication issue with remote desktop connections has been fixed with the October 2021 updates via a rollback. At the same time, I've seen reports here on the blog that the October 2021 security update for Windows 10 will break YubiKey authentication, which should also be fixed.
YubiKey authentication broken
Following the release of the October 2021 security updates (see Patchday: Windows 10-Updates (October 12, 2021)), several administrators have come forward in comments within my German the blog describing how YubiKey authentication is no longer working. IT Guy wrote:
Unfortunately, the update has broken the RDP login via Yubikey.
After uninstalling KB5006670 the login is possible again.
And the user with the alias CloudKasper added:
ditto here, …. Do they actually check their own dog food?
especially here Yubikey with MS AD Enterprise CA, no third party software.
According to this user, the problem also affects Windows Hello. In a second comment he wrote:
I have not found a solution yet. It seems to affect Windows Hello as well.
A quick test yesterday at our end showed that it doesn't affect RDP clients in the same domain, only RDP clients that have no domain affiliation (in our case, a Surface that is not logged into the domain). So far the sample is too small for reproducibility.
But there must be a lot of admins out there who use the constellation Yubikey smartcard certificate with MS CA.
In a recent comment, CloudKasper notes (thanks for that) that Microsoft has confirmed this and links to the post Smartcard authentication might fail when attempting to connect using Remote Desktop in the Windows 10 status area for version 21H1.
Smartcard authentication with Remote Desktop
The post Smartcard authentication might fail when attempting to connect using Remote Desktop published by Microsoft in the Windows 10 status area for version 21H1 addresses the addressing problem when using smartcards. It mentioned Remote Desktop (but should also affect Windows Hello, as mentioned above). Microsoft writes about this:
After installing KB5005611 or later updates, when connecting to devices in an untrusted domain using Remote Desktop, connections might fail to authenticate when using smart card authentication. You might receive the prompt, "Your credentials did not work. The credentials that were used to connect to [device name] did not work. Please enter new credentials." and "The login attempt failed" in red.
Update KB5005611 is the September 30, 2021 preview update. After installing KB5005611 or newer updates, smart card authentication may fail when connecting to devices in an untrusted domain with Remote Desktop. Users receive a message "Your credentials did not work. The credentials used to connect to [device name] did not work. Please enter new credentials." and "The login attempt failed" in red font. The following systems are affected if the updates have been installed:
- Client: Windows 10, version 21H1; Windows 10, version 20H2; Windows 10, version 2004.
- Server: Windows Server 2022; Windows Server, version 20H2; Windows Server, version 2004.
Microsoft has used a profound solution to this problem and simply removed the affected patches from the affected machines through the KIR (Know Issues Rollback) feature. This should also make authentication via YubiKey work again. For unmanaged systems, the rollback started on October 15 is automatic. For managed systems (enterprise), a group policy must be rolled out that triggers the rollback. Details can be found in the article linked above.
Cookies helps to fund this blog: Cookie settings