[German]Microsoft has released unscheduled, so-called out-of-band updates for various versions of Windows 10 and Windows Server 2016 / 2019 as well as Windows Server 2012 R2 and Windows Server 2008 R2 on November 14, 2021. These are intended to fix domain controller authentication errors that occurred with the November 2021 patchday updates. Here is some information about them.
Advertising
DC authentication errors after November update
The November 9, 2021 security updates für Windows causes an issue in network environments with domain controllers (DCs). This is because Windows clients may no longer be able to authenticate against their domain controllers. The authentication issues occur with certain Kerberos delegation scenarios at the Domain Controller (DCs). I had covered this issue in the blog post November 2021 Patchday issues: WSUS, DC, Events early on, based on reader comments. And Microsoft had then confirmed the whole thing. This morning I received various reader comments pointing to some out-of-band updates to fix the problem.
Out-of-band updates for Windows 10/Windows Server 2016/2019
Various German reader comments (thanks for that) on the blog post now point to the out-of-band updates to fix the problem.
Update KB5008601 for Windows 10 V1607/Server 2016
Update KB5008601 is available for Windows 10 version 1607, as well as Windows Server 2016, and upgrades the OS build to 14393.4771. Microsoft states the following fix is performed by the update.
Fixes a known issue that can cause authentication failures related to Kerberos tickets that you purchased from Service for User to Self (S4U2self). This issue occurs after you install the November 9, 2021 security updates on domain controllers (DC) that run Windows Server.
This update must be manually downloaded and installed from Microsoft Update Catalog. For systems managed with WSUS, the out-of-band update must be manually imported from the download. For the update, Microsoft notes that this update fixes the printer errors that occur on clients:
- 0x000006e4 (RPC_S_CANNOT_SUPPORT)
- 0x0000007c (ERROR_INVALID_LEVEL)
- 0x00000709 (ERROR_INVALID_PRINTER_NAME)
does not fix. About the printer errors Microsoft Healt-Status-Dashboard has written something and mentioned workarounds. In addition, I had given hints in the blog post Windows PrintNightmare printing issues: Server loses settings, Error while printing (Nov 11, 2021). It is currently unclear to me whether the KIR solution for error 0x0000007c (ERROR_INVALID_LEVEL) given there still works.
Advertising
Update KB5008602 for Windows 10 V1909/Server 2019
Update KB5008601 is available for Windows 10 Enterprise 2019 LTSC, Windows 10 IoT Enterprise 2019 LTSC, Windows 10 IoT Core 2019 LTSC and Windows Server 2019. It upgrades the OS build to 17763.2305. Microsoft states the following fix that is performed by the update.
Fixes a known issue that can cause authentication failures related to Kerberos tickets that you purchased from Service for User to Self (S4U2self). This issue occurs after you install the November 9, 2021 security updates on domain controllers (DC) that run Windows Server.
At the same time, the update makes improvements to the servicing stack update and upgrades it to build 17763.2262. Update KB5008602 must be manually downloaded and installed from Microsoft Update Catalog. For systems managed with WSUS, the out-of-band update must be manually imported from the download. For the update, Microsoft identifies several known issues in support article KB5008601.
Update KB5008603 foür Windows Server 2012 R2
Update KB5008603 is available for Windows Server 2012 R2 and resolves the known issue that can cause authentication failures related to Kerberos tickets that you purchased from Service for User to Self (S4U2 self). This issue occurs after you install the November 9, 2021 security updates on domain controllers (DC) running on Windows Server. Microsoft is not aware of any issues with the update. However, this must be manually downloaded and installed from Microsoft Update Catalog. For systems managed with WSUS, the out-of-band update must be imported manually from the download.
Update KB5008605 for Windows Server 2008 R2
Update KB5008605 is available for Windows Server 2008 R2 and fixes the known issue that can cause authentication failures related to Kerberos tickets that you purchased from Service for User to Self (S4U2 self). This issue occurs after you install the November 9, 2021 security updates on domain controllers (DC) running on Windows Server. Microsoft is not aware of any issues with the update. However, this must be manually downloaded and installed from Microsoft Update Catalog. For systems managed with WSUS, the out-of-band update must be imported manually from the download.
Similar articles
November 2021 Patchday issues: WSUS, DC, Events
Patchday: Windows 10-Updates (November 9, 2021)
Windows PrintNightmare printing issues: Server loses settings, Error while printing (Nov 11, 2021)
I believe the build edition for Server 2019 is incorrect. See: https://support.microsoft.com/en-us/topic/november-14-2021-kb5008602-os-build-17763-2305-out-of-band-8583a8a3-ebed-4829-b285-356fb5aaacd7
It should be 17763.2305
Don: Did you noticed, that build 17763.2262 is for SSU?