Windows Server 2019: Update KB5011551 causes password loop

A brief note for administrators who are running Windows Server 2019 as domain controllers. A blog reader informed me that update KB5011551 prevents passwords from being changed. This is the preview update released on March 22, 2022, which probably not every administrator will install on their machines. It seems that this preview update is forcing DCs into password loops. Here is a brief overview of what I know so far.



Password loop caused by KB5011551

A few hours ago, German blog reader Rico N. contacted me by mail and pointed out a problem in his environment with two Windows Server 2019 systems (which correspond to the Windows 10 version 1809 development branch). To explain why the update was installed there, here is his note:

We operate two Windows Server 2019 (version 1809) as domain controllers in a perpetual update state, since we are a ***** that is permanently under external data protection control and must be able to demonstrate a seamless update policy at all times for successful certification.

This probably also means that preview updates are installed on the machines within a certain time. I do not know exactly when the installation took place, but Rico wrote to me that the trouble started on Friday, April 1, 2022.

Now on Friday on a file server Windows Server 2012 R2 problems followed, which nobody could understand. Almost all security groups had disappeared from the directories. Thus, no one saw any folder, let alone a file, in the entire setup anymore.

The solution the administrators tried in this case was to restore an older backup dated March 30, 2022 to the file server running Windows Server 2012 R2:

Overnight, we then restored the file server to a backup from Wednesday last week, thinking that would take care of the problems BUT: far from it!

On Monday, April 4, 2022, the next problems appeared, as Rico writes in his email. Suddenly there were problems changing user passwords. Rico wrote:

Then this morning the next trouble started, the password change prompt hit some of our employees and they were shown in dialog change password after/on change that they have to change the password first.

The problem could be traced back to preview update KB5011551 dated March 22, 2022, as Rico wrote:



After trying to import backups of the DCs, I then simply uninstalled update KB5011551 mentioned in the subject and excluded it with WUSHOWHIDE.DIAGCAB against possible reinstallation. Voila, password change goes….

So much for his experience with this preview update; at this point, thanks for these tips. I had covered update KB5011551 in the blog post Windows 10 / Windows Server Preview Updates (March 22, 2022). Update KB5011551 is available for Windows 10 Enterprise LTSC 2019 as well as Windows Server 2019 and raises the build to 17763.2746.

More evidence of password issues

Rico also noted that yesterday, April 4, 2022, he had already found many entries on Google with questions on this topic, all of which remained unanswered. That was also why he informed me about the problem late yesterday afternoon; I had not heard of it until then. I started a quick web search while writing this post and found this post on reddit.com:

KB5011551 causing password change loop

Problem: we reset user password in AD and tick box "user must change password". User goes to change password but stuck in a loop saying password must be changed before logging in.

Did some research and see others having the same issue after installing KB5011551. Attempted to uninstall through control panel but getting an error that not all components have been removed. Tried to uninstall with below command:

DISM /online /remove-package /packagename:package_for_rollupFix…….

I get the message:

An error occurred – package_for_rollupFix error: 0x8007371b Error 14107 One or more required members of the transaction are not present.

Any other tips on removing this?

Edit: I inherited this setup from previous Sysadmin. We have secondary DC and was able to uninstall the update from DC2. I'm thinking I may need to restore DC1. All FSMO roles are currently assigned to DC1. Should I seize all roles to DC2, restore DC1 to last week, then move some/all roles back?

There, too, the inability to change passwords is confirmed on a Windows Server 2019 acting as a domain controller. In the Spiceworks community there is this short entry:

The users password must be changed before signing

I have a single DC. – SERVER 2019 Standard

DCDiag all comes up with no issues.
Group Policies are not the issue.
Minimum password age is set to 0.

Passwords are new and meet complexity.

Users are unable to change their password when it expires or if I reset in AD and flag to change password on next logon.

I created a test admin account. Full schema domain admin.

I tested and tried flagging to change password on next logon, tried changing it directly on the DC and received the same error:

the users password must be changed before signing

It has been working fine for the past 2+ years. All of a sudden this started being an issue in the past 10 days.

I am lost, any ideas?

That looks to me like the problem described above. On the German site administrator.de there is this entry with a similar description. In the Microsoft Techcommunity there is this entry from April 4, 2022 describing the same thing:

Password Change Logon Loop Windows Server 2019 KB5011551

I have a problem
users passwords expire or I manual reset them with "User must change password" box checked. Every time they enter a new password it tells them to do it again in an endless loop. All of this happened after installing KB5011551. Is it possible to repair without uninstalling KB5011551 ?

There, too, the problem is confirmed by a second user, who says that uninstalling KB5011551 fixed it. The oldest entry may be from March 30, 2022 and can be found in Microsoft Q&A here:

Password Change Logon Loop

Hello, I have this issue when users passwords expire or I manual reset them with "User must change password" box checked. Every time they enter a new password it tells them to do it again in an endless loop. Any ideas?

We have two DC's with Server 2019 and one DC with 2012.

We do do AD SYNC to Azure

PCS are mostly Windows 10 with a couple Windows 11

The issue is confirmed in this thread by various users on Domain Controllers running Windows Server 2019 acting as AD. In the Known Issues section for update KB5011551, I have not yet found any information that Microsoft is aware of the problem. Only DNS issues caused by an update are confirmed there (see Windows Server 2019: Update KB5009616 causes DNS problems). Question: Are there any others affected? When was the update installed? Has anyone already found a solution without having to uninstall and block preview update KB5011551 for Windows Server 2019?
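
To answer those questions for your own domain, the following PowerShell example (added here, not part of the original post or of any Microsoft tooling) lists each domain controller, whether KB5011551 is installed and when, and how many enabled accounts currently carry the "user must change password" flag. It assumes the ActiveDirectory RSAT module, WMI/DCOM access to the DCs, and that the update is listed by Get-HotFix; the two function names are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post.
$kb = 'KB5011551'   # preview update named in the post

function Get-DcUpdateStatus {
    param([string]$KbId = $kb)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $fix = $null
        try {
            # Assumption: the update shows up in Win32_QuickFixEngineering,
            # which is what Get-HotFix queries (remotely over WMI/DCOM).
            $fix = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
                   Where-Object HotFixID -eq $KbId
            $state = if ($fix) { 'Installed' } else { 'NotInstalled' }
        } catch {
            # Unreachable DC or access denied: report it, do not guess.
            $state = "Unknown ($($_.Exception.Message))"
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem
            FsmoRoles        = $dc.OperationMasterRoles -join ', '
            Update           = $state
            InstalledOn      = $fix.InstalledOn
        }
    }
}

function Get-PasswordChangeExposure {
    $policy  = Get-ADDefaultDomainPasswordPolicy
    # pwdLastSet = 0 is how AD stores "User must change password at next logon".
    $flagged = @(Get-ADUser -Filter 'Enabled -eq $true -and pwdLastSet -eq 0')
    [pscustomobject]@{
        MinPasswordAgeDays    = $policy.MinPasswordAge.TotalDays
        MaxPasswordAgeDays    = $policy.MaxPasswordAge.TotalDays
        MustChangeAtNextLogon = $flagged.Count
        Accounts              = $flagged.SamAccountName
    }
}

Get-DcUpdateStatus         | Format-Table -AutoSize
Get-PasswordChangeExposure | Format-List
```

The FsmoRoles column matters when a rollback or restore of a single DC is being considered, as in the reddit post quoted above. The minimum password age is reported only because it comes up in the quoted threads.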



8 Responses to Windows Server 2019: Update KB5011551 causes password loop

  1. Eric says:

    I can verify that we have experienced the same thing in our domain. We are also running Windows Server 2019 and didn't have any issues until update KB5011551. Now we are having to reset our users passwords for them, then have them change their passwords using ctrl-alt-delete, then Change Password.

    • guenni says:

      I've set Microsoft's twitter social media team @WindowsUpdate at cc with a link to this tweet on Twitter – so they should be aware of this.

  2. Charl says:

    I can also confirm that this is happening with several of my Windows Server 2019 domains we use for development and testing. An endless password loop saying your credentials are invalid if you reset user passwords and specify that they need to change password on next login. Passwords cannot be changed via OWA or logging into a machine. This also affects users whose passwords have expired.

  3. Jenny Tano says:

    Also had the same issue. Ad 2019 server Uninstalling fixed it.


  5. Mark says:

    We had the same thing happen with KB5011558. I rolled back. Hoping today's release doesn't cause the issue to come back.

  6. MysticFoxDE says:

    I have the exact same problem at a customer's site on Server 2022. 🤢

  7. MysticFoxDE says:

    Hi Günni,
    I installed the patch on the 2022 DC today, but a user was still unable to change the password himself afterwards. 🤢
    But… I did some "refoxing" around and was able to solve the problem by setting "Minimum password age" to "0 days" in the "Default Domain Policy". 😁
    Best Regards from BaWü
    Alex
