Brief information for administrators running Windows Server 2019 as domain controllers. A blog reader informed me that update KB5011551 prevents passwords from being changed. This is the preview update released on March 22, 2022, which probably not every administrator installs on their machines. It seems that this preview update forces DCs into password-change loops. Here is a brief overview of what I know so far.
Password loop caused by KB5011551
A few hours ago, German blog reader Rico N. contacted me by mail and pointed out a problem in his setup with two Windows Server 2019 systems (which correspond to the Windows 10 1809 development branch). As a hint as to why the update was installed there, here is his note:
We operate two Windows Server 2019 (version 1809) as domain controllers in a perpetual update state, since we are a ***** that is permanently under external data protection control and must be able to demonstrate a seamless update policy at all times for successful certification.
This probably also means that preview updates are installed on the machines within a certain period. When exactly the installation took place is not known to me. But Rico wrote me that the trouble started on Friday, April 1, 2022.
Then on Friday, problems followed on a file server running Windows Server 2012 R2, which nobody could understand. Almost all security groups had disappeared from the directories. Thus no one could see any folder, let alone a file, in the entire setup anymore.
The solution the administrators tried in this case was to restore an older backup dated March 30, 2022 to the file server running Windows Server 2012 R2:
Overnight, we then restored the file server to a backup from Wednesday last week, thinking that would take care of the problems BUT: far from it!
On Monday, April 4, 2022, the next problems appeared, as Rico writes in his email: suddenly user passwords could no longer be changed. Rico wrote:
Then this morning the next trouble started: the password change prompt hit some of our employees, and after changing the password they were told in the change-password dialog that they have to change the password first.
The problem could be traced back to preview update KB5011551 dated March 22, 2022, as Rico wrote:
After trying to import backups of the DCs, I then simply uninstalled the update KB5011551 mentioned in the subject and excluded it with WUSHOWHIDE.DIAGCAB against possible reinstallation. Voilà, password change works….
So much for his experience with this preview update – at this point, thanks for these tips. I had covered update KB5011551 in the blog post Windows 10 / Windows Server Preview Updates (March 22, 2022). Update KB5011551 is available for Windows 10 Enterprise LTSC 2019 as well as Windows Server 2019 and raises the build to 17763.2746.
More evidence of password issues
Rico also noted that yesterday, April 4, 2022, he had already found a lot of entries on Google with questions on this topic, all of which remained unanswered. That was also his reason for informing me about the problem later yesterday afternoon; I had not yet heard of it. I started a quick web search while writing this post and found this post on reddit.com:
KB5011551 causing password change loop
Problem: we reset a user's password in AD and tick the box "user must change password". The user goes to change the password but is stuck in a loop saying the password must be changed before logging in.
Did some research and see others having the same issue after installing KB5011551. Attempted to uninstall through Control Panel but am getting an error that not all components have been removed. Tried to uninstall with the below command:
DISM /online /remove-package /packagename:package_for_rollupFix…….
I get the message:
An error occurred – package_for_rollupFix error: 0x8007371b Error 14107 One or more required members of the transaction are not present.
Any other tips on removing this?
Edit: I inherited this setup from the previous sysadmin. We have a secondary DC and were able to uninstall the update from DC2. I'm thinking I may need to restore DC1. All FSMO roles are currently assigned to DC1. Should I seize all roles to DC2, restore DC1 to last week, then move some/all roles back?
There, too, the problem of password changes not being possible is confirmed on a Windows Server 2019 system acting as a domain controller. In the Spiceworks community there is this short entry:
The users password must be changed before signing
I have a single DC. – SERVER 2019 Standard
DCDiag all comes up with no issues.
Group Policies are not the issue.
Minimum password age is set to 0.
Passwords are new and meet complexity.
Users are unable to change their password when it expires or if I reset in AD and flag to change password on next logon.
I created a test admin account. Full schema domain admin.
I tested and tried flagging to change password on next logon, tried changing it directly on the DC and received the same error:
the users password must be changed before signing
It has been working fine for the past 2+ years. All of a sudden this started being an issue in the past 10 days.
I am lost, any ideas?
This looks to me like the problem described above. On the German site administrator.de there is this entry with a similar description. In the Microsoft Tech Community there is this entry from April 4, 2022 describing the same thing:
Password Change Logon Loop Windows Server 2019 KB5011551
I have a problem
users passwords expire or I manual reset them with "User must change password" box checked. Every time they enter a new password it tells them to do it again in an endless loop. All of this happened after installing KB5011551. Is it possible to repair without uninstalling KB5011551 ?
There, too, the problem is confirmed by a second user, who says that uninstalling KB5011551 fixed it. The oldest entry may be from March 30, 2022 and can be found in Microsoft Q&A here:
Password Change Logon Loop
Hello, I have this issue when users passwords expire or I manual reset them with "User must change password" box checked. Every time they enter a new password it tells them to do it again in an endless loop. Any ideas?
We have two DC's with Server 2019 and one DC with 2012.
We do AD Sync to Azure
PCS are mostly Windows 10 with a couple Windows 11
The issue is confirmed in this thread by various users on domain controllers running Windows Server 2019. In the Known Issues section for update KB5011551, I have not yet found any information that Microsoft is aware of the problem. Only DNS issues caused by an update are confirmed there (see Windows Server 2019: Update KB5009616 causes DNS problems). Question: Are there any others affected? When was the update installed? Has anyone already found a solution without having to uninstall and block preview update KB5011551 for Windows Server 2019?
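To answer the "when was it installed" question for your own environment, here is an added PowerShell inventory check (my example, not code from the reader or from the post above): it asks every DC in the current domain whether KB5011551 is listed and reports the OS build, since the preview raises it to 17763.2746. It assumes the ActiveDirectory RSAT module and WinRM access to the DCs.

```powershell
# Added example: inventory all DCs in the current domain for preview update KB5011551.
# Assumes the ActiveDirectory module (RSAT) and PowerShell remoting to each DC.
$kb  = 'KB5011551'
$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $kb -ScriptBlock {
    param($Id)
    # CurrentBuildNumber.UBR gives the full build, e.g. 17763.2746 after KB5011551
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $fix = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Build       = "$($cv.CurrentBuildNumber).$($cv.UBR)"
        KBInstalled = [bool]$fix
        InstalledOn = if ($fix) { $fix.InstalledOn } else { $null }
    }
}

$results | Sort-Object Computer |
    Format-Table Computer, Build, KBInstalled, InstalledOn -AutoSize

# Flag DCs that list the KB, or whose UBR is at/above 2746 on the 17763 branch:
# cumulative updates carry earlier changes forward, so a later build still
# contains the KB5011551 code even when Get-HotFix no longer shows that ID.
$results | Where-Object {
    $_.KBInstalled -or
    ($_.Build -like '17763.*' -and [int]($_.Build.Split('.')[1]) -ge 2746)
} | ForEach-Object {
    Write-Warning "$($_.Computer) is at build $($_.Build); verify password changes for 'must change at next logon' accounts"
}
```

Run it from a management host before and after removing the update so the InstalledOn dates can be matched against the first user reports of the loop.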