I'm posting a first warning about the October 2022 security updates for Windows here on the blog because a reader from a corporate environment pointed it out to me. The domain join hardening changes the updates make to close vulnerability CVE-2022-38042 have considerable collateral damage. With this update, joining Windows clients to an Active Directory domain may no longer be possible if certain conditions are not met, and this affects all supported Windows versions.
Netjoin: Domain Join Hardening Changes
Microsoft describes in support article KB5020276—Netjoin: Domain join hardening changes some changes made to fix vulnerability CVE-2022-38042 with the October 11, 2022 cumulative update packages for all supported operating systems:
- Windows Server 2008 (ESU)
- Windows 7 (ESU)
- Windows Server 2008 R2 (ESU)
- Windows Embedded POSReady 7 (ESU)
- Windows Server 2012
- Windows Server 2012 R2
- Windows Embedded 8 Standard
- Windows Embedded 8.1
- Windows 8.1
- Windows RT 8.1
- Windows 10, version 1607
- Windows 10 Enterprise 2019 LTSC
- Windows 10 IoT Enterprise 2019 LTSC
- Windows 10 IoT Core 2019 LTSC
- Windows 10 Enterprise Multi-Session, version 20H2
- Windows 10 Enterprise and Education, version 20H2
- Windows 10 IoT Enterprise, version 20H2
- Windows 10 on Surface Hub
- Windows 10, Version 21H1 – 21H2 (all editions)
- Windows 11 Version 21H2 – 22H2 (all editions)
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Once the Windows cumulative updates dated October 11, 2022 or later are installed on a client computer, the client will perform additional security checks during domain joining before attempting to reuse an existing computer account. These changes are enabled by default and are "secure," according to Microsoft. The support article states:
During domain joining and computer account provisioning, the client computer queries Active Directory for an existing account with the same name. If such an account exists, the client automatically attempts to reuse it.
According to Microsoft, the reuse attempt fails unless the account performing the join has the required rights on the existing object, that is, unless that account created the existing computer account or the computer account was created by a member of Domain Admins. In those cases the domain join succeeds as before. The support article lists the scenarios in which a domain join now fails.
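To find out in advance which machines will run into the new check, the following script is useful. It is an added example, not code from the blog post or from Microsoft: it approximates the October 2022 reuse rule from KB5020276 (reuse allowed if the joining account created the existing computer object, or a member of Domain Admins created it) by looking at who owns the object's security descriptor and at the mS-DS-CreatorSID attribute. It requires the ActiveDirectory RSAT module; the function name, the OU and the account names are my own assumptions.

```powershell
# Added example, not from the blog post or from Microsoft. Approximates the
# October 2022 account-reuse rule from KB5020276 for an existing computer object.
Import-Module ActiveDirectory -ErrorAction Stop

function ConvertTo-SidString {
    # mS-DS-CreatorSID comes back as a SecurityIdentifier from the AD module, but as
    # a byte[] from raw ADSI; normalise both to the S-1-5-... string form.
    param($Value)
    if ($null -eq $Value) { return $null }
    if ($Value -is [byte[]]) {
        return (New-Object System.Security.Principal.SecurityIdentifier($Value, 0)).Value
    }
    return [string]$Value
}

function Test-NetJoinAccountReuse {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,  # e.g. PC0815 (without the trailing $)
        [Parameter(Mandatory)] [string] $JoinAccount    # sAMAccountName of the join account
    )

    $existing = Get-ADComputer -LDAPFilter "(sAMAccountName=$ComputerName`$)" `
                    -Properties nTSecurityDescriptor, 'mS-DS-CreatorSID', whenCreated
    if (-not $existing) {
        # No object to reuse: the join creates a new one and the hardening is not triggered.
        return [pscustomobject]@{ Computer = $ComputerName; Existing = $false
                                  Reuse = 'n/a'; Reason = 'no existing account' }
    }

    $domainSid      = (Get-ADDomain).DomainSID.Value
    $domainAdminSid = "$domainSid-512"                 # well-known RID 512 = Domain Admins
    $joinSid        = (Get-ADUser -Identity $JoinAccount).SID.Value

    # Objects created by a domain admin are owned by Domain Admins by default; objects
    # created by ordinary users via the machine account quota are owned by that user
    # and additionally carry the creator's SID in mS-DS-CreatorSID.
    $ownerSid   = $existing.nTSecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    $creatorSid = ConvertTo-SidString $existing.'mS-DS-CreatorSID'

    if ($ownerSid -eq $joinSid -or $creatorSid -eq $joinSid) {
        $reuse = 'allowed'; $reason = "$JoinAccount created the account"
    } elseif ($ownerSid -eq $domainAdminSid) {
        $reuse = 'allowed'; $reason = 'account was created by a member of Domain Admins'
    } else {
        $reuse = 'BLOCKED'; $reason = "owner $ownerSid is neither $JoinAccount nor Domain Admins"
    }

    [pscustomobject]@{
        Computer = $ComputerName
        Existing = $true
        Created  = $existing.whenCreated
        Owner    = $ownerSid
        Creator  = $creatorSid
        Reuse    = $reuse
        Reason   = $reason
    }
}

# Usage: check one machine, or every computer object in the OU that holds the fleet
# (OU path and join account name are assumptions).
Test-NetJoinAccountReuse -ComputerName 'PC0815' -JoinAccount 'svc-domainjoin'

Get-ADComputer -SearchBase 'OU=Workstations,DC=corp,DC=example,DC=com' -Filter * |
    ForEach-Object { Test-NetJoinAccountReuse -ComputerName $_.Name -JoinAccount 'svc-domainjoin' } |
    Where-Object Reuse -eq 'BLOCKED' |
    Format-Table Computer, Owner, Created, Reason -AutoSize
```

The check is only an approximation of what the client does at join time (it reads the same ownership information, but the netjoin code path is Microsoft's, not this script), so treat a BLOCKED result as "expect the join to fail" rather than as a guarantee. Objects reported as BLOCKED can be deleted by an administrator beforehand so that the join account creates them fresh, which avoids the reuse check altogether.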
Domain join always fails
German blog reader Martin E. wrote me a few minutes ago that the October 2022 updates for Windows are causing a disaster in his environment. After he integrated update KB5018418 for his Windows 11 21H2 clients into the image (it is the same for Windows 10, see screenshot below), the clients could no longer join the AD domain.
This probably affects all Windows versions. Martin points to support article KB5020276—Netjoin: Domain join hardening changes (microsoft.com) as the cause. He now faces the problem that the exceptions described in that support article cannot possibly be guaranteed on a large fleet of machines: the account used for the join must be the one that created the existing computer account, or a domain admin must have created the computer account.
An ad-hoc approach would be to build an image at the September 2022 patch level and install the October 2022 update only after the domain join.
Leaving an AD domain and rejoining it would then no longer be possible with the October 2022 patch installed. Currently, this October 2022 update is not yet integrated into any Windows installation image; even Windows 11 22H2 does not have the October 2022 update in its installation image yet (it is still at the September 2022 patch level).
How do you solve this problem? Or does this not apply to you in the corporate environment?
Martin wrote in a follow-up that there might be a workaround and sent me the following screenshot with a trace log and a short explanation:
There is a new registry entry NetJoinLegacyAccountReuse, and the log indicates that the Active Directory join has been blocked for the account by security policy. Martin writes:
I think status: 2 = net helpmsg 2 = "The system cannot find the specified file".
So it can't find the key.
Currently, search engines like Google find nothing about NetJoinLegacyAccountReuse, which is brand new. The entry NetJoinLegacyAccountReuse is a DWORD value within the registry key:
If this DWORD value NetJoinLegacyAccountReuse is set to 0x1, a domain join that reuses an existing computer account should work again. Without the DWORD entry, a domain join attempt with the October 2022 update installed returns the following error:
An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.
The command failed to complete successfully.
Once the NetJoinLegacyAccountReuse DWORD value is set to 1, the client reports:
The computer needs to be restarted in order to complete the operation.
The command completed successfully.
This is confirmed in the log, because the query for IsNetJoinLegacyAccountReuseSetInRegistry now returns True.
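Because the value switches the client back to the pre-October behaviour that CVE-2022-38042 was fixed for, it should only be set for the duration of the join and removed afterwards. The following script does exactly that; it is an added example, not code from the blog post, from Martin or from Microsoft. The key path HKLM\SYSTEM\CurrentControlSet\Control\Lsa is the one Microsoft documents for NetJoinLegacyAccountReuse in KB5020276; the domain, OU and credential values are assumptions. It is written for Windows PowerShell 5.1 (Add-Computer is not available in PowerShell 7) and must run elevated on the client that is to be joined.

```powershell
# Added example, not from the blog post or from Microsoft: one-off domain join with the
# NetJoinLegacyAccountReuse override set, removed again in the finally block.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # key path per KB5020276
$regName = 'NetJoinLegacyAccountReuse'
$domain  = 'corp.example.com'                              # assumption
$ouPath  = 'OU=Workstations,DC=corp,DC=example,DC=com'     # assumption
$cred    = Get-Credential -Message 'Account used for the domain join'

# Record the prior state so the client is left exactly as it was found.
$previous = Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue

try {
    # 1 = accept an existing computer account with this name, as before October 2022.
    New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 -Force | Out-Null

    Add-Computer -DomainName $domain -OUPath $ouPath -Credential $cred -ErrorAction Stop
    Write-Output "Joined $domain as $env:COMPUTERNAME; a restart is required to complete the operation."
}
catch {
    # With the override missing this is where the "blocked by security policy" error lands.
    Write-Error "Domain join failed: $($_.Exception.Message)"
}
finally {
    # The override disables the CVE-2022-38042 fix, so never leave it in place.
    if ($previous) {
        Set-ItemProperty -Path $regPath -Name $regName -Value $previous.$regName
    } else {
        Remove-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
    }
    # Verify: returns nothing unless the value already existed before the script ran.
    Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty $regName
}
```

After the join, %windir%\debug\NetSetup.LOG on the client should show the IsNetJoinLegacyAccountReuseSetInRegistry entry from Martin's trace returning true for that attempt. For a fleet, the cleaner alternative remains to have an administrator delete the stale computer objects first, so that the join account creates them and no override is needed.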
Thanks to Martin for these hints. A support post or an addendum to KB5020276 is not yet available; feel free to leave a comment if you come across anything else on the subject.
Microsoft Office Updates (October 4, 2022)
Microsoft Security Update Summary (October 11, 2022)
Patchday: Windows 10-Updates (October 11, 2022)
Windows 10: Beware of a possible TLS disaster on October 2022 patchday