[German]An October update for CVE-2022-38042 and a long history now confirmed by Microsoft. The October 11, 2022 security update also included domain join hardening to close the vulnerability (CVE-2022-38042). However, these changes had powerful collateral damage. Now Microsoft has published a support post confirming bug 0xaac (2732) in connections between Windows Domain Servers through this update. Looking it up, I noticed that I had reported this collateral damage as of October 12, 2022 here on the blog. So I'll briefly revisit the topic.
Advertising
Issues after fix for CVE-2022-38042
In the October 11, 2022 cumulative updates (see links at the end of the article), Microsoft had also made changes to "domain join hardening". Microsoft describes in support post KB5020276—Netjoin: Domain join hardening changes (article revised as of Oct. 12, 2022) the changes introduced because of the CVE-2022-38042 vulnerability in the Oct. 11, 2022 cumulative update packages for all supported operating systems.
Shortly thereafter, blog reader Martin contacted me to report that the domain join hardening changes made with the updates to close the vulnerability (CVE-2022-38042) caused powerful collateral damage. With this update, AD join of Windows clients may no longer be possible if certain conditions cannot be met – this affects all versions of Windows. I had picked up the details in the blog post Windows Oktober 2022 Patchday: Fix for Domain Join Hardening (CVE-2022-38042) prevents domain join. There have been some discussion here within my German blog, where administrators published their test results.
Support post for October 27, 2022
As of October 27, 2022, Microsoft has posted a new entry Domain join processes may fail with error "0xaac (2732)" on the Windows Release Health status page for Windows Server 2022 (and other Windows versions). Microsoft writes:
Domain connection operations may intentionally fail with the error "0xaac (2732): NERR_AccountReuseBlockedByPolicy" and the text "An account with the same name exists in Active Directory. Account reuse has been blocked by security policy."
This issue originated in the October 2022 security updates (e.g., KB5018421), which introduced some hardening changes that are enabled by default for domain joining. Affects the following Windows versions that are deployed in enterprise environments in domains:
Advertising
- Client: Windows 11, version 22H2; Windows 10, version 22H2; Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise 2015 LTSB; Windows 8.1; Windows 7 SP1.
- Server: Windows Server 2022; Windows Server, version 20H2; Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2.
Microsoft writes in the post, please read KB5020276 – Netjoin: Domain join hardening changes to understand the redesigned behavior. Colleagues here had noticed the new entry, but when following the link to KB5020276 I note that this had already been addressed and linked to in my blog post Windows Oktober 2022 Patchday: Fix for Domain Join Hardening (CVE-2022-38042) prevents domain join dated October 12, 2022. So Microsoft has confirmed the problem and suggests several workarounds for affected people in its support post KB5020276 – Netjoin: Domain join hardening changes. But this doesn't change the general discussion in the comments like here. Or how do you see it?
Similar articles:
Patchday: Windows 10-Updates (October 11, 2022)
Patchday: Windows 11/Server 2022-Updates (October 11, 2022
Windows 7/Server 2008 R2; Windows 8.1/Server 2012 R2: Updates (October 11, 2022)
Windows Oktober 2022 Patchday: Fix for Domain Join Hardening (CVE-2022-38042) prevents domain join
