{"id":23470,"date":"2022-02-26T00:20:00","date_gmt":"2022-02-25T23:20:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=23470"},"modified":"2022-02-26T00:33:31","modified_gmt":"2022-02-25T23:33:31","slug":"windows-10-20h2-january-2022-updates-breaks-agpm-server","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/02\/26\/windows-10-20h2-january-2022-updates-breaks-agpm-server\/","title":{"rendered":"Windows 10 20H2: January 2022 Updates breaks AGPM-Server"},"content":{"rendered":"

\"Windows\"[German<\/a>]Microsoft's fix for vulnerability CVE-2022-21920 may block NTLM authentication if Kerberos authentication is not successful. A German blog reader has notified me in January 2022 about issues with Advanced Group Policy Management<\/em> (AGPM<\/em>). After installing January 2022 security updates , there are problems to reach the AGPM server. Microsoft has now confirmed these issues and a workaround is possible.<\/p>\n

<\/p>\n

Issues with AGPM Server<\/h2>\n

\"\"Austrian blog reader Markus K. uses AGPM in a larger network environment in a university. He has already emailed me as of 1\/23\/2022 about a problem he posted on the patchmanagement.org mailing list under the title AGPM client fails to connect with 2022-01 CU<\/a><\/em>. There he wrote:<\/p>\n

Dear all,<\/p>\n

just a heads up cause it might concern you.<\/p>\n

We have a 20H2 machine with an AGPM client installed.
\nAfter installing 2022-01 CU the connection to the AGPM server failed.
\nAfter uninstalling the patch the connection to the server works again.
\nThe 2019 server has the 2022-01 CU installed though.<\/p>\n

The error on the clients log:
\n2022-01-13 10:21:23:1869726 [pid=8016,tid=3] [Error] Error in AgpmClient.Reconnect() System.ServiceModel.Security.SecurityNegotiationException: Either the target name is incorrect or the server has rejected the client credentials. \u2014> System.Security.Authentication.InvalidCredentialException: Either the target name is incorrect or the server has rejected the client credentials. \u2014> System.ComponentModel.Win32Exception: The logon attempt failed
\n\u2014 End of inner exception stack trace \u2014
\nat System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)
\nat System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)
\nat System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
\n\u2014 End of inner exception stack trace \u2014<\/p>\n

Seems the patch breaks the auth process. Not much we can do except waiting for a fix I guess.<\/p><\/blockquote>\n

However, in the discussion it turned out that hardly anyone on the list uses AGPM and others are not affected either. Markus was able to provoke this issue on a freshly installed Windows 10 20H2 client in a virtual machine.<\/p>\n

<\/a><\/p>\n

What is AGPM?<\/h2>\n

AGPM stands for Microsoft's Advanced Group Policy Management<\/em>. According to this Microsoft document<\/a>, Microsoft Advanced Group Policy Management (AGPM) extends the capabilities of the Group Policy Management Console (GPMC). It will provide comprehensive change control and improved management for Group Policy Objects (GPOs). AGPM is available as part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance. There are several versions available.<\/p>\n

Microsoft's explanation<\/h2>\n

Blog reader Markus K. emailed me again on February 25, 2022 and wrote:<\/p>\n

Hello,<\/p>\n

Problem solved myself, because the ticket at MS is a farce.
\nA few people on the NTSysadmin list should also be happy about this, as they are also affected.<\/p>\n

We had entered the IP of the AGPM server. Split-DNS therefore delivers a FQDN outside the domain. Kerberos does not work then of course, so fallback to NTLM.<\/p><\/blockquote>\n

Microsoft released an update on January 11, 2022 to close the vulnerability CVE-2022-21920<\/a>, which triggered the above effect. Markus K. pointed me to the Microsoft support article KB5011233: Protections in CVE-2022-21920 may block NTLM authentication if Kerberos authentication is not successful<\/a>, where this is discussed. According to the support article, it affects all supported Windows versions.<\/p>\n

Windows Server 2008
\nWindows 7 Service Pack 1
\nWindows Server 2008 R2 Service Pack 1
\nWindows Server 2012
\nWindows 8.1 Windows Server 2012 R2
\nWindows 10 Windows 10, version 1607,
\nall editions Windows 10, version 1809,
\nall editions Windows Server 2016
\nWindows 10, version 1909,
\nall editions Windows Server 2019
\nWindows 10, version 20H2,
\nall editions Windows 10, version 21H1,
\nall editions Windows 10, version 21H2,
\nall editions Windows 11 Windows Server 2022<\/p>\n

Markus wrote: If you replace the IP with the correct FQDN of the domain, everything works again. <\/em>Perhaps this is helpful for some affected administrators.<\/p>\n","protected":false},"excerpt":{"rendered":"

[German]Microsoft's fix for vulnerability CVE-2022-21920 may block NTLM authentication if Kerberos authentication is not successful. A German blog reader has notified me in January 2022 about issues with Advanced Group Policy Management (AGPM). After installing January 2022 security updates , … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[463,22,2],"tags":[166,195,194],"class_list":["post-23470","post","type-post","status-publish","format-standard","hentry","category-issue","category-update","category-windows","tag-issues","tag-update","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/23470","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=23470"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/23470\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=23470"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=23470"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=23470"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}