Resolution: This issue was resolved in the out-of-band update KB5010792. It is a cumulative update, so you do not need to apply any previous update before installing it. Note: Not all VPN servers have the option to disable Vendor ID from being used. Workaround: To mitigate the issue for some VPNs, you can disable Vendor ID within the server-side settings.
VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP security Internet Key Exchange (IPSEC IKE) might also be affected. Server: Windows Server 2022 Windows Server, version 20H2 Windows Server, version 1909 Windows Server, version 1809 Windows Server 2019 Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 Windows Server 2008 R2 SP1 Windows Server 2008 SP2Īfter installing KB5009545, IP Security (IPSEC) connections which contain a Vendor ID might fail.
If you are using Monthly rollup updates, you will need to install both the standalone updates listed above to resolve this issue, and install the Monthly rollups released to receive the quality updates for May 2022. Monthly rollup updates are cumulative and include security and all quality updates. Security only updates are not cumulative, and you will also need to install all previous Security only updates to be fully up to date. Note: If you are using security only updates for these versions of Windows Server, you only need to install these standalone updates for the month of May 2022. Note: You do not need to apply any previous update before installing these cumulative updates. Note The below updates are not available from Windows Update and will not install automatically. For Configuration Manger instructions, see Import updates from the Microsoft Update Catalog. For WSUS instructions, see WSUS and the Catalog Site. You can manually import these updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. To get the standalone package for these out-of-band updates, search for the KB number in the Microsoft Update Catalog. There is no action needed on the client side to resolve this authentication issue. This includes the removal of the registry key (CertificateMappingMethods = 0x1F) documented in the SChannel registry key section of KB5014754. If you used any workaround or mitigations for this issue, they are no longer needed, and we recommend you remove them. Resolution: This issue was resolved in out-of-band updates released for installation on all Domain Controllers in your environment, as well as all intermediary application servers such as Network Policy Servers (NPS), RADIUS, Certification Authority (CA), or web servers which passes the authentication certificate from the client being authenticated to the authenticating DC. Note: Any other mitigation except the preferred mitigations might lower or disable security hardening. If the preferred mitigation will not work in your environment, please see KB5014754-Certificate-based authentication changes on Windows domain controllers for other possible mitigations in the SChannel registry key section.
Note: The instructions are the same for mapping certificates to user or machine accounts in Active Directory. For instructions, please see Certificate Mapping. Workaround: The preferred mitigation for this issue is to manually map certificates to a machine account in Active Directory. This issue only affects installation of May 10, 2022, updates installed on servers used as domain controllers.
Note: Installation of updates released May 10, 2022, on client Windows devices and non-domain controller Windows Servers will not cause this issue. An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller.
You might see authentication failures on the server or client for servicesĪfter installing updates released on your domain controllers, you might see machine certificate authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP).