Windows out-of-band updates (05/19/2022) fixes AD authentication error and Store installation error

Microsoft has released a series of unscheduled updates (out-of-band updates) for supported versions of Windows (client and server) as of May 19, 2022, to correct issues caused by the May 10 security updates. These include the Active Directory authentication issue on domain controllers, but also a bug that prevents the installation of apps from the Microsoft Store.

Blog reader EP informed me in this comment on the English-language blog (thanks for that) about three unscheduled updates and wrote:

no KB5014023 on May 19 but Microsoft released a bunch of out-of-band updates on TH May 19 such as KB5015020 for 21H1/21H2 and KB5015018 for 1809 LTSC 2019 along with KB5015019 for 1607 LTSB 2016:

https://support.microsoft.com/help/5015020
https://support.microsoft.com/help/5015018
https://support.microsoft.com/help/5015019

But that's only a subset of the released updates. Microsoft has published the full list of updates in the Windows 11 Health status area. This entry in the Known Issues section includes the following cumulative updates (thanks to the colleagues at Bleeping Computer):

as well as the following standalone updates:

You do not need to apply previous updates before installing these cumulative updates. However, for the standalone updates, if you are only using security updates for these versions of Windows Server, you only need to install these updates for the month of May. Those using monthly rollup updates will need to install both the standalone update listed above and the May 10, 2022 monthly rollups.

Miscellaneous fixes

The support article for update KB5015020 for Windows Server Version 20H2 lists the following fixes for the package in question:

  • Fixes a known issue that can prevent some services from authenticating machine accounts on clients or servers. This issue occurs after you install the May 10, 2022 update on domain controllers.
  • Resolves an issue that might prevent you from installing Microsoft Store applications.

Microsoft has also released servicing stack updates for various updates. The updates must be downloaded and installed from the Microsoft Update Catalog. You can read about the details and known issues in the support articles linked above. An outline of the AD certification issue and the fixes through the updates can be found in the post You might see authentication failures on the server or client for services. I had reported on the AD issue in blog posts like Windows May 2022 Updates Cause AD Authentication Failure (Server, Client) (see also the links below).

Didn't help in all cases

Addendum: I have received the first feedback that the update did not fix the issue. A German blog reader wrote (translated):

It does not help for us. The May update (May 10th) is installed, and now also update KB5015018 for Windows Server 2019.

But the RADIUS clients still can't get past the NPS and into the WLAN.

Extremely annoying, there are 700 iPads in front of the NPS and they want to be let in… The latest SSU update is also installed.

I will probably uninstall the update from 11.5. for now. I can't leave it like this…

Any similar experiences so far? Addendum: I now have multiple reports that the fix does not help with the AD DC certificate issue if a Network Policy Server (NPS) is involved (see Windows out-of-band updates dated May 19, 2022 fail on AD DC authentication bug in NPS environments).

What about Windows clients?

Addendum: A German blog reader mentioned that update KB5014987 may also be used for Windows 7 SP1 ESU. He was right. My text above about the Windows out-of-band updates is focused on the fix for the AD DC certificate issues caused by the May 10, 2022 updates.

The standalone updates can also be applied to the Windows clients (Windows 7, Windows 8.1), if the KB article states so. However, according to Microsoft, only Windows servers are affected by the AD DC bug. Therefore, the update will probably only be distributed via the Microsoft Update Catalog and will have to be downloaded and installed manually by those affected.

But what I overlooked in the text above was pointed out by blog reader Bolko in a comment: the updates also fix an installation problem with Store apps under Windows 10.

An app installation may fail with error 0xC002001B, caused by April update KB5011831 or May update KB5013942, or the app cannot be opened afterward. This occurs on Intel CPUs of the 11th generation and above that support Control-flow Enforcement Technology (CET), as well as on certain AMD processors; see the known issues section of update KB5011831. Out-of-band update KB5015020 for Windows 10 Version 1909, for instance, fixes that issue.

Affected users can go to the KB articles above and then download and install the appropriate update for the client. Here is a list of the affected updates and clients, just in case:

Windows 7: KB5014987
Windows 8.1: KB5014986
Win10 – 1607 LTSB: KB5015019
Win10 – 1809 LTSB: KB5015018
Win10 – 20H1, 20H2, 21H1, 21H2: KB5015020

The updates may be downloaded from the Microsoft Update Catalog by searching for the KB number. There is no update for Windows 11 clients so far.
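To check a machine against the list above, the following PowerShell sketch (an added example, not from the original post or from Microsoft) maps the running OS build to the out-of-band KB and asks Get-HotFix whether it is installed. The build-number mapping and the function name Get-OobUpdateStatus are assumptions added here; the KB numbers are the ones named in this post.

```powershell
# Added example. KB numbers come from the list above; the build-to-release
# mapping and the function name are assumptions of this sketch.
function Get-OobUpdateStatus {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild

    # OS build -> out-of-band KB from the post
    $kb = switch ($build) {
        7601  { 'KB5014987' }    # Windows 7 SP1
        9600  { 'KB5014986' }    # Windows 8.1
        14393 { 'KB5015019' }    # Windows 10 1607
        17763 { 'KB5015018' }    # Windows 10 1809
        { $_ -ge 19041 -and $_ -le 19044 } { 'KB5015020' }  # 20H1 to 21H2
        default { $null }        # e.g. Windows 11: no update listed
    }

    # Get-HotFix writes an error when the ID is absent, so silence it and
    # treat "nothing returned" as "not installed".
    $hasFix = $false
    if ($kb) {
        $hasFix = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    }

    # Updates the post names as the cause of Store error 0xC002001B
    $triggers = @('KB5011831', 'KB5013942') | Where-Object {
        Get-HotFix -Id $_ -ErrorAction SilentlyContinue
    }

    New-Object PSObject -Property @{
        Build            = $build
        OutOfBandKB      = $kb
        OutOfBandPresent = $hasFix
        TriggerUpdates   = @($triggers)
    }
}

Get-OobUpdateStatus | Format-List
```

The check looks only for the specific KB numbers, so a machine that has since received a later cumulative update can report the out-of-band package as absent even though its fixes are included.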

Similar articles:
Patchday: Windows 10-Updates (May 10, 2022)
Patchday: Windows 11/Server 2022-Updates (May 10, 2022)
Windows 7/Server 2008R2; Windows 8.1/Server 2012R2: Updates (May 10, 2022)

Windows May 2022 Updates Cause AD Authentication Failure (Server, Client)
CISA warns against installing May 2022 updates on Windows Domain Controllers
Microsoft has fixed the (PetitPotam) NTLM Relay Vulnerability (CVE-2022-26925) with Windows May 2022 Update
Windows 11: Update KB5013943 results in application error 0xc0000135
MS-Patchday wrap-up: Issues with April 2022 updates
Windows Server 2022: RDS bug (RDCB role broken) caused by KB5011497, not fixed in May 2022
Windows Update KB5012599: Microsoft plans fix for install error 0x8024200B and 0x800F0831
Active Directory Admins: May 2022 updates may force DCs to a boot loop (AltSecID attribute set on krbtgt)


3 Responses to Windows out-of-band updates (05/19/2022) fixes AD authentication error and Store installation error

  1. casladek says:

    I can also confirm that KB5015018 also breaks NPS Radius EAP-TLS device authentication.

  2. EP says:

    KB5015020 can only be installed under Win10 20H2, 21H1 & 21H2 (maybe 2004/20H1) and does not apply nor concern 1903/1909, guenni (it's a "mis-print" by MS to mention 1903)
