[German]I'm posting a first warning about the October 2022 security updates for Windows here on the blog because a reader from the business environment pointed it out to me. The domain join hardening changes made with the updates to close the vulnerability (CVE-2022-38042) have powerful collateral damage. With this update, AD join of Windows clients may no longer be possible if certain conditions cannot be met – this affects all versions of Windows.
Netjoin: Domain Join Hardening Changes
Microsoft describes in a support article KB5020276—Netjoin: Domain join hardening changes some chances made to fix vulnerability CVE-2022-38042 with the October 11, 2022 cumulative update packages for all supported operating systems.
- Windows Server 2008 (ESU)
- Windows 7 (ESU)
- Windows Server 2008 R2 (ESU)
- Windows Embedded POSReady 7 (ESU)
- Windows Server 2012
- Windows Server 2012 R2
- Windows Embedded 8 Standard
- Windows Embedded 8.1
- Windows 8.1
- Windows RT 8.1
- Windows 10 Windows 10, version 1607
- Windows 10 Enterprise 2019 LTSC
- Windows 10 IoT Enterprise 2019 LTSC
- Windows 10 IoT Core 2019 LTSC
- Windows 10 Enterprise Multi-Session, version 20H2
- Windows 10 Enterprise und Education, version 20H2
- Windows 10 IoT Enterprise, version 20H2
- Windows 10 auf Surface Hub
- Windows 10, Version 21H1 – 21H2 (all editions)
- Windows 11 Version 21H2 – 22H2 (all editions)
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
Once the Windows cumulative updates dated October 11, 2022 or later are installed on a client computer, the client will perform additional security checks during domain joining before attempting to reuse an existing computer account. These changes are enabled by default and are "secure," according to Microsoft. The support article states:
During domain joining and computer account provisioning, the client computer queries Active Directory for an existing account with the same name. If such an account exists, the client automatically attempts to reuse it.
The reuse attempt fails, according to Microsoft, if the user trying to join the domain does not have the appropriate write permissions. However, if the user has sufficient permissions, the domain join should succeed. In the support article, Microsoft describes scenarios why domain join fails.
Domain join always fails
German blog reader Martin E. wrote me a few minutes ago that the October 2022 updates for Windows are causing disaster in his environment. After he integrated the update KB5018418 for his Windows 11 21H2 clients (it is similar for Windows 10, see screenshot below) into the image and the clients could not join the AD to the domain anymore.
This probably affects all Windows versions. Martin points to support article KB5020276—Netjoin: Domain join hardening changes (microsoft.com) as the cause. He now faces the problem that the exceptions described in the above support post cannot possibly be guaranteed on a large fleet of machines. The user who created the machines must also be the join account or a domain admin created the machine account.
An adhoc approach would be to create an image with old September 2022 patch, and install the October 2022 update only after the domain join.
Leaving an AD domain and rejoining would then no longer be possible with the October 2022 patch. Currently, this October 2022 update is not yet in any Windows installation image – even Windows 11 22H2 does not have the October 2022 update integrated in the installation image yet (it is still at the September 2022 patch level).
How do you solve this problem? Or does this not apply to you in the corporate environment?
Possible workaround
Martin wrote in a follow-up that there might be a backdoor and sent me the following screenshot with a trace log and a short explanation:
There is a new registry entry NetJoinLegacyAccountReuse, and the log provides an indication that Active Directory join has been blocked on the account by security policy. Martin writes:
I think status: 2 = net helpmsg 2 = "The system cannot find the specified file".
So that it can't find the key.
Currently, search engines like Google can't find anything about the NetJoinLegacyAccountReuse, which is brand new. The entryNetJoinLegacyAccountReuse is a DWORD value within the registry key:
HKLM\System\CurrentControlSet\Control\Lsa
If this DWORD value NetJoinLegacyAccountReuse is set to 0x1, a domain join with the old user accounts should work again. Without the DWORD entry, the domain join attempt with the October 2022 update installed returns the following error:
An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.
The command failed to complet successfully.
Once the NetJoinLegacyAccountReuse DWORD value is set to 1, the client reports:
The computer needs to be restartet in order to complet the operation.
The command completed successfully.
This is confirmed in the log, because the query for IsNetJoinLegacyAccountReuseSetInRegistry now returns Tr
Thanks to Martin for these hints. A support post or an addendum to KB5020276 is not yet available – feel free to leave a comment if you come across anything else on the subject.
Similar articles:
Microsoft Office Updates (Oktober 4, 2022)
Microsoft Security Update Summary (October 11, 2022)
Patchday: Windows 10-Updates (October 11, 2022)
Windows 10: Beware of a possible TLS disaster on October 2022 patchday
Thank you so much, guenni. Your post was a great help to me.
Is that registry key set on the client or the domain controllers?
Client only.
Thank you so much. you're a life saver!!
Thanks a lot for this hint.
I was striving since begining of the week to join a PC to our domain…
Thanks a lot for sharing! Big help. :)
Thanks for this, my troubleshooting made it as far as seeing NetJoinLegacyAccountReuse in the log as not being set. How did you figure out where the value was supposed to be in the registry?
I will add that this image was based on the W10 21H2 October 2022 ISO (Business Editions) from the Visual Studio MSDN download site. The update was not approved yet in WSUS, so it must have come from the ISO…
I opened an support case at Microsoft because this change breaks several delegation concepts. As a result setting the registry key is a temporary workaround https://support.microsoft.com/en-us/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8, but, Citation Microsoft: This can removed in the future (and can replaced by another method). The support engineer says there are other customers that have openend a similar request and Microsoft is currently evaluating the impact of the change.
So if you have to ability: Open a http://serviceshub.microsoft.com support case (company account). The more cases the more importend for Microsoft to work an this issue.
Michael
Michael: Thanks for the feedback – could you keep us updated about the case? I don't have all issues on my radar.
I do the procedure, but I haven't found this on the device:
NetJoinLegacyAccountReuse
Hope you can help us on this matter.
Thanks this is still working on the old WS2012r2 ( 2023)