Microsoft warns that KB5013943 update is causing authentication failures in Windows 11, Windows Server and more

Following the release of this month's Patch Tuesday updates, Microsoft has issued a warning that installing the KB5013943 update can lead to authentication issues for various Windows services.

The update was released on May 10, and was meant to -- among other things -- fix an issue with screen flicker in Safe Mode. But in addition to causing error messages for some users, the KB5013943 update has also led to authentication failures Windows domain controllers.

See also:

• KB5013943 update for Windows 11 is causing 0xc0000135 errors
• Microsoft releases KB5013943 update to fix screen flicker and app problems in Windows 11
• You can now buy official Microsoft Windows 11 Home and Windows 11 Pro USB drives

In an advisory about the problem, Microsoft says: "After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller".

The company points out that the issue only affects the installation of May 10, 2022 updates on servers used as domain controllers. Anyone who installs the updates on client Windows devices and non-domain controller Windows Servers should not experience the same problem.

Microsoft shares the following list of affected platforms:

• Client: Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10, version 1909; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise 2015 LTSB; Windows 8.1; Windows 7 SP1
• Server: Windows Server 2022; Windows Server, version 20H2; Windows Server, version 1909; Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

Although Microsoft has not said when a fix will be available, the company says that it is "presently investigating and will provide an update in an upcoming release".

In the meantime, the company provides details of a workaround:

The preferred mitigation for this issue is to manually map certificates to a machine account in Active Directory. For instructions, please see Certificate Mapping. Note: The instructions are the same for mapping certificates to user or machine accounts in Active Directory. If the preferred mitigation will not work in your environment, please see KB5014754—Certificate-based authentication changes on Windows domain controllers for other possible mitigations in the SChannel registry key section. Note: Any other mitigation except the preferred mitigations might lower or disable security hardening.

Image credit: liorpt / depositphotos