Microsoft warns that October 2022 security updates can cause problems joining domains in Windows 11 and older
Microsoft is warning users of every version of Windows from Windows 11 down to Windows 7 that this month's security updates -- in particular the KB5018427 update -- could lead to issues joining a domain. The company says that those affected by the problem will see 0xaac (2732) errors.
Despite flagging the matter in the known issues section of Windows release health, Microsoft says that the behavior is intentional. There is, sadly, no proper fix right now, just some advice and workarounds -- but this should change soon.
In a notification about the known issue, Microsoft says: "Domain join operations might intentionally fail with error '0xaac (2732): NERR_AccountReuseBlockedByPolicy' and text 'An account with the same name exists in Active Directory. Re-using the account was blocked by security policy'."
Pointing out that Home users of Windows are unlikely to experience this issue, the company goes on to explain:
This issue originates with the October 2022 security updates (KB5018427) which introduced some hardening changes enabled by default for domain join. Please see KB5020276 - Netjoin: Domain join hardening changes to understand the new designed behavior.
Affected scenarios include some domain join or re-imaging operations where a computer account was created or pre-staged by a different identity than the identity used to join or re-join the computer to the domain.
It is not just Windows 7 through 11 that are affected; Windows Server 2008 through 2022 is too.
There are various workarounds, but Microsoft is working on another solution that will release soon:
Please see KB5020276 to understand the designed behavior. We have added insights to this KB, and are evaluating whether optimizations can be made in a future Windows Update. This guidance will be updated once those changes have released.
In KB5020276, Microsoft suggests several workarounds, including:
- Perform the join operation using the same account that created the computer account in the target domain.
- If the existing account is stale (unused), delete it before attempting to join the domain again.
- Rename the computer and join using a different account that doesn’t already exist.
There is also a registry-based workaround, which Microsoft explains here.
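To turn those workarounds into something you can run before a join, here is an added example in PowerShell, written for this page and not code from the article or from Microsoft. It looks up the existing computer account, reports who created or owns it and whether it is stale, and recommends one of the three workarounds above. It assumes the RSAT ActiveDirectory module on a domain-joined admin host; the 90-day staleness window, the WS-0412 computer name and the contoso.example domain are placeholders. The opt-out function at the end reflects my reading of KB5020276 (a NetJoinLegacyAccountReuse DWORD under HKLM\SYSTEM\CurrentControlSet\Control\LSA on the client being joined); the article itself only says a registry workaround exists, so verify against the KB before using it.

```powershell
# Added example (not from the article or from Microsoft): triage a pre-staged
# computer account before a domain join under the KB5018427/KB5020276 hardening.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Test-ComputerAccountReuse {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$StaleDays = 90   # assumed cut-off for "unused"; tune to your environment
    )

    # sAMAccountName of a computer is the name plus a trailing '$' and is unique domain-wide.
    $ComputerName = $ComputerName.TrimEnd('$')
    $props = 'mS-DS-CreatorSID', 'nTSecurityDescriptor', 'LastLogonDate', 'PasswordLastSet', 'whenCreated'
    $acct = Get-ADComputer -LDAPFilter "(sAMAccountName=$ComputerName`$)" -Properties $props |
            Select-Object -First 1

    if (-not $acct) {
        return [pscustomobject]@{
            Name           = $ComputerName
            Exists         = $false
            Recommendation = 'No existing account: a normal join will not hit 0xaac (2732).'
        }
    }

    # The hardening compares the joining identity with the account that created or
    # owns the object. mS-DS-CreatorSID is only populated when a non-admin created the
    # object via ms-DS-MachineAccountQuota; otherwise the descriptor owner is what you have.
    $creator = $null
    if ($acct.'mS-DS-CreatorSID') {
        $sid = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$acct.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # unresolvable SID, e.g. the creating user was deleted
    }
    $owner = $acct.nTSecurityDescriptor.Owner
    $who   = @($creator, $owner | Where-Object { $_ }) -join ' / '

    # "Stale" = neither a logon nor a password change inside the window. LastLogonDate is the
    # replicated lastLogonTimestamp and can lag the real last logon by up to 14 days.
    $cutoff   = (Get-Date).AddDays(-$StaleDays)
    $lastSeen = @($acct.LastLogonDate, $acct.PasswordLastSet | Where-Object { $_ }) |
                Sort-Object | Select-Object -Last 1
    $stale    = (-not $lastSeen) -or ($lastSeen -lt $cutoff)

    $advice = if ($stale) {
        "Stale (last activity: $lastSeen). Delete it, then join: Remove-ADComputer -Identity '$($acct.DistinguishedName)'"
    } elseif ($who) {
        "Active. Join as the creating/owning account ($who): Add-Computer -DomainName contoso.example -Credential (Get-Credential)"
    } else {
        "Active, creator unknown. Join under a new name: Add-Computer -DomainName contoso.example -NewName <NewName> -Credential (Get-Credential)"
    }

    [pscustomobject]@{
        Name              = $acct.Name
        Exists            = $true
        DistinguishedName = $acct.DistinguishedName
        Created           = $acct.whenCreated
        Creator           = $creator
        Owner             = $owner
        LastLogonDate     = $acct.LastLogonDate
        PasswordLastSet   = $acct.PasswordLastSet
        Stale             = $stale
        Recommendation    = $advice
    }
}

function Enable-LegacyAccountReuse {
    # Opt-out as I read it in KB5020276 (assumed; the article only says a registry workaround
    # exists). Run on the CLIENT performing the join. It restores the pre-October-2022
    # behaviour, i.e. anyone who can join may take over a same-named account, so treat it as
    # temporary and remove the value once the account ownership is fixed.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
    if ($PSCmdlet.ShouldProcess($path, 'Set NetJoinLegacyAccountReuse = 1')) {
        New-ItemProperty -Path $path -Name 'NetJoinLegacyAccountReuse' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage on an admin workstation (WS-0412 is a placeholder name):
#   Test-ComputerAccountReuse -ComputerName 'WS-0412' | Format-List
#   Enable-LegacyAccountReuse -WhatIf
```

The report deliberately prints the suggested command instead of running it: deleting a computer object or joining under a different account is a change you want a human to confirm, and the owner shown for pre-staged objects tells you which identity (often an MDT or SCCM service account) you actually need to join with.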