Earlier this week, Microsoft released a new cumulative update for Windows 10 version 1809 with a security fix. Today, it"s releasing similar updates for other supported versions of the operating systems, including 20H2, 2004, 1909, 1903, and 1607. They all fix the same Kerberos issue.
Here"s the list of fixes from the updates:
- Addresses issues with Kerberos authentication related to the PerformTicketSignature registry subkey value in CVE-2020-17049, which was a part of the November 10, 2020 Windows update. The following issues might occur on writable and read-only domain controllers (DC):
- Kerberos service tickets and ticket-granting tickets (TGT) might not renew for non-Windows Kerberos clients when PerformTicketSignature is set to 1 (the default).
- Service for User (S4U) scenarios, such as scheduled tasks, clustering, and services for line-of-business applications, might fail for all clients when PerformTicketSignature is set to 0.
- S4UProxy delegation fails during ticket referral in cross-domain scenarios if DCs in intermediate domains are inconsistently updated and PerformTicketSignature is set to 1.
None of these updates are available via Windows Update in any way. That means that if you want them, you"ll have to download them from the Update Catalog and install them manually. You can use the table below for links:
| Version | KB | Build | Download | Support |
|---|---|---|---|---|
| 20H2 / 2004 | 19042.631 / 19041.531 | Update Catalog | All | |
| 1909 / 1903 | 18363.1199 / 16362.1199 | Update Catalog | ||
| 1607 | 14393.4048 | Update Catalog | Long-Term Servicing Branch |
All of these have at least one known issue, so you might want to check the specific KB articles before going ahead and installing them. If you don"t install the update, you"ll have to wait for next month"s Patch Tuesday for the fix.