Following yesterday's Windows 10 update for version 1809, the Windows maker has today released more out-of-band updates to fix the Kerberos problem. KB4594443 (OS Builds 18362.1199 and 18363.1199) is available for Windows 10 versions 1903 and 1909, and KB4594440 (Builds 19041.631 and 19042.631) is out for this year's versions 2004 and 20H2.
Today's Windows 10 update brings the same fix that was delivered to version 1809 last night.
- Addresses issues with Kerberos authentication related to the PerformTicketSignature registry subkey value in CVE-2020-17049, which was a part of the November 10, 2020 Windows update. The following issues might occur on writable and read-only domain controllers (DC):
  - Kerberos service tickets and ticket-granting tickets (TGT) might not renew for non-Windows Kerberos clients when PerformTicketSignature is set to 1 (the default).
  - Service for User (S4U) scenarios, such as scheduled tasks, clustering, and services for line-of-business applications, might fail for all clients when PerformTicketSignature is set to 0.
  - S4UProxy delegation fails during ticket referral in cross-domain scenarios if DCs in intermediate domains are inconsistently updated and PerformTicketSignature is set to 1.
These out-of-band updates are only available via the Microsoft Update Catalog. For manual installation, download KB4594440 (for May 2020 Update and November 2020 Update) or KB4594443 (for versions 1903 and 1909) from the catalog.
As reported earlier, this issue only affects Windows Servers and devices/apps in enterprise environments. Microsoft recommends installing these updates only if you are affected by this issue.
An out-of-band optional update is now available on the Microsoft Update Catalog to address a known issue affecting Kerberos authentication. As part of this issue, ticket renewal and other tasks, such as scheduled tasks and clustering, might fail. This issue only affects Windows Servers, and Windows 10 devices and applications in enterprise environments.
We recommend you only install this optional update on Domain Controllers if you are affected by this issue.