Microsoft has deployed an out-of-band Windows 10 (opens in new tab) update designed to remedy a security flaw affecting all supported versions of the operating system.
The update consists of a handful of different fixes, all of which are geared towards addressing issues with authentication protocol Kerberos that could allow an attacker to bypass security protections (opens in new tab).
The fix was published for enterprise users running Windows 10 1809 earlier in the week, but has now arrived for versions 20H2, 2004, 1909, 1903 and 1607 as well.
- Here's our list of the best endpoint protection (opens in new tab) available
- Check out our list of the best antivirus (opens in new tab) services right now
- We've built a list of the best malware removal (opens in new tab) software on the market
Windows 10 update
According to a Microsoft support post (opens in new tab), the Kerberos authentication issue was caused by a bug in a patch (for CVE-2020-17049 (opens in new tab)) delivered this month as part of the company’s regular update schedule.
“After installing KB4586781 (opens in new tab) on domain controllers (DCs) and read-only domain controllers (RODCs) in your environment, you might encounter Kerberos authentication issues,” explained the firm.
“There are three registry setting values for PerformTicketSignature to control it, but in the current implementation you might encounter different issues with each setting.”
Setting the PerformTicketSignature value to 0 is said to cause authentication issues when using S4U scenarios (e.g. scheduled tasks/clustering), value 1 could bring about ticket renewal failures, while value 2 will cause problems in environments where not all DCs are updated.
Thankfully, these problems are exclusive to Windows Servers, Windows 10 devices and applications running in enterprise environments, so everyday users need not worry in this instance.
Administrators, however, must install the latest out-of-band update (KB4594440 (opens in new tab)) manually by searching for the package via the Microsoft Update Catalog; it is not available through the Windows Update service and will not be installed automatically.
- Here's our list of the best ransomware protection (opens in new tab) right now