Microsoft is rolling out patches for different Windows 10 versions today, one of which we have already covered here – KB4594440. All the updates uniformly address issues with Kerberos authentication related to the PerformTicketSignature registry subkey value in CVE-2020-17049.
KB4594443 is released for Windows 10 1909 and 1903. This non-security update increases the version to 18363.1199 and 18362.1199 respectively. Have a look at – Windows 10 Cumulative Updates List.
KB4594443 for Windows 10 1909 and 1903 18362.1199
Here is the changelog –
Windows 10, version 1909
This non-security update includes quality improvements. Key changes include:
- This build contains all the improvements from Windows 10 v1903.
Windows 10, version 1903
- This non-security patch addresses a problem with Kerberos authentication pertaining to the PerformTicketSignature registry subkey value in the vulnerability CVE-2020-17049 on Windows 10 v1909. This was a part of the Nov 10, 2020 update. The following problems might happen on writable and read-only domain controllers (DC) –
  - Kerberos service tickets and ticket-granting tickets (TGT) might not renew for non-Windows Kerberos clients when PerformTicketSignature is set to 1 (the default).
  - Service for User (S4U) scenarios, such as scheduled tasks, clustering, and services for line-of-business applications, might fail for all clients when PerformTicketSignature is set to 0.
  - S4UProxy delegation fails during ticket referral in cross-domain scenarios if DCs in intermediate domains are inconsistently updated and PerformTicketSignature is set to 1.
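The three conditions above can be checked against a domain controller inventory before and after rollout. The following is an added example, not code from Microsoft or from this article. The record fields, host names and the older build revisions are constructed, and it assumes that any DC below revision 1199 carries the Nov 10, 2020 update and that mixed patch levels within a single domain stand in for the "inconsistently updated" condition.

```python
# Added example (not from the article): triage a DC inventory against the
# three Kerberos issues in the changelog. All host records are constructed.
FIXED_UBR = {18362: 1199, 18363: 1199}  # build revisions KB4594443 installs

def has_fix(build):
    """True if a 'build.revision' string is at or above the KB4594443 level."""
    major, ubr = (int(part) for part in build.split("."))
    if major not in FIXED_UBR:
        raise ValueError(f"{build}: not a 1903/1909 build, check its own KB")
    return ubr >= FIXED_UBR[major]

def triage(dcs):
    """Return sorted (host_or_domain, finding) pairs that need follow-up.

    pts is the collected PerformTicketSignature value; None means the value
    is not set, so the default of 1 applies.
    """
    findings, per_domain = [], {}
    for dc in dcs:
        fixed = has_fix(dc["build"])
        pts = 1 if dc["pts"] is None else dc["pts"]
        state = per_domain.setdefault(dc["domain"], {"fixed": set(), "pts1": False})
        state["fixed"].add(fixed)
        state["pts1"] = state["pts1"] or pts == 1
        if fixed:
            continue
        if pts == 1:
            findings.append((dc["name"], "no fix, value 1: renewal may fail for non-Windows clients"))
        elif pts == 0:
            findings.append((dc["name"], "no fix, value 0: S4U scenarios may fail for all clients"))
    # Mixed patch levels plus value 1 is the S4UProxy referral failure condition.
    for domain, state in per_domain.items():
        if state["fixed"] == {True, False} and state["pts1"]:
            findings.append((domain, "DCs inconsistently updated: S4UProxy referral may fail"))
    return sorted(findings)

SAMPLE = [  # constructed inventory
    {"name": "dc01", "domain": "corp.example", "build": "18363.1199", "pts": None},
    {"name": "dc02", "domain": "corp.example", "build": "18363.1082", "pts": None},
    {"name": "dc03", "domain": "emea.example", "build": "18362.1139", "pts": 0},
    {"name": "dc04", "domain": "apac.example", "build": "18362.1199", "pts": 1},
]

if __name__ == "__main__":
    for target, finding in triage(SAMPLE):
        print(f"{target}: {finding}")
```
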
Known issues in this update
Symptom
After updating to Windows 10 v1809 or later, system and user certificates might go missing. This problem impacts devices that have obtained a Sept 16, 2020 or later patch and then try to update to a later version through an installation source or media that does not have the cumulative patch rolled out on Oct 13, 2020 or later integrated. This essentially happens when managed devices are updated using outdated bundles or media through an update management tool, for example, Microsoft Endpoint Configuration Manager or WSUS. It might also happen when using outdated physical media or ISO images that do not have the latest updates integrated.
Important – The problem will not impact the devices that use Windows Update for Business.
Workaround
Roll back to the previous version following the instructions here. The uninstall window might be 10 or 30 days based on the settings of the environment and the edition you’re updating to. You will then need to update to the later version after the issue is resolved in your environment.
Important – You can change the number of days through the DISM command /Set-OSUninstallWindow.
The redmondians are working on a resolution and will come with updated bundles and refreshed media in the coming weeks.
How to download KB4594443 and install
Before starting, make sure to have KB4586863, the latest SSU, installed on your PC. Now follow these steps –
1. Using automatic Windows update
2. Via Microsoft update catalog manually