
Can Windows updates lower your security?

Microsoft has started investigating the deployment of the latest Patch Tuesday updates, which, according to reports from Windows admins, leads to authentication failures on some Windows services.

Some Windows system administrators reported that certain group policies were not applying after installing the May 2022 Patch Tuesday updates. They were getting "Authentication failed due to a user credentials mismatch" messages.

Even though these updates are intended for Windows 11 and Windows Server 2022 systems, Microsoft confirmed that the problem is triggered only after the updates have been installed on domain controllers.

In a document posted on Microsoft Build (https://docs.microsoft.com/en-us/windows/release-health/status-windows-11-21h2#you-might-see-authentication-failures-on-the-server-or-client-for-services), Microsoft explained that the authentication failures might occur for several services, including Protected Extensible Authentication Protocol (PEAP), Extensible Authentication Protocol (EAP), RADIUS, Routing and Remote Access Service (RRAS), and Network Policy Server (NPS).

Furthermore, the company explained that these authentication issues are caused by security updates that address privilege escalation vulnerabilities in Windows Kerberos and Active Directory services. It's worth noting that the recently patched vulnerability in Microsoft's Active Directory Domain Services (CVE-2022-26923) has a high-severity CVSS score of 8.8. If this vulnerability remains unpatched on your systems, it can be exploited to elevate privileges to those of a domain admin account. The vulnerability in Windows Kerberos (CVE-2022-26931) also has a high-severity CVSS score of 7.5.

To mitigate the issues, Microsoft recommends manually mapping certificates to a machine account in Active Directory and checking the Kerberos Operational log to see which domain controller is failing to sign in.

Some system administrators reported that, to fix the authentication issues, admins can disable the StrongCertificateBindingEnforcement registry key by setting it to 0, which actually sets the Key Distribution Center (KDC) to compatibility mode.
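
As an added example (not from the original article or from Microsoft), the following PowerShell audits which domain controllers still carry the workaround value 0 for StrongCertificateBindingEnforcement, so the setting can be revisited once certificates are mapped. It assumes the ActiveDirectory module, PowerShell remoting to each DC, and the `HKLM:\SYSTEM\CurrentControlSet\Services\Kdc` key path from Microsoft's KB5014754 guidance, which the article does not state.

```powershell
# Added example: audit StrongCertificateBindingEnforcement on every domain controller.
# Assumptions: ActiveDirectory (RSAT) module, PowerShell remoting to the DCs, and the
# key path from Microsoft's KB5014754 guidance (the path is not given in the article).
Import-Module ActiveDirectory

$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'StrongCertificateBindingEnforcement'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $value  = $null
    $status = 'Unknown'
    try {
        # Read the DWORD remotely; nothing is returned when the value is absent.
        $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($Key, $Name)
            $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { [int]$item.$Name }
        } -ArgumentList $KdcKey, $ValueName

        if ($null -eq $value) {
            $status = 'NotSet (OS default applies)'
        } elseif ($value -eq 0) {
            $status = 'Workaround value 0 present'
        } else {
            $status = 'Set to a non-zero value'
        }
    }
    catch {
        # Keep unreachable DCs in the report instead of silently skipping them.
        $status = "Unreachable: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        Value            = $value
        Status           = $status
    }
}

$report | Sort-Object Status, DomainController | Format-Table -AutoSize

# DCs still carrying the workaround are the ones to revisit once certificates are mapped.
$stillSet = @($report | Where-Object { $_.Value -eq 0 })
if ($stillSet.Count -gt 0) {
    Write-Warning ("{0} DC(s) have {1}=0: {2}" -f $stillSet.Count, $ValueName,
        ($stillSet.DomainController -join ', '))
}
```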
