Following Microsoft’s November 2021 Patch Tuesday, several issues associated with the installation of these updates have been reported. We recommend following Microsoft’s guidance to determine if you require additional measures prior to installing this month’s security updates.
Details
Kerberos Authentication Failures on Domain Controllers
On 14 November 2021, Microsoft issued emergency updates to address Kerberos authentication failures that occur after installing the 9 November 2021 security updates on Domain Controllers (DC) running certain versions of Windows Server.
These issues are related to Kerberos tickets acquired via Service-for-User-to-Self (S4U2self). Authentication fails when delegation scenarios rely on “the front-end service to retrieve a Kerberos ticket on behalf of a user to access a backend service”.
The affected versions are: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2 where the server is being used as a DC (there is no impact on those running only Active Directory).
These emergency updates are not available through Windows Update and must be downloaded as a standalone package available via Microsoft Update Catalog.
Microsoft recommends you install the latest Servicing Stack Update (SSU) for your operating system before installing the latest Cumulative Update (CU).
Users must have at least the 10 August 2021 SSU (KB5005112) before installing the CU.
Compatibility Issues with Intel SST Drivers and Windows 11
On 15 November 2021, Microsoft reported incompatibility issues for Windows 11 and certain versions of Intel Smart Sound Technology (Intel SST) drivers. Devices with Intel SST versions 10.29.0.5152 and earlier or 10.30.0.5152 and earlier may receive a Blue Screen error when installing Windows 11.
Microsoft applied a compatibility hold that prevents devices with the affected Intel SST drivers from being offered Windows 11.
The company recommends checking with your device manufacturer (OEM) for an updated driver and installing it, if available. The updated versions of the Intel SST drivers are 10.30.00.5714 and later or 10.29.00.5714 and later. If the driver update is not offered by the OEM, it can be installed manually from the Intel website.
To determine if you are using the affected Intel SST driver, use Device Manager > System Devices to look for filename IntcAudioBus.sys with file versions 10.29.0.5152 and earlier or 10.30.0.5152 and earlier.
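The same check can be scripted for use across many devices. The PowerShell below is an added example, not Microsoft's or Intel's tooling: it reads the file version of IntcAudioBus.sys and classifies it against the version ranges quoted in this advisory. The driver path under System32\drivers and the function name Get-SstDriverStatus are assumptions made for illustration.

```powershell
# Added example: classify the Intel SST bus driver against the advisory's version ranges.
function Get-SstDriverStatus {
    param([Parameter(Mandatory)][version]$FileVersion)

    # The advisory lists only the 10.29.x and 10.30.x driver branches.
    if ($FileVersion.Major -ne 10 -or $FileVersion.Minor -notin 29, 30) {
        return 'NotListed'
    }

    # Thresholds from the advisory, applied per branch.
    $affectedMax = [version]::new(10, $FileVersion.Minor, 0, 5152)
    $updatedMin  = [version]::new(10, $FileVersion.Minor, 0, 5714)

    if ($FileVersion -le $affectedMax) { return 'Affected' }
    if ($FileVersion -ge $updatedMin)  { return 'Updated' }

    # Between the two thresholds: the advisory does not say, so flag for manual review.
    return 'Unclassified'
}

# Assumed location of the driver file on a default Windows installation.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\IntcAudioBus.sys'

if (Test-Path -LiteralPath $driverPath) {
    $info = (Get-Item -LiteralPath $driverPath).VersionInfo
    # Build the version from numeric parts; the FileVersion string can carry extra text.
    $version = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                              $info.FileBuildPart, $info.FilePrivatePart)
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        FileVersion = $version
        Status      = Get-SstDriverStatus -FileVersion $version
    }
} else {
    Write-Output "IntcAudioBus.sys not found at $driverPath"
}

# Constructed sample versions showing each classification without the driver present.
'10.29.0.5152', '10.30.0.4000', '10.30.00.5714', '10.29.0.5300', '10.25.0.1' |
    ForEach-Object {
        [pscustomobject]@{ Sample = $_; Status = Get-SstDriverStatus -FileVersion $_ }
    }
```

A result of Unclassified or NotListed means the version falls outside the ranges this advisory states and should be checked against the OEM's or Intel's guidance.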
Microsoft Installer Issue
On 18 November 2021, Microsoft reported that installing KB5007215 or later updates could cause failures with Microsoft Installer (MSI) repairing or updating some apps.
The company suggested uninstalling an affected app and installing the latest version of that same app in order to mitigate this issue. A complete resolution for the issue is expected to come in a future update.
This issue is reported for the following platforms:
- Client: Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10, version 2004; Windows 10, version 1909; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise 2015 LTSB; Windows 8.1; Windows 7 SP1.
- Server: Windows Server 2022; Windows Server, version 20H2; Windows Server, version 2004; Windows Server, version 1909; Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2.
Recommendations
- We recommend reviewing the guidance in the References section below to determine if you are running one of the affected systems prior to installing November 2021 Microsoft security updates.
References