Microsoft warns Direct Access on Windows 10 and 11 could be anything but
Buggy update will be pulled in next 24 hours
Microsoft continues to fix problems that pop up after users have installed the latest updates to Windows 10 and 11 – including one that causes problems with the Direct Access remote connectivity feature.
Direct Access allows remote workers to connect to resources on the corporate network without using traditional VPN connections. It's designed to ensure that remote clients are always connected without having to start and stop connections. IT administrators can also remotely manage client systems using Direct Access when they're running and connected to the internet.
However, some users who installed the KB5019509 update in Windows 10 or 11 were left unable to reconnect to Direct Access after temporarily losing connectivity with the network, or transitioning between Wi-Fi networks or access points, Microsoft wrote in its Windows Health Dashboard.
Microsoft is using the Known Issue Rollback (KIR) tool to address the problem, which might take up to 24 hours to find its way into non-managed business systems and any consumer devices using the system. Restarting the affected Windows device could speed up the timeframe.
For devices managed by the enterprise, IT administrators can install and configure a special group policy found by going to Computer Configuration > Administrative Templates > Group Policy name.
The bug affects clients running Windows 11 22H2 and 21H1, Windows 10 versions 22H2, 21H1, and 20H2, and Windows 10 Enterprise LTSC 2019. Also impacted are Windows Server 2022 and 2019.
Windows Servers with the Domain Controller role, which manage network and identity security requests, may develop issues with the Kerberos network authentication protocol after installing updates released November 8 or later.
Issues could include domain user sign-in failing, problems with Active Directory Federation Services authentication, Group Managed Service Accounts failing to authenticate, and remote desktop connections using domain users failing to connect. Accessing shared folders on workstations and file shares on servers is another reported problem, and it appears printer connections that require domain user authentication can also fail.
Windows systems with the bug will see a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 in the System section of Event Log on their Domain Controller.
That will come with a message that reads:
While processing an AS request for target service <service>, the account <account> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 3. The accounts available etypes : 23 18 17. Changing or resetting the password of <account> will generate a proper key.
Microsoft said it is working on a fix that will be ready in the next few weeks.
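An added example, not from the article or from Microsoft: a Python triage script that parses exported Event ID 14 message text in the format quoted above, shows the requested and available encryption types for each account, and counts hits per account. The account names, service names and sample messages are constructed; the etype names come from the IANA Kerberos encryption type registry.

```python
import re
from collections import Counter

# Kerberos encryption type numbers (IANA registry), limited to those in the quoted message.
ETYPES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# Matches the Event ID 14 message text quoted above.
EVENT14 = re.compile(
    r"While processing an AS request for target service (?P<service>[^,]+), "
    r"the account (?P<account>\S+) did not have a suitable key.*?"
    r"The requested etypes\s*:\s*(?P<requested>[\d ]+)\.\s*"
    r"The accounts available etypes\s*:\s*(?P<available>[\d ]+)\.", re.S)

def parse_event14(message):
    """Return the fields of one Event ID 14 message, or None if the text does not match."""
    m = EVENT14.search(message)
    if m is None:
        return None
    requested = [int(n) for n in m["requested"].split()]
    available = [int(n) for n in m["available"].split()]
    return {"service": m["service"].strip(), "account": m["account"],
            "requested": requested, "available": available,
            # etypes listed on both sides although the KDC logged "no suitable key"
            "common": sorted(set(requested) & set(available))}

def affected_accounts(messages):
    """Count Event ID 14 hits per account; unrelated messages are skipped."""
    return Counter(e["account"] for e in map(parse_event14, messages) if e)

def names(etypes):
    """Translate etype numbers to names, keeping unknown numbers visible."""
    return [ETYPES.get(n, f"etype-{n}") for n in etypes]

# Constructed sample input: hypothetical account and service names.
TEMPLATE = ("While processing an AS request for target service {svc}, the account {acct} "
            "did not have a suitable key for generating a Kerberos ticket (the missing "
            "key has an ID of 1). The requested etypes : {req}. The accounts available "
            "etypes : {avail}. Changing or resetting the password of {acct} will "
            "generate a proper key.")
SAMPLE = [TEMPLATE.format(svc="krbtgt", acct="svc-web", req="18 3", avail="23 18 17"),
          TEMPLATE.format(svc="krbtgt", acct="gmsa-sql$", req="18 17", avail="23"),
          TEMPLATE.format(svc="krbtgt", acct="svc-web", req="18 17", avail="23 18 17"),
          "The Kerberos Key Distribution Center service started."]  # unrelated entry

if __name__ == "__main__":
    for event in filter(None, map(parse_event14, SAMPLE)):
        print(event["account"], names(event["requested"]), "common:", names(event["common"]))
    print(affected_accounts(SAMPLE))
```

The "common" field separates accounts whose lists share an encryption type, as in the message quoted above where 18 appears on both sides, from accounts with no shared type at all.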
In addition, some systems running Windows 11 22H2 are seeing low performance in apps and games. According to Microsoft, the problem is that some of these apps and games are inadvertently enabling performance debugging features in GPUs, which are not usually meant to be accessible by users.
Microsoft is putting a compatibility hold on affected devices to ensure they don't install version 22H2, and is recommending that users who already have upgraded should update the apps and games to the latest version available while the company works on a fix. ®