Out-of-band Windows 10 Updates fix Kerberos vulnerability

Microsoft has released a set of out-of-band cumulative updates for supported Windows versions. All the patches fix a vulnerability in the Kerberos protocol. Earlier, the same fix was released to Windows 10 version 1809.

Today's fixes are out for Windows 10 version 20H2, 2004, 1909, 1903, and 1607.

They share the following change log:

Addresses issues with Kerberos authentication related to the PerformTicketSignature registry subkey value in CVE-2020-17049, which was a part of the November 10, 2020 Windows update. The following issues might occur on writable and read-only domain controllers (DC):

  • Kerberos service tickets and ticket-granting tickets (TGT) might not renew for non-Windows Kerberos clients when PerformTicketSignature is set to 1 (the default).
  • Service for User (S4U) scenarios, such as scheduled tasks, clustering, and services for line-of-business applications, might fail for all clients when PerformTicketSignature is set to 0.
  • S4UProxy delegation fails during ticket referral in cross-domain scenarios if DCs in intermediate domains are inconsistently updated and PerformTicketSignature is set to 1.

Here's the list of updates

  • KB4594440  for Windows 10 version 20H2 and version 2004, builds19042.631 and 19041.531.
  • KB4594443 for Windows 1909 and version 1903, builds 18363.1199 and 16362.1199.
  • KB4594441 for Windows 10 version 1607, build 14393.4048.

Microsoft doesn't make the above packages available via Windows Update. In case you need them, you have to visit the Windows Update Catalog website and download and install them manually.

Support us

Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:

If you like this article, please share it using the buttons below. It won't take a lot from you, but it will help us grow. Thanks for your support!


Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.

Leave a Reply

Your email address will not be published.

Using Telegram? Subscribe to the blog channel!
Hello. Add your message here.