We couldn’t sign you in
Select the account you want to use.

Release Date:

11/17/2022

Version:

Out-of-band update

Summary

This update includes improvements for the following issue:

  • Addresses a known issue that affects Windows Servers that have the Domain Controller (DC) role. They might have Kerberos authentication issues if both of the following are true:

    • You installed a Windows update on or after November 8, 2022 on the DC.

    • You configured the SupportedEncrytionType key to remove the RC4 cipher at a domain level or on individual account.

    You might receive Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 errors. These appear in the System section of the Event Log on your DC. The affected events include the text, "the missing key has an ID of 1".

    Note This issue is not an expected part of the security hardening for Netlogon and Kerberos starting with November 2022 security update. You must still follow the guidance in the listed articles.

Known issues in this update

We are currently not aware of any issues that affect this update.

How to get this update

Before installing this update

Windows Server 2008 Service Pack 2 (SP2) has reached the end of mainstream support and is now in extended support. Customers who have purchased the Extended Security Update (ESU) for on-premises versions of this OS must follow the procedures in KB4522133 to continue receiving security updates after extended support ended on January 14, 2020. For more information about ESU and which editions are supported, see KB4497181

Because ESU is available as a separate SKU for each of the years in which they are offered (2020, 2021, and 2022)—and because ESU can only be purchased in specific 12-month periods—you must purchase the third year of ESU coverage separately and activate a new key on each applicable device for your devices to continue receiving security updates in 2022.

If your organization did not purchase the third year of ESU coverage, you must purchase Year 1, Year 2, and Year 3 ESU for your applicable Windows Server 2008 SP2 devices before you install and activate the Year 3 MAK keys to receive updates. The steps to install, activate, and deploy ESUs are the same for first, second, and third year coverage. For more information, see Obtaining Extended Security Updates for eligible Windows devices for the Volume Licensing process and Purchasing Windows 7 ESUs as a Cloud Solution Provider for the CSP process. For embedded devices, contact your original equipment manufacturer (OEM).

For more information, see the ESU blog.

For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following article

To view other notes and messages for Windows Server 2008 SP2, see the following update history home page.

Get this update

Release Channel

Available

Next Step

Windows Update and Microsoft Update

No

See the other options below.

Microsoft Update Catalog

Yes

To get the standalone package for this update, go to the Microsoft Update Catalog website.

Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager

No

You can manually import these updates into Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager. For WSUS instructions, see WSUS and the Catalog Site. For Configuration Manger instructions, see Import updates from the Microsoft Update Catalog.

File information

For a list of the files that are provided in this update, download the file information for update KB5021657.

References

Learn about the standard terminology that is used to describe Microsoft software updates.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!

×