You cannot access DPAPI data after an administrator resets your password on a Windows Server 2012-based domain controller

Symptoms

Assume that a domain controller is upgraded from an earlier version of Windows Server to Windows Server 2012. After an administrator resets a user's password in the domain, the user cannot access Windows Data Protection API (DPAPI) protected data. For example, the user cannot access the certificate private key.

Note This issue may occur when users change their password by themselves.

Cause

This issue occurs because of an incompatibility in the authentication mechanism that is used by domain controllers. If DPAPI keys are backed up on domain controllers that are running on pre-Windows Server 2003-based servers, and the same keys are retrieved from domain controllers after an upgrade to Windows Server 2012, key retrieval fails after an administrator changes a user's password.

Resolution

Important Do not install a language pack after you install this hotfix. If you do install a language pack, the language-specific changes in the hotfix will not be applied, and you will have to reinstall the hotfix. For more information, see Add language packs to Windows.

To resolve this issue, apply the hotfix that is described in this article on the Windows Server 2012-based domain controller. Even though this issue was observed only on Windows Server 2012, the hotfix also applies to Windows 8 and Windows RT.

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, go to the following Microsoft website:

http://support.microsoft.com/contactus/?ws=supportNote The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

There is no to apply this hotfix.

Registry information

To use the hotfix in this package, you do not have to make any changes to the registry.

Restart requirement

You may have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.

Windows 8 and Windows Server 2012 file information and notes

Important Windows 8 hotfixes and Windows Server 2012 hotfixes are included in the same packages. However, hotfixes on the Hotfix Request page are listed under both operating systems. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows 8/Windows Server 2012" on the page. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.

  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

    Version

    Product

    Milestone

    Service branch

    6.2.920 0.17 xxx

    Windows RT, Windows 8, and Windows Server 2012

    RTM

    GDR

    6.2.920 0.21xxx

    Windows RT, Windows 8, and Windows Server 2012

    RTM

    LDR

  • GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.

  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are not listed.

For all supported x86-based versions of Windows 8

File name

File version

File size

Date

Time

Platform

Dpapisrv.dll

6.2.9200.17343

141,312

13-Apr-2015

22:31

x86

Dpapisrv.dll

6.2.9200.21456

140,288

13-Apr-2015

22:31

x86

Ksecdd.sys

6.2.9200.17343

80,728

13-Apr-2015

22:40

x86

Lsass.exe

6.2.9200.16864

23,552

11-Mar-2014

00:42

x86

Sspicli.dll

6.2.9200.16864

131,584

11-Mar-2014

00:41

x86

Sspisrv.dll

6.2.9200.16864

16,384

11-Mar-2014

00:41

x86

Ksecdd.sys

6.2.9200.21456

80,728

13-Apr-2015

22:54

x86

Lsass.exe

6.2.9200.20521

23,040

20-Sep-2012

05:56

x86

Sspicli.dll

6.2.9200.20984

130,048

11-Mar-2014

02:24

x86

Sspisrv.dll

6.2.9200.20521

16,384

20-Sep-2012

05:55

x86

Cng.sys

6.2.9200.17343

492,256

13-Apr-2015

22:09

x86

Ksecpkg.sys

6.2.9200.17150

156,480

11-Oct-2014

06:18

x86

Lsasrv.dll

6.2.9200.17231

1,026,560

15-Jan-2015

10:00

x86

Cng.sys

6.2.9200.21456

492,768

13-Apr-2015

22:09

x86

Ksecpkg.sys

6.2.9200.21269

156,480

11-Oct-2014

05:58

x86

Lsasrv.dll

6.2.9200.21345

1,033,728

15-Jan-2015

21:22

x86

Adtschema.dll

6.2.9200.17231

717,824

15-Jan-2015

09:09

x86

Msaudite.dll

6.2.9200.17150

146,944

11-Oct-2014

05:05

x86

Msobjs.dll

6.2.9200.16384

61,952

26-Jul-2012

02:47

x86

Adtschema.dll

6.2.9200.21345

719,360

12-Jan-2015

03:31

x86

Msaudite.dll

6.2.9200.21269

146,944

11-Oct-2014

04:35

x86

Msobjs.dll

6.2.9200.16384

61,952

26-Jul-2012

02:47

x86

Credssp.dll

6.2.9200.16891

17,408

12-Apr-2014

07:22

x86

Tspkg.dll

6.2.9200.16891

76,800

12-Apr-2014

07:23

x86

Tspkg.mof

Not applicable

964

02-Jun-2012

14:33

Not applicable

Credssp.dll

6.2.9200.21012

17,408

12-Apr-2014

07:31

x86

Tspkg.dll

6.2.9200.21012

76,800

12-Apr-2014

07:32

x86

Tspkg.mof

Not applicable

964

02-Jun-2012

14:33

Not applicable

Wdigest.dll

6.2.9200.16891

178,688

12-Apr-2014

07:23

x86

Wdigest.dll

6.2.9200.21012

176,640

12-Apr-2014

07:32

x86

Kerberos.dll

6.2.9200.17172

666,624

08-Nov-2014

06:56

x86

Kerberos.dll

6.2.9200.21289

663,552

10-Nov-2014

23:30

x86

Msv1_0.dll

6.2.9200.16891

273,920

12-Apr-2014

07:23

x86

Msv1_0.dll

6.2.9200.21012

273,920

12-Apr-2014

07:31

x86

Shcore.dll

6.2.9200.17293

452,608

06-Mar-2015

05:48

x86

Shcore.dll

6.2.9200.21410

460,800

06-Mar-2015

05:21

x86

Lsm.dll

6.2.9200.16891

350,720

12-Apr-2014

07:23

x86

Workerdd.dll

6.2.9200.16384

12,288

26-Jul-2012

02:38

x86

Lsm.dll

6.2.9200.21012

350,720

12-Apr-2014

07:31

x86

Workerdd.dll

6.2.9200.16384

12,288

26-Jul-2012

02:38

x86

Usercpl.dll

6.2.9200.17231

961,536

15-Jan-2015

10:00

x86

Usercpl.ptxml

Not applicable

789

11-Oct-2012

00:41

Not applicable

Usercpl.dll

6.2.9200.21345

961,536

15-Jan-2015

21:23

x86

Usercpl.ptxml

Not applicable

789

11-Oct-2012

00:42

Not applicable

Winlogon.exe

6.2.9200.16891

429,056

12-Apr-2014

07:24

x86

Winlogon.exe

6.2.9200.21012

429,056

12-Apr-2014

07:33

x86

For all supported x64-based versions of Windows 8 and of Windows Server 2012

File name

File version

File size

Date

Time

Platform

Dpapisrv.dll

6.2.9200.17343

180,224

13-Apr-2015

22:30

x64

Dpapisrv.dll

6.2.9200.21442

177,664

13-Apr-2015

22:28

x64

Ksecdd.sys

6.2.9200.17343

100,184

14-Apr-2015

01:04

x64

Lsass.exe

6.2.9200.16864

35,840

11-Mar-2014

00:39

x64

Sspicli.dll

6.2.9200.16864

164,864

11-Mar-2014

00:38

x64

Sspisrv.dll

6.2.9200.16864

27,648

11-Mar-2014

00:38

x64

Ksecdd.sys

6.2.9200.21456

100,184

14-Apr-2015

00:45

x64

Lsass.exe

6.2.9200.20521

35,840

20-Sep-2012

06:33

x64

Sspicli.dll

6.2.9200.20984

164,352

11-Mar-2014

05:12

x64

Sspisrv.dll

6.2.9200.20521

27,648

20-Sep-2012

06:32

x64

Cng.sys

6.2.9200.17343

570,248

13-Apr-2015

22:09

x64

Ksecpkg.sys

6.2.9200.17150

171,840

11-Oct-2014

08:35

x64

Lsasrv.dll

6.2.9200.17231

1,282,560

15-Jan-2015

11:43

x64

Cng.sys

6.2.9200.21456

564,552

13-Apr-2015

22:09

x64

Ksecpkg.sys

6.2.9200.21269

171,840

11-Oct-2014

07:50

x64

Lsasrv.dll

6.2.9200.21345

1,280,512

15-Jan-2015

05:26

x64

Adtschema.dll

6.2.9200.17231

717,824

15-Jan-2015

09:38

x64

Msaudite.dll

6.2.9200.17150

146,944

11-Oct-2014

05:41

x64

Msobjs.dll

6.2.9200.16384

61,952

26-Jul-2012

02:36

x64

Adtschema.dll

6.2.9200.21289

719,360

10-Nov-2014

04:43

x64

Msaudite.dll

6.2.9200.21269

146,944

11-Oct-2014

05:38

x64

Msobjs.dll

6.2.9200.16384

61,952

26-Jul-2012

02:36

x64

Ocspsvcctrs.ini

Not applicable

2,960

26-Jul-2012

05:07

Not applicable

Ocspsvcctrs.ini

Not applicable

3,134

26-Jul-2012

08:00

Not applicable

Ocspsvcctrs.ini

Not applicable

2,918

26-Jul-2012

04:43

Not applicable

Ocspsvcctrs.ini

Not applicable

3,210

26-Jul-2012

07:59

Not applicable

Ocspsvcctrs.ini

Not applicable

3,098

26-Jul-2012

08:00

Not applicable

Ocspsvcctrs.ini

Not applicable

3,028

26-Jul-2012

07:59

Not applicable

Ocspsvcctrs.ini

Not applicable

3,140

26-Jul-2012

05:21

Not applicable

Ocspsvcctrs.ini

Not applicable

2,642

26-Jul-2012

08:11

Not applicable

Ocspsvcctrs.ini

Not applicable

2,576

26-Jul-2012

05:20

Not applicable

Ocspsvcctrs.ini

Not applicable

3,026

26-Jul-2012

07:36

Not applicable

Ocspsvcctrs.ini

Not applicable

3,028

26-Jul-2012

07:48

Not applicable

Ocspsvcctrs.ini

Not applicable

3,188

26-Jul-2012

05:30

Not applicable

Ocspsvcctrs.ini

Not applicable

3,126

26-Jul-2012

05:08

Not applicable

Ocspsvcctrs.ini

Not applicable

3,064

26-Jul-2012

07:49

Not applicable

Ocspsvcctrs.ini

Not applicable

3,092

26-Jul-2012

07:52

Not applicable

Ocspsvcctrs.ini

Not applicable

2,828

26-Jul-2012

05:12

Not applicable

Ocspsvcctrs.ini

Not applicable

2,464

26-Jul-2012

08:05

Not applicable

Ocspsvcctrs.ini

Not applicable

2,480

26-Jul-2012

05:13

Not applicable

Ocspsvcctrs.ini

Not applicable

2,460

26-Jul-2012

08:11

Not applicable

Ocspsvc.exe

6.2.9200.21345

272,384

15-Jan-2015

05:27

x64

Ocspsvcctrs.h

Not applicable

1,569

02-Jun-2012

14:34

Not applicable

Ocspsvcctrs.ini

Not applicable

2,918

02-Jun-2012

14:34

Not applicable

Credssp.dll

6.2.9200.16891

20,480

12-Apr-2014

09:07

x64

Tspkg.dll

6.2.9200.16891

94,720

12-Apr-2014

09:09

x64

Tspkg.mof

Not applicable

964

02-Jun-2012

14:33

Not applicable

Credssp.dll

6.2.9200.21012

20,480

12-Apr-2014

07:49

x64

Tspkg.dll

6.2.9200.21012

94,720

12-Apr-2014

07:51

x64

Tspkg.mof

Not applicable

964

02-Jun-2012

14:33

Not applicable

Wdigest.dll

6.2.9200.16891

208,896

12-Apr-2014

09:09

x64

Wdigest.dll

6.2.9200.21012

208,896

12-Apr-2014

07:51

x64

Kerberos.dll

6.2.9200.17172

827,904

08-Nov-2014

11:21

x64

Kerberos.dll

6.2.9200.21289

827,392

10-Nov-2014

23:27

x64

Msv1_0.dll

6.2.9200.16891

318,464

12-Apr-2014

09:08

x64

Msv1_0.dll

6.2.9200.21012

317,440

12-Apr-2014

07:50

x64

Shcore.dll

6.2.9200.17293

588,800

06-Mar-2015

07:39

x64

Shcore.dll

6.2.9200.21410

591,360

07-Mar-2015

04:13

x64

Lsm.dll

6.2.9200.16931

439,808

29-May-2014

23:02

x64

Workerdd.dll

6.2.9200.16891

14,848

12-Apr-2014

06:58

x64

Lsm.dll

6.2.9200.21012

439,808

12-Apr-2014

07:49

x64

Workerdd.dll

6.2.9200.21012

14,848

12-Apr-2014

06:58

x64

Usercpl.dll

6.2.9200.17231

1,043,968

15-Jan-2015

11:44

x64

Usercpl.ptxml

Not applicable

789

11-Oct-2012

00:40

Not applicable

Usercpl.dll

6.2.9200.21345

1,043,968

15-Jan-2015

05:27

x64

Usercpl.ptxml

Not applicable

789

11-Oct-2012

00:40

Not applicable

Winlogon.exe

6.2.9200.16891

578,048

12-Apr-2014

09:10

x64

Winlogon.exe

6.2.9200.21012

578,048

12-Apr-2014

07:52

x64

Sspicli.dll

6.2.9200.16864

99,840

10-Mar-2014

01:27

x86

Sspicli.dll

6.2.9200.20984

99,840

10-Mar-2014

01:34

x86

Wdigest.dll

6.2.9200.16891

178,688

12-Apr-2014

07:23

x86

Wdigest.dll

6.2.9200.21012

176,640

12-Apr-2014

07:32

x86

Kerberos.dll

6.2.9200.17172

666,624

08-Nov-2014

06:56

x86

Kerberos.dll

6.2.9200.21289

663,552

10-Nov-2014

23:30

x86

Msv1_0.dll

6.2.9200.16891

273,920

12-Apr-2014

07:23

x86

Msv1_0.dll

6.2.9200.21012

273,920

12-Apr-2014

07:31

x86

Adtschema.dll

6.2.9200.17231

717,824

15-Jan-2015

09:09

x86

Msaudite.dll

6.2.9200.17150

146,944

11-Oct-2014

05:05

x86

Msobjs.dll

6.2.9200.16384

61,952

26-Jul-2012

02:47

x86

Adtschema.dll

6.2.9200.21289

719,360

10-Nov-2014

03:40

x86

Msaudite.dll

6.2.9200.21269

146,944

11-Oct-2014

04:35

x86

Msobjs.dll

6.2.9200.16384

61,952

26-Jul-2012

02:47

x86

Credssp.dll

6.2.9200.16891

17,408

12-Apr-2014

07:22

x86

Tspkg.dll

6.2.9200.16891

76,800

12-Apr-2014

07:23

x86

Tspkg.mof

Not applicable

964

02-Jun-2012

14:33

Not applicable

Credssp.dll

6.2.9200.21012

17,408

12-Apr-2014

07:31

x86

Tspkg.dll

6.2.9200.21012

76,800

12-Apr-2014

07:32

x86

Tspkg.mof

Not applicable

964

02-Jun-2012

14:33

Not applicable

Shcore.dll

6.2.9200.17293

452,608

06-Mar-2015

05:48

x86

Shcore.dll

6.2.9200.21410

460,800

06-Mar-2015

05:21

x86

Usercpl.dll

6.2.9200.17231

961,536

15-Jan-2015

10:00

x86

Usercpl.ptxml

Not applicable

789

11-Oct-2012

00:41

Not applicable

Usercpl.dll

6.2.9200.21345

961,536

15-Jan-2015

21:23

x86

Usercpl.ptxml

Not applicable

789

11-Oct-2012

00:42

Not applicable

For all supported versions of Windows RT

File name

File version

File size

Date

Time

Platform

Dpapisrv.dll

6.2.9200.17343

123,904

13-Apr-2015

22:27

Not applicable

Ksecdd.sys

6.2.9200.17343

71,512

14-Apr-2015

00:49

Not applicable

Lsass.exe

6.2.9200.16420

23,552

20-Sep-2012

05:35

Not applicable

Sspicli.dll

6.2.9200.17343

100,864

13-Apr-2015

22:27

Not applicable

Sspisrv.dll

6.2.9200.17343

16,896

13-Apr-2015

22:27

Not applicable

Cng.sys

6.2.9200.17343

394,624

13-Apr-2015

22:09

Not applicable

Ksecpkg.sys

6.2.9200.17150

128,832

11-Oct-2014

05:48

Not applicable

Lsasrv.dll

6.2.9200.17231

895,488

15-Jan-2015

09:15

Not applicable

Adtschema.dll

6.2.9200.17231

717,824

15-Jan-2015

08:43

Not applicable

Msaudite.dll

6.2.9200.17150

146,944

11-Oct-2014

04:55

Not applicable

Msobjs.dll

6.2.9200.16384

61,952

26-Jul-2012

01:10

Not applicable

Credssp.dll

6.2.9200.16931

18,944

29-May-2014

22:42

Not applicable

Tspkg.dll

6.2.9200.16931

69,120

29-May-2014

22:42

Not applicable

Tspkg.mof

Not applicable

964

02-Jun-2012

14:34

Not applicable

Wdigest.dll

6.2.9200.16931

141,824

29-May-2014

22:43

Not applicable

Kerberos.dll

6.2.9200.17231

574,976

15-Jan-2015

09:15

Not applicable

Msv1_0.dll

6.2.9200.16931

215,040

29-May-2014

22:42

Not applicable

Shcore.dll

6.2.9200.17293

420,864

07-Mar-2015

04:03

Not applicable

Lsm.dll

6.2.9200.17231

318,976

15-Jan-2015

09:15

Not applicable

Workerdd.dll

6.2.9200.16384

13,312

26-Jul-2012

01:07

Not applicable

Usercpl.dll

6.2.9200.17231

965,632

15-Jan-2015

09:16

Not applicable

Usercpl.ptxml

Not applicable

789

11-Oct-2012

00:36

Not applicable

Winlogon.exe

6.2.9200.16931

389,632

29-May-2014

22:43

Not applicable

Workaround

To work around this issue, revert to the user's old password.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

See the terminology that Microsoft uses to describe software updates.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

Thank you for your feedback!

Thank you for your feedback! It sounds like it might be helpful to connect you to one of our Office support agents.

×