domain controllers Archives

Winsage

May 10, 2025

Hackers Using Windows Remote Management to Stealthily Navigate Active Directory Network

Threat actors are exploiting Windows Remote Management (WinRM) to navigate through Active Directory environments stealthily, allowing them to bypass detection systems, escalate privileges, and deploy malicious payloads. WinRM operates on HTTP port 5985 and HTTPS port 5986, enabling remote command execution and management tasks. Attackers can gain access through compromised credentials and use WinRM-enabled PowerShell commands for reconnaissance, deploying payloads while evading detection. The attack chain includes initial access, reconnaissance, payload deployment, persistence, and lateral movement, often utilizing techniques that obfuscate malicious activities. Detecting such attacks is challenging due to the use of built-in Windows functionalities and encrypted channels. Recommended mitigation strategies include monitoring for unusual activity, restricting WinRM access, enforcing credential hygiene, and implementing advanced monitoring solutions.

Winsage

May 7, 2025

Microsoft: April updates cause Windows Server auth issues

Microsoft has acknowledged that the April 2025 security updates are causing authentication challenges for certain Windows Server domain controllers, specifically affecting Windows Server versions 2016, 2019, 2022, and 2025. The issues arise after installing the April Windows monthly security update (KB5055523 or later), leading to complications in processing Kerberos logons or delegations that rely on certificate-based credentials. Affected authentication protocols include Kerberos PKINIT, S4U via RBKCD, and KCD. These issues are linked to security measures addressing the critical vulnerability CVE-2025-26647, which allows authenticated attackers to escalate privileges remotely. A temporary workaround involves modifying a registry value. Microsoft has previously addressed similar authentication issues in Windows 11, Windows Server 2025, and earlier versions.

Winsage

April 23, 2025

Microsoft fixes Windows Server 2025 blue screen, install issues

Microsoft has addressed issues affecting Windows Server 2025 for systems with more than 256 logical processors, which could lead to installation failures, slow start-up times, and blue screen errors. These problems have been resolved through updates since the KB5046617 cumulative update released in November. IT administrators are advised to install the latest security updates, which include essential fixes. A temporary workaround involves limiting the number of logical processors to 256 or fewer by adjusting settings in the UEFI Setup. Additionally, Microsoft warned of potential accessibility issues with Windows Server 2025 domain controllers post-restart and reported login difficulties with Windows Hello after the April 2025 updates. A bug causing authentication issues with Credential Guard has been fixed, and a new safeguard hold for Windows 11 24H2 has been introduced due to compatibility problems with the SenseShield Technology's sprotect.sys driver.

Winsage

April 23, 2025

Microsoft fixes Remote Desktop freezes caused by Windows updates

Microsoft has resolved an issue causing Remote Desktop sessions to freeze on Windows Server 2025 and Windows 11 24H2 devices. The initial fix was provided on February 25 with the KB5052093 optional update for Windows 11, followed by the KB5055523 Patch Tuesday cumulative update for Windows Server on April 8. Users of Windows Server 2025 who installed the February 2025 Security update (KB5051987) experienced freezing issues that rendered mouse and keyboard inputs unresponsive. Microsoft recommended installing the latest updates for improvements and resolutions. Additionally, Microsoft implemented a Known Issue Rollback (KIR) to address Remote Desktop and RDS connection problems stemming from Windows 11 24H2 updates since January 2025, which caused UDP connection interruptions to RDS hosts on Windows Server 2016. A permanent solution has been included in the recent cumulative updates. Microsoft also fixed a bug causing blue screen errors and installation issues on Windows Server 2025 systems with over 256 logical processors, included in updates since the KB5046617 cumulative update. However, users were warned of potential login issues with Windows Hello after the April 2025 security updates and that some Windows Server 2025 domain controllers may become unreachable after a restart.

Winsage

April 17, 2025

New Windows Server emergency updates fix container launch issue

Microsoft released emergency updates for Windows Server to address startup failures in containers operating under Hyper-V isolation mode, caused by compatibility issues with the 2025.04 B container images. The updates enhance access to essential system files from the Windows Server host, improving compatibility and reliability. These out-of-band updates for Windows Server 2019, 2022, and 2025 must be manually downloaded from the Microsoft Update Catalog, as they will not be delivered through Windows Update. This update follows previous challenges, including authentication issues and boot problems caused by earlier security updates for Windows Server 2019 and 2022.

Winsage

April 16, 2025

Microsoft warns of blue screen crashes caused by April updates

Microsoft has warned customers about potential system failures due to a blue screen error (secure kernel fatal error) following the installation of Windows updates since March, specifically the KB5055523 April cumulative update and the KB5053656 March preview update, affecting Windows 11, version 24H2. Users may experience crashes and a blue screen exception with the code 0x18B. Microsoft is working on a solution and has implemented a Known Issue Rollback (KIR) to reverse the problematic updates, which will automatically reach affected devices within 24 hours. Affected users are advised to restart their devices. For enterprise-managed devices, administrators must install the KIR Group Policy specific to their Windows version to resolve the issue, requiring a device restart. Further assistance is available on the Microsoft support website. Additionally, Microsoft has released emergency updates for local audit logon policies in Active Directory Group Policy and alerted administrators about potential inaccessibility of Windows Server 2025 domain controllers post-restart.

Winsage

April 15, 2025

Windows Server 2025 may lose DC connectivity after restart

Microsoft has warned about potential accessibility issues with Windows Server 2025 domain controllers after a restart, where affected servers revert to the default firewall profile, disrupting applications and services. A temporary workaround involves manually restarting the network adapter on the impacted servers using the PowerShell command: Restart-NetAdapter *. This workaround needs to be reapplied after each restart of the domain controller, and Microsoft recommends setting up a scheduled task to automate this process. Windows Server 2025, launched earlier this year, introduced new features and security enhancements but has faced previous issues, including freezing Remote Desktop sessions and accidental upgrades from Windows Server 2022. Developers are currently working on a permanent solution for the domain controller issue.

Winsage

April 14, 2025

Windows Server 2025 Restart Bug Breaks Connection with Active Directory Domain Controller

Microsoft has warned IT administrators about a significant issue affecting Windows Server 2025 domain controllers, which may struggle to manage network traffic after a system restart. This problem arises because the domain controllers revert to the standard firewall profile instead of the required domain firewall profile, leading to potential inaccessibility on the domain network, application failures, and open ports that could pose security risks. The issue specifically affects Windows Server 2025 systems with the Active Directory Domain Services role, while client systems and earlier server versions remain unaffected. To address this, Microsoft recommends a temporary workaround: manually restarting the network adapter using PowerShell with the command Restart-NetAdapter * after each reboot. Administrators are advised to create a scheduled task for automation, monitor domain controllers for disruptions, and minimize unnecessary restarts. Microsoft is working on a permanent fix, with an update expected in the future.

Winsage

April 14, 2025

Emergency Windows update solves Active Directory problem

Microsoft is releasing emergency patches to address an issue with local audit logon policies in Active Directory Group Policy, affecting various Windows versions including Windows 11 and Windows Server editions. The problem involves a reporting error where audit logon/logoff events may not appear as enabled in the Local Group Policy Editor, despite being active. The updates released include: - Windows 11, versions 23H2 and 22H2 (KB5058919) - Windows Server 2022 (KB5058920) - Windows 10 Enterprise LTSC 2019 and Windows Server 2019 (KB5058922) - Windows 10 LTSB 2016 and Windows Server 2016 (KB5058921) - Azure Stack HCI, version 22H2 (KB5058920) These patches are not security updates and are intended for affected organizations only. They can be downloaded from the Microsoft Update Catalog. The current updates are cumulative, meaning previous updates do not need to be installed first. Microsoft notes that home users are unlikely to be affected by this issue.

Winsage

April 14, 2025

Windows Server 2025 domain controllers may lose connectivity after reboot, says Microsoft

Microsoft has alerted IT administrators about potential connectivity issues with Windows Server 2025 domain controllers after a restart, which may lead to network disruptions and unauthorized access. Applications and services relying on these domain controllers could fail or become unreachable. IT administrators are advised to exercise caution when planning server restarts.