KB5018410 Breaks SSL VPN

Question

As stated in the subject, Windows 10 update KB5018410 breaks currently functional SSL VPN connections.

Environment

Clients: Windows 10 Professional. SSL VPN connections using built-in Windows VPN client.

Server: Windows 2008 R2 using a self-signed certificate.

Problem Detail

The client workstations are able to attach to the SSL VPN and everything functions properly until KB5018410 is installed on clients on either of builds 21H1 or 21H2, at which point clients receive the message "client and server can't communicate because they don't possess a common algorithm". Removal of KB5018410 resolves the issue, but Windows Update must also be paused on the client computers to prevent reoccurrence from the update simply reinstalling.

Yes, I am aware that the destination VPN server is well past EoL. However, there's little my team can do about it since it's under the control of another entity for whom our organization does a very large portion of our work via the aforementioned SSL VPN. While I suppose it's possible that something changed server-side, I deem it extremely unlikely to be related since clients connect fine until KB5018410 is installed, cannot connect once it is installed, then connect again without issue once it's uninstalled and updates are paused.

Solutions Attempted Thus Far

Though "common algorithm" sounds more like a cipher, hash, or key exchange issue, I enabled all legacy version of TLS on the client computers via the appropriate registry keys to no avail: they still could not connect with KB5018410 installed.

I also used the IIS Crypto software from Nartac to explicitly enable all legacy cipher suites on several affected client workstations, which similarly failed to resolve the issue.

The only solution that works, at this time, is to manually uninstall KB5018410 and pause updates to prevent reinstallation.

I attempted to use the wushowhide utility to simply hide the offending update, but it doesn't find it in scans to hide it once it's been installed, doesn't find it to hide it while updates are paused, and has about a fifty percent success rate finding it to hide it if I resume updates and try to tag it quickly while KB5018410 is in the process of downloading/installing.

Any suggestions on other ways to block this thing? I have several dozen workstations on which it needs to be addressed, and pausing the updates until Microsoft resolves the issue is not the most desirable solution - I'd rather continue to get other updates and simply ignore this one.

Answer 1

Check the SSL Cert you are using on your VPN server. I just started having issues with my Palo Alto Global Protect VPN and I just figured out what the issue was.

My cert was issued on 9/22/2021 and was valid till 9/24/2022 so while it was still valid, it is 387 days old.

I know ssl cert companies and apple etc have been pushing to invalid certs older than a year so I am guessing Microsoft is now enforcing this.

I created a new cert and uploaded it to the palo alto and bang my clients can now connect. So check your cert on your server and see if it is more than 365 days old and see if installing an updated cert does not fix your issue.

Answer 2

Starbucks, we were able to resolve the issues by working with the team responsible for the 2008 R2 server on the other side. In short, the answer was configuring that server to work with TLS 1.2 instead of TLS 1.0. One of the key things KB5018410 does, apparently, is shut down Windows 10 clients' ability to use TLS 1.0, even if the registry hacks that previously worked to force its acceptance are deployed. Here are the steps we used to make the server start using TLS 1.2 and restore SSL VPN functionality.

1. Ensure KB3140425 was installed properly (enables TLS 1.2 for Server 2008 R2 with Service Pack 1).
2. Set DWORDs named DefaultSecureProtocols with values of 800 hex (enables TLS 1.2) or A00 hex (enables TLS 1.1 and 1.2) in the following registry paths:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
   HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
3. Add a key named TLS 1.2 to the following registry path:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
4. Add Client and Server keys to the previously created key.
5. Add a DWORD named DisabledByDefault with a hex value of 0 to both the Client and Server keys just created.
6. Add a DWORD named Enabled with a hex value of 1 to both the Client and Server keys just created.
7. Reboot the server.

Your situation sounds a little different, but perhaps something in this will help nudge you toward a similar solution, or help someone else that finds this thread in the future. Good luck!

Answer 3

Hi,
Similar situation here, although not the same. We noticed reports of users not being able to join some of our systems anymore. TLS error messages started poping out of several Office client applications (Word, Excel, PowerPoint). After some time debugging server side, we started increasing schannel logging client side to notice client certificate authentication errors. We eventually resorted to packet captures and noticed that Office clients are closing connections (RST packet sent to servers) after they are asked to produce a client certificate.

Removing KB5018410 appears to solve the issue.

Freezing ongoing deployment of KB5018410 might be necessary until Microsoft informs on this.

Answer 4

Hello again,
Microsoft issued an out of band patch yesterday evening (kb5020435):
https://support.microsoft.com/en-us/topic/october-17-2022-kb5020435-os-builds-19042-2132-19043-2132-and-19044-2132-out-of-band-243f34de-2f44-4015-a224-1b68a4132ca5

We deployed it on our guinea pigs, it solved the issue. We are still hesitating whether or not to deploy it on all clients, there seems to be undesired effects coming with it (sound issues).

I guess you can give it a try : )

Hope it helps!