Problems with update KB5019081 (8November 22). DC updated KB5026370 (9May23)

Nacho 20 Reputation points

Hello, I have a domain made up of two Windows Server 2022, due to some problem the security update KB5019081 was not installed, the out-of-band update KB5021249 and the December 13 update KB5022291 were not installed either.

My big question is whether these updates that are starting the correction of Kerberos authentication and that culminate in October 2023 are cumulative with each other. That is, if my DCs do not have the November and December updates, but if they have had all the 2023 updates, I am on the right track to successfully reach the October 23 update. Or I am in a false belief. There is talk of an addition of PAC certificates and the creation of several registry keys, automatically that I cannot locate. The attempt to install the mentioned patches is impossible, since the system build is more current and it fails to install the .msu Is there any alternative way or I will have to re-migrate my DCs to correctly implement the security update sequence. Thank you

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,612 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,225 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,778 questions
0 comments No comments
{count} votes

Accepted answer
  1. Anonymous

    KB5019081 == OS Build 20348.1249

    KB5021249 == OS Build 20348.1366

    KB5022291 == OS Build 20348.1487

    As we can see above the build numbers incrementing and the updates are in fact cumulative. So what this means is the current monthly rollup contains new fixes plus all of the previous monthly fixes. So check the current build number (winver) and updates aligning with older build numbers are not required and as you found will also not install.

    --please don't forget to upvote and Accept as answer if the reply is helpful--

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Nacho 20 Reputation points

    Thank you, it was what I thought and what my WSUS indicated to me, that the KB5019081 update was replaced and the monthly updates were marked up to the current one that I have installed. The issue is that when looking for information about the upcoming changes in Kerberos, it always leads to the same articles that go through the aforementioned Kbs. In the current changelogs, nothing is mentioned about the changes, and this has caused me to wonder about the process. In addition, there is talk of the inclusion of new registry keys to monitor in audit mode the users who are not in line with the changes in the KDC. But I haven't seen these records automatically, maybe it's my mistake, understanding that they should appear automatically and you really are expected to enter them manually.

    Thank you for your quick response.