Let’s check how to FIX KB5020276 Domain Join Hardening Changes CVE-2022-38042. The hardening itself is the fix for this Active Directory Domain Services Elevation of Privilege vulnerability; what you can do with an SCCM task sequence is work around the domain join failures the hardening introduces during OS deployment.
In this post, we will discuss the changes introduced by CVE-2022-38042 in the October 11, 2022, cumulative update packages across all supported operating systems. These changes are enabled and secure by default.
Updated on 8th Nov 2022: After the hardening explained in KB5020276 is installed, domain join operations might intentionally fail with error “0xaac (2732): NERR_AccountReuseBlockedByPolicy” and the text “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.”
After the October 2022 updates are applied to a client, a domain join that reuses an existing computer object succeeds only if the joining identity created that object or the object was created by a member of Domain Admins. The common re-image scenario, where a service account performs the domain join but someone pre-staged the AD object with a personal account, is exactly what this blocks.
Microsoft shipped the KB5020276 Domain Join Hardening changes for CVE-2022-38042 in the October 11, 2022, cumulative update packages for all supported operating systems:
- Windows Server 2008 Datacenter ESU
- Windows Server 2008 Standard ESU
- Windows Server 2008 Enterprise ESU
- Windows 7 Enterprise ESU
- Windows 7 Professional ESU
- Windows 7 Ultimate ESU
- Windows Server 2008 R2 Enterprise ESU
- Windows Server 2008 R2 Standard ESU
- Windows Server 2008 R2 Datacenter ESU
- Windows Embedded Standard 7 ESU
- Windows Embedded POSReady 7 ESU
- Windows Server 2012
- Windows Embedded 8 Standard
- Windows 8.1 and Windows RT 8.1
- Windows Server 2012 R2
- Windows Embedded 8.1 Industry Enterprise
- Windows Embedded 8.1 Industry Pro
- Windows 10, version 1607, all editions
- Windows Server 2016, all editions
- Windows 10 Enterprise 2019 LTSC
- Windows 10 IoT Enterprise 2019 LTSC
- Windows 10 IoT Core 2019 LTSC
- Windows Server 2019
- Windows 10 Enterprise Multi-Session, version 20H2
- Windows 10 Enterprise and Education, version 20H2
- Windows 10 IoT Enterprise, version 20H2
- Windows 10 on Surface Hub
- Windows 10, version 21H1, all editions
- Windows 10, version 21H2, all editions
- Windows 11 version 21H2, all editions
- Windows 11 version 22H2, all editions
- Windows Server 2022
Legacy behavior before you install October 11, 2022 and later updates – KB5020276 Domain Join Hardening
The client queries Active Directory for an existing account that has the same name. This query occurs during domain join and computer account provisioning. If such an account exists, the client will automatically attempt to reuse it.
Note – The reuse attempt will fail if the user attempting the domain join operation does not have the appropriate write permissions. However, if the user has enough permissions the domain join will succeed.
There are two scenarios for domain joining with respective default behaviors and flags as follows:
- Domain Join (NetJoinDomain)
- Defaults to account reuse (unless NETSETUP_NO_ACCT_REUSE flag is specified)
- Account provisioning (NetProvisionComputerAccount / NetCreateProvisioningPackage)
- Defaults to NO reuse (unless NETSETUP_PROVISION_REUSE_ACCOUNT is specified.)
New behavior after you install October 11, 2022 and later updates – KB5020276 Domain Join Hardening
During domain join, the client will perform additional security checks before attempting to reuse an existing computer account.
- Account reuse attempts will be permitted if the user attempting the operation is the creator of the existing account.
- Account reuse attempts will be permitted if the account was created by a member of domain administrators.
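The two rules above can be checked before imaging rather than discovered from a failed join. The following is an added example, not code from KB5020276 or from the original post. It assumes (as labelled in the comments) that an object created through the “Add workstations to domain” privilege (joinpriv, the case the netsetup.log calls out) records its creator in mS-DS-CreatorSID, that the attribute is empty when an account with write rights created the object, and that an object created by a Domain Admin is owned by Domain Admins (<domain SID>-512). Only the second function needs the ActiveDirectory module; the first works on plain SID strings so it can be exercised offline.

```powershell
# Added example, not code from KB5020276 or the original post: apply the two account
# reuse rules of the October 2022 hardening to a pre-staged computer object.
# Assumptions: joinpriv-created objects carry the creator in mS-DS-CreatorSID (empty when
# created by an account with write rights); Domain Admin-created objects are owned by
# Domain Admins (<domain SID>-512). The netjoin check is modelled, not called.

function Test-ComputerAccountReuse {
    [CmdletBinding()]
    param(
        [AllowEmptyString()][string] $CreatorSid,        # mS-DS-CreatorSID as a string, '' when not set
        [Parameter(Mandatory)][string] $OwnerSid,        # owner SID from nTSecurityDescriptor
        [Parameter(Mandatory)][string] $JoinerSid,       # SID of the account performing the join
        [Parameter(Mandatory)][string] $DomainAdminsSid  # <domain SID>-512
    )
    # Rule 1: the joining account is the creator of the existing object.
    if ($CreatorSid -and $CreatorSid -eq $JoinerSid) {
        return [pscustomobject]@{ Allowed = $true; Reason = 'Joining account created the object' }
    }
    # Rule 2: the object was created by a Domain Admin (no joinpriv creator, owned by Domain Admins).
    if (-not $CreatorSid -and $OwnerSid -eq $DomainAdminsSid) {
        return [pscustomobject]@{ Allowed = $true; Reason = 'Object was created by a Domain Admin' }
    }
    # Everything else is what the hardening refuses with 0xaac (2732).
    [pscustomobject]@{ Allowed = $false; Reason = 'Created by a different account via joinpriv; expect NERR_AccountReuseBlockedByPolicy' }
}

function Get-ComputerAccountReuseReport {
    param(
        [Parameter(Mandatory)][string] $ComputerName,  # computer name (sAMAccountName without the trailing $)
        [Parameter(Mandatory)][string] $JoinAccount    # sAMAccountName of the user or service account that will join
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $domainSid = (Get-ADDomain).DomainSID.Value
    $joinerSid = (Get-ADUser -Identity $JoinAccount).SID.Value
    # -Filter returns nothing (instead of a terminating error) when no object exists yet.
    $obj = Get-ADComputer -Filter "Name -eq '$ComputerName'" -Properties 'mS-DS-CreatorSID', nTSecurityDescriptor
    if (-not $obj) {
        return [pscustomobject]@{ Computer = $ComputerName; Exists = $false; Allowed = $true; Reason = 'No existing object; the join creates a new account' }
    }
    # mS-DS-CreatorSID is stored as a binary SID; decode it only when present.
    $creatorSid = ''
    if ($obj.'mS-DS-CreatorSID') {
        $creatorSid = (New-Object System.Security.Principal.SecurityIdentifier($obj.'mS-DS-CreatorSID', 0)).Value
    }
    $ownerSid = $obj.nTSecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    $verdict  = Test-ComputerAccountReuse -CreatorSid $creatorSid -OwnerSid $ownerSid `
                    -JoinerSid $joinerSid -DomainAdminsSid "$domainSid-512"
    [pscustomobject]@{
        Computer   = $obj.DistinguishedName
        Exists     = $true
        CreatorSid = $creatorSid
        OwnerSid   = $ownerSid
        Allowed    = $verdict.Allowed
        Reason     = $verdict.Reason
    }
}

# Constructed sample, no domain needed: a helpdesk user pre-staged the object through
# joinpriv, but the imaging service account performs the join (the scenario that breaks).
Test-ComputerAccountReuse -CreatorSid 'S-1-5-21-1-2-3-1105' -OwnerSid 'S-1-5-21-1-2-3-1105' `
    -JoinerSid 'S-1-5-21-1-2-3-1201' -DomainAdminsSid 'S-1-5-21-1-2-3-512'
```

Run `Get-ComputerAccountReuseReport -ComputerName PC001 -JoinAccount svc_osdjoin` from a management host before the task sequence starts; any object reported with `Allowed = False` is one you delete, rename or re-stage with the join account before imaging, instead of finding out from the 0xaac failure.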
After installing the October 11, 2022 or later Windows cumulative updates, domain join might fail with the following error:
Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.”
There is a new registry entry, NetJoinLegacyAccountReuse, and the log C:\Windows\Debug\netsetup.log shows that the join was blocked by the account reuse policy, for example:
```text
NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=DC2,CN=Computers,DC=contoso,DC=com
NetpGetADObjectOwnerAttributes: Looking up attributes for machine account: CN=DC2,CN=Computers,DC=contoso,DC=com
NetpGetNCData: Reading NC data
NetpReadAccountReuseModeFromAD: Searching '<WKGUID=AB1D30F3768811D1ADED00C04FD8D5CD,DC=contoso,DC=com>' for '(&(ObjectClass=ServiceConnectionPoint)(KeyWords=NetJoin*))'.
Found value: 'NetJoinSecureAccountReuse'
Returning NetStatus: 0, ADReuseMode: 1.
NetpCheckIfAccountShouldBeReused: Account was created through joinpriv and does not belong to this user. Blocking re-use of account.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac
NetpProvisionComputerAccount: LDAP creation failed: 0xaac
ldap_unbind status: 0x0
NetpJoinCreatePackagePart: status:0xaac.
NetpJoinDomainOnDs: Function exits with status of: 0xaac
NetpJoinDomainOnDs: status of disconnecting from '\\LT-DJABDC1.contoso.com': 0x0
NetpResetIDNEncoding: DnsDisableIdnEncoding(RESETALL) on 'contoso.com' returned 0x0
NetpJoinDomainOnDs: NetpResetIDNEncoding on 'contoso.com': 0x0
NetpDoDomainJoin: status: 0xaac
```
Possible Solutions to FIX KB5020276 Domain Join Hardening Changes | CVE-2022-38042
You can use the System event log and C:\Windows\Debug\netsetup.log to understand the failure and take the necessary steps to resolve it. Here are the possible steps you can follow to fix KB5020276 Domain Join Hardening Changes:
- Join with a different computer name so that no existing computer object is reused.
- If the existing account is stale (unused), delete it before re-attempting to join the domain.
The domain join writes one of two events to the System log, depending on whether the reuse was permitted or blocked:

| Event log | Event ID | Event type | Event text |
|---|---|---|---|
| SYSTEM | 4100 | Informational | During domain join, the domain controller contacted found an existing computer account in Active Directory with the same name. An attempt to re-use this account was permitted. Domain controller searched: %1. Existing computer account DN: %2. See https://go.microsoft.com/fwlink/?linkid=2202145 for more information. |
| SYSTEM | 4101 | Error | During domain join, the domain controller contacted found an existing computer account in Active Directory with the same name. An attempt to re-use this account was prevented for security reasons. Domain controller searched: %1. Existing computer account DN: %2. The error code was %3. See https://go.microsoft.com/fwlink/?linkid=2202145 for more information. |
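Reading the raw netsetup.log excerpt and the event table above by hand is slow when a batch of re-images fails at once. The following is an added example, not code from the original post or from KB5020276: it pulls the reuse decision (existing DN, ADReuseMode, fReuseAllowed, final status) out of netsetup.log lines and lists the 4100/4101 events from the System log. The sample lines are constructed from the excerpt quoted earlier in this post; the log path and the event IDs are the ones the post documents.

```powershell
# Added example, not from the original post or KB5020276: triage a failed join from the
# client by parsing C:\Windows\Debug\netsetup.log and reading the 4100/4101 System events.

function Get-NetJoinReuseDecision {
    param([Parameter(Mandatory)][string[]] $LogLines)
    $r = [ordered]@{ ExistingDn = $null; ADReuseMode = $null; ReuseAllowed = $null; BlockedByPolicy = $false; JoinStatus = $null }
    foreach ($line in $LogLines) {
        # switch -Regex populates $Matches; every matching case runs, so one line can fill several fields.
        switch -Regex ($line) {
            'Crack results: \(Account already exists\) DN = (?<dn>.+)$' { $r.ExistingDn = $Matches.dn.Trim() }
            'ADReuseMode: (?<mode>\d+)'                                { $r.ADReuseMode = [int]$Matches.mode }
            'fReuseAllowed: (?<v>TRUE|FALSE)'                          { $r.ReuseAllowed = ($Matches.v -eq 'TRUE') }
            'Account exists and re-use is blocked by policy'           { $r.BlockedByPolicy = $true }
            'NetpDoDomainJoin: status: (?<st>0x[0-9A-Fa-f]+)'          { $r.JoinStatus = [int]$Matches.st }
        }
    }
    # 0xaac == 2732 == NERR_AccountReuseBlockedByPolicy
    $r.IsAccountReuseBlocked = ($r.JoinStatus -eq 2732) -or $r.BlockedByPolicy
    [pscustomobject]$r
}

function Read-NetsetupLog {
    # Default path is the one the post names; pass -Path to read a copy collected from another machine.
    param([string] $Path = "$env:SystemRoot\Debug\netsetup.log")
    Get-NetJoinReuseDecision -LogLines (Get-Content -Path $Path)
}

function Get-NetJoinReuseEvents {
    # Event IDs from the table above: 4101 = reuse prevented, 4100 = reuse permitted.
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 4100, 4101; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Outcome'; e = { if ($_.Id -eq 4101) { 'Blocked' } else { 'Permitted' } } },
            Message
}

# Constructed sample, taken from the netsetup.log excerpt quoted in this post.
$sample = @(
    'NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=DC2,CN=Computers,DC=contoso,DC=com',
    "NetpReadAccountReuseModeFromAD: Found value: 'NetJoinSecureAccountReuse' Returning NetStatus: 0, ADReuseMode: 1.",
    'NetpCheckIfAccountShouldBeReused: Account was created through joinpriv and does not belong to this user. Blocking re-use of account.',
    'NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0',
    'NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac',
    'NetpDoDomainJoin: status: 0xaac'
)
Get-NetJoinReuseDecision -LogLines $sample
```

On a client that actually failed, `Read-NetsetupLog` gives you the DN of the conflicting object to hand to whoever owns the pre-staging process, and `Get-NetJoinReuseEvents` confirms from the System log whether the block (4101) or a permitted reuse (4100) was recorded.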
If you are using an SCCM task sequence for imaging, you can automate the workaround inside the task sequence. The check runs on the client performing the join, so if your OS image does not yet include the 2022-10 (or later) cumulative update and the join happens before updates are installed, the legacy behavior still applies and you can skip this step.
Here you need to adjust the task sequence steps to apply registry changes to fix KB5020276 Domain Join hardening changes during the task sequence execution. The step to create registry value should be added before running the Domain Join step.
Create Registry value – FIX KB5020276 Domain Join Hardening Changes using SCCM Task Sequence
If you set the DWORD value NetJoinLegacyAccountReuse to 1, the client reverts to the legacy account reuse behavior and the domain join succeeds even when the existing object was pre-staged by another account.
Important⚠️- This registry value switches the hardening off and reinstates the behavior CVE-2022-38042 describes. Microsoft documents it only as a temporary workaround and does not recommend leaving it in place, so scope it to the join: set it immediately before the Join Domain or Workgroup step and remove it immediately afterwards. Expect Microsoft to refine the hardening in later updates.
```powershell
# -Force overwrites a value left behind by an earlier, interrupted run instead of failing
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name NetJoinLegacyAccountReuse -PropertyType DWord -Value 1 -Force
```
Note – The computer needs to be restarted in order to complete the operation.
- Join Domain or Workgroup
- Remove Registry value
```powershell
Remove-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name NetJoinLegacyAccountReuse
```
Let’s check how to add a Run PowerShell Script step to the SCCM task sequence. Any script you add this way must run unattended, with no prompts or pauses, because nobody is at the console during OS deployment.
- In the Configuration Manager console, go to the Software Library workspace, expand Operating Systems, and then select the Task Sequences node.
- In the Task Sequence list, select the task sequence that you want to edit. Select Edit to modify.
- To add this step in the task sequence editor, select Add, select General and select Run PowerShell Script.
In this step, you can enter the PowerShell code directly. This feature lets you run PowerShell commands during a task sequence without distributing a package. If needed, you can directly do the changes and perform testing without looking into the package creation process and distribution to fix KB5020276 Domain Join Hardening Changes.
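Putting the three steps together (set the value, Join Domain or Workgroup, remove the value), here is one script that both Run PowerShell Script steps can use. This is an added example, not Microsoft’s code or the original post’s: the pre-join step runs it with `-Mode Enable` and the post-join step with `-Mode Disable` in the step’s Parameters field. It assumes the steps run in the full OS (after Setup Windows and ConfigMgr), so HKLM is the deployed OS hive and not WinPE’s, and it uses the Microsoft.SMS.TSEnvironment COM object that is available inside a task sequence to guard against that mistake.

```powershell
# Added example, not Microsoft's or the original post's code: one script for both
# Run PowerShell Script steps that bracket Join Domain or Workgroup.
# Assumptions: runs in the full OS after Setup Windows and ConfigMgr; the
# Microsoft.SMS.TSEnvironment COM object exists because we are inside a task sequence.
param(
    [ValidateSet('Enable', 'Disable')]
    [string] $Mode = 'Enable'
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Name    = 'NetJoinLegacyAccountReuse'

function Test-RunningInWinPe {
    # Writing the value inside WinPE lands in WinPE's hive, not the deployed OS, and does nothing for the join.
    try {
        $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
        return ($ts.Value('_SMSTSInWinPE') -eq 'true')
    } catch {
        return ($env:SystemDrive -eq 'X:')   # outside a task sequence, fall back to the WinPE drive letter
    }
}

function Enable-LegacyAccountReuse {
    if (Test-RunningInWinPe) { throw 'This step must run in the full OS, after Setup Windows and ConfigMgr.' }
    # -Force overwrites a value left behind by an earlier, interrupted run.
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    $v = (Get-ItemProperty -Path $KeyPath -Name $Name).$Name
    if ($v -ne 1) { throw "Failed to set $Name (current value: $v)" }
    "$Name = 1; legacy account reuse enabled for the join step only"
}

function Disable-LegacyAccountReuse {
    # Always remove the value after the join so the client returns to the hardened behaviour.
    Remove-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ((Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).PSObject.Properties[$Name]) {
        throw "$Name is still present; hardening not restored"
    }
    "$Name removed; hardened account reuse behaviour restored"
}

switch ($Mode) {
    'Enable'  { Enable-LegacyAccountReuse }
    'Disable' { Disable-LegacyAccountReuse }
}
```

Set the step’s PowerShell execution policy to Bypass so the inline script runs unattended, and leave “Continue on error” off for the Disable step: if the value cannot be removed, the task sequence should stop rather than hand over a client with the hardening switched off.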
FIX Domain join processes may fail with error 0xaac (2732)
Microsoft has not yet provided a fix for domain join failing with error 0xaac (2732). The issue originates with the October 2022 security updates (KB5020276), as explained above.
These hardening changes are enabled by default for domain join scenarios and cause error 0xaac (2732). You can work around the issue by temporarily reverting to the legacy behavior with the NetJoinLegacyAccountReuse value described above, or by deleting or renaming the conflicting computer object. The affected scenario is:
- Domain join or re-imaging operations where a computer account was created or pre-staged by a different identity than the identity used to join or re-join the computer to the domain.
Resource – Windows 10, version 22H2 | Microsoft Learn