Microsoft released an emergency out-of-band (OOB) update in November last year to fix vulnerabilities in Windows Kerberos on Win10 / Win11 systems.
After Phase 1 in November last year and Phase 2 in December last year, Microsoft announced that it will release a Phase 3 patch to fix the vulnerability during the Patch Tuesday event on April 11.
Kerberos authentication is a computer network security protocol used to authenticate service requests from two or more trusted hosts over an untrusted network, such as the Internet.
The Kerberos authentication problem on Win10 and Win11 devices occurred after installing the cumulative update released on the November Patch Tuesday event day this year. It resulted in domain user login failures, domain user Remote Desktop connection failures, and printing that may require domain user authentication.
The official explanation is as follows:
During our Patch Tuesday event on April 11, 2023, we will release a Phase 3 patch for Kerberos, addressing the CVE-2022-37967 vulnerability in IT environments.
Each stage increases the default minimum value of security hardening changes for CVE-2022-37967, with incremental increases to reduce the impact of this vulnerability on the environment.
After the release of the April 11 update, the previous method of disabling adding a PAC signature by setting the KrbtgtFullPacSignature subkey to 0 no longer works. The new update enforces that the KrbtgtFullPacSignature subkey has a value of 1.
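
The following PowerShell is an added example, not part of Microsoft's statement or code: it shows how an administrator could check whether a domain controller still carries the old KrbtgtFullPacSignature = 0 opt-out that the April 11 update stops honoring. The registry path under the KDC service key, the function names and the host names DC01 to DC03 are assumptions made for illustration.

```powershell
# Added example, not Microsoft's code. Assumption: the value sits under the KDC
# service key on each domain controller; the page names only the subkey.
$KdcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValueName = 'KrbtgtFullPacSignature'

function Get-PacSignatureFinding {
    # Classify one reading: $null means the value is absent from the registry.
    param([string]$Computer, [Nullable[int]]$Value)
    if ($null -eq $Value) {
        $status = 'NotSet: no override, the update default applies'
    } elseif ($Value -eq 0) {
        $status = 'Review: 0 no longer disables PAC signatures after the April 11 update'
    } else {
        $status = 'OK: PAC signatures are added'
    }
    [pscustomobject]@{ Computer = $Computer; Value = $Value; Status = $status }
}

function Get-PacSignatureValue {
    # Read the value locally, or over PowerShell remoting for a named host.
    param([string]$Computer = $env:COMPUTERNAME)
    $read = {
        param($Key, $Name)
        $p = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        if ($p) { [int]$p.$Name }   # emits nothing when the value is not set
    }
    if ($Computer -eq $env:COMPUTERNAME) {
        & $read $KdcKey $ValueName
    } else {
        Invoke-Command -ComputerName $Computer -ScriptBlock $read -ArgumentList $KdcKey, $ValueName
    }
}

# Constructed sample readings (hypothetical host names) so the logic runs anywhere.
$sample = @{ 'DC01' = 0; 'DC02' = 1; 'DC03' = $null }
$sample.GetEnumerator() | Sort-Object Name |
    ForEach-Object { Get-PacSignatureFinding -Computer $_.Name -Value $_.Value }

# On a real domain controller, classify the live value instead:
# Get-PacSignatureFinding -Computer $env:COMPUTERNAME -Value (Get-PacSignatureValue)
```

Hosts reported as "Review" relied on the 0 setting and are the ones to test for Kerberos authentication failures before and after the April update is installed.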