October 2022 Patch Tuesday made changes to Domain Join, and more changes are coming
If you fixed issues with domain join in October 2022 using registry changes, you will need to take other actions now.
[UPDATED: The new scheduled date for this change is now February 13, 2024]
Back in October 2022, Microsoft published CVE-2022-38042, a vulnerability that, if exploited, can lead to domain takeover through elevation of privilege to Domain Admin.
It was rated 7.1 on CVSSv3 rather than 9.x, mainly because exploitation is complex.
The patch changes who is able to join a computer to a Domain when a computer object with the same name already exists.
However, many found themselves experiencing Domain join issues after applying the patches.
Typically this happened when computer accounts were pre-provisioned in Active Directory by a service account, and a different (non-Domain Admin, of course) account then joined the computer to the domain.
Known issues were published for products like Quest / One Identity Active Roles Server, VMware Instant Clones and Broadcom / Symantec Ghost.
The default “solution” for many has been to create the HKLM\System\CurrentControlSet\Control\LSA\NetJoinLegacyAccountReuse registry setting, which Microsoft provided as a temporary workaround but which many have accepted as a final solution.
Why? Simply, because it made Domain join work again.
The only problem is that using this registry setting reopens the vulnerability to exploitation.
Surely you have followed Microsoft's guidance to set that registry value only while joining the computer to the Domain and to remove it afterwards.
But even having the option to set that registry value gives attackers an opportunity to exploit the vulnerability.
So, Microsoft had to come up with something else. And that happened with the March 2023 Patch Tuesday updates.
What’s changed with the March 2023 update?
Two things:
We now have the ability to specify others than Domain Admins to be allowed to join a computer to the Domain, even if someone else has provisioned it to Active Directory.
By default, not only Domain Admins but now also Enterprise Admins and the Built-in Administrators group are allowed to perform the Domain join with reuse of an existing computer account.
But you can also specify your own group containing the accounts that should be allowed to perform this action, for example the service account doing computer account provisioning.
This is the important part:
Microsoft announced that they will remove the ability to use the NetJoinLegacyAccountReuse registry setting altogether.
Since March 2023, the removal of the registry workaround has been scheduled for September 9, 2023.
[UPDATED: The new scheduled date for this change is now February 13, 2024
Thank you, Silas Arentsen from styr-it.nl for noticing the change and informing me]
The complete KB5020276 support article - although a bit counterintuitive to read due to the inline March 2023 additions - can be read here.
So, if you have been using this workaround, you have until the beginning of September to react before Domain join breaks again, unless Microsoft is forced to change the schedule.
What to do?
(I’m assuming here that you are unable to use the same service account for provisioning as for Domain join, and cannot use the approach of deleting the existing computer account before Domain-joining a computer with the same name. If you could use those methods, there would be no Domain join issue anyway.)
Put very simply:
Start using the new Group Policy setting Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Allow computer account re-use during domain join
Stop using the HKLM\System\CurrentControlSet\Control\LSA\NetJoinLegacyAccountReuse registry setting
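The second step, finding out which machines still carry the workaround and cleaning it up, is easy to automate. The script below is an added example and is not from the original post or from Microsoft. It assumes PowerShell Remoting (WinRM) is enabled on the targets, that the account running it is a local administrator there, and that the computer names in $Computers are a constructed sample you replace with your own inventory. It only reports by default; set $RemoveValue to $true to delete the value.

```powershell
# Added example (not from the original post): audit and optionally remove the
# NetJoinLegacyAccountReuse workaround value across a set of computers.
# Assumptions: WinRM is enabled, the caller is a local admin on each target,
# and $Computers is a constructed sample list.

$Computers   = @('PC01', 'PC02', 'PC03')   # constructed sample; replace with your inventory
$RemoveValue = $false                      # $true to actually delete the value

$auditBlock = {
    param([bool]$Remove)
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $name = 'NetJoinLegacyAccountReuse'

    # A value of 1 re-enables the legacy account-reuse behaviour the patch removed
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Present      = ($null -ne $item)
        Value        = if ($item) { $item.$name } else { $null }
        Removed      = $false
        Error        = $null
    }

    if ($item -and $Remove) {
        Remove-ItemProperty -Path $path -Name $name -ErrorAction Stop
        $result.Removed = $true
    }
    $result
}

$results = foreach ($c in $Computers) {
    try {
        Invoke-Command -ComputerName $c -ScriptBlock $auditBlock `
                       -ArgumentList $RemoveValue -ErrorAction Stop
    } catch {
        # Unreachable host, WinRM disabled, or access denied: record it rather than stop
        [pscustomobject]@{
            ComputerName = $c; Present = $null; Value = $null
            Removed      = $false; Error = $_.Exception.Message
        }
    }
}

# Every row with Present = True still depends on the workaround Microsoft is removing
$results | Select-Object ComputerName, Present, Value, Removed, Error | Format-Table -AutoSize
```

Run it once in report mode to see how many machines depend on the workaround, fix the provisioning flow with the new Group Policy setting, and only then rerun it with $RemoveValue set to $true.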
A few important things regarding the new Group Policy setting
First of all, you would of course not add Authenticated Users to this setting, as this would leave you fully exposed to the vulnerability again.
Only very few accounts, which you can trust to be secure and uncompromised, should be members of the group you add to Domain controller: Allow computer account re-use during domain join.
Second, be aware that your clients and all your DCs must have the March 2023 updates for this to work.
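Because the group named in the policy is effectively an allow-list for computer account reuse, its membership deserves a periodic review. The script below is an added example, not part of the original post, and assumes the RSAT ActiveDirectory module is installed. The group name ComputerAccountReuse-Allowed and the expected member count are placeholders for your own values. It flags the broad principals that must never be in the group (Everyone, Authenticated Users, Domain Users, Domain Computers), nested groups, and a membership count above what you expect.

```powershell
# Added example (not from the original post): review the group configured in
# "Domain controller: Allow computer account re-use during domain join".
# Assumptions: ActiveDirectory module available; $AllowListGroup is a placeholder.

Import-Module ActiveDirectory

$AllowListGroup     = 'ComputerAccountReuse-Allowed'   # placeholder: your policy group
$MaxExpectedMembers = 3                                # tune to your environment

$group  = Get-ADGroup -Identity $AllowListGroup -Properties member
$domain = Get-ADDomain

# Well-known broad principals that would reopen the vulnerability for everyone
$broadSids = @{
    'S-1-1-0'                  = 'Everyone'
    'S-1-5-11'                 = 'Authenticated Users'
    "$($domain.DomainSID)-513" = 'Domain Users'
    "$($domain.DomainSID)-515" = 'Domain Computers'
}

$findings = @()
foreach ($dn in $group.member) {
    $obj = Get-ADObject -Identity $dn -Properties objectSid, objectClass
    $sid = $obj.objectSid.Value

    if ($broadSids.ContainsKey($sid)) {
        $findings += "Broad principal present: $($broadSids[$sid]) ($sid)"
    }

    if ($obj.objectClass -eq 'group') {
        # Nested groups hide the real member set; expand and report the size
        $nested = @(Get-ADGroupMember -Identity $dn -Recursive -ErrorAction SilentlyContinue)
        $findings += "Nested group '$($obj.Name)' expands to $($nested.Count) member(s); review it separately"
    }
}

$directCount = @($group.member).Count
if ($directCount -gt $MaxExpectedMembers) {
    $findings += "Group has $directCount direct members, above the expected maximum of $MaxExpectedMembers"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: '$AllowListGroup' has $directCount direct member(s) and no broad principals."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

Scheduling this as a recurring check, or alerting on changes to the group's member attribute, gives you an early warning if someone "fixes" a Domain join problem by widening the group.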
The third thing is not mentioned in the Microsoft KB5020276-article:
The PowerShell cmdlet Test-ComputerSecureChannel -Repair actually relies on reusing the same computer account, and therefore could be blocked unless you are the owner of the computer account, a Domain Admin, an Enterprise Admin, a member of the Built-in Administrators group, or a member of the group you add to Domain controller: Allow computer account re-use during domain join.
Ryan Ries does say “note the registry-based workaround”, but don’t follow that advice, as it was given before the much better March 2023 solution came about.
The point is: if your helpdesk users make use of that PowerShell cmdlet, they would have to be members of the group added to Domain controller: Allow computer account re-use during domain join.
I would personally recommend against this and keep the number of group members to an absolute minimum to avoid the vulnerability being exploited.
But it’s of course entirely up to you.
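To see how the new behaviour affects a repair in practice, the script below is an added example, not from the original post, that first checks the secure channel and only attempts a repair if it is broken, running the repair as a named account and explaining the likely cause when it is refused. The account CONTOSO\helpdesk-repair is a placeholder; whether the repair succeeds depends on that account being the computer object's owner, a Domain/Enterprise/Built-in Administrator, or a member of the group configured in the policy.

```powershell
# Added example (not from the original post): check the secure channel and repair
# it as a specific account, reporting when account reuse is refused.
# Assumption: $RepairAccount is a placeholder for the account your helpdesk uses.

$RepairAccount = 'CONTOSO\helpdesk-repair'   # placeholder account name
$AllowGroupHint = 'the group set in "Domain controller: Allow computer account re-use during domain join"'

function Repair-SecureChannelAs {
    param([Parameter(Mandatory)][pscredential]$Credential)

    # Probe first: a healthy channel needs no repair and no privileged account
    if (Test-ComputerSecureChannel -ErrorAction SilentlyContinue) {
        Write-Output "Secure channel to $env:USERDNSDOMAIN is healthy; no repair needed."
        return $true
    }

    try {
        # -Repair resets the computer account password against the existing
        # computer object, which is exactly the reuse case the policy governs
        $ok = Test-ComputerSecureChannel -Repair -Credential $Credential -ErrorAction Stop
        if ($ok) {
            Write-Output "Secure channel repaired using $($Credential.UserName)."
        } else {
            Write-Warning "Repair returned false; check the DC's System and Security event logs."
        }
        return $ok
    } catch {
        Write-Warning "Repair failed: $($_.Exception.Message)"
        Write-Warning ("$($Credential.UserName) must own the computer object, be a Domain, " +
                       "Enterprise or Built-in Administrator, or be a member of $AllowGroupHint.")
        return $false
    }
}

$cred = Get-Credential -UserName $RepairAccount -Message 'Account used for secure channel repair'
$null = Repair-SecureChannelAs -Credential $cred
```

If the repair is refused for your helpdesk account, the fix is a decision rather than a script: either accept that account into the policy group, or route secure channel repairs through an account you already trust with computer account reuse.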
So, you have until February 14, 2024 to find out what you are currently doing when Domain-joining computers with existing computer accounts, decide how you will do it in the future, and implement that before February 14, 2024.