Before the August 2022 security update is installed, firmware on smartcard-authenticating printers and scanners must be compatible with section 3.2.1 of RFC 4556 in order to successfully authenticate with Active Directory domain controllers.
Windows updates released on July 13, 2021 introduced protections for CVE-2021-33764 which required all devices that perform a key exchange during PKINIT Kerberos authentication, including smartcard-authenticating printers, to either:
- support Diffie-Hellman, or
- advertise support for the des-ede3-cbc ("triple DES") e-type during the Kerberos AS request.
When will this happen:
August 9, 2022, or later.
How this will affect your organization:
Windows updates released between July 27, 2021, and July 26, 2022 supported a temporary mitigation that allowed non-RFC-compliant devices to authenticate with Active Directory. Windows updates released on August 9, 2022, or later remove all temporary mitigations released to Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.
What you need to do to prepare:
Firmware on smartcard-authenticating printers and scanners must be compatible with section 3.2.1 of the RFC 4556 specification, as required for CVE-2021-33764, prior to installing Windows updates released on August 9, 2022, or later on Active Directory domain controllers.
Review the below documentation