Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander

AD Integration broken after KB5008102

SysArch
New Contributor I

Hello

 

After installing the security patch KB5008102 on our Domain Controllers, the AD integration is broken:

 

The security account manager blocked a non-administrator from creating or renaming a computer account using an invalid sAMAccountName. sAMAccountName on computer accounts must end with a single trailing $ sign.

Attempted sAMAccountName: xxxxxxxxx$iME
Recommended sAMAccountName: xxxxxxxxx$iME$

 

Link to the Microsoft KB: https://support.microsoft.com/en-gb/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e

 

Unfortunately, uninstalling the security patch is not an option.

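For anyone triaging the same symptom, the following PowerShell is an added example (it is not from the thread, Intel or Microsoft) that pulls the SAM hardening events quoted above from a domain controller and lists the computer objects created by the AMT AD integration whose sAMAccountName lacks the single trailing `$`. It assumes the RSAT ActiveDirectory module; the event provider name, the `$iME` suffix convention (taken from the thread) and the System log location are assumptions to adjust for your environment.

```powershell
# Added example, not from the thread: find KB5008102 sAMAccountName blocks and
# the affected Intel AMT computer objects. Assumes the ActiveDirectory module.
#Requires -Modules ActiveDirectory

function Get-SamNameBlockEvents {
    param(
        # Domain controller to query; defaults to one discovered in the domain.
        [string]$DomainController = ((Get-ADDomainController -Discover).HostName | Select-Object -First 1)
    )
    # Provider and log name are assumptions; the message text is the one quoted
    # in the thread, so matching on it is independent of the event ID.
    $events = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Directory-Services-SAM'
    } | Where-Object { $_.Message -match 'blocked a non-administrator from creating or renaming a computer account' }

    foreach ($evt in $events) {
        # The event body carries both the rejected and the recommended name.
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            DC          = $DomainController
            Attempted   = [regex]::Match($evt.Message, 'Attempted sAMAccountName:\s*(\S+)').Groups[1].Value
            Recommended = [regex]::Match($evt.Message, 'Recommended sAMAccountName:\s*(\S+)').Groups[1].Value
        }
    }
}

function Get-AmtComputerNameCompliance {
    # Objects provisioned by the SCS/EMA integration are named <Host>$iME in the
    # thread, so that suffix (an assumption) is used to select them.
    Get-ADComputer -LDAPFilter '(sAMAccountName=*$iME*)' -Properties sAMAccountName |
        ForEach-Object {
            [pscustomobject]@{
                Name           = $_.Name
                sAMAccountName = $_.SamAccountName
                # Compliant means exactly one trailing '$' (a non-'$' character, then '$', then end).
                Compliant      = ($_.SamAccountName -match '[^$]\$$')
            }
        }
}

Get-SamNameBlockEvents | Format-Table -AutoSize
Get-AmtComputerNameCompliance | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

Run it from a workstation with RSAT against a DC once the integration has failed; the first table shows how often the check is firing and which names are rejected, the second which existing objects would still be renamed on the next reconfiguration.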
29 Replies
Victor_G_Intel
Moderator

Hello SysArch,


Thank you for posting on the Intel® communities.


To continue with your request for assistance, can you please provide the following:


1-Do you have a current deployment with Intel® Active Management Technology (Intel® AMT)?


2-If you do have a deployment, can you please let us know how many systems you deployed and what version of Intel® AMT is being used?


3-Can you please let us know how many systems you have affected by this issue and what type of systems we are talking about? Please provide as many details as possible.


Regards,


Victor G.

Intel Technical Support Technician


SysArch
New Contributor I

Hello Victor

 

1: We do have a current deployment with Intel AMT

 

2: 14'524 Systems with Intel AMT version 11.8.77

 

3: At the moment every new and every reconfiguring system is affected by this (over time this should be every system), as our Active Directory is not allowing modification or creation of computer objects without a trailing '$'. These systems are in a production environment and are periodically staged anew. As I understood the issue we are having, this should not only be a problem of our environment? Is there any way to change the naming in the AD-Integration to something with a trailing '$'?

 

Kind Regards

 

SysArch

 

somersetchris
Beginner

I also have this issue.

1300+ machines with Intel AMT

Windows update KB5008601 is the only patch to be installed on the Windows Server 2016 Domain Controller.

Victor_G_Intel
Moderator

Hello SysArch,


Thank you for posting on the Intel® communities.


Please let me review this information internally, and kindly wait for an update.


Once we have more information to share, we will post it on this thread.


Regards,


Victor G.

Intel Technical Support Technician


JRüeg
New Contributor I

We are also affected. Please let me know if you have any solution.

MichaelA_Intel
Moderator

I wanted to provide an update to this thread. We are digging into this and are working on a response for this thread. Thank you for your patience.


Regards,

Michael


Horgster
New Contributor I

Hi @MichaelA_Intel 

 

I can confirm that we are having the same issue at our end.
Affecting 2500 devices.

We have also opened a support case with Microsoft Premier Support regarding this security update KB5008102 for November 2021.
We are seeing the same error messages in the event logs of Active Directory Domain Controllers.

Best Regards

Horgster

Horgster
New Contributor I

Hi @MichaelA_Intel  and @SysArch 

I have found a workaround to this problem.

According to KB5008102, this protection and validation check is enforced on users who do not have administrator rights for machine accounts that are trying to create or modify sAMAccountName computer accounts ending with $iME.

The Intel SCS or Intel EMA server machine account is not an administrator account, hence Active Directory refuses to let these machine accounts create computer accounts ending with $iME.

Ref:
https://support.microsoft.com/en-gb/topic/kb5008102-active-directory-security-accounts-manager-hardening-changes-cve-2021-42278-5975b463-4c95-45e1-831a-d120004e258e

To work around this, until a proper fix exists, do this:

1. Add the AD machine account of "Intel SCS" or "Intel EMA" server as member of the "Administrators" group in Active Directory.

2. Reboot the "Intel SCS" or "Intel EMA" server


This allows you to provision the Intel AMT devices again with the ComputerName$iME.

This is of course an ugly workaround and nothing you want to run for a very long time in your environment, but it is the lesser of two evils right now!

This allows you to run the current security updates for November 2021 while this problem is sorted out with a permanent fix, and at the same time allows you to continue provisioning Intel AMT devices.

The above workaround works perfectly for us.

Use it for what it's worth!

Best Regards
Horgster


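The interim workaround above grants the SCS/EMA server's computer account membership of the domain's built-in Administrators group, which on domain controllers is local administrator, so it should be applied deliberately and backed out once a fixed Intel SCS package is in place. The following PowerShell is an added example (not from the thread, Intel or Microsoft) that reports whether the elevation is currently in effect, applies it, and reverts it; it assumes the RSAT ActiveDirectory module, and the server name `SCS01` is a placeholder.

```powershell
# Added example, not from the thread: check, apply and revert the interim
# "server computer account in Administrators" workaround. Assumes the
# ActiveDirectory module; 'SCS01' below is a placeholder server name.
#Requires -Modules ActiveDirectory

# The built-in Administrators group is addressed by its well-known SID so the
# functions do not depend on a localized or renamed display name.
$script:AdminsSid = 'S-1-5-32-544'

function Get-ScsWorkaroundState {
    param([Parameter(Mandatory)][string]$ServerName)
    $admins   = Get-ADGroup -Identity $script:AdminsSid
    $computer = Get-ADComputer -Identity $ServerName
    # Membership is compared by SID rather than by name to avoid false matches
    # between the computer object and a same-named user or group.
    $isMember = [bool](Get-ADGroupMember -Identity $admins |
                       Where-Object { $_.SID -eq $computer.SID })
    [pscustomobject]@{
        Server   = $computer.Name
        Group    = $admins.Name
        IsMember = $isMember
        Status   = if ($isMember) { 'Interim workaround in place; remove after the fixed SCS package is deployed' }
                   else            { 'Not elevated' }
    }
}

function Enable-ScsWorkaround {
    param([Parameter(Mandatory)][string]$ServerName)
    $admins = Get-ADGroup -Identity $script:AdminsSid
    Add-ADGroupMember -Identity $admins -Members (Get-ADComputer -Identity $ServerName)
    # Group membership is picked up at the next logon/token build, which is why
    # the post reboots the SCS/EMA server afterwards.
}

function Disable-ScsWorkaround {
    param([Parameter(Mandatory)][string]$ServerName)
    $admins = Get-ADGroup -Identity $script:AdminsSid
    Remove-ADGroupMember -Identity $admins -Members (Get-ADComputer -Identity $ServerName) -Confirm:$false
}

# Report the current state for the placeholder server.
Get-ScsWorkaroundState -ServerName 'SCS01' | Format-List
```

Keep the output of `Get-ScsWorkaroundState` with your change record, and run `Disable-ScsWorkaround` as part of rolling out the updated SCS package so the elevation does not outlive the problem it was meant to bridge.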
JRüeg
New Contributor I

Thank you for sharing this workaround. Unfortunately, getting my SCS service account approved as a domain admin is about as likely as security approving a removal of the cumulative security patch. But others might have more luck with that.

Horgster
New Contributor I

@JRüeg 

That is fully understandable.

But please be aware that I did write "Administrators group", not "Domain Admins group".
Right now, this is the lesser of two evils until a permanent fix or a better workaround exists.

Best Regards
Horgster

JRüeg
New Contributor I

We did open a Microsoft case and, after some back and forth, adding the user to the Administrators group in the domain is the only available workaround. There is no other way to delegate the needed permissions and there is no other workaround planned. The solution according to Microsoft is for Intel to update their product.

The answer also contains information that "there are plans to apply the same enforcements" for users in the Administrators group as well. So this workaround will not be a permanent solution even if it is not a security concern in your company.

Victor_G_Intel
Moderator

Hello everyone,


Thank you for all of your responses.


Please take into consideration that this situation is being worked on as we speak, directly with Microsoft; as soon as we come up with a solution for this, we will post it on this thread, so please wait for an update.


Regards,


Victor G.

Intel Technical Support Technician


Mathew_E_Intel
Employee

Thank you for sharing your feedback and describing the issue. Please review the attached document and contact your Intel Rep or open a ticket with Intel Customer Support if you have additional questions or need next steps.

 

 

 

Victor_G_Intel
Moderator

Hello SysArch,


Were you able to check the previous post?   


Please let me know if you need further assistance.


Regards,


Victor G.

Intel Technical Support Technician


SysArch
New Contributor I

Hello Victor G

 

Yes, we checked it and unfortunately it's not helpful for us, as we are using the AMT Kerberos authentication.

 

Regards,

SysArch

 

AdrianM_Intel
Moderator

Hello SysArch,


Thank you for your response.


We are checking into different alternatives; we will update the community as soon as possible.


Regards,


Adrian M.

Intel Customer Support Technician


SergioS_Intel
Moderator

Hello SysArch,


We would like to inform you that we have received your input and are working on it. This is a high priority for us, but that said, many of the developers are out on holiday at the end of the year.


As soon as we have an update, we will contact you back.



Best regards,

Sergio S.

Intel Customer Support Technician



SergioS_Intel
Moderator

Hello SysArch,


We have received a fix from the development team and have posted the packages to Download Center. You can find more information here:


https://www.intel.com/content/www/us/en/download/16349/intel-setup-and-configuration-software-intel-scs.html


In case you need more assistance, please contact us back.



somersetchris
Beginner

Hi Sergio,

Thank you for the update.

I have tested and can confirm it has worked for me, systems are back to being enrolled successfully.

 

Many thanks

Chris

 

SergioS_Intel
Moderator

Hello somersetchris,


We are glad to hear that you were able to solve your issue. Please let us know if you need more assistance or if we can close this thread.

 


Best regards,

Sergio S.

Intel Customer Support Technician


