Domain Join Hardening Changes (KB5020276) – Workaround

NOTE: This is 100% a workaround to a security bug/fix. I hope to have a second post out soon that has a better solution, but it may involve a number of things, including searching for an existing computer object, saving its OU and group membership, and deleting it. It may further also go into fixing the root issue of an overprivileged domain join account that has owner permissions to many computer objects.

(Additionally, if you move to 100% Azure AD join, this problem no longer exists 😁)

As part of the 2022-10 cumulative update for all supported operating systems, a change was made to resolve a security vulnerability regarding computer account reuse during domain join. More details can be found here: KB5020276 – Netjoin: Domain join hardening changes.

Note that these changes are specifically client-side changes; the additional checks occur client-side when domain join is performed. If your base WIM(s) do not have the 2022-10 CU installed, this will not be an issue.

In environments where tools like ConfigMgr are used for imaging devices, this may pose a problem when computer objects are expected to be reused and those objects are not owned by the domain join account (e.g. computer objects that were pre-staged by an IT tech, an object that was initially joined manually, etc.).

In my testing, I found a quick workaround, and have ideas for a better solution (see note at top and bottom of post).

Workaround

The workaround for this is to create a new registry value in the OS before domain join occurs and remove it after.

New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name NetJoinLegacyAccountReuse -PropertyType DWORD -Value 1

The above registry setting will enable “legacy” account reuse to function. In order to utilize this method, you may need to change how domain join is handled in your task sequence.

Join Domain Step

Before I made the above changes, I was initially using the “Apply Network Settings” step to set the domain join information, which would normally get saved to an unattend file in the new OS to be applied later. Since we need to get into the new OS to apply the registry setting, I changed this to join a workgroup instead, and added a few steps after “Setup Windows and ConfigMgr” to do the following:

  1. “Run PowerShell Script” step to create the registry value
    New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name NetJoinLegacyAccountReuse -PropertyType DWORD -Value 1
  2. “Join Domain or Workgroup” step to join the domain
  3. “Run PowerShell Script” step to remove the registry value
    Remove-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name NetJoinLegacyAccountReuse
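The three steps above, combined into a single script as an added example (this is not the original post's script and not part of ConfigMgr). It assumes the join is performed from the script itself with Add-Computer rather than the "Join Domain or Workgroup" step, and that $DomainName, $OUPath and $JoinCredential are supplied by the caller (placeholders here). The point of the try/finally is that the NetJoinLegacyAccountReuse value is removed even when the join fails, so the hardening is not left disabled on a half-built device, and the final check confirms the value is actually gone.

```powershell
# Added example, not from the original post. Wraps "create value -> join -> remove value"
# so the legacy-reuse value never outlives the join attempt.
# Run as an administrator in the full OS (after "Setup Windows and ConfigMgr").
param(
    [Parameter(Mandatory)] [string] $DomainName,           # placeholder, e.g. "corp.example.com"
    [string] $OUPath,                                      # optional, e.g. "OU=Workstations,DC=corp,DC=example,DC=com"
    [Parameter(Mandatory)] [pscredential] $JoinCredential  # the domain join account (placeholder)
)

$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'NetJoinLegacyAccountReuse'

function Enable-LegacyAccountReuse {
    # Same value the post creates in step 1; -Force overwrites it if a stale copy exists.
    New-ItemProperty -Path $lsaPath -Name $valueName -PropertyType DWORD -Value 1 -Force | Out-Null
}

function Disable-LegacyAccountReuse {
    # Same as step 3; SilentlyContinue so cleanup never throws if the value is already absent.
    Remove-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue
}

function Test-LegacyAccountReuseCleared {
    # $true when the value is gone, i.e. the KB5020276 hardening is back in effect.
    $prop = Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue
    return ($null -eq $prop)
}

$joinSucceeded = $false
try {
    Enable-LegacyAccountReuse

    # Step 2: the join. ErrorAction Stop turns a failed join into a catchable exception.
    $joinParams = @{
        DomainName  = $DomainName
        Credential  = $JoinCredential
        ErrorAction = 'Stop'
    }
    if ($OUPath) { $joinParams['OUPath'] = $OUPath }
    Add-Computer @joinParams
    $joinSucceeded = $true
    Write-Output "Joined $DomainName"
}
catch {
    Write-Error "Domain join failed: $_"
}
finally {
    # Step 3 always runs, whether or not the join worked.
    Disable-LegacyAccountReuse
    if (-not (Test-LegacyAccountReuseCleared)) {
        Write-Warning "$valueName is still present under $lsaPath; remove it before the device leaves the build."
    }
}

if (-not $joinSucceeded) { exit 1 }
```

The exit code lets the task sequence treat a failed join as a failed step, while the registry value has already been removed by the time the script returns. If you keep the separate "Join Domain or Workgroup" step instead, the same Enable/Disable/Test functions still map one-to-one onto steps 1 and 3, and Test-LegacyAccountReuseCleared is worth running as a final step so a device never finishes imaging with the value still set.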

NOTE: This is 100% a workaround to a security bug/fix. I hope to have a second post out soon that has a better solution, but it may involve a number of things, including searching for an existing computer object, saving its OU and group membership, and deleting it. It may further also go into fixing the root issue of an overprivileged domain join account that has owner permissions to many computer objects.
