Operational Defect Database

BugZero found this defect 586 days ago.

Microsoft Windows Server | WI450869

Domain join processes may fail with error "0xaac (2732)"

Last update date:

6/20/2023

Description:

Impact: This might be encountered when an account was created by a different identity than the one used to join the domain

Originating KB URL: https://support.microsoft.com/en-us/topic/5018427
Originating KB Release Date: 2022-10-11T10:00:00-07:00
Originating Build: 22621.674
Resolved KB URL: https://support.microsoft.com/en-us/topic/5023706
Date Resolved: 2023-03-14T10:00:00-07:00

Vendor Message History:
=======================

Published: 2023-06-20T01:37:05.99+00:00
----------------------------------------

Domain join operations might intentionally fail with error "0xaac (2732): NERR_AccountReuseBlockedByPolicy" and text "An account with the same name exists in Active Directory. Re-using the account was blocked by security policy."

This issue originates with the October 2022 security updates (KB5018427 (https://support.microsoft.com/help/5018427)) which introduced some hardening changes enabled by default for domain join. Please see KB5020276 - Netjoin: Domain join hardening changes (https://support.microsoft.com/help/5020276) to understand the new designed behavior.

Affected scenarios include some domain join or re-imaging operations where a computer account was created or pre-staged by a different identity than the identity used to join or re-join the computer to the domain.

Home users of Windows are unlikely to experience this issue.

Resolution: This issue was resolved in updates released March 14, 2023 (KB5023706 (https://support.microsoft.com/help/5023706)) or later. Please see KB5020276 (https://support.microsoft.com/help/5020276) to understand the newly re-designed behavior. We have added information about a new Allowlist policy for trusted computer account creators to this KB.

Affected platforms:
- Client: Windows 11, version 22H2; Windows 10, version 22H2; Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; Windows 10, version 20H2; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise 2015 LTSB; Windows 8.1; Windows 7 SP1
- Server: Windows Server 2022; Windows Server, version 20H2; Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

Published: 2022-10-27T23:58:51.207+00:00
----------------------------------------

Next steps: Please see KB5020276 (https://support.microsoft.com/help/5020276) to understand the designed behavior. We have added insights to this KB, and are evaluating whether optimizations can be made in a future Windows Update. This guidance will be updated once those changes have released.

Published: 2022-10-27T23:24:39.913+00:00
----------------------------------------

Next steps: Please see KB5020276 (https://support.microsoft.com/help/5020276) to understand the designed behavior. We will be adding insights to this KB shortly and are evaluating whether optimizations can be made in a future Windows Update. This guidance will be updated once those changes have released.


Status

Resolved
