After you install any of the updates that are listed in the list of affected updates table (later in this section) on Windows Server 2012 or Windows Server 2012 R2 domain controllers, or on member servers that perform pass-through authentication on behalf of remote callers, NTLM authentication may fail with error 0xC0000022.
This problem does not occur if the security updates that are described in Microsoft Security Bulletin MS16-101 are installed before, after, or together with fixes in the list of affected updates table.
Note To see the log examples for the Netlogon service shown in this section, you must enable debug logging through the registry or the NLTEST tool. For more information about how to enable debug logging for the Netlogon service, see the following Microsoft webpage:
When this problem occurs, an error message that resembles the following is recorded in the Netlogon.log of an affected domain controller:
The following table shows the error mapping:
The NETLOGON.LOGS files of affected domain controllers will have signatures that resemble the following:
Or the following entries on a stand-alone or member computer with a local account:
Where extended errors map to the following:
List of affected updates
The following updates are known to potentially cause this issue:
Windows 8.1 and Windows Server 2012 R2
Windows Server 2012:
This problem does not occur if the security updates that are described in Microsoft Security Bulletin MS16-101 are installed before, after, or together with fixes in the list of affected updates table.
Note To see the log examples for the Netlogon service shown in this section, you must enable debug logging through the registry or the NLTEST tool. For more information about how to enable debug logging for the Netlogon service, see the following Microsoft webpage:
When this problem occurs, an error message that resembles the following is recorded in the Netlogon.log of an affected domain controller:
SamLogon: Network logon of Domain\User memberServer Returns 0xC0000022
The following table shows the error mapping:
| Hexadecimal | Decimal | Symbolic | Friendly |
| 0xC0000022 | -1073741790 | STATUS_ACCESS_DENIED | A process has requested access to an object, but has not been granted those access rights. |
The NETLOGON.LOGS files of affected domain controllers will have signatures that resemble the following:
Date and time [CRITICAL] [11940] DOMAIN: NlpUserValidateHigher: denying access after status: 0xc0000022 0
Date and time [SESSION] [11940] DOMAIN: NlSetStatusClientSession: Set connection status to c0000022
Date and time [SESSION] [11940] DOMAIN: NlSetStatusClientSession: Unbind from server \\DCName (TCP) 0.
Date and time [SESSION] [11940] DOMAIN: NlSetStatusClientSession: Unbind from server \\DCName (TCP) 1.
Date and time [LOGON] [11940] SamLogon: Network logon of Domain\xxxxx from xxxxxxxxx Returns 0xC000018D
Date and time [SESSION] [11940] DOMAIN: NlSetStatusClientSession: Set connection status to c0000022
Date and time [SESSION] [11940] DOMAIN: NlSetStatusClientSession: Unbind from server \\DCName (TCP) 0.
Date and time [SESSION] [11940] DOMAIN: NlSetStatusClientSession: Unbind from server \\DCName (TCP) 1.
Date and time [LOGON] [11940] SamLogon: Network logon of Domain\xxxxx from xxxxxxxxx Returns 0xC000018D
Or the following entries on a stand-alone or member computer with a local account:
Date and time [LOGON] [4140] SamLogon: Network logon of ComputerA\LocalAccount from ComputerA Entered
Date and time [CRITICAL] [4140] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
Date and time [LOGON] [4140] SamLogon: Network logon of ComputerA\LocalAccount from ComputerA Returns 0xC0000022
Date and time [CRITICAL] [4140] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000064)
Date and time [LOGON] [4140] SamLogon: Network logon of ComputerA\LocalAccount from ComputerA Returns 0xC0000022
Where extended errors map to the following:
| Hexadecimal | Decimal | Symbolic | Friendly |
| 0xC0000022 | -1073741790 | STATUS_ACCESS_DENIED | A process has requested access to an object, but has not been granted those access rights. |
| 0x6e1 | 1761 | RPC_S_ENTRY_NOT_FOUND | The entry is not found. |
| 0xC000018D | -1073741427 | STATUS_TRUSTED_RELATIONSHIP_FAILURE | The logon request failed because the trust relationship between this workstation and the primary domain failed. |
The following updates are known to potentially cause this issue:
Windows 8.1 and Windows Server 2012 R2
| 3187754 | MS16-110: Description of the security update for Windows: September 13, 2016 |
Windows Server 2012:
| 2922223 | You cannot change system time if RealTimeIsUniversal registry entry is enabled in Windows |
| 3167679 | MS16-101: Description of the security update for Windows authentication methods: August 9, 2016 |
| 3174644 | Microsoft security advisory: Updated support for Diffie-Hellman Key Exchange |
| 3175024 | MS16-111: Description of the security update for Windows Kernel: September 13, 2016 |
| 3179575 | August 2016 update rollup for Windows Server 2012 |
| 3187754 | MS16-110: Description of the security update for Windows: September 13, 2016 |
| 3185332 | October 2016 Security Monthly Quality Rollup for Windows Server 2012 |
| 3192393 | October 2016 Security Only Quality Update for Windows Server 2012 |
| 3192406 | October 2016 Preview of Monthly Quality Rollup for Windows Server 2012 |