If you bind your Macs to AD, you probably heard or read that AD bind was going to break once Microsoft released a security patch.
Jamf had an excellent blog post explaining what was going on:
This of course started the discussion (on Slack in #activedirectory) of why to bind to AD at all. In my opinion (and that of most of my fellow edu lab admins), binding Macs to AD is still the best way to run shared macOS devices in labs. We also use 802.1X Wi-Fi login profiles, for example.
A lot of Mac admins (including myself) started filing tickets with Apple (Feedback Assistant!) and Microsoft to bring this problem to their attention.
Microsoft did postpone the definitive enforcement phase to October. https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
But there's better news: they released a patch that fixes the binding problem for macOS and Linux with the AD PacRequestorEnforcement key set to "2".
The fix isn't explicitly mentioned in the release notes; for example, this KB article doesn't list it: https://support.microsoft.com/en-au/topic/april-12-2022-kb5012647-os-build-17763-2803-9a10c5c9-e65f-4ae1-a9c4-2db9a8eca4fc
With the help of my Windows colleague we applied the fix on the AD server and successfully bound with PacRequestorEnforcement set to "2". We used Windows Server 2019 build 17763.2803; build 17763.2300 did not work.
On Slack in the #activedirectory channel more admins had the same results.
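Before flipping PacRequestorEnforcement to 2, it helps to confirm every domain controller is already on a build that carries the fix. The check below is an added example, not from the original post or from Microsoft; it assumes the KDC registry key documented in KB5008380 (HKLM\SYSTEM\CurrentControlSet\Services\Kdc\PacRequestorEnforcement), the Server 2019 build numbers quoted above, the ActiveDirectory PowerShell module, and WinRM access to the DCs.

```powershell
# Minimum Server 2019 build known (from this post) to bind macOS with enforcement = 2.
$FixedBuild = 17763   # CurrentBuild for Windows Server 2019
$FixedUbr   = 2803    # UBR (update build revision) of the April 2022 fix

$ScriptBlock = {
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $kdc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC           = $env:COMPUTERNAME
        CurrentBuild = [int]$ver.CurrentBuild
        UBR          = [int]$ver.UBR
        # $null means the value is not set; the KB default then applies (assumption: treat as not explicitly 2).
        PacRequestorEnforcement = $kdc.PacRequestorEnforcement
    }
}

# Query every DC in the domain over WinRM.
$dcs = (Get-ADDomainController -Filter *).HostName
$results = Invoke-Command -ComputerName $dcs -ScriptBlock $ScriptBlock

foreach ($r in $results) {
    # Only Server 2019 (17763) is covered by the numbers in this post; other builds are flagged for manual review.
    $patched = ($r.CurrentBuild -eq $FixedBuild -and $r.UBR -ge $FixedUbr)
    $state = if ($r.CurrentBuild -ne $FixedBuild) { 'UNKNOWN (not a 17763 build, check KB manually)' }
             elseif ($patched -and $r.PacRequestorEnforcement -eq 2) { 'OK: patched and enforcing' }
             elseif ($patched) { 'OK to set enforcement to 2' }
             else { 'RISK: setting enforcement to 2 will break macOS/Linux bind' }
    '{0,-30} {1}.{2,-6} PacRequestorEnforcement={3,-6} {4}' -f $r.DC, $r.CurrentBuild, $r.UBR,
        ($(if ($null -eq $r.PacRequestorEnforcement) { 'unset' } else { $r.PacRequestorEnforcement })), $state
}
```

Run it from a management host as a domain admin; any DC reported as RISK should be patched before the enforcement value is raised domain-wide.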
A big thank you to Jaap for your help, and to everybody in #activedirectory on Slack. We can breathe again!