PKU2U error 0xC000042E: quick fix and why it happens
Windows PKU2U authentication fails with 0xC000042E when a security update disables the old PKU2U protocol. Re-enabling it via registry or group policy fixes it.
Quick answer: Enable AllowOnlineID under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters set to 1, or enable “Network access: Allow PKU2U authentication requests to this computer” in Group Policy.
What’s actually happening here
The PKU2U (Public Key Cryptography Based User-to-User) protocol lets Windows authenticate users via online IDs (like Microsoft account or Azure AD) when there’s no domain controller. Error 0xC000042E means the authentication request was rejected because the PKU2U service is disabled or blocked. This usually shows up after installing KB5005573 or later cumulative updates on Windows 10/11 (versions 21H2 and newer). Microsoft hardened the default security settings — PKU2U gets turned off because it’s considered less secure than Kerberos or NTLM.
Typical scenario: you’re trying to connect to a shared folder on another Windows PC using your Microsoft account credentials. The target machine has the update, but PKU2U is off. The handshake fails, and you get the error. It’s not a driver problem or hardware failure — purely a security policy change.
Fix steps
- Open Registry Editor (regedit) as Administrator. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
- Create a new DWORD (32-bit) named AllowOnlineID. Set its value to 1.
- Restart the computer — a restart is required because Kerberos caches the setting at boot.
That’s usually enough. If the key path doesn’t exist, create it. The reason step 3 works: Windows re-reads the Kerberos configuration parameters on startup, and AllowOnlineID tells the Local Security Authority (LSA) to accept PKU2U tickets. Without it, the LSA silently drops PKU2U requests, producing 0xC000042E.
Alternative fix — Group Policy
If you’re on Windows Pro or Enterprise, you can do it via Local Group Policy instead:
- Run gpedit.msc.
- Go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
- Find “Network access: Allow PKU2U authentication requests to this computer”.
- Set it to Enabled.
- Then run gpupdate /force in an admin command prompt — this refreshes policy without a reboot.
I prefer the registry route because it’s faster and works on Windows Home. The registry fix and the GPO fix modify the same underlying value; they’re interchangeable.
When the main fix doesn’t work
Sometimes re-enabling PKU2U still doesn’t resolve it. Here’s why and what to check:
- Firewall blocking: PKU2U uses port 445 (SMB). If you have a third-party firewall (like Norton or McAfee), it may be blocking SMB connections between non-domain machines. Check logs.
- Credential Manager entry: Try deleting stale saved credentials via control keymgr.dll and re-adding them for the target machine.
- Windows Hello / PIN conflict: Some users report that disabling “Require Windows Hello sign-in for Microsoft accounts” under Settings > Accounts > Sign-in options helps. PKU2U gets confused when the system tries to use a PIN instead of a password.
- Update rollback: If everything fails, uninstall the latest cumulative update (Settings > Windows Update > Update history > Uninstall updates). I’ve only had to do this once, on a client’s Windows 11 22H2 machine where the registry key was already present but ignored — turned out to be a corrupt update.
Prevention tip
After you fix it, the registry change persists across future updates — Microsoft hasn’t re-disabled it, they just default it to off. But if you don’t want random network authentication failures after a major Windows release (like 23H2 or 24H2), either keep a scheduled task that verifies the registry key exists (yes, I’ve done that for a fleet of PCs) or deploy the GPO via domain policy. For a single machine, just remember: after a clean install, the first thing you do is flip AllowOnlineID to 1 if you ever use Microsoft account logons on a workgroup.
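The scheduled check mentioned above could look like the following PowerShell script. It is an added example, not the author's own script: the registry path and value name are the ones given in this article, while the -Remediate switch, the output fields and the exit codes are assumptions made for the example. By default it only reports, so it can run as an audit before anything is changed.

```powershell
# Added example: audit (and optionally restore) the AllowOnlineID value from this article.
# Path and value name come from the article; the -Remediate switch, exit codes
# and output fields are choices made for this example.
[CmdletBinding()]
param(
    [switch]$Remediate,   # without this switch the script reports and changes nothing
    [int]$Expected = 1
)

$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$Name = 'AllowOnlineID'

function Get-AllowOnlineId {
    # Returns the current DWORD, or $null when the key or the value is missing.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$current = Get-AllowOnlineId
$drift   = ($null -eq $current) -or ($current -ne $Expected)
$after   = $current

if ($drift -and $Remediate) {
    # Writing under HKLM requires an elevated session.
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType DWord `
        -Value $Expected -Force | Out-Null
    $after = Get-AllowOnlineId
}

$fixed = $drift -and $Remediate -and ($after -eq $Expected)
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    Before        = if ($null -eq $current) { '<missing>' } else { $current }
    After         = if ($null -eq $after)   { '<missing>' } else { $after }
    Drift         = $drift
    Remediated    = $fixed
    RestartNeeded = $fixed   # the article states the value is read at boot
}

# A non-zero exit code lets Task Scheduler or a monitoring agent flag unresolved drift.
if ($drift -and -not $fixed) { exit 1 } else { exit 0 }
```

Run without -Remediate, the exit code alone shows which machines in a fleet have drifted after a feature update, which is useful to know before deciding whether to turn the setting back on.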