A security feature bypass vulnerability exists when ADFS incorrectly treats requests coming from Extranet clients as Intranet requests. To exploit this vulnerability, an attacker could run a specially crafted application and attempt to brute-force an account password. An attacker who successfully exploited this vulnerability could bypass the account lockout protection enforced on Extranet client requests.This update corrects the security features behavior by correcting how ADFS processes requests.