On-premises Identity-related updates and fixes for March 2024


Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates to improve the experiences and security of Microsoft’s on-premises powerhouses.

This is the list of Identity-related updates and fixes we saw for March 2024:

 

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5035855 March 12, 2024

The March 12, 2024, update for Windows Server 2016 (KB5035855), updating the OS build number to 14393.6796, is a monthly cumulative update. It does not include Identity-related improvements.

KB5037423 March 22, 2024 Out of Band

The March 22, 2024, update for Windows Server 2016 (KB5037423) is an out-of-band cumulative update that addresses a known issue affecting the Local Security Authority Subsystem Service (LSASS).

Following installation of the March 12, 2024, update, LSASS may experience a memory leak on Domain Controllers. This is observed when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests. Extreme memory leaks may cause LSASS to crash, which triggers an unscheduled reboot of Domain Controllers.

 

Windows Server 2019

We observed the following update for Windows Server 2019:

KB5035849 March 12, 2024

The March 12, 2024, update for Windows Server 2019 (KB5035849), updating the OS build number to 17763.5576, is a monthly cumulative update. This update affects Active Directory domains that host mobile device management (MDM) providers. They can transition from the strong certificate mapping Compatibility mode to Enforcement mode. To do this, they can allow an Active Directory Key Distribution Center (KDC) to read user security identifiers (SIDs) from the Subject Alternative Name (SAN). Then, the providers can populate those values. To learn more, see KB5014754.

KB5037425 March 25, 2024 Out of Band

The March 25, 2024, update for Windows Server 2019 (KB5037425) is an out-of-band cumulative update that addresses a known issue affecting the Local Security Authority Subsystem Service (LSASS).

Following installation of the March 12, 2024, update, LSASS may experience a memory leak on Domain Controllers. This is observed when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests. Extreme memory leaks may cause LSASS to crash, which triggers an unscheduled reboot of Domain Controllers.

 

Windows Server 2022

We observed the following update for Windows Server 2022:

KB5035857 March 12, 2024

The March 12, 2024, update for Windows Server 2022 (KB5035857), updating the OS build number to 20348.2340, is a monthly cumulative update. This update affects Active Directory domains that host mobile device management (MDM) providers. They can transition from the strong certificate mapping Compatibility mode to Enforcement mode. To do this, they can allow an Active Directory Key Distribution Center (KDC) to read user security identifiers (SIDs) from the Subject Alternative Name (SAN). Then, the providers can populate those values. To learn more, see KB5014754.

KB5037422 March 22, 2024 Out of Band

The March 22, 2024, update for Windows Server 2022 (KB5037422), updating the OS build number to 20348.2342, is an out-of-band cumulative update that addresses a known issue affecting the Local Security Authority Subsystem Service (LSASS).

Following installation of the March 12, 2024, update, LSASS may experience a memory leak on Domain Controllers. This is observed when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests. Extreme memory leaks may cause LSASS to crash, which triggers an unscheduled reboot of Domain Controllers.
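To find Domain Controllers that are still on the exact March 12, 2024, build and therefore exposed to the LSASS leak, the following added example (not code from Microsoft or from this post) compares each Domain Controller's OS build to the build numbers listed above and reports the current LSASS working set. It assumes the ActiveDirectory PowerShell module, PowerShell remoting to all Domain Controllers, and that any build higher than the March 12 build already contains the fix; the variable and property names are illustrative.

```powershell
# Added example: flag Domain Controllers still running the March 12, 2024, build.
# Build numbers and KB numbers are the ones listed in this post.
Import-Module ActiveDirectory

# March 12 OS build -> out-of-band update that fixes the LSASS leak
$leakyBuilds = @{
    '14393.6796' = 'KB5037423'   # Windows Server 2016
    '17763.5576' = 'KB5037425'   # Windows Server 2019
    '20348.2340' = 'KB5037422'   # Windows Server 2022
}

$dcs = (Get-ADDomainController -Filter *).HostName

# Read build, update revision (UBR) and LSASS memory on every Domain Controller
$results = Invoke-Command -ComputerName $dcs -ErrorAction SilentlyContinue -ScriptBlock {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $lsass = Get-Process -Name lsass
    [pscustomobject]@{
        Build             = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
        LsassWorkingSetMB = [math]::Round($lsass.WorkingSet64 / 1MB)
    }
}

# A Domain Controller needs attention only when its build matches a leaky build exactly
$results | ForEach-Object {
    $fix = $leakyBuilds[$_.Build]
    [pscustomobject]@{
        DomainController  = $_.PSComputerName
        Build             = $_.Build
        LsassWorkingSetMB = $_.LsassWorkingSetMB
        Status            = if ($fix) { "Install $fix" } else { 'Not on March 12 build' }
    }
} | Sort-Object Status, DomainController | Format-Table -AutoSize

# Domain Controllers that did not answer need a manual check
$missing = $dcs | Where-Object { $_ -notin $results.PSComputerName }
if ($missing) { Write-Warning "No response from: $($missing -join ', ')" }
```

A Domain Controller reported as 'Not on March 12 build' may simply not have the March updates yet, so read the Build column alongside the Status column.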

Author: Sander Berkouwer
