The January 2018 Cumulative Quality Update for Windows Server 2016, which brings the OS version to 14393.2034, offers several fixes for Certification Authorities (CAs) running Active Directory Certificate Services (AD CS).
About Windows Server 2016 Updates
Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blog post.
On the second Tuesday of each month (Patch Tuesday), Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all previously released security and quality fixes.
In the second half of each month (generally the third week), Microsoft releases a non-security quality update for Windows Server 2016. This update, too, is cumulative and includes all quality and security fixes shipped prior to its release.
Active Directory Certificate Services Fixes
The January 2018 Cumulative Quality Update for Windows Server 2016 addresses two issues with Active Directory Certificate Services (AD CS).
NDES cannot match issuer and serial number
The first fix addresses an issue where retrieving the Certificate Revocation List (CRL) from the Certification Authority (CA) using the Simple Certificate Enrollment Protocol (SCEP) fails. Users see event ID 45, which says, "NDES cannot match issuer and serial number in the device request with any Certification Authority (CA) Certificate".
Invalid OCSP response for expired certificate
The second fix addresses an issue where, if the Online Certificate Status Protocol (OCSP) renewal date comes after the certificate expiration date, the OCSP-stapled response is used until the renewal date, even though the certificate has expired.
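To make the failure mode concrete, here is an added example (not Microsoft's code, and not from the original post) that models a relying party deciding how long to trust a stapled OCSP response. The dates, the response object and the status strings are constructed for the illustration; the point it shows is that the response's nextUpdate must never extend a certificate past its own notAfter.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: a certificate that expired on 1 Jan 2018, with a stapled
# OCSP response whose nextUpdate (the "renewal date") lies a week past that expiry.
NOT_AFTER = datetime(2018, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class OcspResponse:
    cert_status: str        # "good", "revoked" or "unknown", as reported by the responder
    this_update: datetime   # when the responder produced this status
    next_update: datetime   # when a fresh response must be fetched (the renewal date)


SAMPLE_RESPONSE = OcspResponse("good",
                               this_update=NOT_AFTER - timedelta(days=3),
                               next_update=NOT_AFTER + timedelta(days=7))


def evaluate(now: datetime, not_after: datetime, resp: OcspResponse,
             cap_at_expiry: bool) -> str:
    """Decide what a relying party should conclude about the certificate at `now`.

    cap_at_expiry=False models the pre-fix behaviour described in the update notes:
    the stapled response is honoured until its own nextUpdate, even after notAfter.
    cap_at_expiry=True models the corrected behaviour: certificate expiry wins.
    """
    if cap_at_expiry and now > not_after:
        return "expired"            # an OCSP "good" cannot revive an expired certificate
    if now < resp.this_update:
        return "refresh-required"   # response dated in the future: do not trust it
    if now > resp.next_update:
        return "refresh-required"   # stapled response is stale: fetch a new one
    return resp.cert_status


def cache_lifetime(not_after: datetime, resp: OcspResponse) -> datetime:
    """Under the corrected rule a stapled response may be reused only until the
    earlier of its nextUpdate and the certificate's notAfter."""
    return min(resp.next_update, not_after)


if __name__ == "__main__":
    probe = NOT_AFTER + timedelta(days=2)   # two days after the certificate expired
    print("pre-fix:", evaluate(probe, NOT_AFTER, SAMPLE_RESPONSE, cap_at_expiry=False))
    print("fixed:  ", evaluate(probe, NOT_AFTER, SAMPLE_RESPONSE, cap_at_expiry=True))
    print("reuse stapled response until:", cache_lifetime(NOT_AFTER, SAMPLE_RESPONSE))
```

Run as-is, the pre-fix path still reports "good" two days after expiry while the fixed path reports "expired", which is exactly the discrepancy the update removes.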
Call to action
If you experience either of these issues, you are invited to install the January 2018 Cumulative Quality Update for Windows Server 2016 (KB4057142) on your Certification Authorities (CAs) running Active Directory Certificate Services to resolve them.
Known issues
After installing this update, servers where Credential Guard is enabled may experience an unexpected restart with the error, "The system process lsass.exe terminated unexpectedly with status code -1073740791. The system will now shut down and restart." This issue can be resolved by disabling Credential Guard.
Editing some group policies using GPMC or AGPM 4.0 may fail with the error "The data present in the reparse point buffer is invalid. (Exception from HRESULT: 0x80071128)" after installing this update on a domain controller. This issue is resolved in KB4074590.
After installing this update, some users may experience issues logging in to some websites when using third-party account credentials in Microsoft Edge. This issue is resolved in KB4074590.