Windows Server 2016’s May 2018 Quality Update brings several Active Directory fixes


Windows Server 2016’s May 2018 Cumulative Quality Update, which brings the OS version to 14393.2237, offers several fixes for issues you might be experiencing on Windows Server 2016-based Certification Authorities (CAs) and AD FS Servers.


About Windows Server 2016 Updates

Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blog post.

On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.

In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security quality update for Windows Server 2016. This update, too, is cumulative and includes all quality and security fixes shipped prior to its release.


Active Directory Certificate Services fix

NDES won’t issue certificates until after restart

This AD CS fix addresses an issue where an NDES server's connection to the Certification Authority (CA) sometimes doesn't automatically reconnect after the Windows Server running AD CS restarts. When this occurs, new devices aren't issued certificates until the NDES server is restarted.


Active Directory Federation Services fixes

IdP-initiated logins fail when PreventTokenReplays is enabled

The first AD FS fix addresses an issue that causes an IdP-initiated login to a SAML-based relying party to fail when PreventTokenReplays is enabled.

User Password Changes break OAUTH-based applications

The second AD FS fix addresses an issue that occurs when OAuth authentication is used from a device or browser application. A user password change generates a failure and requires the user to exit the app or browser before logging in again.

Extranet Smart Lockout trips over time zones

The third fix addresses an issue where enabling Extranet Smart Lockout in time zones UTC+1 and higher does not work. Additionally, it causes normal Extranet Lockout to fail with the following error:

Get-AdfsAccountActivity: DateTime values that are greater than DateTime.MaxValue or smaller than DateTime.MinValue when converted to UTC cannot be serialized to JSON.

This fix is welcomed with open arms in Europe and Asia.

Windows Hello for Business fails to provision PIN

The fourth fix addresses a Windows Hello for Business issue in which new users are not able to provision their PIN. This occurs when no MFA provider is configured in AD FS.


Call to action

When you experience any one of these issues, you are invited to install Windows Server 2016’s May 2018 Cumulative Quality Update (KB4103720) on your Certification Authorities and/or AD FS Servers to resolve them.
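Before or after rolling the update out, it helps to verify which CAs and AD FS servers actually carry it. The following PowerShell function is an added example, not from the original post or from Microsoft; the build 14393.2237 and KB4103720 come from the post, while the registry path, cmdlets and role feature names are standard Windows ones. It reports whether the server is Windows Server 2016, which affected roles it hosts, and whether the update (or a later cumulative update) is present.

```powershell
# Added example: check whether a Windows Server 2016 CA or AD FS server carries the
# May 2018 quality update (build 14393.2237 / KB4103720, values taken from the post).
function Test-May2018QualityUpdate {
    [CmdletBinding()]
    param(
        # Revision (UBR) that the post names for the May 2018 quality update
        [int]$MinimumRevision = 2237,
        [string]$KbId = 'KB4103720'
    )

    # CurrentBuildNumber and UBR together give the "14393.2237" style version
    $cv       = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build    = [int]$cv.CurrentBuildNumber
    $revision = [int]$cv.UBR

    # Only Windows Server 2016 (build 14393) is in scope for this update
    $isServer2016 = ($build -eq 14393)

    # Either test is sufficient: because updates are cumulative, a server that went
    # straight to a later update has a UBR above 2237 but no KB4103720 in Get-HotFix
    $hasBuild = $isServer2016 -and ($revision -ge $MinimumRevision)
    $hasKb    = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

    # Roles the post says are affected; Get-WindowsFeature needs the ServerManager
    # module, which is present on Server SKUs
    $roles = Get-WindowsFeature -Name 'ADCS-Cert-Authority', 'ADFS-Federation' -ErrorAction SilentlyContinue |
             Where-Object Installed |
             Select-Object -ExpandProperty Name

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Build         = "$build.$revision"
        IsServer2016  = $isServer2016
        AffectedRoles = $roles
        HasKB4103720  = $hasKb
        UpdateApplied = ($hasBuild -or $hasKb)
    }
}

# Run locally; CA01 and ADFS01 below are placeholder names for remote use:
# Invoke-Command -ComputerName CA01, ADFS01 -ScriptBlock ${function:Test-May2018QualityUpdate}
Test-May2018QualityUpdate
```

A server that reports IsServer2016 as true, a non-empty AffectedRoles list and UpdateApplied as false is one where the fixes above are still missing.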

Known Issues

Reliability issues have been observed during the creation of shielded VMs and the required artifacts for their deployment.
