The July 2018 Cumulative Quality Update for Windows Server 2016, which brings the OS version to 14393.2395, offers four fixes for issues you might be experiencing on your Windows Server 2016-based Active Directory Federation Services (AD FS) servers and Web Application Proxies.
About Windows Server 2016 Updates
Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blog post.
On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.
In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016. This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.
Active Directory Federation Services
The first fix addresses a Web Application Proxy (WAP) issue related to inactive connections that never end. This leads to system resource leaks (e.g., a memory leak) and to a WAP service that is no longer responsive.
The second fix addresses an AD FS issue that prevents users from selecting a different login option. This occurs when users choose to log in using Certificate Based Authentication, but it has not been configured. This also occurs if users select Certificate Based Authentication and then try to select another login option. If this happens, users will be redirected to the Certificate Based Authentication page until they close the browser.
The third fix addresses an issue in AD FS that shows a duplicate Relying Party Trust (RPT) in the AD FS management console when creating or viewing Relying Party Trusts (RPTs) from the console.
The fourth fix addresses an issue in AD FS that causes Windows Hello for Business to fail. The issue occurs when there are two claim providers. PIN registration will fail with the following error:
400 Internal Server Error: Unable to obtain device identifier.
Call to action
If you experience any of these issues, you are invited to install the July 2018 Cumulative Quality Update for Windows Server 2016 (KB4338822) on your Active Directory Federation Services (AD FS) servers to resolve them.
After you install any of the July 2018 .NET Framework Security Updates, a COM component fails to load because of “access denied,” “class not registered,” or “internal failure occurred for unknown reasons” errors.