The July 2018 Cumulative Quality Update for Windows Server 2016, which brings the OS version to 14393.2457, offers a total of four fixes for issues you might be experiencing on your Windows Server 2016-based Domain Controllers and Active Directory Federation Services (AD FS) servers.
About Windows Server 2016 Updates
Microsoft issues two major updates each month for Windows Server 2016, as outlined in the Patching with Windows Server 2016 blog post.
On the second Tuesday of each month (Patch Tuesday) Microsoft issues a cumulative update that includes security and quality fixes for Windows Server 2016. Being cumulative, this update includes all the previously released security and quality fixes.
In the second half of each month (generally the 3rd week of the month) Microsoft releases a non-security / quality update for Windows Server 2016. This update, too, is cumulative and includes all quality and security fixes shipped prior to this release.
Active Directory Domain Services
LSASS stops working intermittently
The first AD DS fix addresses an Active Directory Domain Services (AD DS) issue that causes Local Security Authority Subsystem Service (LSASS) to stop working intermittently. This issue occurs when a custom component binds over Transport Layer Security (TLS) to a Domain Controller using Simple Authentication and Security Layer (SASL) EXTERNAL authentication.
Lock Screen policies don’t apply correctly
The second AD DS fix addresses an issue from the March 2018 update that prevents the correct lock screen image from appearing when the following settings are enabled through Group Policy:
- Computer Configuration\Administrative Templates\Control Panel\Personalization\Force a specific default lock screen and logon image
- Computer Configuration\Administrative Templates\Control Panel\Personalization\Prevent changing lock screen and logon image
Active Directory Federation Services
Custom culture definitions cause MFA to not work correctly
The first AD FS fix addresses an Active Directory Federation Services (AD FS) issue where Multi-Factor Authentication (MFA) does not work correctly with mobile devices that use custom culture definitions.
Custom culture definitions are used in regional settings to modify the appearance of some data types, like the date format.
The interesting thing about this fix is that it closely resembles a fix in the August 2017 Quality update for Windows Server 2016…
Windows Hello for Business is slow when enrolling a new user
The second AD FS fix addresses an issue in Windows Hello for Business that causes a significant delay (15 seconds) in new user enrollment. This issue occurs when a hardware security module (HSM) is used to store an AD FS Registration Authority (RA) certificate.
Call to action
If you experience any of these issues, you are invited to install the April 2018 Cumulative Quality Update for Windows Server 2016 (KB4343884) on your Active Directory Domain Controllers and Active Directory Federation Services (AD FS) servers to resolve them.
Microsoft is not currently aware of any issues with this update.
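To see which Domain Controllers and AD FS servers are still below the build this post names (14393.2457), the following added example (not from Microsoft or the original post) reads the build and update revision from each server's registry. The server names are placeholders, and it assumes PowerShell remoting is enabled on the targets.

```powershell
# Added example: report servers that are below OS version 14393.2457.
# Because the updates are cumulative, a revision (UBR) at or above 2457
# means the fixes described in this post are present.

$RequiredBuild    = 14393   # Windows Server 2016 build number
$RequiredRevision = 2457    # revision named in this post

# Placeholder names (assumption): replace with your DCs and AD FS servers.
$Servers = @('dc01.example.test', 'dc02.example.test', 'adfs01.example.test')

$results = foreach ($server in $Servers) {
    try {
        # CurrentBuild is a string value, UBR is a DWORD; both live under CurrentVersion.
        $cv = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
                Select-Object CurrentBuild, UBR
        }

        $build = [int]$cv.CurrentBuild
        $ubr   = [int]$cv.UBR

        if ($build -ne $RequiredBuild) {
            # Not Windows Server 2016; this update does not apply.
            $status = 'OtherOSBuild'
        }
        elseif ($ubr -ge $RequiredRevision) {
            $status = 'Patched'
        }
        else {
            $status = 'NeedsUpdate'
        }

        [pscustomobject]@{ Server = $server; Version = "$build.$ubr"; Status = $status }
    }
    catch {
        # Unreachable or access denied: report it instead of silently skipping the server.
        [pscustomobject]@{ Server = $server; Version = $null; Status = "Unreachable: $($_.Exception.Message)" }
    }
}

$results | Sort-Object Status, Server | Format-Table -AutoSize
```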