On-premises Microsoft Identity-related updates and fixes for May 2019

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for May 2019:


Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4499177 May 23, 2019

The May 23, 2019 update for Windows Server 2016 (KB4499177), updating the OS Build number to 14393.2999, includes seven Identity-related fixes:

  • It addresses an issue that may cause a temporary KRB_AP_ERR_MODIFIED Kerberos sign-in failure in applications and services configured to use a group Managed Service Account (gMSA). This issue occurs after the automatic update of the service account password.
  • It addresses an issue that causes a sign-in to fail with the error, “Incorrect Username or password” when using an empty or null password and Windows Defender Credential Guard is enabled.
  • It addresses an issue that causes Microsoft Office and other applications to prompt for a password after you change a user account password. This issue occurs on hybrid Azure Active Directory (AD) joined systems.
  • It addresses an issue that may cause event 7600 in the Domain Name System (DNS) server event log to contain an unreadable server name.
  • It addresses an issue with apps that have incorrect audits and are not protected by Extranet Smart lockout when they are published using the Active Directory Federation Services (ADFS) RichClient.
  • It addresses an issue that fails to record a local user’s last logon time even when the user has accessed the server’s network share.
  • It addresses an issue that causes a delay when loading many unsigned Domain Name System (DNS) zones related to the Domain Name System Security Extensions (DNSSEC) feature. This issue occurs after configuring the EnableFastLoadUnsignedZones registry setting with a value of 1.

Unfortunately, it also introduces a known issue:

  • Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of this update on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.

KB4505052 May 19, 2019

The May 19, 2019 update for Windows Server 2016 (KB4505052) merely fixes an issue that was introduced with the May 14, 2019 update, in which some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

KB4494440 May 14, 2019

The May 14, 2019 update for Windows Server 2016 (KB4494440) updating the OS Build number to 14393.2969 provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as Microarchitectural Data Sampling, among other security updates.

It also addresses an issue that may cause zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) to fail.


Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4497934 May 21, 2019

The May 21, 2019 update to Windows Server 2019 (KB4497934) bringing the OS Build number to 17763.529 includes the following Identity-related fixes:

  • It addresses an issue that removes UserRights policies from all users in a security group when you remove a device from a mobile device management (MDM) server or Microsoft Intune deletes a UserRights policy.
  • It addresses an issue that causes Microsoft Office and other applications to prompt for a password after you change a user account password. This issue occurs on hybrid Azure Active Directory (AD) joined systems.
  • It addresses an issue that causes a sign-in to fail with the error, “Incorrect Username or password” when using an empty or null password and Windows Defender Credential Guard is enabled.
  • It addresses an issue that may cause a temporary KRB_AP_ERR_MODIFIED Kerberos sign-in failure in applications and services configured to use a group Managed Service Account (gMSA). This issue occurs after the automatic update of the service account password.
  • It addresses an issue that may cause event 7600 in the Domain Name System (DNS) server event log to contain an unreadable server name.
  • It addresses an issue that fails to record a local user’s last logon time even when the user has accessed the server’s network share.
  • It addresses an issue in which Windows attempts to renew Azure Active Directory (AAD) token certificates when there is no internet connectivity. This issue occurs during AAD authentication and slows the performance of applications.
  • It addresses an issue with Assigned Access deployments (formerly Kiosk Mode) that prevents a user from logging on to an Assigned Access profile. This affects all locales and occurs when the local administrator’s group is not named using the English spelling of “Administrators”. In the Event Viewer, Event 31000 shows the source as “Microsoft-Windows-AssignedAccess/Admin” and displays the error message, “The group used to assign the application can’t be found.”
  • It addresses an issue that causes a delay when loading many unsigned Domain Name System (DNS) zones related to the Domain Name System Security Extensions (DNSSEC) feature. This issue occurs after configuring the EnableFastLoadUnsignedZones registry setting with a value of 1.

KB4505056 May 19, 2019

The May 19, 2019 update to Windows Server 2019 (KB4505056), bringing the OS Build number to 17763.504, merely fixes an issue that was introduced with the May 14, 2019 update, in which some gov.uk websites that don’t support HTTP Strict Transport Security (HSTS) may not be accessible through Internet Explorer 11 or Microsoft Edge.

KB4494441 May 14, 2019

The May 14, 2019 update to Windows Server 2019 (KB4494441) bringing the OS Build number to 17763.503 provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as Microarchitectural Data Sampling, among other security updates.

It also addresses an issue that may cause zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) to fail. This issue was introduced with the May 3, 2019 update.

KB4495667 May 3, 2019

The May 3, 2019 update to Windows Server 2019 (KB4495667) bringing the OS Build number to 17763.475 includes the following Identity-related fixes:

  • It addresses an issue that may allow a user to continue logging on to an account using a smart card after disabling the account.
  • It addresses an issue that prevents access to enterprise resources when using Kerberos with Windows Hello for Business (WHfB) credentials. This causes users to receive multiple prompts to provide their credentials.
  • It addresses an issue that causes Lightweight Directory Access Protocol (LDAP) client applications to stop responding for at least 30 seconds when many LDAP queries are requested through multiple connections. This occurs because of a race condition in wldap32.dll. You must install this update on the LDAP client that calls wldap32.dll.
  • It addresses a gradual memory leak in LSASS.exe on systems that have cached logon enabled. This issue mainly affects servers that process many interactive logon requests, such as web servers.
  • It addresses an issue that may cause a Lightweight Directory Access Protocol (LDAP) query to return incorrect results. This occurs if a filter clause contains an attribute that has a syntax of Large Integer type and the filter uses the rule, LDAP_MATCHING_RULE_BIT_AND. For example, a simple filter, such as “msExchRoleAssignmentFlags:1.2.840.113556.1.4.803:=51539607552” may return no matches when it should.

Unfortunately, it also introduces a known issue:

  • Zone transfers between primary and secondary DNS servers over the Transmission Control Protocol (TCP) may fail after installing this update.
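The bitwise-AND filter in the LDAP bullet above, as an added illustration that is not part of the original post or of Microsoft's documentation: a small Python evaluator for the two Active Directory bitwise matching rules (803 = AND, 804 = OR), run over a constructed set of entries, showing which objects the quoted filter should select once the fix is installed. The DNs and attribute values are made up for the example.

```python
"""Local evaluator for LDAP bitwise extensible-match filters (constructed example)."""
import re

# OIDs of the two bitwise matching rules that Active Directory supports.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# attribute:rule-oid:=value  (optionally wrapped in parentheses)
FILTER_RE = re.compile(r"^(?P<attr>[A-Za-z][\w-]*):(?P<rule>[\d.]+):=(?P<value>-?\d+)$")


def parse_bit_filter(filter_str):
    """Split 'attr:rule:=value' into (attr, rule, int value); reject anything else."""
    m = FILTER_RE.match(filter_str.strip("()"))
    if not m:
        raise ValueError(f"not a simple bitwise extensible-match filter: {filter_str!r}")
    return m.group("attr"), m.group("rule"), int(m.group("value"))


def bit_filter_matches(attr_value, rule, mask):
    """Apply the matching rule to one Large Integer attribute value."""
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return (attr_value & mask) == mask   # every bit in the mask must be set
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return (attr_value & mask) != 0      # at least one bit in the mask is set
    raise ValueError(f"unsupported matching rule {rule}")


def evaluate(filter_str, entries):
    """Return the DNs of the entries that a correctly behaving server should select."""
    attr, rule, mask = parse_bit_filter(filter_str)
    return [dn for dn, attrs in entries.items()
            if attr in attrs and bit_filter_matches(int(attrs[attr]), rule, mask)]


# Constructed sample directory (DNs and values are made up for this example).
# 51539607552 is the value quoted in the post: bits 34 and 35 set, i.e. 2**35 + 2**34.
SAMPLE_ENTRIES = {
    "CN=RoleA,CN=Roles,DC=example,DC=test": {"msExchRoleAssignmentFlags": 2**35 + 2**34},
    "CN=RoleB,CN=Roles,DC=example,DC=test": {"msExchRoleAssignmentFlags": 2**35 + 1},
    "CN=RoleC,CN=Roles,DC=example,DC=test": {"msExchRoleAssignmentFlags": 7},
    "CN=RoleD,CN=Roles,DC=example,DC=test": {},
}

EXAMPLE_FILTER = "msExchRoleAssignmentFlags:1.2.840.113556.1.4.803:=51539607552"

if __name__ == "__main__":
    for dn in evaluate(EXAMPLE_FILTER, SAMPLE_ENTRIES):
        print("should match:", dn)
```

Running the same filter against a domain controller (for example with Get-ADObject -LDAPFilter) and comparing the result set with this local evaluation is a quick way to confirm the fix on a patched server.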

KB4501835 May 1, 2019

The May 1, 2019 update to Windows Server 2019 (KB4501835) bringing the OS Build number to 17763.439 does not include Identity-related fixes.
