On-premises Microsoft Identity-related updates and fixes for April 2020

Windows Server

Even though Microsoft's Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for April 2020:

  

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4550929 April 14, 2020

The April 14, 2020 update for Windows Server 2016 (KB4550929), which updates the OS build number to 14393.3630, includes both security and quality improvements.

The update addresses a Windows DNS Denial of Service Vulnerability (CVE-2020-0993). This vulnerability in the way Windows DNS handles queries might cause the DNS service to become nonresponsive. To exploit the vulnerability, an authenticated attacker could send malicious DNS queries to a target, resulting in a denial of service. The update addresses the vulnerability by correcting how Windows DNS processes queries.

KB4550947 April 21, 2020

The April 21, 2020 update for Windows Server 2016 (KB4550947), which updates the OS build number to 14393.3659, includes quality improvements. This update addresses the following issues:

  1. It addresses an issue that causes a memory leak in the LsaIso.exe process when the server is under a heavy authentication load and Credential Guard is enabled.
  2. It addresses an issue that might cause a delay of up to two minutes when signing in or unlocking a session on Hybrid Azure Active Directory-joined machines.
  3. It addresses an issue with running klist.exe that causes lsass.exe to stop working and generates an access violation error (0xC0000005).
  4. It addresses an issue that causes devices that are provisioned for Windows Hello for Business (WHfB) to fail. Registration occasionally fails, which leads to a delay in WHfB enrollment and, in some instances, creates Conflicting Objects (CNF) in the Active Directory Registered Devices container.
  5. It addresses an issue that occurs when you try to sign in to Windows during recovery mode. The error, "No administrator accounts are available on this machine", appears.
  6. It addresses an issue that prevents you from removing some local users from local built-in groups. For example, you cannot remove "Guest" from the "Guests" local group.

  

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4549949 April 14, 2020

The April 14, 2020 update for Windows Server 2019 (KB4549949), which updates the OS build number to 17763.1158, includes both security and quality improvements.

The update addresses a Windows DNS Denial of Service Vulnerability (CVE-2020-0993). This vulnerability in the way Windows DNS handles queries might cause the DNS service to become nonresponsive. To exploit the vulnerability, an authenticated attacker could send malicious DNS queries to a target, resulting in a denial of service. The update addresses the vulnerability by correcting how Windows DNS processes queries.

Additionally, three Hyper-V Elevation of Privilege vulnerabilities (CVE-2020-0910, CVE-2020-0917 and CVE-2020-0918) have been addressed in this update. These vulnerabilities exist when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system or fails to properly handle objects in memory. Virtual Domain Controllers running on the same Hyper-V host as a compromised system may fall victim to arbitrary code run on the host operating system by an attacker. The security update addresses the vulnerabilities by correcting how Hyper-V validates guest operating system user input and how Windows Hyper-V handles objects in memory.

Also, this update addresses an issue that prevents certain apps from installing if they are published using a Group Policy Object.

KB4550969 April 21, 2020

The April 21, 2020 update for Windows Server 2019 (KB4550969), which updates the OS build number to 17763.1192, includes quality improvements.

This update addresses the following issues:

  1. It addresses an issue that prevents the correct lock screen from appearing.
  2. It addresses an issue that causes a memory leak in the LsaIso.exe process when the server is under a heavy authentication load and Credential Guard is enabled.
  3. It addresses an issue that prevents hash signing using the Microsoft Platform Crypto Provider for TPMs from working correctly.
  4. It addresses an issue that causes high CPU usage on Active Directory Domain Controllers when migrating to Windows Server 2019. This increases latency in Microsoft Exchange Server operations, causes Managed Store contention, and severely impacts index creation in Active Directory and the Global Catalog’s performance.
  5. It addresses an issue that causes devices that are provisioned for Windows Hello for Business (WHfB) to fail. Registration occasionally fails, which leads to a delay in WHfB enrollment and, in some instances, creates Conflicting Objects (CNF) in the Active Directory Registered Devices container.
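To check where a server stands against the builds listed above, the following added example (not part of the original post) compares the OS build revision with the April 14 and April 21 build numbers. It compares revisions rather than looking for the individual KBs, because a later cumulative update supersedes them. The function names and sample host names are assumptions made for illustration.

```powershell
# OS build revisions (UBR) taken from the April 2020 updates listed in this post.
$Baseline = @{
    '14393' = @{ Name = 'Windows Server 2016'; Security = 3630; Quality = 3659 }
    '17763' = @{ Name = 'Windows Server 2019'; Security = 1158; Quality = 1192 }
}

# Hypothetical helper: classify a build.revision pair against the April 2020 builds.
function Get-April2020PatchState {
    param(
        [Parameter(Mandatory)][string]$Build,   # for example '14393'
        [Parameter(Mandatory)][int]$Revision    # for example 3630
    )
    $b = $Baseline[$Build]
    if (-not $b) { return 'Build not covered by this post' }
    # Updates are cumulative: a higher revision contains every earlier fix.
    if ($Revision -lt $b.Security) { return "$($b.Name): April 14 security fixes missing" }
    if ($Revision -lt $b.Quality)  { return "$($b.Name): security fixes present, April 21 quality fixes missing" }
    return "$($b.Name): April 14 and April 21 fixes present"
}

# Hypothetical helper: read build and revision from the registry, locally or over WinRM.
function Get-ServerBuild {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $read = {
        $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        [pscustomobject]@{ Build = [string]$cv.CurrentBuildNumber; Revision = [int]$cv.UBR }
    }
    if ($ComputerName -eq $env:COMPUTERNAME) { & $read }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $read }
}

# Constructed sample values, followed by the machine the script runs on.
$rows = @(
    [pscustomobject]@{ Computer = 'dc01 (sample)'; Build = '14393'; Revision = 3595 }
    [pscustomobject]@{ Computer = 'dc02 (sample)'; Build = '17763'; Revision = 1158 }
)
$local = Get-ServerBuild
$rows += [pscustomobject]@{
    Computer = $env:COMPUTERNAME; Build = $local.Build; Revision = $local.Revision
}

$rows | Select-Object Computer, Build, Revision, @{
    Name = 'State'
    Expression = { Get-April2020PatchState -Build $_.Build -Revision $_.Revision }
}
```

Pass a Domain Controller's name to `Get-ServerBuild -ComputerName` to read it remotely; this requires PowerShell remoting to be enabled on the target.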

One Response to On-premises Microsoft Identity-related updates and fixes for April 2020

  1.  

    After updating with KB4550947 and KB4550994, "Control Panel – User Accounts" does not show the "Manage User Accounts" option anymore on my Windows Server 2016 VM.

    I have 2 other identical VMs that were not updated and the "Manage User Accounts" is just fine with them.
