On-premises Identity updates & fixes for August 2020

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for August 2020:

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4571694 August 11, 2020

The August 11 update for Windows Server 2016 (KB4571694), which updates the OS build number to 14393.3866, is a security update that includes quality improvements.

This update addresses a critical Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472). This vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a Domain Controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could connect to a domain controller to obtain domain administrator access. Addressing this vulnerability starts with flagging insecure connections to Netlogon with Event ID 5829.

This update also addresses an important Local Security Authority Subsystem Service (LSASS) Elevation of Privilege Vulnerability (CVE-2020-1509). This vulnerability exists in the Local Security Authority Subsystem Service (LSASS) when an authenticated attacker sends a specially crafted authentication request. A remote attacker who successfully exploited this vulnerability could cause an elevation of privilege on the target system's LSASS service.

If you’re using Windows Backup to create backups of Domain Controllers, then this update is of importance, because it addresses an Elevation of Privilege vulnerability in the Windows Backup Service (CVE-2020-1534).

It includes the following Identity-related quality improvements:

  • It addresses an issue that causes Remote Server Administration Tools (RSAT) to stop working on Windows 10 machines. This occurs when you create or edit a Group Policy Object that contains a Scheduled Task.
  • It addresses an issue in Universal Windows Platform (UWP) apps that allows single sign-on authentication when an app does not have the Enterprise Authentication capability. With the release of CVE-2020-1509, UWP applications might begin prompting the user for credentials.
  • It updates the message users receive that tells them to check their phone for notifications from the Microsoft Authenticator application. This message only appears when authentication is done using the AD FS Azure Multi-Factor Authentication (MFA) adapter.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4565349 August 11, 2020

The August 11 update for Windows Server 2019 (KB4565349), which updates the OS build number to 17763.1397, is a security update that includes quality improvements.

This update addresses a critical Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472). This vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a Domain Controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could connect to a domain controller to obtain domain administrator access. Addressing this vulnerability starts with flagging insecure connections to Netlogon with Event ID 5829.

This update also addresses an important Local Security Authority Subsystem Service (LSASS) Elevation of Privilege Vulnerability (CVE-2020-1509). This vulnerability exists in the Local Security Authority Subsystem Service (LSASS) when an authenticated attacker sends a specially crafted authentication request. A remote attacker who successfully exploited this vulnerability could cause an elevation of privilege on the target system's LSASS service.

If you’re using Windows Backup to create backups of Domain Controllers, then this update is of importance, because it addresses an Elevation of Privilege vulnerability in the Windows Backup Service (CVE-2020-1534).
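Since both the Windows Server 2016 (KB4571694) and Windows Server 2019 (KB4565349) updates only flag vulnerable Netlogon secure channel connections with Event ID 5829 rather than blocking them, the useful follow-up is to collect those events from every Domain Controller and turn them into a worklist of machine accounts to update. The script below is an added example, not code from the original post or from Microsoft; it assumes the event lands in the System log and that its message carries a "SamAccountName:" line (adjust the regular expression if your event text differs).

```powershell
# Added example: summarize Event ID 5829 ("vulnerable Netlogon secure channel
# connection allowed") per Domain Controller and per machine account, so the
# flagged systems can be patched or replaced before enforcement begins.
# Assumptions: events are in the System log; the message text contains a
# "SamAccountName:" line naming the connecting machine account.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # DCs to query
    [int]$Days = 30                                   # look-back window
)

$filter = @{
    LogName   = 'System'
    Id        = 5829
    StartTime = (Get-Date).AddDays(-$Days)
}

$findings = foreach ($dc in $ComputerName) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when nothing matches; that means "clean".
        if ($_.Exception.Message -match 'No events were found') { continue }
        Write-Warning "$dc`: $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Pull the machine account out of the message; fall back if the text differs.
        $account = if ($e.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
        [pscustomobject]@{
            DomainController = $dc
            TimeCreated      = $e.TimeCreated
            Account          = $account
        }
    }
}

# One row per (DC, account) with a count and the most recent sighting: the
# accounts at the top of the list are the ones still talking insecurely most often.
$findings |
    Group-Object DomainController, Account |
    ForEach-Object {
        [pscustomobject]@{
            DomainController = $_.Group[0].DomainController
            Account          = $_.Group[0].Account
            Connections      = $_.Count
            LastSeen         = ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Connections -Descending |
    Format-Table -AutoSize
```

Run it against all Domain Controllers (`-ComputerName (Get-ADDomainController -Filter *).HostName`) rather than one at a time, because a given machine only logs the event on the DC it happened to authenticate against.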

It additionally addresses an issue in Universal Windows Platform (UWP) apps that allows single sign-on authentication when an app does not have the Enterprise Authentication capability. With the release of CVE-2020-1509, UWP applications might begin prompting the user for credentials.

KB4571748 August 20, 2020

The August 20 update for Windows Server 2019 (KB4571748), which updates the OS build number to 17763.1432, is a non-security update. It includes the following Identity-related fixes:

  • It addresses an issue that prevents a delegated user from importing a Group Policy object (GPO) even though the user has the required privilege.
  • It addresses an issue that sometimes prevents AppLocker from running an application whose publisher rule allows it to run.
  • It addresses an issue in which AppLocker publisher rules might sometimes prevent applications from loading software modules; this can cause partial application failure.
  • It addresses an issue that causes the configuration of the “Minimum Password Length” Group Policy with more than 14 characters to have no effect. For more information, see KB4557232.
  • It addresses classification failures caused by the wrong User Principal Name (UPN).
  • It addresses an issue that fails to log events 4732 and 4733 for Domain-Local group membership changes in certain scenarios. This occurs when you use the “Permissive Modify” control; for example, the Active Directory (AD) PowerShell modules use this control.
  • It addresses a Security Assertion Markup Language (SAML) Scoping support issue in the Active Directory Federation Service (AD FS) that is related to entityID and IDPList. For more information, see section 3.4.1.2 of the SAML Core specification.
  • It addresses an issue that prevents Account activity cmdlets from executing when you specify an identity that is not in a UPN format.
