Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates.
These are the Identity-related updates and fixes we saw for October 2020:
Windows Server 2016
We observed the following updates for Windows Server 2016:
KB4580346 October 13, 2020
The October 13 update for Windows Server 2016 (KB4580346), updating the OS build number to 14393.3986, is a security update that includes quality improvements.
By far, the biggest vulnerability addressed this month is CVE-2020-16898. Described as a remote code execution (RCE) vulnerability in the Windows TCP/IP stack, this vulnerability allows attackers to take over Windows systems by sending malicious ICMPv6 Router Advertisement packets to an unpatched computer via a network connection.
To address the Group Policy Elevation of Privilege Vulnerability marked as CVE-2020-16939, this update should be rolled out to all domain-joined Windows Server and Windows installations.
It includes the following identity-related quality improvements:
- It addresses an issue with the Group Policy service that might recursively delete critical files in alphabetic order from %systemroot%\system32. This issue occurs when a policy has been configured to delete cached profiles. These file deletions might cause stop error boot failures with the following error:
0x5A (CRITICAL_SERVICE_FAILED)
- It addresses an issue that might cause Windows 10 devices that enable Credential Guard to fail authentication requests when they use the machine certificate.
- It addresses an issue that might prevent you from accessing the Security Options data view in the Group Policy Management Editor (gpedit.msc) or Local Security Policy Editor (secpol.msc). The error is:
MMC has detected an error in a snap-in
Windows Server 2019
We observed the following updates for Windows Server 2019:
KB4577668 October 13, 2020
The October 13 update for Windows Server 2019 (KB4577668), updating the OS build number to 17763.1518, is a security update that includes quality improvements.
By far, the biggest vulnerability addressed this month is CVE-2020-16898. Described as a remote code execution (RCE) vulnerability in the Windows TCP/IP stack, this vulnerability allows attackers to take over Windows systems by sending malicious ICMPv6 Router Advertisement packets to an unpatched computer via a network connection.
To address the Group Policy Elevation of Privilege Vulnerability marked as CVE-2020-16939, this update should be rolled out to all domain-joined Windows Server and Windows installations.
It includes one identity-related quality improvement that addresses an issue with the Group Policy service that might recursively delete critical files in alphabetic order from %systemroot%\system32. This issue occurs when a policy has been configured to delete cached profiles. These file deletions might cause stop error boot failures with the following error:
0x5A (CRITICAL_SERVICE_FAILED)
KB4580390 October 20, 2020
The October 20 update for Windows Server 2019 (KB4580390), updating the OS build number to 17763.1554, is a quality improvement update. It includes the following identity-related quality improvements:
- It allows administrators to use a Group Policy to enable Save Target As for users in Microsoft Edge IE Mode.
- It addresses an issue with the CleanupProfiles Group Policy object (GPO). After you upgrade the operating system, when you configure the CleanupProfiles GPO, it fails to remove unused user profiles.
- It addresses an issue that fails to set the desktop wallpaper as configured by a GPO when you specify the local background as a solid color.
- It addresses an issue that prevents you from signing in on certain servers. This occurs when you enable a Group Policy that forces the start of a computer session to be interactive.
- It addresses an issue that occurs when you first sign in to an account or unlock an existing user session using Remote Desktop Services (RDS). If you enter an incorrect password, the current keyboard layout changes unexpectedly to the system default keyboard layout. This keyboard layout change might cause additional attempts to sign in to fail or lead to account lockouts in domains with low account lockout thresholds.
- It addresses an issue that prevents the Smart Cards for Windows service from starting, which prevents the use of a smart card for authentication. The event log shows the error:
Server Control failed to access start event: 621
- It addresses an issue with support for On-Behalf-Of flows (OBO) when using the Microsoft Authentication Library (MSAL).
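To confirm that the security updates above have reached every domain-joined machine, the OS build numbers quoted in this post can serve as a compliance floor. The following PowerShell is an added example, not part of the original post: the function name, host names and inventory are constructed for illustration, and it assumes the build and revision are read from the CurrentBuildNumber and UBR registry values.

```powershell
# Minimum revision (UBR) per OS build, taken from the build numbers in this post.
$MinimumUbr = @{
    14393 = 3986   # Windows Server 2016, KB4580346
    17763 = 1518   # Windows Server 2019, KB4577668
}

function Test-October2020Build {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$OsBuild      # "<build>.<revision>"
    )
    $status = 'Unparseable'                         # default for malformed input
    if ($OsBuild -match '^(\d+)\.(\d+)$') {
        $build = [int]$Matches[1]
        $ubr   = [int]$Matches[2]
        if (-not $MinimumUbr.ContainsKey($build)) { $status = 'NotCovered' }
        elseif ($ubr -ge $MinimumUbr[$build])     { $status = 'Patched' }
        else                                      { $status = 'MissingUpdate' }
    }
    [pscustomobject]@{ Computer = $ComputerName; OsBuild = $OsBuild; Status = $status }
}

# Local machine: build and revision as recorded by the OS.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$localBuild = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
$results = @(Test-October2020Build -ComputerName $env:COMPUTERNAME -OsBuild $localBuild)

# Constructed inventory (sample data, not real hosts), e.g. exported from an asset database.
$inventory = @(
    @{ Computer = 'DC01';  OsBuild = '14393.3986' }   # at the October 13 build
    @{ Computer = 'DC02';  OsBuild = '14393.3930' }   # below the floor
    @{ Computer = 'ADFS1'; OsBuild = '17763.1554' }   # October 20 build, above the floor
    @{ Computer = 'WAP1';  OsBuild = '17763.1457' }   # below the floor
    @{ Computer = 'APP1';  OsBuild = 'unknown' }      # malformed entry
)
$results += foreach ($h in $inventory) {
    Test-October2020Build -ComputerName $h.Computer -OsBuild $h.OsBuild
}

$results | Sort-Object Status, Computer | Format-Table -AutoSize
```

Hosts reported as MissingUpdate are still below the builds that carry the fixes for CVE-2020-16898 and CVE-2020-16939; NotCovered means the OS build is not one of the two discussed here.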