Even though Microsoft's Identity focus is moving towards the cloud, the company is not forgetting its on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates.
These are the Identity-related updates and fixes we saw for November 2020:
Windows Server 2016
We observed the following updates for Windows Server 2016:
KB4586830 November 10, 2020
The November 10 update for Windows Server 2016 (KB4586830), updating the OS build number to 14393.4046, is a security update that includes quality improvements.
The Identity-related vulnerability addressed this month is CVE-2020-17049. Described as a Kerberos Constrained Delegation Security Feature Bypass vulnerability, it allows a compromised service that is configured to use KCD to tamper with a service ticket that is not valid for delegation and force the KDC to accept it.
It also includes the following identity-related quality improvements:
- It allows administrators to use a Group Policy to enable the Save Target As… option for people in Microsoft Edge Internet Explorer (IE) Mode.
- It addresses an issue that causes the Microsoft Management Console (MMC) Group Policy application to stop working when you are editing the Group Policy Security settings. The error message is:
MMC cannot initialize the snap-in
- It addresses an issue with devices on which Credential Guard is enabled; if these devices use a machine-bound certificate, authentication requests might fail. This occurs because Windows Server 2016 and Windows Server 2019-based Domain Controllers add duplicate KeyID values to the msDS-KeyCredentialLink attribute of these devices.
- It addresses an issue that might cause Windows 10 devices that enable Credential Guard to fail authentication requests when they use the machine certificate.
KB4594441 November 19, 2020
The November 19 update for Windows Server 2016 (KB4594441), updating the OS build number to 14393.4048, is an out-of-band update that resolves Kerberos issues with the November 10 update.
Windows Server 2019
We observed the following updates for Windows Server 2019:
KB4586793 November 10, 2020
The November 10 update for Windows Server 2019 (KB4586793), updating the OS build number to 17763.1577, is a security update that includes quality improvements.
KB4586793 addresses CVE-2020-17049. Described as a Kerberos Constrained Delegation Security Feature Bypass vulnerability, it allows a compromised service that is configured to use KCD to tamper with a service ticket that is not valid for delegation and force the KDC to accept it.
KB4594442 November 17, 2020
The November 17 update for Windows Server 2019 (KB4594442), updating the OS build number to 17763.1579, is an out-of-band update that resolves Kerberos issues with the November 10 update.
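As an added example (not part of the original post), the script below audits every domain controller in the current domain against the build numbers listed above for both Windows Server 2016 and Windows Server 2019. It flags DCs that are still missing the November 10 security update for CVE-2020-17049, and DCs that have it but not the out-of-band Kerberos fix. It assumes PowerShell remoting to the DCs and the RSAT ActiveDirectory module; the `$NovemberBaselines` table and `Get-NovemberPatchState` function are the example's own names.

```powershell
# Baselines taken from the KB articles discussed above (build.UBR per OS version).
$NovemberBaselines = @{
    # Windows Server 2016: KB4586830 (14393.4046), out-of-band KB4594441 (14393.4048)
    '14393' = @{ Name = 'Windows Server 2016'; SecurityUbr = 4046; OobUbr = 4048
                 SecurityKb = 'KB4586830'; OobKb = 'KB4594441' }
    # Windows Server 2019: KB4586793 (17763.1577), out-of-band KB4594442 (17763.1579)
    '17763' = @{ Name = 'Windows Server 2019'; SecurityUbr = 1577; OobUbr = 1579
                 SecurityKb = 'KB4586793'; OobKb = 'KB4594442' }
}

function Get-NovemberPatchState {
    # Reads the OS build and UBR (update build revision) of one DC over remoting
    # and classifies it against the November 2020 baselines.
    param([Parameter(Mandatory)][string]$ComputerName)

    $cv = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
            Select-Object CurrentBuildNumber, UBR
    }

    $baseline = $NovemberBaselines[[string]$cv.CurrentBuildNumber]
    $osName   = if ($baseline) { $baseline.Name } else { 'Other' }

    if (-not $baseline) {
        $state = 'NotCovered'   # not one of the two OS versions discussed here
    } elseif ($cv.UBR -lt $baseline.SecurityUbr) {
        $state = "Missing $($baseline.SecurityKb) (CVE-2020-17049 fix)"
    } elseif ($cv.UBR -lt $baseline.OobUbr) {
        $state = "Has $($baseline.SecurityKb) but missing $($baseline.OobKb) (Kerberos OOB fix)"
    } else {
        $state = 'Current'      # OOB fix or a later cumulative update is installed
    }

    [pscustomobject]@{
        DomainController = $ComputerName
        OS               = $osName
        Build            = "$($cv.CurrentBuildNumber).$($cv.UBR)"
        State            = $state
    }
}

# Audit every DC in the current domain; DCs needing attention sort before 'Current'.
Get-ADDomainController -Filter * |
    ForEach-Object { Get-NovemberPatchState -ComputerName $_.HostName } |
    Sort-Object State |
    Format-Table -AutoSize
```

Because Windows cumulative updates are cumulative, any DC with a UBR at or above the out-of-band value is reported as current even if it received a later month's update instead.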
KB4586839 November 19, 2020
The November 19 update for Windows Server 2019 (KB4586839), updating the OS build number to 17763.1613, is a Preview update. It includes the following identity-related improvements:
- It addresses an issue that causes applications to fail when they call the LookupAccountSid() application programming interface (API). This occurs after migrating accounts to a new domain whose name is shorter than the name of the previous domain.
- It addresses an issue that causes the I forgot my PIN functionality on the lock screen to fail. This failure occurs if the user has signed in using a username and password and the DontDisplayLastUserName or HideFastUserSwitching policy settings are enabled.
- It addresses an issue that prevents access to Azure Active Directory (AD) using the Google Chrome browser because of a Conditional Access policy error.
- It addresses an issue that causes the Microsoft Management Console (MMC) Group Policy application to stop working when you are editing the Group Policy Security settings. The error message is:
MMC cannot initialize the snap-in.
- It addresses an issue in the Microsoft Remote Procedure Call (RPC) runtime that causes the Distributed File System Replication (DFSR) service to stop responding. This issue generates log events for DFS Replication (5014), RPC (1726), and no reconnection (5004) for a default timeout of 24 hours with no replication.
- It addresses an issue with Active Directory Certificate Services (AD CS) that might prevent Certificate Transparency (CT) logs from being submitted, if enabled.