On-premises Identity-related updates and fixes for February 2021

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates.

These are the Identity-related updates and fixes we saw for February 2021:

Windows Server 2016

We observed the following update for Windows Server 2016:

KB4601318 February 9, 2021

The February 9, 2021 update for Windows Server 2016 (KB4601318), which updates the OS build number to 14393.4225, is a security update that includes quality improvements.

This update configures the Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) countermeasures to enable Enforcement mode to require Netlogon secure channel connections.

It includes the following identity-related improvements:

  • It enables administrators to disable standalone Internet Explorer using a Group Policy while continuing to use Microsoft Edge's IE Mode.
  • It addresses an issue that causes LSASS.exe to stop working because of a race condition that results in a double free error in Schannel. The exception code is c0000374, and the Event Log displays Schannel event 36888, fatal error code 20, and error state 960. This issue occurs after installing Windows updates from September 2020 and later.
  • It addresses an issue that fails to log events 4732 and 4733 for Domain-Local group membership changes in certain scenarios. This occurs when you use the Permissive Modify control. The Active Directory (AD) PowerShell modules use this control.
  • It addresses an issue that incorrectly reports that Lightweight Directory Access Protocol (LDAP) sessions are unsecure in Event ID 2889. This occurs when the LDAP session is authenticated and sealed with a Simple Authentication and Security Layer (SASL) method.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4601345 February 9, 2021

The February 9, 2021 update for Windows Server 2019 (KB4601345), which updates the OS build number to 17763.1757, is a security update.

This update configures the Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) countermeasures to enable Enforcement mode to require Netlogon secure channel connections.

KB4601383 February 16, 2021

The February 16, 2021 update for Windows Server 2019 (KB4601383), which updates the OS build number to 17763.1790, is a preview quality improvement update. It includes the following identity-related improvements:

  • It turns off token binding by default in Windows Internet (WinINet).
  • It addresses an issue that displays a User Account Control (UAC) dialog box unexpectedly when you turn on speech recognition.
  • It removes the history of previously used pictures from a user account profile.
  • It addresses an issue that prevents the Trusted Platform Module (TPM) from starting. As a result, TPM-based scenarios do not work.
  • It addresses an issue with Key Distribution Center (KDC) code, which fails to check for an invalid domain state when the domain controller restarts. The error message is STATUS_INVALID_DOMAIN_STATE.
  • It addresses an issue in which a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerformTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, KRB_GENERIC_ERROR, if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.
  • It addresses an issue that fails to report an error when the Elliptic Curve Digital Signature Algorithm (ECDSA) generates invalid keys of 163 bytes instead of 165 bytes.
  • It addresses an issue with updating to Windows Server 2019 using a .iso image. If you renamed the default administrator account, the Local Security Authority (LSA) process might stop working.
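
To check servers against the builds listed in this post, the following PowerShell sketch compares a "build.revision" string with the February 2021 builds. It is an added example, not code from Microsoft or from this post; the function name and the sample inventory are hypothetical, and it relies on these updates being cumulative.

```powershell
# Builds from the post above: OS build => revision (UBR) installed by each update.
$Feb2021 = @{
    14393 = @{ OS = 'Windows Server 2016'; Security = 4225 }                  # KB4601318
    17763 = @{ OS = 'Windows Server 2019'; Security = 1757; Preview = 1790 }  # KB4601345 / KB4601383
}

function Test-Feb2021Build {                      # hypothetical helper name
    param([Parameter(Mandatory)][string]$Build)   # 'build.revision', e.g. '17763.1757'
    if (-not ($Build -match '^(\d+)\.(\d+)$')) { throw "Unexpected build string '$Build'" }
    $osBuild = [int]$Matches[1]
    $ubr     = [int]$Matches[2]
    $entry   = $Feb2021[$osBuild]
    if (-not $entry) {
        # Not an OS covered by this post: report it rather than guess.
        return [pscustomobject]@{ Build = $Build; OS = 'not covered'
                                  SecurityUpdate = $null; PreviewUpdate = $null }
    }
    [pscustomobject]@{
        Build          = $Build
        OS             = $entry.OS
        # Cumulative updates: a revision at or above the listed one includes it.
        SecurityUpdate = $ubr -ge $entry.Security
        # Only Windows Server 2019 has a preview update in this post; $null elsewhere.
        PreviewUpdate  = if ($entry.ContainsKey('Preview')) { $ubr -ge $entry.Preview } else { $null }
    }
}

# Constructed sample inventory (host names and builds are made up for illustration).
$inventory = [ordered]@{
    'DC01' = '14393.4225'   # 2016, exactly the February security build
    'DC02' = '14393.4104'   # 2016, older revision
    'DC03' = '17763.1757'   # 2019, security update only
    'DC04' = '17763.1790'   # 2019, preview update installed
}
foreach ($name in $inventory.Keys) {
    Test-Feb2021Build -Build $inventory[$name] |
        Select-Object @{ n = 'Host'; e = { $name } }, OS, Build, SecurityUpdate, PreviewUpdate
}

# On a Windows server, check the local machine from the registry.
if ($env:OS -eq 'Windows_NT') {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    Test-Feb2021Build -Build ('{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)
}
```

In the sample, DC02 is the only host below the security build that turns on Netlogon Enforcement mode, and DC03 has the security update but not the preview fixes for the KDC issues.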
