On-premises Identity-related updates and fixes for March 2021

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates.

These are the Identity-related updates and fixes we saw for March 2021:

 

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB5000803 March 9, 2021

The March 9, 2021 update for Windows Server 2016 (KB5000803), updating the OS build number to 14393.4283, is a security update that includes quality improvements.

Hot on the heels of the March 2, 2021 updates for Microsoft Exchange Server, this update addresses seven Windows Server DNS vulnerabilities, alongside:

  • CVE-2021-26411, an Internet Explorer memory corruption zero-day vulnerability
  • CVE-2021-27077, a Windows Win32k Elevation of Privilege vulnerability, which was publicly disclosed by Trend Micro’s Zero Day Initiative in January after Microsoft initially said they would not fix it
  • CVE-2021-26867, a critical Windows Hyper-V Remote Code Execution vulnerability

This update contains the following quality improvements:

  • It turns off token binding by default in Windows Internet (WinINet).
  • It addresses an issue in which a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory Domain Controllers. This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerformTicketSignature to 1 or higher. Ticket acquisition also fails with the error KRB_GENERIC_ERROR if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.

KB5001633 March 18, 2021

The March 18, 2021 update for Windows Server 2016 (KB5001633), updating the OS build number to 14393.4288, is an out-of-band update to address an issue that fails to print the graphical content in a document after installing the March 9, 2021 update.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5000822 March 9, 2021

The March 9, 2021 update for Windows Server 2019 (KB5000822), updating the OS build number to 17763.1817, is a security update.

Hot on the heels of the March 2, 2021 updates for Microsoft Exchange Server, this update addresses seven Windows Server DNS vulnerabilities, alongside:

  • CVE-2021-26411, an Internet Explorer memory corruption zero-day vulnerability
  • CVE-2021-27077, a Windows Win32k Elevation of Privilege vulnerability, which was publicly disclosed by Trend Micro’s Zero Day Initiative in January after Microsoft initially said they would not fix it
  • CVE-2021-26867, a critical Windows Hyper-V Remote Code Execution vulnerability

This update also incorporates the quality improvements that were released in Preview with the February 16, 2021 update (KB4601383):

  • It turns off token binding by default in Windows Internet (WinINet).
  • It addresses an issue that displays a User Account Control (UAC) dialog box unexpectedly when you turn on speech recognition.
  • It removes the history of previously used pictures from a user account profile.
  • It addresses an issue that prevents the Trusted Platform Module (TPM) from starting. As a result, TPM-based scenarios do not work.
  • It addresses an issue with Key Distribution Center (KDC) code, which fails to check for an invalid domain state when the domain controller restarts. The error message is: STATUS_INVALID_DOMAIN_STATE
  • It addresses an issue in which a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerformTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, KRB_GENERIC_ERROR, if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.
  • It addresses an issue that fails to report an error when the Elliptic Curve Digital Signature Algorithm (ECDSA) generates invalid keys of 163 bytes instead of 165 bytes.
  • It addresses an issue with updating to Windows Server 2019 using a .iso image. If you renamed the default administrator account, the Local Security Authority (LSA) process might stop working.

KB5001568 March 15, 2021

The March 15, 2021 update for Windows Server 2019 (KB5001568), updating the OS build number to 17763.1821, is an out-of-band update to address an issue that might cause a blue screen when attempting to print to certain printers using some apps and might generate the error APC_INDEX_MISMATCH.

KB5001638 March 18, 2021

The March 18, 2021 update for Windows Server 2019 (KB5001638), updating the OS build number to 17763.1823, is an out-of-band update to address an issue that fails to print the graphical content in a document after installing the March 9, 2021 update.

KB5000854 March 25, 2021 Preview

The March 25, 2021 update for Windows Server 2019 (KB5000854), updating the OS build number to 17763.1852, is a preview update that offers the following quality improvements:

  • It allows administrators to use a Group Policy to enable extended keyboard shortcuts, including Ctrl+S, for users in Microsoft Edge IE Mode.
  • It addresses an issue with RSA key generation that generates a damaged key.
  • It addresses an issue that might prevent Hypervisor-Protected Code Integrity (HVCI) from being enabled when you configure it using a Group Policy.
  • It addresses an issue that prevents Server Message Block 1 (SMB1) clients from accessing the SMB share after restarting the LanmanServer service.
  • It addresses an issue with signing in to a device that is in the current domain by using the default user profile of a device that is in a different, but trusted domain. The profile service of the current domain cannot retrieve the default user profile from the trusted domain and uses the local default user profile instead.

These quality improvements are also included in the next cumulative update on April 13, 2021.
