Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates.
These are the Identity-related updates and fixes we saw for April 2021:
Windows Server 2016
We observed the following update for Windows Server 2016:
KB5001347 April 13, 2021
The April 13, 2021 update for Windows Server 2016 (KB5001347), updating the OS build number to 14393.4350, is a security update that includes quality improvements.
This update contains the following quality improvements:
- It addresses an issue that causes a system to stop working occasionally when users sign out or disconnect from remote sessions.
- It addresses an issue in which a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory Domain Controllers. This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerformTicketSignature to 1 or higher. Ticket acquisition also fails with the error, KRB_GENERIC_ERROR, if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.
Windows Server 2019
We observed the following updates for Windows Server 2019:
KB5001342 April 13, 2021
The April 13, 2021 update for Windows Server 2019 (KB5001342), updating the OS build number to 17763.1879, is a security update that includes quality improvements.
This update contains the quality improvements that were part of the March 25, 2021 Preview update for Windows Server 2019 (KB5000854):
- It allows administrators to use a Group Policy to enable extended keyboard shortcuts, including Ctrl+S, for users in Microsoft Edge IE Mode.
- It addresses an issue with RSA key generation that generates a damaged key.
- It addresses an issue that might prevent Hypervisor-Protected Code Integrity (HVCI) from being enabled when you configure it using a Group Policy.
- It addresses an issue that prevents Server Message Block 1 (SMB1) clients from accessing the SMB share after restarting the LanmanServer service.
- It addresses an issue with signing in to a device that is in the current domain by using the default user profile of a device that is in a different, but trusted domain. The profile service of the current domain cannot retrieve the default user profile from the trusted domain and uses the local default user profile instead.
KB5001384 April 22, 2021 Preview
The April 22, 2021 update for Windows Server 2019 (KB5001384), updating the OS build number to 17763.1911, is a Preview update that includes quality improvements:
- It removes the Microsoft Edge Legacy desktop application that is out of support and installs the new Microsoft Edge.
- It addresses an issue that fails to remove mandatory profiles completely when you sign out when using the “Delete cached copies of roaming profiles” Group Policy.
- It addresses an issue that causes lsass.exe memory usage to grow until the system becomes unusable. This occurs when Transport Layer Security (TLS) resumes a session.
- It addresses an issue that causes automatic enrollment and certificate retrieval to fail with the error, “The parameter is incorrect.”
- It addresses an issue that fails to apply the false setting for the RequirePDC flag in Active Directory Federation Services (AD FS).