On-premises Identity-related updates and fixes for May 2021

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates.

These are the Identity-related updates and fixes we saw for May 2021:

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB5003197, May 11, 2021

The May 11, 2021 update for Windows Server 2016 (KB5003197), which updates the OS build number to 14393.4402, is a security update that includes quality improvements.

This update addresses vulnerabilities in Hyper-V, SMB, SSDP, and the Wallet Service. None of the vulnerabilities are Identity-related.

This update contains quality improvements, but none are Identity-related.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5003171, May 11, 2021

The May 11, 2021 update for Windows Server 2019 (KB5003171), which updates the OS build number to 17763.1935, is a security update that includes quality improvements.

This update addresses vulnerabilities in Hyper-V, SMB, SSDP, and the Wallet Service. Another vulnerability in kernel-mode IIS (http.sys) is addressed, but this vulnerability only applies to semi-annual channel releases beyond Windows Server 2019.

This update contains the quality improvements that were part of the April 22, 2021 update for Windows Server 2019 (KB5001384):

  • It removes the Microsoft Edge Legacy desktop application that is out of support and installs the new Microsoft Edge.
  • It addresses an issue that fails to remove mandatory profiles completely when you sign out when using the “Delete cached copies of roaming profiles” Group Policy.
  • It addresses an issue that causes lsass.exe memory usage to grow until the system becomes unusable. This occurs when Transport Layer Security (TLS) resumes a session.
  • It addresses an issue that causes automatic enrollment and certificate retrieval to fail with the error, “The parameter is incorrect.”
  • It addresses an issue that fails to apply the false setting for the RequirePDC flag in Active Directory Federation Services (AD FS).

KB5003217, May 20, 2021 Preview

The May 20, 2021 update for Windows Server 2019 (KB5003217), which updates the OS build number to 17763.1971, is a Preview update that includes quality improvements:

  • It addresses an issue in Active Directory (AD) Admin Center that displays an error when it lists many organizational units (OU) or container objects and PowerShell Transcription is enabled. The error message is, "Collection was modified after the enumerator was instantiated".
  • It addresses a memory leak issue in PKU2U that causes cluster nodes to run out of memory.
  • It addresses an issue that fails to apply BitLocker encryption automatically using a Group Policy. This issue occurs on external drives that have a master boot record (MBR) active boot partition.
  • It addresses an issue that sometimes causes event log entries to appear corrupted for Microsoft-Windows-Kerberos-Key-Distribution-Center source and Event IDs 4933, 4928, and 4937.
  • It addresses an issue that fails to register a DNS update to an A record and a PTR when Azure virtual machines update against corporate DNS zones.

The quality improvements are automatically part of the next cumulative update, released on June 8, 2021, unless these improvements appear non-functional in the meantime.
