On-premises Identity-related updates and fixes for July 2021


Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates.

These are the Identity-related updates and fixes we saw for July 2021:

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB5004948 July 7, 2021 Out of band

The July 7, 2021 out of band update for Windows Server 2016 (KB5004948) updating the OS build number to 14393.4470 is a security update.

This update addresses a remote code execution exploit in the Windows Print Spooler service, known as PrintNightmare, as documented in CVE-2021-34527.

By default, administrators can install signed and unsigned printer drivers to a print server. After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. Additionally, the RestrictDriverInstallationToAdministrators registry setting can be used to prevent non-administrators from installing signed printer drivers on a print server.

KB5004238 July 13, 2021

The July 13, 2021 update for Windows Server 2016 (KB5004238) updating the OS build number to 14393.4530 is a monthly cumulative update.

This update addresses twelve vulnerabilities in Domain Controllers running as DNS servers, Windows Hello, Windows Print Spooler, Windows Defender, Windows Security Account Manager, Hyper-V, SMB, and TCP/IP.

This update also includes the following identity-related quality improvements:

  1. It removes support for the PerformTicketSignature setting and permanently enables Enforcement mode for the Kerberos Security Feature Bypass vulnerability, known as CVE-2020-17049.
  2. After installing this update or later Windows updates, Advanced Encryption Standard (AES) encryption will be the preferred method on Windows clients when using the legacy MS-SAMR protocol for password operations if AES encryption is supported by the SAM server to protect against CVE-2021-33757.
  3. Addresses a vulnerability in which Primary Refresh Tokens (PRTs) are not strongly encrypted. This issue might allow the tokens to be reused until the token expires or is renewed. For more information about this issue, see CVE-2021-33779.

There is a known issue with this update. After installing updates released July 13, 2021 on domain controllers (DCs) in your environment, printers, scanners, and multifunction devices that are not compliant with section 3.2.1 of the RFC 4556 specification might fail to print when using smart card (PIV) authentication.

KB5005393 July 29, 2021

The July 29, 2021 update for Windows Server 2016 (KB5005393) updating the OS build number to 14393.4532 resolves the known issue found in the KB5004238 July 13, 2021 update.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5004947 July 6, 2021 Out of band

The July 6, 2021 out of band update for Windows Server 2019 (KB5004947) updating the OS build number to 17763.2029 is a security update.

This update addresses a remote code execution exploit in the Windows Print Spooler service, known as PrintNightmare, as documented in CVE-2021-34527.

By default, administrators can install signed and unsigned printer drivers to a print server. After installing this and later Windows updates, users who are not administrators can only install signed print drivers to a print server. Additionally, the RestrictDriverInstallationToAdministrators registry setting can be used to prevent non-administrators from installing signed printer drivers on a print server.

KB5004244 July 13, 2021

The July 13, 2021 update for Windows Server 2019 (KB5004244) updating the OS build number to 17763.2061 is a monthly cumulative update.

This update addresses twelve vulnerabilities in Domain Controllers running as DNS servers, Windows Hello, Windows Print Spooler, Windows Defender, Windows Security Account Manager, Hyper-V, SMB, and TCP/IP.

This update also includes the following identity-related quality improvements:

  1. It removes support for the PerformTicketSignature setting and permanently enables Enforcement mode for the Kerberos Security Feature Bypass vulnerability, known as CVE-2020-17049.
  2. After installing this update or later Windows updates, Advanced Encryption Standard (AES) encryption will be the preferred method on Windows clients when using the legacy MS-SAMR protocol for password operations if AES encryption is supported by the SAM server to protect against CVE-2021-33757.
  3. Addresses a vulnerability in which Primary Refresh Tokens (PRTs) are not strongly encrypted. This issue might allow the tokens to be reused until the token expires or is renewed. For more information about this issue, see CVE-2021-33779.

There is a known issue with this update. After installing updates released July 13, 2021 on domain controllers (DCs) in your environment, printers, scanners, and multifunction devices that are not compliant with section 3.2.1 of the RFC 4556 specification might fail to print when using smart card (PIV) authentication.
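The two registry-backed changes described above (the RestrictDriverInstallationToAdministrators setting for the PrintNightmare fix, and the retired PerformTicketSignature setting now that Kerberos Enforcement mode is permanent) can be audited from an elevated PowerShell session. This is an added example, not a script from the original post or from Microsoft; the registry paths and the DomainRole check are assumptions based on Microsoft's published KB guidance.

```powershell
# Added example: audit post-July-2021 identity hardening state on a server.
# Assumptions: key paths below follow Microsoft's KB guidance for
# CVE-2021-34527 (PointAndPrint) and CVE-2020-17049 (Kdc).
function Test-July2021IdentityHardening {
    $results = @()

    # 1. PrintNightmare: after the July 2021 updates only administrators may
    #    install unsigned drivers; this value also blocks signed-driver
    #    installs by non-administrators. Set it to 1 if it is missing or wrong.
    $ppKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $ppName = 'RestrictDriverInstallationToAdministrators'
    $current = (Get-ItemProperty -Path $ppKey -Name $ppName -ErrorAction SilentlyContinue).$ppName
    if ($current -ne 1) {
        New-Item -Path $ppKey -Force | Out-Null
        Set-ItemProperty -Path $ppKey -Name $ppName -Value 1 -Type DWord
        $results += "$ppName was '$current'; now set to 1"
    } else {
        $results += "$ppName already set to 1"
    }

    # 2. Kerberos (CVE-2020-17049): PerformTicketSignature is no longer honoured
    #    after KB5004238 / KB5004244. A leftover value on a DC is harmless but
    #    misleading, so report it. DomainRole 4/5 = backup/primary DC.
    $isDC = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    if ($isDC) {
        $kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
        $pts = Get-ItemProperty -Path $kdcKey -Name 'PerformTicketSignature' -ErrorAction SilentlyContinue
        if ($pts) {
            $results += "PerformTicketSignature=$($pts.PerformTicketSignature) still present; ignored since the July 2021 CU (Enforcement mode is permanent)"
        } else {
            $results += 'PerformTicketSignature not set (expected after the July 2021 CU)'
        }
    } else {
        $results += 'Not a domain controller; skipping Kdc check'
    }

    # 3. Confirm at least one of the updates named in this post is installed.
    $kbs = 'KB5004238', 'KB5004244', 'KB5004947', 'KB5004948', 'KB5005393', 'KB5005394'
    $found = Get-HotFix | Where-Object { $_.HotFixID -in $kbs }
    if ($found) {
        $results += "Installed: $(($found.HotFixID | Sort-Object -Unique) -join ', ')"
    } else {
        $results += 'None of the July 2021 updates named in this post were found via Get-HotFix'
    }
    return $results
}

Test-July2021IdentityHardening
```

Get-HotFix only lists updates exposed through Win32_QuickFixEngineering, so an empty result in step 3 should be confirmed against the OS build number before concluding the update is missing.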

KB5004308 July 20, 2021 Preview

The July 20, 2021 update for Windows Server 2019 (KB5004308) updating the OS build number to 17763.2090 is a preview update that includes the following identity-related quality improvements:

  • It addresses a timing issue in the Group Policy Registry Telemetry that causes Group Policy extension processing to fail.
  • It addresses an issue that might cause the Local Security Authority Subsystem Service (LSASS) process on Active Directory domain controllers to stop working under high load scenarios.
  • It addresses a Local Security Authority Subsystem Service (LSASS) domain controller memory leak that is reported in Privileged Access Management (PAM) deployments.
  • It addresses an issue that causes the enrollment of the Elliptic Curve Digital Signature Algorithm (ECDSA) certificate to fail when the Trusted Platform Module (TPM) provider (the Microsoft Software Key Storage Provider) stores the key. The error shown is 0x80090027 NTE_INVALID_PARAMETER.

  • It addresses an issue with auditing events 4624 and 5142 that display the wrong event template when Dutch is the display language.

KB5005394 July 27, 2021

The July 27, 2021 update for Windows Server 2019 (KB5005394) updating the OS build number to 17763.2091 resolves the known issue found in the KB5004244 July 13, 2021 update.
