On-premises Identity-related updates and fixes for September 2021



Even though Microsoft’s Identity focus is moving towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates, and Windows Server 2022 received its first share of updates last month.

These are the Identity-related updates and fixes we saw for September 2021:


Windows Server 2016

We observed the following updates for Windows Server 2016:

KB5005573 September 14, 2021

The September 14, 2021 update for Windows Server 2016 (KB5005573), which updates the OS build number to 14393.4651, is a monthly cumulative update.

It includes one Identity-related quality improvement. It addresses an issue that causes Authentication Mechanism Assurance (AMA) to stop working. This issue occurs when you migrate to Windows Server 2016 (or newer versions of Windows) and when using AMA in conjunction with certificates from Windows Hello for Business.


Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5005568 September 14, 2021

The September 14, 2021 update for Windows Server 2019 (KB5005568), which updates the OS build number to 17763.2183, is a monthly cumulative update.

It includes the following Identity-related quality improvements:

  • It addresses an issue that causes Authentication Mechanism Assurance (AMA) to stop working. This issue occurs when you migrate to Windows Server 2016 (or newer versions of Windows) and when using AMA in conjunction with certificates from Windows Hello for Business.
  • It addresses an issue that might occur when you configure the Delete user profiles older than a specified number of days on system restart Group Policy setting. If a user has been signed in for longer than the time specified in the policy, the device might unexpectedly delete profiles at startup.
  • It addresses a race condition in the server message block (SMB) client that might slow the I/O for a connection until the I/O times out.


KB5005625 September 21, 2021 Preview

The September 21, 2021 update for Windows Server 2019 (KB5005625), which updates the OS build number to 17763.2210, is a preview update.

It includes the following Identity-related quality improvements:

  • It addresses an issue that causes the system time to be incorrect by one hour after a daylight saving time (DST) change.
  • It addresses an issue with a non-paged pool (NPP) leak from the UxSF pool tag. This leak occurs when lsass.exe stops processing asynchronous Security Support Provider Interface (SSPI) calls.
  • It addresses an issue that causes the configuration for multiple artifact DB support across datacenters to fail for Security Assertion Markup Language (SAML) artifacts.
  • It addresses an issue that causes the LsaLookupSids() function to fail. This occurs when a group that contains cross-domain trusted users holds security identifiers (SIDs) for users that no longer exist.
  • It addresses an issue that fails to apply the post_logout_redirect_uri= parameter when you use an External Claims Provider.
  • It addresses an issue that might create duplicate built-in local accounts, such as an administrator or guest account, during an in-place upgrade. This issue occurs if you previously renamed those accounts. As a result, the Local Users and Groups MMC snap-in (lusrmgr.msc) appears blank with no accounts after the upgrade. This update removes the duplicate accounts from the local Security Account Manager (SAM) database on the affected machines. If the system detected and removed duplicate accounts, it logs a Directory-Services-SAM event, with ID 16986, in the System event log.
  • It adds the ability to configure period or dot (.) delimited IP addresses interchangeably with fully qualified host names in the Package Point and Print – Approved Servers and Point and Print Restrictions Group Policy settings.
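The duplicate built-in account fix above is the one item in this list that leaves a trace you can check for. The following PowerShell is an added example, not code from the original post or from Microsoft: it looks for the Directory-Services-SAM event with ID 16986 in the System log and confirms that the genuine built-in Administrator and Guest accounts (well-known RIDs 500 and 501) are present in the local SAM. The post only names the event source, so the provider name is matched loosely; that pattern is an assumption of this example.

```powershell
# Added example (not from the original post): after applying KB5005625 to an
# in-place-upgraded Windows Server 2019 host, report whether the update logged
# the duplicate-account cleanup and whether the real built-in accounts survive.

function Get-SamDuplicateCleanupEvents {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Event ID 16986 is taken from the post; the provider-name pattern is an
    # assumption, because the post gives only the source name.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'System'
        Id      = 16986
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Directory-Services-SAM*' } |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Test-BuiltInLocalAccounts {
    # Get-LocalUser (LocalAccounts module, Windows Server 2016 and later) reads
    # the local SAM directly, so it shows what lusrmgr.msc would show.
    $users = @(Get-LocalUser)
    $byRid = @{}
    foreach ($u in $users) {
        # The last dash-separated component of a SID is the relative ID (RID).
        $rid = [int](($u.SID.Value -split '-')[-1])
        $byRid[$rid] = $u.Name
    }

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        AdministratorName = $byRid[500]   # $null means RID 500 is missing
        GuestName         = $byRid[501]   # renamed accounts keep their RID
        AccountCount      = $users.Count
        # An empty account list mirrors the "blank lusrmgr.msc" symptom the post describes.
        LooksHealthy      = ($null -ne $byRid[500]) -and ($users.Count -gt 0)
    }
}

$events = Get-SamDuplicateCleanupEvents
if ($events) {
    'Duplicate built-in accounts were removed by the update:'
    $events | Format-List
} else {
    'No Directory-Services-SAM 16986 events found (no duplicates detected, or the update is not installed).'
}
Test-BuiltInLocalAccounts
```

Run it in an elevated session on the upgraded host; a 16986 event together with LooksHealthy = True is the expected outcome on a machine that had the duplicates, while no event and a healthy SAM simply means the machine was never affected.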

This update also introduces the RestrictDriverInstallationToAdministrators registry value, with its data set to 1, in HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint.

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates.


Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5005575 September 14, 2021

The September 14, 2021 update for Windows Server 2022 (KB5005575), which updates the OS build number to 20348.230, is a monthly cumulative update.

It includes one Identity-related quality improvement. It addresses an issue that prevents the ShellHWDetection service from starting on a Privileged Access Workstation (PAW) device and prevents you from managing BitLocker drive encryption.

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates.


KB5005619 September 27, 2021 Preview

The September 27, 2021 update for Windows Server 2022 (KB5005619), which updates the OS build number to 20348.261, is a preview update.

It includes the following Identity-related quality improvements:

  • It addresses an issue with forcibly resetting a device when a Group Policy is being updated. As a result, the device stops responding.
  • It addresses an issue that causes a memory leak in lsass.exe when the pTokenPrivileges buffer is not released.
  • It addresses a Primary Refresh Token (PRT) update issue that occurs if VPN users sign in using Windows Hello for Business when the VPN connection is offline. Users receive unexpected authentication prompts for online resources that are configured for user sign-in frequency in Conditional Access.
  • It addresses an issue with a non-paged pool (NPP) leak from the UxSF pool tag. This leak occurs when lsass.exe stops processing asynchronous Security Support Provider Interface (SSPI) calls.
  • It addresses an issue that might prevent users from signing in to a domain controller with Directory Services Restore Mode (DSRM) over Remote Desktop or Hyper-V Enhanced Session.
  • It addresses an issue that causes LogonUI.exe to stop working because Direct Manipulation fails to start.
  • It addresses an issue that prevents access to files that are on a Server Message Block (SMB) share when you enable Access-based Enumeration.
  • It adds the ability to configure period or dot (.) delimited IP addresses interchangeably with fully qualified host names in the Package Point and Print – Approved Servers and Point and Print Restrictions Group Policy settings.

This update also introduces the RestrictDriverInstallationToAdministrators registry value, with its data set to 1, in HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint.
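Both the Windows Server 2019 preview update (KB5005625) and this Windows Server 2022 preview update (KB5005619) introduce the same Point and Print value, and it is worth verifying on any print server or domain member rather than assuming the update wrote it and nothing changed it afterwards. The following PowerShell is an added example, not code from the original post or from Microsoft: it reads the installed OS build (so it can be compared against the build numbers quoted above) and reports whether RestrictDriverInstallationToAdministrators is present with data 1. The key path and value name come from the post; the -Enforce switch, which writes the value back to 1, is this example's own addition.

```powershell
# Added example (not from the original post): check the OS build and the
# RestrictDriverInstallationToAdministrators value that KB5005625 / KB5005619
# introduce under the PointAndPrint policy key.

function Get-OsBuildString {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # CurrentBuildNumber plus the Update Build Revision (UBR) gives the
    # "20348.261"-style build number quoted in the post.
    '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
}

function Test-PointAndPrintHardening {
    [CmdletBinding()]
    param([switch]$Enforce)   # -Enforce is this example's addition

    $key  = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $name = 'RestrictDriverInstallationToAdministrators'

    $current = $null
    if (Test-Path $key) {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    }

    # Only data 1 counts: an absent value and data 0 both leave driver
    # installation open to non-administrators.
    $compliant = ($current -eq 1)

    if (-not $compliant -and $Enforce) {
        # Requires an elevated session; creates the key if it does not exist yet.
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        $current   = 1
        $compliant = $true
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        OsBuild   = Get-OsBuildString
        ValueName = $name
        Data      = $current     # $null = value absent
        Compliant = $compliant   # $true only when data is exactly 1
    }
}

# Report only; add -Enforce to write data 1 where the value is absent or weakened.
Test-PointAndPrintHardening
```

Data = $null on a host whose build is at or above the numbers in this post is the interesting case: either the update did not land or a Group Policy or script has since removed the value. Keep in mind that a domain policy that manages the PointAndPrint key will overwrite whatever -Enforce writes at the next policy refresh, so the durable fix belongs in Group Policy, not in a local registry write.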

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. It addresses an issue that might prevent the February 11, 2021 update against a Secure Boot Security Feature Bypass Vulnerability CVE-2020-0689 from installing and generates the following error in the Windows cbs.log file:

TRUST_E_NOSIGNATURE
