On-premises Identity-related updates and fixes for February 2022

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates.

For December 2021, Microsoft announced that the preview updates would be skipped, because of minimal operations during the holidays and the upcoming Western new year. This is the short list of Identity-related updates and fixes we saw for February 2022:

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5010359 February 8, 2022

The February 8, 2022 update for Windows Server 2016 (KB5010359), updating the OS build number to 14393.4946, is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that affects Administrative Templates settings configured using one or more Group Policy Objects (GPOs). When you change the value of the policy setting to Not configured, the system fails to remove the previous setting. This issue is most noticeable for roaming user profiles.
  • It adds an audit event to Active Directory domain controllers that identifies clients that are not compliant with RFC 4456. For more information, see KB5005408: Smart card authentication might cause print and scan failures.
  • It addresses an issue that might cause Kerberos.dll to stop working within the Local Security Authority Subsystem Service (LSASS). This occurs when LSASS processes simultaneous Service for User (S4U) user-to-user (U2U) requests for the same client user.
  • It addresses an issue that causes a Lightweight Directory Access Protocol (LDAP) modify operation to fail if the operation contains the SamAccountName and UserAccountControl attributes. The error message is:

Error: 0x20EF. The directory service encountered an unknown failure

Windows Server 2019

We observed the following update for Windows Server 2019:

KB5010351 February 8, 2022

The February 8, 2022 update for Windows Server 2019 (KB5010351), updating the OS build number to 17763.2565, is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that might cause Kerberos.dll to stop working within the Local Security Authority Subsystem Service (LSASS). This occurs when LSASS processes simultaneous Service for User (S4U) and user-to-user (U2U) requests for the same client user.
  • It addresses an issue that causes lsass.exe to stop working and the device restarts. This issue occurs when you query Windows NT Directory Services (NTDS) counters after the NTDS service has stopped.
  • It addresses an issue that might occur when you enable verbose Active Directory Federation Services (AD FS) audit logging and an invalid parameter is logged. As a result, events with Event ID 207 are logged, which indicates that a failure to write to the audit log occurred.
  • It adds an audit event to Active Directory domain controllers that identifies clients that are not compliant with RFC 4456. For more information, see KB5005408: Smart card authentication might cause print and scan failures.
  • It addresses an issue that causes a Lightweight Directory Access Protocol (LDAP) modify operation to fail if the operation contains the SamAccountName and UserAccountControl attributes. The error message is:

Error: 0x20EF. The directory service encountered an unknown failure

KB5010427 February 15, 2022 Preview

The February 15, 2022 update for Windows Server 2019 (KB5010427), updating the OS build number to 17763.2628, is a preview update that includes the following Identity-related improvements:

  • It addresses an issue that returns an error message when you browse for a domain or organizational unit (OU). This issue occurs because of improper zeroing out of memory.
  • It addresses an issue that causes certificate enrollment to fail with the error message:

0x800700a0 (ERROR_BAD_ARGUMENTS)

  • It addresses an issue that occurs when you try to write a service principal name (SPN) alias (such as www/FOO) and the HOST/FOO SPN already exists on another object. If the RIGHT_DS_WRITE_PROPERTY is on the SPN attribute of the colliding object, you receive the following error:

Access Denied

  • It addresses an issue that prevents administrators and content owners from opening expired Active Directory Rights Management Services (AD RMS) content.
  • It addresses an issue that causes the Remote Desktop Service (RDS) server to become unstable when the number of signed in users exceeds 100. This prevents you from accessing published applications using RDS on Windows Server 2019.

Windows Server 2022

We observed the following update for Windows Server 2022:

KB5010354 February 8, 2022

The February 8, 2022 update for Windows Server 2022 (KB5010354), updating the OS build number to 20348.524, is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that causes a device to incorrectly report itself as noncompliant with Conditional Access because of an antivirus or firewall configuration.
  • It addresses an issue that might cause Kerberos.dll to stop working within the Local Security Authority Subsystem Service (LSASS). This occurs when LSASS processes simultaneous Service for User (S4U) and user-to-user (U2U) requests for the same client user.
  • It addresses an issue that affects the Fast Identity Online 2.0 (FIDO2) credential provider and prevents the display of the PIN entry field.
  • It addresses an issue that causes lsass.exe to stop working and the device restarts. This issue occurs when you query Windows NT Directory Services (NTDS) counters after the NTDS service has stopped.
  • It addresses an issue that fails to apply the Group Policy Object setting Do not allow compression on all NTFS Volume in some cases.
  • It addresses an issue that might occur when you enable verbose Active Directory Federation Services (AD FS) audit logging and an invalid parameter is logged. As a result, events with Event ID 207 are logged, which indicates that a failure to write to the audit log occurred.
  • It adds an audit event to Active Directory domain controllers that identifies clients that are not compliant with RFC 4456. For more information, see KB5005408: Smart card authentication might cause print and scan failures.
  • It addresses an issue that causes a Lightweight Directory Access Protocol (LDAP) modify operation to fail if the operation contains the SamAccountName and UserAccountControl attributes. The error message is:

Error: 0x20EF. The directory service encountered an unknown failure

KB5010421 February 15, 2022 Preview

The February 2022 update for Windows Server 2022 (KB5010421), updating the OS build number to 20348.558, is a preview update that includes the following Identity-related improvements:

  • It addresses an issue that causes Group Policy Management to stop working after you close it. The system logs Application Error Event ID 1000 and the error 0xc0000005 (STATUS_ACCESS_VIOLATION); the failing module is GPOAdmin.dll.
  • It addresses an issue that affects applications that are written to only integrate with Azure Active Directory (Azure AD). These applications will not work on machines that are joined to Active Directory Federation Services (AD FS).
  • It introduces support for Windows Hello for Business (WHfB) Cloud Trust. This is a new deployment model for hybrid deployments of WHfB. It uses the same technology and deployment steps that support on-premises single sign-on (SSO) for Fast IDentity Online (FIDO) security keys. Cloud Trust removes the public-key infrastructure (PKI) requirements for deploying Windows and simplifies the WHfB deployment experience.
  • It addresses an issue that prevents administrators and content owners from opening expired Active Directory Rights Management Services (AD RMS) content.
  • It addresses an issue that displays the authentication dialog twice when you mount a network drive.
