On-premises Identity-related updates and fixes for March 2022

Reading Time: 5 minutes

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates.

This is the list of Identity-related updates and fixes we saw for March 2022:

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5011495 March 8, 2022

The March 8, 2022 update for Windows Server 2016 (KB5011495), updating the OS build number to 14393.5006 is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that occurs when you try to write a service principal name (SPN) alias (such as www/FOO) and HOST/FOO already exists on another object. If the RIGHT_DS_WRITE_PROPERTY is on the SPN attribute of the colliding object, you receive the following error:

Access Denied

  • It addresses an issue that causes the DnsServerPsProvider module to leak memory inside a WmiPrvSE.exe process.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5011503 March 8, 2022

The March 8, 2022 update for Windows Server 2019 (KB5011503), updating the OS build number to 17763.2686 is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that returns an error message when you browse for a domain or organizational unit (OU). This issue occurs because of improper zeroing out of memory.
  • It addresses an issue that causes certificate enrollment to fail with the error message:

0x800700a0 (ERROR _BAD_ARGUMENTS)

  • It addresses an issue that occurs when you try to write a service principal name (SPN) alias (such as www/FOO) and the HOST/FOO SPN already exists on another object. If the RIGHT_DS_WRITE_PROPERTY is on the SPN attribute of the colliding object, you receive the following error:

Access Denied

  • It addresses an issue that prevents administrators and content owners from opening expired Active Directory Rights Management Services (AD RMS) content.
  • It addresses an issue that causes the Remote Desktop Service (RDS) server to become unstable when the number of signed in users exceeds 100. This prevents you from accessing published applications using RDS on Windows Server 2019.

KB5011551 March 22, 2022 Preview

The March 22, 2022 update for Windows Server 2019 (KB5011551) updating the OS build number to 17763.2746 is a preview update that includes the following Identity-related improvements:

  • It addresses a heap leak in PacRequestorEnforcement that degrades the performance of a domain controller.
  • It addresses an issue that affects the Key Distribution Center (KDC) Proxy. The KDC Proxy cannot properly obtain Kerberos tickets for signing in to Key Trust Windows Hello for Business.
  • It addresses an issue that causes the Move-ADObject command to fail when you move computer accounts across domains. The error message is:

Multiple values were specified for an attribute that can have only one value

  • It addresses an issue that might prevent a DNS Server query resolution policy from working as expected when you specify a fully qualified domain name (FQDN) and subnet conditions.
  • It addresses an issue that might cause domain joining to fail in environments that use disjoint DNS hostnames.
  • It addresses an issue in which modern browsers fail to correctly render HTML that is generated by gpresult/h.
  • It addresses an issue that causes the Group Policy Management Console to stop working after you close it as the GPOAdmin.dll fails. The system logs Application Error Event ID 1000 and error:

0xc0000005 (STATUS_ACCESS_VIOLATION)

  • It addresses an issue that might cause the Group Policy Service to stop processing telemetry information for Group Policy Registry Preferences.
  • It addresses an issue that prevents events with Event ID 4739 from displaying the new values of certain attributes after a policy change.
  • It addresses an issue that prevents you from accessing Server Message Block (SMB) shares using an IP Address when SMB hardening is enabled.
  • It addresses an issue that causes stop error 0x1E in the SMB Server (srv2.sys).
  • It addresses an issue that occurs when the Best Practices Analyzer (BPA) values for SMB have not been updated for more recent platforms.
  • It addresses an issue in Active Directory Federation Services (AD FS) that prevents Android device users from signing in to some Microsoft applications, such as Microsoft Outlook or Microsoft Teams. This issue occurs after rolling over token signing and decrypting certificates, resetting a user's password, or when an administrator has revoked refresh tokens.
  • It addresses an issue that prevents the Back button of the credentials window as part of the AD FS sign-in pages, from being visible in high contrast black mode.

Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5011497 March 8, 2022

The March 8, 20222 update for Windows Server 2022 (KB5011497), updating the OS build number to 20348.587 is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that causes the Group Policy Management Console to stop working after you close it as the GPOAdmin.dll fails. The system logs Application Error Event ID 1000 and error:

0xc0000005 (STATUS_ACCESS_VIOLATION)

  • It addresses an issue that affects applications that are written to only integrate with Azure Active Directory (Azure AD). These applications will not work on machines that are joined to Active Directory Federation Services (AD FS).
  • It introduces support for Windows Hello for Business (WHfB) Cloud Trust. This is a new deployment model for hybrid deployments of WHfB. It uses the same technology and deployment steps that support on-premises single sign-on (SSO) for Fast IDentity Online (FIDO) security keys. Cloud Trust removes the public-key infrastructure (PKI) requirements for deploying Windows and simplifies the WHfB deployment experience.
  • It addresses an issue that prevents administrators and content owners from opening expired Active Directory Rights Management Services (AD RMS) content.
  • It addresses an issue that displays the authentication dialog twice when you mount a network drive.

KB5011558 March 22, 2022 Preview

The March 22, 2022 update for Windows Server 2022 (KB5011558) updating the OS build number to 20348.617 is a preview update that includes the following Identity-related improvements:

  • It addresses a heap leak in PacRequestorEnforcement that degrades the performance of a domain controller.
  • It addresses an issue that returns an error message when you browse for a domain or organizational unit (OU). This issue occurs because of improper zeroing out of memory.
  • It addresses an issue that affects the Key Distribution Center (KDC) Proxy. The KDC Proxy cannot properly obtain Kerberos tickets for signing in to Key Trust Windows Hello for Business.
  • It addresses an issue that causes the Move-ADObject command to fail when you move computer accounts across domains. The error message is:

Multiple values were specified for an attribute that can have only one value

  • It addresses an issue that might prevent a DNS Server query resolution policy from working as expected when you specify a fully qualified domain name (FQDN) and subnet conditions.
  • It addresses an issue that might cause domain joining to fail in environments that use disjoint DNS hostnames.
  • It addresses an issue in which modern browsers fail to correctly render HTML that is generated by gpresult/h.
  • It addresses an issue that might cause the Group Policy Service to stop processing telemetry information for Group Policy Registry Preferences.
  • It addresses an issue that prevents events with Event ID 4739 from displaying the new values of certain attributes after a policy change.
  • It addresses an issue that prevents you from accessing Server Message Block (SMB) shares using an IP Address when SMB hardening is enabled.
  • It addresses an issue that occurs when the Best Practices Analyzer (BPA) values for SMB have not been updated for more recent platforms.
  • It addresses an issue in Active Directory Federation Services (AD FS) that prevents Android device users from signing in to some Microsoft applications, such as Microsoft Outlook or Microsoft Teams. This issue occurs after rolling over token signing and decrypting certificates, resetting a user's password, or when an administrator has revoked refresh tokens.
  • It addresses an issue that prevents the Back button of the credentials window as part of the AD FS sign-in pages, from being visible in high contrast black mode.

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.