On-premises Identity-related updates and fixes for April 2022


Windows Server

Even though Microsoft's Identity focus is moving towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates.

This is the list of Identity-related updates and fixes we saw for April 2022:

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5012596 April 12, 2022

The April 12, 2022 update for Windows Server 2016 (KB5012596) updating the OS build number to 14393.5066 is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses a heap leak in PacRequestorEnforcement that degrades the performance of a Domain Controller.
  • It addresses an issue that affects the Key Distribution Center (KDC) Proxy. The KDC Proxy cannot properly obtain Kerberos tickets for signing in to Key Trust Windows Hello for Business.
  • It addresses an issue that prevents you from changing a password that has expired when you sign in to a Windows device.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5012647 April 12, 2022

The April 12, 2022 update for Windows Server 2019 (KB5012647) updating the OS build number to 17763.2803 is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses a known issue that causes DNS stub load failures on a Windows Server that is running a DNS Server.
  • It addresses an issue that prevents you from changing a password that has expired when you sign in to a Windows device.
  • It addresses a heap leak in PacRequestorEnforcement that degrades the performance of a domain controller.
  • It addresses an issue that affects the Key Distribution Center (KDC) Proxy. The KDC Proxy cannot properly obtain Kerberos tickets for signing in to Key Trust Windows Hello for Business.
  • It addresses an issue that causes the Move-ADObject command to fail when you move computer accounts across domains. The error message is:

Multiple values were specified for an attribute that can have only one value

  • It addresses an issue that might prevent a DNS Server query resolution policy from working as expected when you specify a fully qualified domain name (FQDN) and subnet conditions.
  • It addresses an issue that might cause domain joining to fail in environments that use disjoint DNS hostnames.
  • It addresses an issue in which modern browsers fail to correctly render HTML that is generated by gpresult /h.
  • It addresses an issue that causes the Group Policy Management Console to stop working after you close it as the GPOAdmin.dll fails. The system logs Application Error Event ID 1000 and error:

0xc0000005 (STATUS_ACCESS_VIOLATION)

  • It addresses an issue that might cause the Group Policy Service to stop processing telemetry information for Group Policy Registry Preferences.
  • It addresses an issue that prevents events with Event ID 4739 from displaying the new values of certain attributes after a policy change.
  • It addresses an issue that prevents you from accessing Server Message Block (SMB) shares using an IP Address when SMB hardening is enabled.
  • It addresses an issue that causes stop error 0x1E in the SMB Server (srv2.sys).
  • It addresses an issue that occurs when the Best Practices Analyzer (BPA) values for SMB have not been updated for more recent platforms.
  • It addresses an issue in Active Directory Federation Services (AD FS) that prevents Android device users from signing in to some Microsoft applications, such as Microsoft Outlook or Microsoft Teams. This issue occurs after rolling over token signing and decrypting certificates, resetting a user's password, or when an administrator has revoked refresh tokens.
  • It addresses an issue that prevents the Back button of the credentials window as part of the AD FS sign-in pages, from being visible in high contrast black mode.

KB5012636 April 21, 2022 Preview

The April 21, 2022 update for Windows Server 2019 (KB5012636) updating the OS build number to 17763.2867 is a preview update that includes the following Identity-related improvements:

  • It addresses an issue that causes the Key Distribution Center (KDC) code to incorrectly return the following error message during domain controller shutdown:

KDC_ERR_TGT_REVOKED

  • It addresses an issue that might fail to copy the security portion of a Group Policy to a machine.
  • It addresses an issue that causes the primary domain controller (PDC) of the root domain to generate warning and error events in the System log. This issue occurs when the PDC incorrectly tries to scan outgoing-only trusts.
  • It addresses an issue that might occur when you use Netdom.exe or the Active Directory Domains and Trusts snap-in to list or modify name suffixes routing. These procedures might fail. This issue occurs after installing the January 2022 security update on the primary domain controller emulator (PDCe). The error message is:

Insufficient system resources exist to complete the requested service.

Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5012604 April 12, 2022

The April 12, 2022 update for Windows Server 2022 (KB5012604), updating the OS build number to 20348.643, is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that prevents you from changing a password that has expired when you sign in to a Windows device.
  • It addresses a heap leak in PacRequestorEnforcement that degrades the performance of a domain controller.
  • It addresses an issue that returns an error message when you browse for a domain or organizational unit (OU). This issue occurs because of improper zeroing out of memory.
  • It addresses an issue that affects the Key Distribution Center (KDC) Proxy. The KDC Proxy cannot properly obtain Kerberos tickets for signing in to Key Trust Windows Hello for Business.
  • It addresses an issue that causes the Move-ADObject command to fail when you move computer accounts across domains. The error message is:

Multiple values were specified for an attribute that can have only one value

  • It addresses an issue that might prevent a DNS Server query resolution policy from working as expected when you specify a fully qualified domain name (FQDN) and subnet conditions.
  • It addresses an issue that might cause domain joining to fail in environments that use disjoint DNS hostnames.
  • It addresses an issue in which modern browsers fail to correctly render HTML that is generated by gpresult /h.
  • It addresses an issue that might cause the Group Policy Service to stop processing telemetry information for Group Policy Registry Preferences.
  • It addresses an issue that prevents events with Event ID 4739 from displaying the new values of certain attributes after a policy change.
  • It addresses an issue that prevents you from accessing Server Message Block (SMB) shares using an IP Address when SMB hardening is enabled.
  • It addresses an issue that occurs when the Best Practices Analyzer (BPA) values for SMB have not been updated for more recent platforms.
  • It addresses an issue in Active Directory Federation Services (AD FS) that prevents Android device users from signing in to some Microsoft applications, such as Microsoft Outlook or Microsoft Teams. This issue occurs after rolling over token signing and decrypting certificates, resetting a user's password, or when an administrator has revoked refresh tokens.
  • It addresses an issue that prevents the Back button of the credentials window as part of the AD FS sign-in pages, from being visible in high contrast black mode.

KB5012637 April 25, 2022 PREVIEW

The April 25, 2022 update for Windows Server 2022 (KB5012637) updating the OS build number to 20348.681 is a preview update that includes the following Identity-related improvements:

  • It addresses an issue that causes Kerberos authentication to fail when a client machine attempts to use the Remote Desktop Protocol (RDP) to connect to another machine while Remote Credential Guard is enabled. The error is:

0xc0030009 (RPC_NT_NULL_REF_POINTER)

  • It addresses an issue that might fail to copy the security portion of a Group Policy to a machine.
  • It addresses an issue that causes the Key Distribution Center (KDC) code to incorrectly return the following error message during domain controller shutdown:

KDC_ERR_TGT_REVOKED

  • It optimizes the Active Directory Federation Services (AD FS) artifact database by deleting expired artifacts.
  • It addresses an issue that might occur when you use Netdom.exe or the Active Directory Domains and Trusts snap-in to list or modify name suffixes routing. These procedures might fail. This issue occurs after installing the January 2022 security update on the primary domain controller emulator (PDCe). The error message is:

Insufficient system resources exist to complete the requested service.

  • It addresses an issue that causes the primary domain controller (PDC) of the root domain to generate warning and error events in the System log. This issue occurs when the PDC incorrectly tries to scan outgoing-only trusts.
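Several of the fixes above (the PacRequestorEnforcement heap leak, the KDC Proxy issue, the expired-password change issue) only take effect once every Domain Controller actually runs the April 2022 cumulative build or later. The following PowerShell is an added example, not part of the original post, that reads the build and Update Build Revision (UBR) from each Domain Controller in the current domain and compares it against the minimum builds listed above. It assumes the ActiveDirectory module is available and that WinRM is reachable on the Domain Controllers; the hashtable values are the build numbers quoted in this post.

```powershell
# Added example: verify that every Domain Controller in the current domain runs at
# least the April 12, 2022 cumulative build for its Windows Server version.
# Assumptions: ActiveDirectory module installed, WinRM access to each DC.

# Minimum UBR (the number after the dot) per major build, taken from the KBs above.
# The later preview updates have a higher UBR, so they pass the -ge check as well.
$MinimumUbr = @{
    '14393' = 5066   # Windows Server 2016, KB5012596 -> 14393.5066
    '17763' = 2803   # Windows Server 2019, KB5012647 -> 17763.2803
    '20348' = 643    # Windows Server 2022, KB5012604 -> 20348.643
}

# All DCs of the current domain. For a whole forest, loop over (Get-ADForest).Domains.
$dcs = (Get-ADDomainController -Filter *).HostName

# Read CurrentBuildNumber and UBR remotely; unreachable DCs are reported as errors.
$builds = Invoke-Command -ComputerName $dcs -ErrorAction Continue -ScriptBlock {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Build    = [int]$cv.CurrentBuildNumber
        Ubr      = [int]$cv.UBR
    }
}

$report = foreach ($b in $builds) {
    $required = $MinimumUbr["$($b.Build)"]
    if ($null -eq $required) {
        $status = 'Unknown build (not covered by this list)'
    }
    elseif ($b.Ubr -ge $required) {
        $status = 'OK'
    }
    else {
        $status = "MISSING April 2022 CU (needs $($b.Build).$required or later)"
    }
    [pscustomobject]@{
        Computer = $b.Computer
        OsBuild  = "$($b.Build).$($b.Ubr)"
        Status   = $status
    }
}

$report | Sort-Object Status, Computer | Format-Table -AutoSize
```

Run it from a management host with the RSAT tools; a Domain Controller that is reported as MISSING still has the unpatched KDC code path and should be treated as a priority for the next maintenance window. The script reads the registry instead of calling Get-HotFix because a cumulative update that supersedes the April release no longer shows the April KB number, while the UBR keeps increasing.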
