On-premises Identity-related updates and fixes for June 2022


Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates.

This is the list of Identity-related updates and fixes we saw for June 2022:

 

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5014702 June 14, 2022

The June 14, 2022 update for Windows Server 2016 (KB5014702), updating the OS build number to 14393.5192, is a monthly cumulative update that includes one Identity-related improvement. It provides a Group Policy setting that administrators can use to enable the use of the Ctrl + S (Save As) keyboard shortcut in Microsoft Edge IE Mode.

Note:
After installing this update, Windows Servers that offer the Routing and Remote Access Service (RRAS) might be unable to correctly direct internet traffic. Devices that connect to the server might fail to connect to the internet, and servers can lose connection to the internet after a client device connects.

 

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5014692 June 14, 2022

The June 14, 2022 update for Windows Server 2019 (KB5014692), updating the OS build number to 17763.3046, is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that affects remote procedure calls (RPC) to the Win32_User or Win32_Group WMI class. The domain member that runs the RPC contacts the domain controller holding the PDC emulator (PDCe) Flexible Single Master Operations (FSMO) role. When multiple RPCs occur simultaneously on many domain members, this might overwhelm the PDCe.
  • It addresses an issue that occurs when adding a trusted user, group, or computer that has a one-way trust in place. The following error message appears:

The object selected doesn't match the type of destination source

  • It addresses a known issue that might cause Windows Server-based hosts to log events with event ID 40 in the System event log, whenever you update or refresh a Group Policy on a server or client. The event Description is:

The event logging service encountered an error when attempting to apply one or more policy settings.

 

KB5014669 June 23, 2022 Preview

The June 23, 2022 update for Windows Server 2019 (KB5014669), updating the OS build number to 17763.3113, is a preview update that includes the following Identity-related improvements:

  • It addresses an issue that causes a domain controller to incorrectly write Key Distribution Center (KDC) event 21 in the System event log. This occurs when the KDC successfully processes a Kerberos Public Key Cryptography for Initial Authentication (PKINIT) authentication request with a self-signed certificate for key trust scenarios (Windows Hello for Business and Device Authentication).
  • It addresses an issue that causes NTLM authentication using an external trust to fail. This issue occurs when the domain controller that services the authentication request has the January 11, 2022 or later Windows updates installed, is not in a root domain, and does not hold the Global Catalog role. The affected operations might log the following errors:

The security database has not been started.

The domain was in the wrong state to perform the security operation.

0xc00000dd (STATUS_INVALID_DOMAIN_STATE)

 

 

Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5014678 June 14, 2022

The June 14, 2022 update for Windows Server 2022 (KB5014678), updating the OS build number to 20348.768, is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that affects remote procedure calls (RPC) to the Win32_User or Win32_Group WMI class. The domain member that runs the RPC contacts the domain controller holding the PDC emulator (PDCe) Flexible Single Master Operations (FSMO) role. When multiple RPCs occur simultaneously on many domain members, this might overwhelm the PDCe.
  • It addresses an issue that occurs when adding a trusted user, group, or computer that has a one-way trust in place. The following error message appears:

The object selected doesn't match the type of destination source

 

KB5014665 June 23, 2022 Preview

The June 23, 2022 update for Windows Server 2022 (KB5014665), updating the OS build number to 20348.803, is a preview update that includes the following Identity-related improvements:

  • It adds the ability to call SetCredentialsAttribute in user mode for SECPKG_ATTR_CLIENT_CERT_POLICY.
  • It adds support for Transport Layer Security (TLS) 1.3 in Windows client and server Lightweight Directory Access Protocol (LDAP) implementations.
  • It provides a Group Policy setting that administrators can use to enable the use of the Ctrl + S (Save As) keyboard shortcut in Microsoft Edge IE Mode: InternetExplorerModeEnableSavePageAs
  • It addresses an issue that affects some certificate chains to Root Certification Authorities that are members of the Microsoft Root Certification Program. For these certificates, the certificate chain status can be:

This certificate was revoked by its certification authority.

  • It addresses an issue that causes a domain controller to incorrectly write Key Distribution Center (KDC) event 21 in the System event log. This occurs when the KDC successfully processes a Kerberos Public Key Cryptography for Initial Authentication (PKINIT) authentication request with a self-signed certificate for key trust scenarios (Windows Hello for Business and Device Authentication).
  • It addresses an issue in which creating Install from Media (IFM) media for Active Directory fails and generates the following error:

-2101 JET_errCallbackFailed

  • It addresses an issue that occurs when the Active Directory Lightweight Directory Service (LDS) resets the password for userProxy objects. The password reset fails with the following error:

00000005: SvcErr: DSID-03380C23, problem 5003 (WILL_NOT_PERFORM), data 0

  • It addresses an issue that causes the LocalUsersAndGroups configuration service provider (CSP) policy to fail when you modify the built-in Administrators group. This issue occurs if the local Administrator account isn't specified in the membership list when you perform a replace operation.
  • It addresses an issue that causes NTLM authentication using an external trust to fail. This issue occurs when the domain controller that services the authentication request has the January 11, 2022 or later Windows updates installed, is not in a root domain, and does not hold the Global Catalog role. The affected operations might log the following errors:

The security database has not been started.

The domain was in the wrong state to perform the security operation.

0xc00000dd (STATUS_INVALID_DOMAIN_STATE)
