Even though Microsoft's Identity focus is moving towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates.
This is the list of Identity-related updates and fixes we saw for July 2022:
Windows Server 2016
We observed the following update for Windows Server 2016:
KB5015808 July 12, 2022
The July 12, 2022 update for Windows Server 2016 (KB5015808), which updates the OS build number to 14393.5246, is a monthly cumulative update that includes the following Identity-related improvements:
- It addresses an issue that causes Microsoft NT LAN Manager (NTLM) authentication using an external trust to fail. This issue occurs when a domain controller that has the January 11, 2022 or later Windows updates installed services the authentication request, is not in a root domain, and does not hold the Global Catalog (GC) role. The affected operations might log the following errors:
  - The security database has not been started
  - The domain was in the wrong state to perform the security operation
  - 0xc00000dd (STATUS_INVALID_DOMAIN_STATE)
- It addresses an issue that causes the domain controller holding the Primary Domain Controller emulator (PDCe) Flexible Single Master Operations (FSMO) role in the root domain to generate warning and error events in the System log. This issue occurs when the PDCe incorrectly tries to scan outgoing-only trusts.
Windows Server 2019
We observed the following updates for Windows Server 2019:
KB5015811 July 12, 2022
The July 12, 2022 update for Windows Server 2019 (KB5015811), which updates the OS build number to 17763.3165, is a monthly cumulative update that includes the following Identity-related improvements:
- It addresses an issue that causes a domain controller to incorrectly write Key Distribution Center (KDC) event 21 in the System event log. This occurs when the KDC successfully processes a Kerberos Public Key Cryptography for Initial Authentication (PKINIT) authentication request with a self-signed certificate for key trust scenarios (Windows Hello for Business and Device Authentication).
- It addresses an issue that causes NTLM authentication using an external trust to fail. This issue occurs when a domain controller that has the January 11, 2022 or later Windows updates installed services the authentication request, is not in a root domain, and does not hold the Global Catalog role. The affected operations might log the following errors:
  - The security database has not been started
  - The domain was in the wrong state to perform the security operation
  - 0xc00000dd (STATUS_INVALID_DOMAIN_STATE)
KB5015880 July 21, 2022 Preview
The July 21, 2022 update for Windows Server 2019 (KB5015880), which updates the OS build number to 17763.3232, is a preview update that includes the following Identity-related improvements:
- It provides the option to configure an alternate login ID for the Azure Multi-Factor Authentication (MFA) Active Directory Federation Services (AD FS) adapter for on-premises scenarios. By default, the adapter configuration will not ignore alternate login ID (IgnoreAlternateLoginId = $false) unless explicitly set to $true.
- It enforces a hardening change that requires printers and scanners that use smart cards for authentication to have firmware that complies with section 3.2.1 of RFC 4556. If they do not comply, domain controllers will not authenticate them.
Windows Server 2022
We observed the following updates for Windows Server 2022:
KB5015827 July 12, 2022
The July 12, 2022 update for Windows Server 2022 (KB5015827), which updates the OS build number to 20348.825, is a monthly cumulative update that includes the following Identity-related improvements:
- It adds the ability to call SetCredentialsAttribute in user mode for SECPKG_ATTR_CLIENT_CERT_POLICY.
- It adds support for Transport Layer Security (TLS) 1.3 in Windows client and server Lightweight Directory Access Protocol (LDAP) implementations.
- It provides a Group Policy setting that administrators can use to enable the use of the Ctrl + S (Save As) keyboard shortcut in Microsoft Edge IE Mode: InternetExplorerModeEnableSavePageAs
- It addresses an issue that affects some certificate chains to Root Certification Authorities that are members of the Microsoft Root Certification Program. For these certificates, the certificate chain status can be:
  - This certificate was revoked by its certification authority.
- It addresses an issue that causes a domain controller to incorrectly write Key Distribution Center (KDC) event 21 in the System event log. This occurs when the KDC successfully processes a Kerberos Public Key Cryptography for Initial Authentication (PKINIT) authentication request with a self-signed certificate for key trust scenarios (Windows Hello for Business and Device Authentication).
- It addresses an issue in which creating Install from Media (IFM) media for Active Directory fails and generates the following error:
  - -2101 JET_errCallbackFailed
- It addresses an issue that occurs when the Active Directory Lightweight Directory Service (LDS) resets the password for userProxy objects. The password reset fails with the following error:
  - 00000005: SvcErr: DSID-03380C23, problem 5003 (WILL_NOT_PERFORM), data 0
- It addresses an issue that causes the LocalUsersAndGroups configuration service provider (CSP) policy to fail when you modify the built-in Administrators group. This issue occurs if the local Administrator account isn't specified in the membership list when you perform a replace operation.
- It addresses an issue that causes NTLM authentication using an external trust to fail. This issue occurs when a domain controller that has the January 11, 2022 or later Windows updates installed services the authentication request, is not in a root domain, and does not hold the Global Catalog role. The affected operations might log the following errors:
  - The security database has not been started
  - The domain was in the wrong state to perform the security operation
  - 0xc00000dd (STATUS_INVALID_DOMAIN_STATE)
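The NTLM-over-external-trust fix above only matters for domain controllers in one specific configuration: not in the forest root domain and not holding the Global Catalog role, with the January 2022 or later updates installed. The following PowerShell script is an added example, not code from the original post or from Microsoft; it enumerates every domain controller in the forest, flags the ones in that configuration, and checks whether the July 2022 cumulative update for their operating system (KB5015808, KB5015811 or KB5015827, as listed above) is installed. It assumes the ActiveDirectory module is available and that Get-HotFix can reach each DC remotely; the OperatingSystem match strings are an assumption about how Get-ADDomainController reports the version.

```powershell
# Added example (not from the original post): find domain controllers in the
# configuration the NTLM-over-external-trust issue applies to and report whether
# the July 2022 cumulative update for their OS is installed.
Import-Module ActiveDirectory

# KB numbers are the ones listed in the post; the OS key strings are an
# assumption about the OperatingSystem value Get-ADDomainController returns.
$julyUpdates = @{
    'Windows Server 2016' = 'KB5015808'
    'Windows Server 2019' = 'KB5015811'
    'Windows Server 2022' = 'KB5015827'
}

function Get-NtlmTrustExposure {
    $forest     = Get-ADForest
    $rootDomain = $forest.RootDomain

    foreach ($domain in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
            # Affected configuration per the KB text: DC outside the root domain, no GC role
            $inScope = ($dc.Domain -ne $rootDomain) -and (-not $dc.IsGlobalCatalog)

            # Pick the July 2022 KB that applies to this DC's operating system
            $kb = $null
            foreach ($os in $julyUpdates.Keys) {
                if ($dc.OperatingSystem -like "*$os*") { $kb = $julyUpdates[$os] }
            }

            # $true = installed, $false = not found, $null = could not query (treated as unknown)
            $installed = $null
            if ($kb) {
                try {
                    $installed = [bool](Get-HotFix -Id $kb -ComputerName $dc.HostName -ErrorAction Stop)
                } catch [System.Management.Automation.RemoteException] {
                    $installed = $null
                } catch {
                    $installed = $false
                }
            }

            [pscustomobject]@{
                DomainController = $dc.HostName
                Domain           = $dc.Domain
                IsGlobalCatalog  = $dc.IsGlobalCatalog
                AffectedConfig   = $inScope
                ExpectedUpdate   = $kb
                UpdateInstalled  = $installed
                # Conservative: an in-scope DC whose update state is not confirmed needs a look
                NeedsAttention   = $inScope -and ($installed -ne $true)
            }
        }
    }
}

Get-NtlmTrustExposure | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize
```

Run it from a machine with the RSAT AD module as an account that can read the remote Win32_QuickFixEngineering class on each DC. A DC that shows AffectedConfig = True and UpdateInstalled = False is one where NTLM logons over an external trust can still fail with the errors listed above.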
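Because KB5015811 and KB5015827 stop domain controllers from writing spurious KDC event 21 entries for PKINIT key-trust logons, the event becomes a useful signal again once the updates are installed: a DC that keeps logging it either lacks the update or has a genuine client certificate problem. The following PowerShell function is an added example, not code from the original post or from Microsoft; it counts event 21 from the Microsoft-Windows-Kerberos-Key-Distribution-Center provider on each domain controller of the current domain over a chosen window. It assumes the ActiveDirectory module and remote event log access.

```powershell
# Added example (not from the original post): summarise KDC event 21 per domain
# controller so post-update noise can be told apart from real certificate failures.
Import-Module ActiveDirectory

function Get-KdcEvent21Summary {
    param(
        [int]$Days = 7
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 21
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-ADDomainController without -Server enumerates the current domain only
    foreach ($dc in Get-ADDomainController -Filter *) {
        $events = @(Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue)
        $latest = if ($events.Count -gt 0) { ($events | Sort-Object TimeCreated -Descending)[0].TimeCreated } else { $null }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Event21Count     = $events.Count
            LastSeen         = $latest
            # The event text names the certificate involved; a distinct-message count
            # separates one misbehaving device from a fleet-wide pattern
            DistinctMessages = @($events | Select-Object -ExpandProperty Message -Unique).Count
        }
    }
}

Get-KdcEvent21Summary -Days 7 | Format-Table -AutoSize
```

Compare the counts before and after the July update reaches each DC; a DC whose count stays high after the update deserves a look at the distinct messages, which identify the certificates the KDC is rejecting.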
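KB5015827 adds TLS 1.3 to the Windows LDAP client and server. Whether a given domain controller actually negotiates it on LDAPS is easy to verify from the client side: open a TLS connection to port 636 with a single protocol version enabled and read back what Schannel agreed to. The following PowerShell function is an added example, not code from the original post or from Microsoft. It uses .NET's SslStream and therefore needs PowerShell 7 or .NET Framework 4.8 for the Tls13 enum member; the host name dc01.corp.example is a placeholder.

```powershell
# Added example (not from the original post): probe an LDAPS endpoint with one TLS
# version at a time and report what was negotiated. Requires PowerShell 7 or
# .NET Framework 4.8 so that SslProtocols::Tls13 exists.
function Test-LdapsTlsVersion {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636,
        [System.Security.Authentication.SslProtocols]$Protocol = [System.Security.Authentication.SslProtocols]::Tls13
    )
    $script:certPolicyErrors = $null
    # Certificate validation problems are recorded and reported in the output rather
    # than aborting the handshake, so the negotiated protocol can still be observed.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:certPolicyErrors = $errors
        $true
    }
    $client = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        # Offer only the requested protocol; a failure means the server (or this
        # client's runtime) does not support it
        $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false)
        [pscustomobject]@{
            Server            = $Server
            Requested         = $Protocol
            Negotiated        = $ssl.SslProtocol
            CipherAlgorithm   = $ssl.CipherAlgorithm
            CertificateErrors = $script:certPolicyErrors
            Success           = $true
            Error             = $null
        }
    } catch {
        [pscustomobject]@{
            Server            = $Server
            Requested         = $Protocol
            Negotiated        = $null
            CipherAlgorithm   = $null
            CertificateErrors = $script:certPolicyErrors
            Success           = $false
            Error             = $_.Exception.Message
        }
    } finally {
        $client.Close()
    }
}

# Compare TLS 1.2 and TLS 1.3 against one domain controller (placeholder host name)
'Tls12', 'Tls13' | ForEach-Object {
    Test-LdapsTlsVersion -Server 'dc01.corp.example' -Protocol $_
} | Format-Table -AutoSize
```

A Windows Server 2022 DC without KB5015827 is expected to succeed for Tls12 and fail for Tls13; after the update both rows should succeed. The CertificateErrors column should be None in a healthy deployment; anything else points at the server certificate or the client's trust store, not at the protocol change.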
KB5015879 July 19, 2022 Preview
The July 19, 2022 update for Windows Server 2022 (KB5015879), which updates the OS build number to 20348.859, is a preview update that includes the following Identity-related improvements:
- It addresses an issue that might cause Windows to stop working when you enable Windows Defender Application Control with the Intelligent Security Graph feature turned on.
- It addresses an issue that causes the Windows profile service to fail sporadically. The failure might occur when signing in. The error message is:
  - gpsvc service failed to sign in. Access denied
- It provides the option to configure an alternate login ID for the Azure Multi-Factor Authentication (MFA) Active Directory Federation Services (AD FS) adapter for on-premises scenarios. By default, the adapter configuration will not ignore alternate login ID (IgnoreAlternateLoginId = $false) unless explicitly set to $true.
- It enforces a hardening change that requires printers and scanners that use smart cards for authentication to have firmware that complies with section 3.2.1 of RFC 4556. If they do not comply, domain controllers will not authenticate them.