On-premises Identity-related updates and fixes for August 2022


Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates.

This is the list of Identity-related updates and fixes we saw for August 2022:

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5016622 August 9, 2022

The August 9, 2022 update for Windows Server 2016 (KB5016622), updating the OS build number to 14393.5291, is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that prevents the Key Distribution Center (KDC) Proxy from properly receiving Kerberos tickets for Windows Hello for Business authentications in Hybrid Key Trust implementations.
  • It addresses an issue that causes the KDC code on Domain Controllers to incorrectly return the following error message during shutdown:

KDC_ERR_TGT_REVOKED

  • It addresses an issue that might cause the Local Security Authority Server Service (lsass.exe) to leak tokens. This issue affects devices that have installed Windows updates dated June 14, 2022 and later. This issue occurs when the device performs a specific form of service for user (S4U) in a non-Trusted Computing Base (TCB) Windows service that runs as Network Service.
  • It enforces a hardening change that requires printers and scanners that use smart cards for authentication to have firmware that complies with section 3.2.1 of RFC 4556. If they do not comply, domain controllers will not authenticate them.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5016623 August 9, 2022

The August 9, 2022 update for Windows Server 2019 (KB5016623), updating the OS build number to 17763.3287, is a monthly cumulative update that includes the following Identity-related improvements:

  • It provides the option to configure an alternate login ID for the Azure Multi-Factor Authentication (MFA) Active Directory Federation Services (AD FS) adapter for on-premises scenarios. By default, the adapter configuration will not ignore alternate login ID (IgnoreAlternateLoginId = $false) unless explicitly set to $true.
  • It addresses an issue that might cause the Local Security Authority Server Service (lsass.exe) to leak tokens. This issue affects devices that have installed Windows updates dated June 14, 2022 and later. This issue occurs when the device performs a specific form of service for user (S4U) in a non-Trusted Computing Base (TCB) Windows service that runs as Network Service.
  • It enforces a hardening change that requires printers and scanners that use smart cards for authentication to have firmware that complies with section 3.2.1 of RFC 4556. If they do not comply, domain controllers will not authenticate them.

KB5016690 August 23, 2022 Preview

The August 23, 2022 update for Windows Server 2019 (KB5016690), updating the OS build number to 17763.3346, is a preview update that includes the following Identity-related improvements:

  • It addresses an issue that causes the Resultant Set of Policy tool (rsop.msc) to stop working when it processes 1,000 or more File System security settings.
  • It addresses an issue that causes the Settings app to stop working on Domain Controllers when accessing the Privacy > Activity history page.
  • It addresses a race condition that causes the Local Security Authority Subsystem Service (lsass.exe) to stop working on Domain Controllers. This issue occurs when LSASS processes simultaneous Lightweight Directory Access Protocol (LDAP) over Transport Layer Security (TLS) requests that fail to decrypt. The exception code is:

0xc0000409 (STATUS_STACK_BUFFER_OVERRUN)

  • It addresses an issue that affects a lookup for a non-existent security ID (SID) from the local Active Directory domain using a read-only Domain Controller. The lookup unexpectedly returns the STATUS_TRUSTED_DOMAIN_FAILURE error instead of STATUS_NONE_MAPPED or STATUS_SOME_MAPPED.
  • It addresses an issue that causes a read-only Domain Controller to unexpectedly restart. In the event log, you’ll find the following:
    • Event 1074 with the message: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073740286. The system will now shut down and restart.
    • Event 1015 with the message: A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000602. The machine must now be restarted.
    • Event 1000 with the message: Faulting application name: lsass.exe, Faulting module name: ESENT.dll, Exception code: 0xc0000602.

Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5016627 August 9, 2022

The August 9, 2022 update for Windows Server 2022 (KB5016627), updating the OS build number to 20348.887, is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that might cause Windows to stop working when you enable Windows Defender Application Control with the Intelligent Security Graph feature turned on.
  • It addresses an issue that causes the Windows profile service to fail sporadically. The failure might occur when signing in. The error message is:

gpsvc service failed to sign in. Access denied

  • It provides the option to configure an alternate login ID for the Azure Multi-Factor Authentication (MFA) Active Directory Federation Services (AD FS) adapter for on-premises scenarios. By default, the adapter configuration will not ignore alternate login ID (IgnoreAlternateLoginId = $false) unless explicitly set to $true.
  • It addresses an issue that might cause the Local Security Authority Server Service (lsass.exe) to leak tokens. This issue affects devices that have installed Windows updates dated June 14, 2022 and later. This issue occurs when the device performs a specific form of service for user (S4U) in a non-Trusted Computing Base (TCB) Windows service that runs as Network Service.
  • It enforces a hardening change that requires printers and scanners that use smart cards for authentication to have firmware that complies with section 3.2.1 of RFC 4556. If they do not comply, domain controllers will not authenticate them.

KB5016693 August 16, 2022 PREVIEW

The August 16, 2022 update for Windows Server 2022 (KB5016693), updating the OS build number to 20348.946, is a preview update that includes the following Identity-related improvements:

  • It addresses an issue that causes Kerberos authentication to fail when a client uses the Remote Desktop Protocol (RDP) to connect to a device that has Remote Credential Guard enabled. The error is:

0xc000009a (STATUS_INSUFFICIENT_RESOURCES “Insufficient system resources exist to complete the API”)

  • It addresses an issue that might cause the deployment of the Windows Hello for Business certificate to fail in certain circumstances after you reset a device.
  • It addresses an issue that causes the Resultant Set of Policy tool (rsop.msc) to stop working when it processes 1,000 or more File System security settings.
  • It addresses an issue that causes the Settings app to stop working on Domain Controllers when accessing the Privacy > Activity history page.
  • It addresses a race condition that causes the Local Security Authority Subsystem Service (lsass.exe) to stop working on Domain Controllers. This issue occurs when LSASS processes simultaneous Lightweight Directory Access Protocol (LDAP) over Transport Layer Security (TLS) requests that fail to decrypt. The exception code is:

0xc0000409 (STATUS_STACK_BUFFER_OVERRUN)

  • It addresses an issue that affects a lookup for a non-existent security ID (SID) from the local Active Directory domain using a read-only Domain Controller. The lookup unexpectedly returns the STATUS_TRUSTED_DOMAIN_FAILURE error instead of STATUS_NONE_MAPPED or STATUS_SOME_MAPPED.
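As an added defender-side check (example code written for this post, not from Microsoft or the original article), the script below verifies from the registry whether a Domain Controller is at or above the August 9, 2022 cumulative build listed above for its Windows Server version, and looks back through the event logs for the lsass.exe restart signature (Events 1074, 1015 and 1000) that the KB5016690 and KB5016693 notes describe. It assumes it runs locally on the server with rights to read the registry and the System and Application logs; the function names are my own.

```powershell
# Added example, not part of the original post. Assumes it runs locally on the
# server with rights to read the registry and the System/Application event logs.
# Minimum builds are the August 9, 2022 cumulative builds listed above.
$MinimumBuilds = @{
    '14393' = @{ Ubr = 5291; Kb = 'KB5016622'; Os = 'Windows Server 2016' }
    '17763' = @{ Ubr = 3287; Kb = 'KB5016623'; Os = 'Windows Server 2019' }
    '20348' = @{ Ubr = 887;  Kb = 'KB5016627'; Os = 'Windows Server 2022' }
}

function Test-August2022IdentityUpdate {
    # CurrentBuild and UBR together form the build shown in the post (e.g. 17763.3287).
    $ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$ver.CurrentBuild
    $ubr   = [int]$ver.UBR
    if (-not $MinimumBuilds.ContainsKey($build)) {
        return [pscustomobject]@{ Os = "Unsupported build $build"; Build = "$build.$ubr"; Compliant = $null }
    }
    $req = $MinimumBuilds[$build]
    # The UBR comparison is the authoritative test: a later cumulative update
    # supersedes this KB, so Get-HotFix may not list it even on a patched host.
    [pscustomobject]@{
        Os         = $req.Os
        Build      = "$build.$ubr"
        RequiredKb = $req.Kb
        KbListed   = [bool](Get-HotFix -Id $req.Kb -ErrorAction SilentlyContinue)
        Compliant  = ($ubr -ge $req.Ubr)
    }
}

function Get-LsassCrashEvents {
    # Looks back for the RODC restart signature described above: Event 1074/1015
    # in the System log and Event 1000 in the Application log naming lsass.exe.
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'System';      Id = 1074, 1015; StartTime = $since },
        @{ LogName = 'Application'; Id = 1000;       StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'lsass\.exe' } |
            Select-Object TimeCreated, Id, LogName, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
    }
}

Test-August2022IdentityUpdate | Format-List
Get-LsassCrashEvents | Format-Table -AutoSize -Wrap
```

A host that reports Compliant = $false but has crash events within the lookback window matches the pre-fix behaviour described for read-only Domain Controllers and should be prioritised for the cumulative update.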
