On-premises Identity-related updates and fixes for September 2022

Reading Time: 4 minutes

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates.

This is the list of Identity-related updates and fixes we saw for September 2022:

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5017305 September 13, 2022

The September 13, 2022 update for Windows Server 2016 (KB5017305) updating the OS build number to 14393.5336, is a monthly cumulative update that includes the following Identity-related improvements:

  • It provides a Group Policy setting that affects Microsoft Edge IE mode. Administrators can use this Group Policy setting to let you use the Ctrl + S shortcut (Save As) in Microsoft Edge IE mode.
  • It addresses an issue that might log authentication requests against the wrong AD FS endpoint.

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB5017315 September 13, 2022

The September 13, 2022 update for Windows Server 2019 (KB5017315) updating the OS build number to 17763.3406 is a monthly cumulative update that includes

the following Identity-related improvements:

  • It addresses an issue that causes the Resultant Set of Policy tool (rsop.msc) to stop working when it processes 1,000 or more File System security settings.
  • It addresses an issue that causes the Settings app to stop working on Domain Controllers when accessing the Privacy > Activity history page.
  • It addresses a race condition that causes the Local Security Authority Subsystem Service (lsass.exe) to stop working on Domain Controllers. This issue occurs when LSASS processes simultaneous Lightweight Directory Access Protocol (LDAP) over Transport Layer Security (TLS) requests that fail to decrypt. The exception code is:

0xc0000409 (STATUS_STACK_BUFFER_OVERRUN)

  • It addresses an issue that affects a lookup for a non-existent security ID (sID) from the local Active Directory domain using a read-only Domain Controller. The lookup unexpectedly returns the STATUS_TRUSTED_DOMAIN_FAILURE error instead of STATUS_NONE_MAPPED or STATUS_SOME_MAPPED.
  • It addresses an issue that causes a read-only Domain Controller to unexpectedly restart. In the event log, you’ll find the following:
    • Event 1074 with the message: The system process 'C:\Windows\system32\lsass.exe' terminated unexpectedly with status code -1073740286. The system will now shut down and restart.
    • Event 1015 with the message: A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000602. The machine must now be restarted.
    • Event 1000 with the message: Faulting application name: lsass.exe, Faulting module name: ESENT.dll, Exception code: 0xc0000602.

KB5016690 September 20, 2022 PREVIEW

The September 20, 2022 update for Windows Server 2019 (KB5017379) updating the OS build number to 17763.3469 is the last preview update for Windows Server 2019. It includes the following Identity-related improvements:

  • This update turns off Transport Layer Security (TLS) 1.0 and 1.1 by default in Microsoft browsers and applications.
  • It introduces a Group Policy setting that enables or disables Microsoft HTML Application (MSHTA) files.
  • It addresses an issue that affects non-Windows devices. It stops these devices from authenticating. This issue occurs when they connect to a Windows-based remote desktop and use a smart card to authenticate.
  • It addresses an issue that affects the Local Security Authority Subsystem Service (LSASS). LSASS might stop working on a domain controller for a child domain. This might occur when you lose the connection to a domain controller in the parent domain while you are searching for a name that is in many forests or a security identifier (sID).
  • It addresses an issue that affects Group Policy Objects (GPOs). Because of this, the system might stop working.

Windows Server 2022

We observed the following updates for Windows Server 2022:

KB5017316 September 13, 2022

The September 13, 2022 update for Windows Server 2022 (KB5017316), updating the OS build number to 20348.1006, is a monthly cumulative update that includes the following Identity-related improvements:

  • It addresses an issue that causes Kerberos authentication to fail when a client uses the Remote Desktop Protocol (RDP) to connect to a device that has Remote Credential Guard enabled . The error is:

    0xc000009a (STATUS_INSUFFICIENT_RESOURCES “Insufficient system resources exist to complete the API”)

  • It addresses an issue that might cause the deployment of the Windows Hello for Business certificate to fail in certain circumstances after you reset a device.
  • It addresses an issue that causes the Resultant Set of Policy tool (rsop.msc) to stop working when it processes 1,000 or more File System security settings.
  • It addresses an issue that causes the Settings app to stop working on Domain Controllers when accessing the Privacy > Activity history page.
  • It addresses a race condition that causes the Local Security Authority Subsystem Service (lsass.exe) to stop working on Domain Controllers. This issue occurs when LSASS processes simultaneous Lightweight Directory Access Protocol (LDAP) over Transport Layer Security (TLS) requests that fail to decrypt. The exception code is:

0xc0000409 (STATUS_STACK_BUFFER_OVERRUN)

  • It addresses an issue that affects a lookup for a non-existent security ID (sID) from the local Active Directory domain using a read-only Domain Controller. The lookup unexpectedly returns the STATUS_TRUSTED_DOMAIN_FAILURE error instead of STATUS_NONE_MAPPED or STATUS_SOME_MAPPED.

KB5017381 September 20, 2022 PREVIEW

The September 20, 2022 update for Windows Server 2022 (KB5017381) updating the OS build number to 20348.1070 is a preview update that includes the following Identity-related improvements:

  • This update introduces WebAuthn redirection. It lets you authenticate in apps and on websites without a password when you use Remote Desktop. Then, you can use Windows Hello or security devices, such as Fast Identity Online 2.0 (FIDO2) keys.
  • It addresses an issue that affects cached credentials for security keys and FIDO2 authentications. On hybrid domain-joined devices, the system removes these cached credentials.
  • It introduces a Group Policy setting that enables or disables Microsoft HTML Application (MSHTA) files.
  • It addresses an issue that affects Group Policy Objects (GPOs). Because of this, the system might stop working.
  • It addresses an issue that affects non-Windows devices. It stops these devices from authenticating. This issue occurs when they connect to a Windows-based remote desktop and use a smart card to authenticate.
  • It addresses an issue that affects the Settings app on domain controllers. When you access System > Display, the Settings app stops working.
  • It addresses an issue that affects the Local Security Authority Subsystem Service (LSASS). LSASS might stop working on a domain controller for a child domain. This might occur when you lose the connection to a domain controller in the parent domain while you are searching for a name that is in many forests or a security identifier (sID).

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.