Even though Microsoft’s Identity focus moves towards the cloud, Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates to improve the experiences and security of Microsoft’s on-premises powerhouses.
This is the list of Identity-related updates and fixes we saw for August 2024:
Windows Server 2016
We observed the following update for Windows Server 2016:
KB5041773 August 13, 2024
The August 13, 2024, update for Windows Server 2016 (KB5041773) is a monthly cumulative update that raises the OS build number to 14393.7259. It includes the following Identity-related improvements:
- This update removes the NetJoinLegacyAccountReuse registry key as part of the domain join hardening changes described in KB5020276. The hardening behavior now applies regardless of the key's setting.
- This update hardens Windows DNS Server to address the Windows DNS Spoofing Vulnerability detailed in CVE-2024-37968. If domain configurations are not up to date, admins might see SERVFAIL errors or timeouts.
Windows Server 2019
We observed the following update for Windows Server 2019:
KB5041578 August 13, 2024
The August 13, 2024, update for Windows Server 2019 (KB5041578) is a monthly cumulative update that raises the OS build number to 17763.6189. It includes the following Identity-related improvements:
- This update addresses a security feature bypass vulnerability in Protected Process Light (PPL). After installing this update, LSA Protection (RunAsPPL) can no longer be bypassed.
- This update removes the NetJoinLegacyAccountReuse registry key as part of the domain join hardening changes described in KB5020276. The hardening behavior now applies regardless of the key's setting.
- This update hardens Windows DNS Server to address the Windows DNS Spoofing Vulnerability detailed in CVE-2024-37968. If domain configurations are not up to date, admins might see SERVFAIL errors or timeouts.
Windows Server 2022
We observed the following update for Windows Server 2022:
KB5041160 August 13, 2024
The August 13, 2024, update for Windows Server 2022 (KB5041160) is a monthly cumulative update that raises the OS build number to 20348.2655. It includes the following Identity-related improvements:
- This update addresses a security feature bypass vulnerability in Protected Process Light (PPL). After installing this update, LSA Protection (RunAsPPL) can no longer be bypassed.
- This update removes the NetJoinLegacyAccountReuse registry key as part of the domain join hardening changes described in KB5020276. The hardening behavior now applies regardless of the key's setting.
- This update hardens Windows DNS Server to address the Windows DNS Spoofing Vulnerability detailed in CVE-2024-37968. If domain configurations are not up to date, admins might see SERVFAIL errors or timeouts.
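The three changes above (domain join hardening, LSA Protection and the DNS hardening) can be verified on a patched domain controller with a short PowerShell check. The script below is an added example and is not part of the original post or of any Microsoft guidance. It assumes the registry locations documented in KB5020276 for NetJoinLegacyAccountReuse and the standard Lsa key for RunAsPPL, and it takes an optional parent-zone name server (a placeholder you supply) to check whether the AD zone is delegated, which the post does not describe in detail.

```powershell
# Added example (not from the original post): post-update checks for the
# August 2024 Identity-related changes on Windows Server 2016/2019/2022.
# Run in an elevated PowerShell session on the domain controller / DNS server.
# Assumptions: the registry locations below are the ones documented in
# KB5020276 (NetJoinLegacyAccountReuse) and for LSA Protection (RunAsPPL);
# the delegation check needs a parent-zone name server that you supply.

param(
    [string]$AdZone   = $env:USERDNSDOMAIN,   # AD domain DNS zone to test
    [string]$ParentNs = ''                    # optional parent-zone name server (placeholder, your value)
)

# 1. Confirm the cumulative update is installed by comparing the OS build.
#    Build numbers are those listed in the post for KB5041773 / KB5041578 / KB5041160.
$expectedBuilds = @{
    '14393' = 7259   # Windows Server 2016, KB5041773
    '17763' = 6189   # Windows Server 2019, KB5041578
    '20348' = 2655   # Windows Server 2022, KB5041160
}
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [string]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR
if ($expectedBuilds.ContainsKey($build)) {
    $ok = $ubr -ge $expectedBuilds[$build]
    "OS build $build.$ubr - August 2024 update present: $ok"
} else {
    "OS build $build.$ubr - not one of the Windows Server versions covered here"
}

# 2. NetJoinLegacyAccountReuse: the value is ignored after the update, so a
#    leftover entry only records a past exception and can be cleaned up.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$legacy = (Get-ItemProperty -Path $lsa -Name NetJoinLegacyAccountReuse -ErrorAction SilentlyContinue).NetJoinLegacyAccountReuse
if ($null -ne $legacy) {
    "NetJoinLegacyAccountReuse is still set to $legacy; it no longer relaxes the domain join hardening and can be removed"
} else {
    "NetJoinLegacyAccountReuse is not present"
}

# 3. LSA Protection: the fix closes the PPL bypass, but RunAsPPL still has to be enabled.
$runAsPpl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
"RunAsPPL = $runAsPpl (1 or 2 means LSA Protection is enabled; empty means it is not configured)"

# 4. DNS: after the CVE-2024-37968 hardening, a zone whose configuration is stale
#    can answer SERVFAIL. Query the local server for the zone's SOA and, if a parent
#    name server was supplied, check that the delegation (NS records) exists there.
try {
    $soa = Resolve-DnsName -Name $AdZone -Type SOA -Server 127.0.0.1 -DnsOnly -ErrorAction Stop
    $primary = ($soa | Where-Object Type -eq 'SOA' | Select-Object -ExpandProperty PrimaryServer)
    "SOA for $AdZone answered by the local server; primary: $primary"
} catch {
    "Local DNS lookup for $AdZone failed: $($_.Exception.Message) (SERVFAIL or timeout here is the symptom described in the KB)"
}
if ($ParentNs) {
    try {
        $ns = Resolve-DnsName -Name $AdZone -Type NS -Server $ParentNs -DnsOnly -ErrorAction Stop
        "Delegation for $AdZone at ${ParentNs}: " + (($ns | Where-Object Type -eq 'NS').NameHost -join ', ')
    } catch {
        "No delegation for $AdZone found at ${ParentNs}: $($_.Exception.Message)"
    }
}
```

Run it as `.\Check-August2024Identity.ps1 -ParentNs ns1.parent.example` (the script name and the parent server are placeholders). Step 4 is the one to watch: a SERVFAIL from the local server combined with a missing delegation at the parent is the combination the KB text hints at, and checking both sides separates a DNS Server hardening effect from an ordinary resolution problem.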
The guidance around CVE-2024-37968 has been very disappointing. The official guidance is totally useless and the only real actionable information comes from a helpful Reddit user who relayed information from a MS support ticket.
And yet it is still unknown if SERVFAIL will happen in the total absence of delegation from parent zone to the AD domain zone.