On-premises Identity-related updates and fixes for August 2024

Windows Server

Even though Microsoft's Identity focus is moving towards the cloud, Windows Server 2016, Windows Server 2019 and Windows Server 2022 still receive updates that improve the experience and security of Microsoft's on-premises powerhouses.

This is the list of Identity-related updates and fixes we saw for August 2024:

Windows Server 2016

We observed the following update for Windows Server 2016:

KB5041773 August 13, 2024

The August 13, 2024, update for Windows Server 2016 (KB5041773), updating the OS build number to 14393.7259, is a monthly cumulative update. It includes the following Identity-related improvements:

  • This update removes the NetJoinLegacyAccountReuse registry key in the context of the domain join hardening changes described in KB5020276. The hardening behavior now persists regardless of the key's setting.
  • This update hardens Windows DNS Server to address the Windows DNS Spoofing Vulnerability detailed in CVE-2024-37968. If domain DNS configurations are not up to date, admins might see SERVFAIL errors or time-outs.

Windows Server 2019

We observed the following update for Windows Server 2019:

KB5041578 August 13, 2024

The August 13, 2024, update for Windows Server 2019 (KB5041578), updating the OS build number to 17763.6189, is a monthly cumulative update. It includes the following Identity-related improvements:

  • This update addresses a security feature bypass vulnerability in Protected Process Light (PPL). After installing this update, LSA Protection (RunAsPPL) can no longer be bypassed.
  • This update removes the NetJoinLegacyAccountReuse registry key in the context of the domain join hardening changes described in KB5020276. The hardening behavior now persists regardless of the key's setting.
  • This update hardens Windows DNS Server to address the Windows DNS Spoofing Vulnerability detailed in CVE-2024-37968. If domain DNS configurations are not up to date, admins might see SERVFAIL errors or time-outs.

Windows Server 2022

We observed the following update for Windows Server 2022:

KB5041160 August 13, 2024

The August 13, 2024, update for Windows Server 2022 (KB5041160), updating the OS build number to 20348.2655, is a monthly cumulative update. It includes the following Identity-related improvements:

  • This update addresses a security feature bypass vulnerability in Protected Process Light (PPL). After installing this update, LSA Protection (RunAsPPL) can no longer be bypassed.
  • This update removes the NetJoinLegacyAccountReuse registry key in the context of the domain join hardening changes described in KB5020276. The hardening behavior now persists regardless of the key's setting.
  • This update hardens Windows DNS Server to address the Windows DNS Spoofing Vulnerability detailed in CVE-2024-37968. If domain DNS configurations are not up to date, admins might see SERVFAIL errors or time-outs.
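The three updates above share the same Identity-relevant changes, so one post-patch check covers all of them. The following PowerShell script is an added example written for this page; it is not code from the original post or from Microsoft. It verifies that the expected August 2024 cumulative update (KB and OS build revision as listed above) is present, reports the LSA Protection (RunAsPPL) setting, flags a leftover NetJoinLegacyAccountReuse value (which the update now ignores, per KB5020276), and queries the AD domain zone through a patched DC to surface the SERVFAIL condition the KB articles warn about. The registry paths are the documented locations for those two values; the DNS server name, zone name, and the "DNS server failure" error text matched in the catch block are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post): post-update checks for the
# August 2024 Identity-related changes on Windows Server 2016/2019/2022.
# Run in an elevated PowerShell session on the patched server.

# KB numbers and build revisions (UBR) as listed in the post.
$expected = @{
    '14393' = @{ KB = 'KB5041773'; UBR = 7259 }   # Windows Server 2016
    '17763' = @{ KB = 'KB5041578'; UBR = 6189 }   # Windows Server 2019
    '20348' = @{ KB = 'KB5041160'; UBR = 2655 }   # Windows Server 2022
}

# 1. Is the August 2024 cumulative update installed?
$ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = $ver.CurrentBuild
$ubr   = [int]$ver.UBR
if ($expected.ContainsKey($build)) {
    $e         = $expected[$build]
    $installed = Get-HotFix -Id $e.KB -ErrorAction SilentlyContinue
    $state     = if ($ubr -ge $e.UBR -or $installed) { 'installed' } else { 'MISSING' }
    Write-Output ('Build {0}.{1}: {2} {3}' -f $build, $ubr, $e.KB, $state)
} else {
    Write-Output "Build $build.$ubr is not one of the server versions covered here."
}

# 2. LSA Protection: the PPL bypass fix only matters once RunAsPPL is enabled.
#    1 = enabled, 2 = enabled with UEFI lock (on builds that support it), absent/0 = off.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ppl = $lsa.RunAsPPL
if ($null -eq $ppl -or $ppl -eq 0) {
    Write-Warning 'RunAsPPL is not set: LSA Protection is disabled on this server.'
} else {
    Write-Output "RunAsPPL = $ppl (LSA Protection enabled)"
}

# 3. NetJoinLegacyAccountReuse: after the update this value no longer relaxes
#    domain-join hardening, so report it if someone still relies on it.
if ($null -ne $lsa.NetJoinLegacyAccountReuse) {
    $msg = 'NetJoinLegacyAccountReuse = {0} is still present but has no effect after the ' +
           'August 2024 update; remove it and fix the computer-account reuse workflow instead.'
    Write-Warning ($msg -f $lsa.NetJoinLegacyAccountReuse)
}

# 4. DNS hardening (CVE-2024-37968): query the AD domain zone through the DC's
#    DNS server and flag SERVFAIL, which can appear when the domain's DNS
#    configuration is not up to date.
$dnsServer = 'dc01.corp.example'   # placeholder: a patched DC running DNS
$zone      = 'corp.example'        # placeholder: the AD domain zone
try {
    $soa = Resolve-DnsName -Name $zone -Type SOA -Server $dnsServer -DnsOnly -ErrorAction Stop
    $primary = ($soa | Where-Object Type -eq 'SOA').PrimaryServer
    Write-Output ('SOA for {0} via {1}: {2}' -f $zone, $dnsServer, $primary)
} catch {
    # Assumption: Resolve-DnsName reports RCODE 2 (SERVFAIL) as "DNS server failure".
    if ($_.Exception.Message -match 'server failure') {
        Write-Warning "SERVFAIL from $dnsServer for $zone: review the zone's DNS configuration and delegation."
    } else {
        Write-Warning "Lookup of $zone via $dnsServer failed: $($_.Exception.Message)"
    }
}
```

Run the DNS section from a member server as well as on the DC itself: a SERVFAIL that appears only when resolving through the patched DNS server, and not through an unpatched one, points at the hardening change rather than at general name-resolution problems.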

One response to "On-premises Identity-related updates and fixes for August 2024"

    The guidance around CVE-2024-37968 has been very disappointing. The official guidance is totally useless and the only real actionable information comes from a helpful Reddit user who relayed information from a MS support ticket.

    And yet it is still unknown if SERVFAIL will happen in the total absence of delegation from parent zone to the AD domain zone.
