Even though Microsoft’s Identity focus is moving towards the cloud, the company is not forgetting its on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for July 2019:
Windows Server 2016
We observed the following updates for Windows Server 2016:
KB4507459 July 16, 2019
The July 16, 2019 update for Windows Server 2016 (KB4507459), which updates the OS build number to 14393.3115, includes the following Identity-related fixes:
- It addresses an issue that may prevent the Netlogon service from establishing a secure channel and reports the error, “0xC000007A – ERROR_PROC_NOT_FOUND.”
- It addresses an issue that may prevent some applications from running as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installing KB4493473 on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.
- It addresses an issue that prevents Microsoft Application Virtualization (App-V) scripting from working if you run it when you’re not connected to a domain controller (DC). App-V scripting also fails when you run it in an environment that only contains Microsoft Azure Active Directory.
Unfortunately, it also introduces a known issue:
- Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after installation of this update. Devices that are domain controllers or domain members are both affected.
KB4507460 July 9, 2019
The July 9, 2019 update for Windows Server 2016 (KB4507460), which updates the OS build number to 14393.3085, provides protections against a variant (CVE-2019-1125) of the Spectre Variant 1 speculative execution side channel vulnerability, along with other security updates.
Windows Server 2019
We observed the following updates for Windows Server 2019:
KB4505658 July 22, 2019
The July 22, 2019 update for Windows Server 2019 (KB4505658), which updates the OS build number to 17763.652, includes the following Identity-related fixes:
- It addresses an issue that prevents the Windows Event Log service from processing notifications that the log is full. This causes issues with some Event Log behaviors such as archiving the log when it reaches a maximum file size and you’ve configured the “Archive the log when full, do not overwrite events” setting. Additionally, the Local Security Authority (LSA) cannot handle CrashOnAuditFail scenarios when the Security Log is full, and events cannot be written.
- It addresses an issue that prevents a system from recognizing a Microsoft account or Azure Active Directory account until the user signs out and signs in again.
- It addresses an issue that may prevent the Netlogon service from establishing a secure channel and reports the error, “0xC000007A – ERROR_PROC_NOT_FOUND.”
- It addresses an issue that may cause authentication to fail when using Windows Hello for Business on a server running Windows Server 2016 with the Server Core option installed.
- It addresses an issue that doesn’t update the personal identification number (PIN) policy (minimum length, required digits, special characters, and so on) for Windows Hello for Business when a PIN already exists on the machine.
- It reinforces the Certificate Revocation List (CRL) on Internet Key Exchange version 2 (IKEv2) machines for certificate-based virtual private network (VPN) connections, such as Device Tunnel, in an Always On VPN deployment.
- It addresses an issue that prevents Microsoft Application Virtualization (App-V) scripting from working if you run it when you’re not connected to a domain controller (DC). App-V scripting also fails when you run it in an environment that only contains Microsoft Azure Active Directory.
- It addresses an issue that exhausts User Datagram Protocol (UDP) ports on several hundred machines in a forest when there is very high Domain Controller Locator traffic. As a result, servers stop responding.
KB4507469 July 9, 2019
The July 9, 2019 update for Windows Server 2019 (KB4507469), which updates the OS build number to 17763.615, provides protections against a variant (CVE-2019-1125) of the Spectre Variant 1 speculative execution side channel vulnerability, along with other security updates.
The post On-premises Microsoft Identity-related updates and fixes for July 2019 appeared first on The things that are better left unspoken.