Archive for the ‘NOC Services’ Category

Flexis October 2019 Patch Review And Recommendations

  • KB4519998 – 2019-10 Cumulative Update for Windows Server 2016 for x64-based Systems
  • KB4521858 – 2019-10 Servicing Stack Update for Windows Server 2016 for x64-based Systems
  • KB4520007 – 2019-10 Security Monthly Quality Rollup for Windows Server 2012 for x64-based Systems
  • KB4520005 – 2019-10 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems
  • KB4519976 – 2019-10 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems

Impacted Products:

  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Office and Microsoft Office Services and Web Apps
  • SQL Server Management Studio
  • Open Source Software
  • Microsoft Dynamic 365
  • Windows Update Assistant

 

Please note the following information regarding the security updates:

  • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.
  • Starting in May 2019, Internet Explorer 11 is available on Windows Server 2012. This configuration is only present in only the IE Cumulative package.

 

Known Issues:

 

KB4519338 Applies to: Windows 10 version 1809; Windows Server version 1809; Windows Server 2019 all versions

https://support.microsoft.com/en-us/help/4519338/windows-10-update-kb4519338

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”

 

We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.

 

After installing this update, Windows Mixed Reality Portal users may intermittently receive a “15-5” error code. In some cases, Windows Mixed Reality Portal may report that the headset is sleeping and pressing “Wake up” may appear to produce no action.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

  1. Uninstall and reinstall any recently added language packs. For instructions, see Manage the input and display language settings in Windows 10.
  2. Select Check for Updatesand install the April 2019 Cumulative Update. For instructions, see Update Windows 10.

Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:

  1. Go to the Settings app > Recovery.
  2. Select Get Startedunder the Reset this PC recovery option.
  3. Select Keep my Files.

Microsoft is working on a resolution and will provide an update in an upcoming release.

To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

To mitigate the issue, use the following steps:

  1. Close the Windows Mixed Reality Portal, if it is running.
  2. Open Task Manager by selecting the Start button and typing “task manager”.
  3. In Task Manager, under the Processes tab, right-click Windows Explorer and select Restart.
  4. Open the Windows Mixed Reality Portal.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4519976 Applies to: Windows 7 Service Pack 1; Windows Server 2008 R2 Service Pack 1

https://support.microsoft.com/en-us/help/4519976/windows-7-update-kb4519976

Improvement and Fixes:

This security update includes improvements and fixes that were a part of update KB4516048 (released September 24, 2019) and addresses the following issues:

  • Addresses an issue that may fail to disable VBScript in Internet Explorer by default after installing KB4507437 (Preview of Monthly Rollup) or KB4511872 (Internet Explorer Cumulative Update) and later.
  • Addresses an issue with applications and printer drivers that utilize the Windows JavaScript engine (jscript.dll) for processing print jobs.
  • Security updates to Windows Authentication, Microsoft JET Database Engine, Windows Kernel, Internet Information Services, the Microsoft Scripting Engine, and Windows Server.

 

For more information about the resolved security vulnerabilities, please refer to the Security Update Guide.

 

Microsoft is not currently aware of any issues with this update.

 

KB4519985 Applies to: Windows Server 2012; Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4519985/windows-server-2012-update-kb4519985

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4519990 Applies to: Windows 8.1; Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4519990/windows-8-1-kb4519990

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4519998 Applies to: Windows 10 version 1607; Windows Server 2016

https://support.microsoft.com/en-us/help/4519998/windows-10-update-kb4519998

Symptoms:

After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.

 

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Set the domain default “Minimum Password Length” policy to less than or equal to 14 characters.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4520004 Applies to: Windows 10 version 1709

https://support.microsoft.com/en-us/help/4520004/windows-10-update-kb4520004

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4520005 Applies to: Windows 8.1; Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4520005/windows-8-1-kb4520005

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4520007 Applies to: Windows Server 2012; Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4520007/windows-server-2012-update-kb4520007

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4520008 Applies to: Windows 10 version 1803

https://support.microsoft.com/en-us/help/4520008/windows-10-update-kb4520008

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.

 

After installing this update, Windows Mixed Reality Portal users may intermittently receive a “15-5” error code. In some cases, Windows Mixed Reality Portal may report that the headset is sleeping and pressing “Wake up” may appear to produce no action.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

To mitigate the issue, use the following steps:

  • Close the Windows Mixed Reality Portal, if it is running.
  • Open Task Manager by selecting the Start button and typing “task manager”.
  • In Task Manager, under the Processes tab, right-click Windows Explorer and select Restart.
  • Open the Windows Mixed Reality Portal.

 

We are working on a resolution and will provide an update in an upcoming release.

 

KB4520010 Applies to: Windows 10 version 1703

https://support.microsoft.com/en-us/help/4520010/windows-10-update-kb4520010

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4520011 Applies to: Windows 10

https://support.microsoft.com/en-us/help/4520011/windows-10-update-kb4520011

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Flexis September 2019 Patch Review And Recommendations

  • KB4512574 – 2019-09 Servicing Stack update for Windows Server 2016 for x64- based Systems
  • KB4516044 – 2019-09 Cumulative Update for Windows Server 2016 for x64-based systems
  • KB4516067 – Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems
  • KB4474419 – 2019-09 Security update for Windows Server 2008 R2 for x64-based Systems
  • KB4516065 – 2019-09 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems

Impacted Products:

  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Adobe Flash Player
  • Microsoft Lync
  • Visual Studio
  • Microsoft Exchange Server
  • .NET Framework
  • Microsoft Yammer
  • ASP.NET
  • Team Foundation Server

 

Please note the following information regarding the security updates:

  •  A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.
  • Starting in May 2019, Internet Explorer 11 is available on Windows Server 2012. This configuration is only present in only the IE Cumulative package.

 

Microsoft Security Advisories:

  • ADV190022 | September 2019 Adobe Flash Security Update

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190022

  • ADV990001 | Latest Servicing Stack Updates

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV990001

 

Known Issues:

 

KB4512578 Applies to: Windows 10 version 1809; Windows Server version 1809; Windows Server 2019 all versions

 https://support.microsoft.com/en-us/help/4512578/windows-10-update-kb4512578

 Symptoms:

 

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”

 

We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.

 

Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.” This issue occurs in this update and in all the updates before June 18, 2019.

 

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

  1. Uninstall and reinstall any recently added language packs. For instructions, see Manage the input and display language settings in Windows 10.
  2. Select Check for Updatesand install the April 2019 Cumulative Update. For instructions, see Update Windows 10.

Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:

  1. Go to the Settings app > Recovery.
  2. Select Get Startedunder the Reset this PC recovery option.
  3. Select Keep my Files.

Microsoft is working on a resolution and will provide an update in an upcoming release.

To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.

 

We are working on a resolution and will provide an update in an upcoming release.

 

To mitigate the issue, use the following steps:

  1. Close the Windows Mixed Reality Portal, if it is running.
  2. Open Task Manager by selecting the Start button and typing “task manager”.
  3. In Task Manager, under the Processes tab, right-click Windows Explorer and select Restart.
  4. Open the Windows Mixed Reality Portal.

 

We are working on a resolution and will provide an update in an upcoming release.

 

KB4515384 Applies to: Windows 10 version 1903; Windows Server version 1903

https://support.microsoft.com/en-us/help/4515384/windows-10-update-kb4515384

 

Improvement and Fixes:

This security update includes quality improvements. Key changes include:

  • Provides protections against a new subclass of speculative execution side-channel vulnerabilities, known as Microarchitectural Data Sampling, for 32-Bit (x86) versions of Windows (CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions and Windows Server OS editions.)
  • Addresses an issue that causes high CPU usage from SearchUI.exe for a small number of users. This issue only occurs on devices that have disabled searching the web using Windows Desktop Search.
  • Security updates to Microsoft Edge, Internet Explorer, Microsoft Scripting Engine, Windows App Platform and Frameworks, Windows Input and Composition, Windows Media, Windows Fundamentals, Windows Authentication, Windows Cryptography, Windows Datacenter Networking, Windows Storage and Filesystems, Windows Wireless Networking, the Microsoft JET Database Engine, Windows Kernel, Windows Virtualization, and Windows Server.

 

If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.

 

KB4515832 Applies to: Exchange Server 2019; Exchange Server 2016

 https://support.microsoft.com/en-us/help/4515832/security-update-for-exchange-server-2019-and-2016

 Symptoms:

When you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated.

 

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

 

To avoid this issue, follow these steps to manually install this security update:

  1. Select Start, and type cmd.
  2. In the results, right-click Command Prompt, and then select Run as administrator.
  3. If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  4. Type the full path of the .msp file, and then press Enter.

 

This issue does not occur when you install the update through Microsoft Update.

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state.

 

Workaround:

To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see Start a Command Prompt as an Administrator.

 

KB4516044 Applies to: Windows 10 version 1607; Windows Server 2016

 https://support.microsoft.com/en-us/help/4516044/windows-10-update-kb4516044

 Symptoms:

After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.

 

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Set the domain default “Minimum Password Length” policy to less than or equal to 14 characters.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4516046 Applies to: Internet Explorer 11 on Windows Server 2012 R2; Internet Explorer 11 on Windows Server 2012; Internet Explorer 11 on Windows Server 2008 R2 SP1; Internet Explorer 11 on Windows 8.1 Update; Internet Explorer 11 on Windows 7 SP1; Internet Explorer 10 on Windows Server 2012; Internet Explorer 9 on Windows Server 2008 SP2

 https://support.microsoft.com/en-us/help/4516046/cumulative-security-update-for-internet-explorer

Symptoms:

Users who have upgraded to Internet Explorer 11 by installing KB4492872 on Windows Server 2012 and Windows Embedded 8 Standard may still be offered “Cumulative Security Update for Internet Explorer 10” through Windows Server Update Services (WSUS) or other update management solutions.

 

For Windows 7 SP1 and Windows Server 2008 R2 SP1, VBscript in Internet Explorer 11 should be disabled by default after installing updates starting with KB4507437 (Preview of Monthly Rollup released July 16, 2019) or KB4511872 (Internet Explorer Cumulative Update released August 13, 2019) but in some circumstances, may not be disabled as intended.

 

Workaround:

This issue is now resolved on the server-side and requires no action from users. The Internet Explorer 10 version of this update should no longer be offered if you have Internet Explorer 11 installed.

 

To work around this issue, follow these steps:

  1. In Internet Explorer 11, select Tools or press and hold the Alt key on your keyboard and then select the letter X to see the menu.
  2. Select Internet Options.
  3. Select the Security tab.
  4. Select the Internet icon in the Select a zone to view or change security settings field.
  5. Select the Default Level button.
  6. Select the Ok button to accept settings and close the dialog box.
  7. Close Internet Explorer 11, on next start, VBScript will now be disabled.

 

We are working on a resolution and will provide an update in an upcoming release.

KB4516055 Applies to: Windows Server 2012; Windows Embedded 8 Standard

 https://support.microsoft.com/en-us/help/4516055/windows-server-2012-update-kb4516055

 Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4516058 Applies to: Windows 10 version 1803

 https://support.microsoft.com/en-us/help/4516058/windows-10-update-kb4516058

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.

 

After installing this update, Windows Mixed Reality Portal users may intermittently receive a “15-5” error code. In some cases, Windows Mixed Reality Portal may report that the headset is sleeping and pressing “Wake up” may appear to produce no action.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.

 

We are working on a resolution and will provide an update in an upcoming release.

 

To mitigate the issue, use the following steps:

  1. Close the Windows Mixed Reality Portal, if it is running.
  2. Open Task Manager by selecting the Start button and typing “task manager”.
  3. In Task Manager, under the Processes tab, right-click Windows Explorer and select Restart.
  4. Open the Windows Mixed Reality Portal.

 

We are working on a resolution and will provide an update in an upcoming release.

KB4516062 Applies to: Windows Server 2012; Windows Embedded 8 Standard

 https://support.microsoft.com/en-us/help/4516062/windows-server-2012-update-kb4516062

 Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4516064 Applies to: Windows 8.1; Windows Server 2012 R2

 https://support.microsoft.com/en-us/help/4516064/windows-8-1-kb4516064

 Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4516065 Applies to: Windows 7 Service Pack 1; Windows Server 2008 R2 Service Pack 1

 https://support.microsoft.com/en-us/help/4516065/windows-7-update-kb4516065

 Symptoms:

VBScript in Internet Explorer 11 should be disabled by default after installing KB4507437 (Preview of Monthly Rollup) or KB4511872 (Internet Explorer Cumulative Update) and later. However, in some circumstances, VBScript may not be disabled as intended.

 

After installing this update, you may receive an error when opening or using the Toshiba Qosmio AV Center. You may also receive an error in the Event Log related to cryptnet.dll.

 

Workaround:

To mitigate this issue, follow these steps:

  1. In Internet Explorer 11 select the Tools icon or press and hold the alt key on your keyboard and press the letter x to see the menu.
  2. Select Internet Options.
  3. Select the Security tab.
  4. Select the Internet icon in the Select a zone to view or change security settings field.
  5. Select the Default Level button.
  6. Select the Ok button to accept settings and close the dialog.
  7. Close Internet Explorer 11. On the next start, VBScript will be disabled.

 

We are working on a resolution and will provide an update in an upcoming release.

Microsoft is working with Dynabook to resolve this issue and estimates a solution will be available in late September.

 

KB4516066 Applies to: Windows 10 version 1709

 https://support.microsoft.com/en-us/help/4516066/windows-10-update-kb4516066

 Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

KB4516067 Applies to: Windows 8.1; Windows Server 2012 R2

 https://support.microsoft.com/en-us/help/4516067/windows-8-1-kb4516067

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4516068 Applies to: Windows 10 version 1703

 https://support.microsoft.com/en-us/help/4516068/windows-10-update-kb4516068

 Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4516070 Applies to: Windows 10

 https://support.microsoft.com/en-us/help/4516070/windows-10-update-kb4516070

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

 

Flexis August 2019 Patch Review And Recommendations

  • KB4512517 – 2019-08 Cumulative Update for Windows Server 2016 for x64-based Systems
  • KB4512488 – 2019-08 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems
  • KB4512506 – 2019-08 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based System

Impacted Products:

  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Visual Studio
  • Online Services
  • Active Directory
  • Microsoft Dynamics

 

Please note the following information regarding the security updates:

  •  A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.
  • Starting in May 2019, Internet Explorer 11 is available on Windows Server 2012. This configuration is only present in only the IE Cumulative package.

 

Microsoft Security Advisories:

  • ADV190014 | Microsoft Live Accounts Elevation of Privilege Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190014

 

Known Issues:

 

KB4511553 Applies to: Windows 10 version 1809, Windows Server version 1809, Windows Server 2019 all versions

 https://support.microsoft.com/en-us/help/4511553/windows-10-update-kb4511553

 Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”

 

We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.” This issue occurs in this update and in all the updates before June 18, 2019.

 

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

  1. Uninstall and reinstall any recently added language packs. For instructions, see Manage the input and display language settings in Windows 10.
  2. Select Check for Updatesand install the April 2019 Cumulative Update. For instructions, see Update Windows 10.

Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:

  1. Go to the Settings app > Recovery.
  2. Select Get Startedunder the Reset this PC recovery option.
  3. Select Keep my Files.

Microsoft is working on a resolution and will provide an update in an upcoming release.

To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.

 

We are working on a resolution and will provide an update in an upcoming release.

 

For mitigation instructions, see KB4512816.

 

We are working on a resolution and will provide an update in an upcoming release.

 

This issue is resolved in KB4512534, which is an optional update. It is available on the following release channels:

Microsoft Update Catalog.

Windows Update.

Microsoft Update.

Windows Server Update Services (WSUS).

As with any optional update, you will need to Check for updates to receive and install KB4512534. For instructions, see Update Windows 10.

 

Note Windows Update for Business customers should apply the update using the Microsoft Update Catalog or Windows Server Update Services (WSUS).

 

KB4511872 Applies to: Internet Explorer 11 on Windows Server 2012 R2, Internet Explorer 11 on Windows Server 2012, Internet Explorer 11 on Windows Server 2008 R2 SP1, Internet Explorer 11 on Windows 8.1 Update, Internet Explorer 11 on Windows 7 SP1, Internet Explorer 10 on Windows Server 2012, Internet Explorer 9 on Windows Server 2008 SP2

https://support.microsoft.com/en-us/help/4511872/cumulative-security-update-for-internet-explorer

Symptoms:

This cumulative security update 4511872 for Internet Explorer 10 might be offered for installation through Windows Server Update Services (WSUS) or other update management solutions, even after you install KB4492872 (Internet Explorer 11 for Windows Server 2012 and Windows Embedded 8 Standard) and upgrade to Internet Explorer 11.

 

For Windows 7 SP1 and Windows Server 2008 R2 SP1, VBscript in Internet Explorer 11 should be disabled by default after installing updates starting with KB4507437 (Preview of Monthly Rollup released July 16, 2019) or KB4511872 (Internet Explorer Cumulative Update released August 13, 2019) but in some circumstances, may not be disabled as intended.

 

Workaround:

Although this cumulative security update for Internet Explorer 10 might be offered for installation, this issue will not affect the functionality of Internet Explorer 11. However, you should also install KB4511872 to apply the security fixes that are resolved this month for Internet Explorer 11.

Microsoft is working on a resolution for this issue and will provide an update in an upcoming release.

 

To work around this issue, follow these steps:

  1. In Internet Explorer 11, select Tools or press and hold the Alt key on your keyboard and then select the letter X to see the menu.
  2. Select Internet Options.
  3. Select the Security tab.
  4. Select the Internet icon in the Select a zone to view or change security settings field.
  5. Select the Default Level button.
  6. Select the Ok button to accept settings and close the dialog box.
  7. Close Internet Explorer 11, on next start, VBScript will now be disabled.

 

We are working on a resolution and will provide an update in an upcoming release.

 

KB4512476 Applies to: Windows Server 2008 Service Pack 2

 https://support.microsoft.com/en-us/help/4512476/windows-server-2008-update-kb4512476

 Symptoms:

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

 

Workaround:

For mitigation instructions, see KB4512816.

We are working on a resolution and will provide an update in an upcoming release.

This issue is resolved in KB4517301, which is an optional update. It is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

 

KB4512482 Applies to: Windows Server 2012, Windows Embedded 8 Standard

 https://support.microsoft.com/en-us/help/4512482/windows-server-2012-update-kb4512482

 Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

For mitigation instructions, see KB4512816.

 

We are working on a resolution and will provide an update in an upcoming release.

 

This issue is resolved in KB4517302, which is an optional update. It is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

 

KB4512486 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

 https://support.microsoft.com/en-us/help/4512486/windows-7-update-kb4512486

Symptoms:

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

IA64 devices (in any configuration) and x64 devices using EFI boot that were provisioned after the July 9th updates and/or skipped the recommended update (KB3133977), may fail to start with the following error:

 

“File: \Windows\system32\winload.efi

Status: 0xc0000428

Info: Windows cannot verify the digital signature for this file.”

 

Microsoft and Symantec have identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.

 

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

 

Workaround:

For mitigation instructions, see KB4512816.

We are working on a resolution and will provide an update in an upcoming release.

To resolve this issue please follow the steps outlined in the SHA-2 support FAQ article for error code 0xc0000428.

Microsoft has temporarily placed a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available.

Guidance for Symantec customers can be found in the Symantec support article.

 

This issue is resolved in KB4517297, which is an optional update. It is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

 

KB4512488 Applies to: Windows 8.1, Windows Server 2012 R2

 https://support.microsoft.com/en-us/help/4512488/windows-8-1-update-kb4512488

 Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

For mitigation instructions, see KB4512816.

We are working on a resolution and will provide an update in an upcoming release.

 

This issue is resolved in KB4517298, which is an optional update. It is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

 

KB4512489 Applies to: Windows 8.1, Windows Server 2012 R2

 https://support.microsoft.com/en-us/help/4512489/windows-8-1-update-kb4512489

Symptoms:

 

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

For mitigation instructions, see KB4512816.

 

We are working on a resolution and will provide an update in an upcoming release.

 

This issue is resolved in KB4517298, which is an optional update. It is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

KB4512491 Applies to: Windows Server 2008 Service Pack 2

 https://support.microsoft.com/en-us/help/4512491/windows-server-2008-update-kb4512491

 Symptoms:

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

 

Workaround:

For mitigation instructions, see KB4512816.

We are working on a resolution and will provide an update in an upcoming release.

 

This issue is resolved in KB4517301, which is an optional update. It is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

 

KB4512497 Applies to: Windows 10

 https://support.microsoft.com/en-us/help/4512497/windows-10-update-kb4512497

 Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

This issue is resolved in KB4517276, which is an optional update. It is available on the following release channels:

  • Microsoft Update Catalog.
  • Windows Update.
  • Microsoft Update.
  • Windows Server Update Services (WSUS).

As with any optional update, you will need to Check for updates to receive and install KB4517276. For instructions, see Update Windows 10.

 

Note Windows Update for Business customers should apply the update using the Microsoft Update Catalog or Windows Server Update Services (WSUS).

 

KB4512501 Windows 10 version 1803

 https://support.microsoft.com/en-us/help/4512501/windows-10-update-kb4512501

 Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.

We are working on a resolution and will provide an update in an upcoming release.

 

For mitigation instructions, see KB4512816.

 

We are working on a resolution and will provide an update in an upcoming release.

 

Microsoft is working on a resolution and estimates a solution will be available in the coming days. This optional update will be available on the following release channels:

  • Microsoft Update Catalog.
  • Windows Update.
  • Microsoft Update.
  • Windows Server Update Services (WSUS).

As with any optional update, you will need to Check for updates to receive the update once it is released.

 

Note Windows Update for Business customers should apply the update using the Microsoft Update Catalog or Windows Server Update Services (WSUS).

 

KB4512506 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

 https://support.microsoft.com/en-us/help/4512506/windows-7-update-kb4512506

 Symptoms:

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

IA64 devices (in any configuration) and x64 devices using EFI boot that were provisioned after the July 9th updates and/or skipped the recommended update (KB3133977), may fail to start with the following error:

“File: \Windows\system32\winload.efi

Status: 0xc0000428

Info: Windows cannot verify the digital signature for this file.”

 

Microsoft and Symantec have identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.

 

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

 

VBScript in Internet Explorer 11 should be disabled by default after installing KB4507437 (Preview of Monthly Rollup) or KB4511872 (Internet Explorer Cumulative Update) and later. However, in some circumstances, VBScript may not be disabled as intended.

 

Workaround:

For mitigation instructions, see KB4512816.

We are working on a resolution and will provide an update in an upcoming release.

To resolve this issue please follow the steps outlined in the SHA-2 support FAQ article for error code 0xc0000428.

Microsoft has temporarily placed a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available.

Guidance for Symantec customers can be found in the Symantec support article.

 

This issue is resolved in KB4517297, which is an optional update. It is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

 

To mitigate this issue, follow these steps:

  1. In Internet Explorer 11 select the Tools icon or press and hold the alt key on your keyboard and press the letter x to see the menu.
  2. Select Internet Options.
  3. Select the Security tab.
  4. Select the Internet icon in the Select a zone to view or change security settings field.
  5. Select the Default Level button.
  6. Select the Ok button to accept settings and close the dialog.
  7. Close Internet Explorer 11. On the next start, VBScript will be disabled.

 

We are working on a resolution and will provide an update in an upcoming release.

 

KB4512507 Applies to: Windows 10 Version 1703

 https://support.microsoft.com/en-us/help/4512507/windows-10-update-kb4512507

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

This issue is resolved in KB4512474, which is an optional update. It is available on the following release channels:

  • Microsoft Update Catalog.
  • Windows Update.
  • Microsoft Update.
  • Windows Server Update Services (WSUS).

As with any optional update, you will need to Check for updates to receive and install KB4512474. For instructions, see Update Windows 10.

Note Windows Update for Business customers should apply the update using the Microsoft Update Catalog or Windows Server Update Services (WSUS).

 

KB4512508 Applies to: Windows 10 Version 1903, Windows Server version 1903

 https://support.microsoft.com/en-us/help/4512508/windows-10-update-kb4512508

 Symptoms:

Windows Sandbox may fail to start with “ERROR_FILE_NOT_FOUND (0x80070002)” on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Devices connected to a domain that is configured to use MIT Kerberos realms may not start up or may continue to restart after installation of this update. Devices that are domain controllers or domain members are both affected.

 

If you are not sure if your device is affected, contact your administrator. Advanced users can check if this registry key exists HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\MitRealms or for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos.

 

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

 

Workaround:

Microsoft is working on a resolution and will provide an update in an upcoming release.

For mitigation instructions, see KB4512816.

At this time, we suggest that devices in an affected environment do not install this update. We are working on a resolution and estimate a solution will be available in late August.

 

Microsoft is working on a resolution and estimates a solution will be available in late August. This optional update will be available on the following release channels:

  • Microsoft Update Catalog.
  • Windows Update.
  • Microsoft Update.
  • Windows Server Update Services (WSUS).

 

As with any optional update, you will need to Check for updates to receive the update once it is released.

Note Windows Update for Business customers should apply the update using the Microsoft Update Catalog or Windows Server Update Services (WSUS).

 

KB4512516 Applies to: Windows 10 version 1709

 https://support.microsoft.com/en-us/help/4512516/windows-10-update-kb4512516

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

For mitigation instructions, see KB4512816.

 

This issue is resolved in KB4512494, which is an optional update. It is available on the following release channels:

  • Microsoft Update Catalog.
  • Windows Update.
  • Microsoft Update.
  • Windows Server Update Services (WSUS).

As with any optional update, you will need to Check for updates to receive and install KB4512494. For instructions, see Update Windows 10.

 

Note Windows Update for Business customers should apply the update using the Microsoft Update Catalog or Windows Server Update Services (WSUS).

 

KB4512517 Applies to: Windows 10 version 1607, Windows Server 2016

https://support.microsoft.com/en-us/help/4512517/windows-10-update-kb4512517

Symptoms:

After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.

 

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”

 

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

 

Workaround:

Set the domain default “Minimum Password Length” policy to less than or equal to 14 characters.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

For mitigation instructions, see KB4512816.

 

This issue is resolved in KB4512495, which is an optional update. It is available on the following release channels:

  • Microsoft Update Catalog.
  • Windows Update.
  • Microsoft Update.
  • Windows Server Update Services (WSUS).

As with any optional update, you will need to Check for updates to receive and install KB4512495. For instructions, see Update Windows 10.

 

Note Windows Update for Business customers should apply the update using the Microsoft Update Catalog or Windows Server Update Services (WSUS).

 

KB4512518 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4512518/windows-server-2012-update-kb4512518

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an “invalid procedure call error.”

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

For mitigation instructions, see KB4512816.

 

This issue is resolved in KB4517302, which is an optional update. It is now available on Microsoft Update Catalog and Windows Server Update Services (WSUS).

 

 

Flexis July 2019 Patch Review And Recommendations

  • KB4507460 – 2019-07 Cumulative Update for Windows Server 2016 for x64-based Systems
  • KB4509091 – 2019-07 Servicing Stack Update for Windows Server 2016 for x64-based Systems
  • KB4507448 – 2019-07 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems
  • KB4507449 – 2019-07 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems

Impacted Products:

  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Azure DevOps
  • .NET Framework
  • Azure
  • SQL Server
  • NET
  • Visual Studio
  • Microsoft Exchange Server

 

Please note the following information regarding the security updates:

  • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.
  • Starting in May 2019, Internet Explorer 11 is available on Windows Server 2012. This configuration is only present in only the IE Cumulative package.

 

Known Issues:

 

KB4493730 Applies to: Windows Server 2008 Service Pack 2

https://support.microsoft.com/en-us/help/4493730/servicing-stack-update-for-windows-server-2008-sp2

Symptoms:

Restart stuck on “Stage 2 of 2” or “Stage 3 of 3”

After you install a servicing stack update together with other updates, a restart may be required to complete the installation. During this restart, you may find yourself stuck at a particular stage and see a “Stage 2 of 2” or “Stage 3 of 3” message.

Workaround:

If you experience this issue, press Ctrl+Alt+Delete to continue to log on. This should occur only one time and does not prevent updates from installing successfully.

 

Note In managed environments, such as by using Windows Server Update Services (WSUS), you can avoid this issue by deploying this update as a standalone update.

 

KB4507434 Applies to: Internet Explorer 11 on Windows Server 2012 R2, Internet Explorer 11 on Windows Server 2012, Internet Explorer 11 on Windows Server 2008 R2 SP1, Internet Explorer 11 on Windows 8.1 Update, Internet Explorer 11 on Windows 7 SP1, Internet Explorer 10 on Windows Server 2012, Internet Explorer 9 on Windows Server 2008 SP2

https://support.microsoft.com/en-us/help/4507434/cumulative-security-update-for-internet-explorer

Symptoms:

This cumulative security update 4507434 for Internet Explorer 10 might be offered for installation through Windows Server Update Services (WSUS) or other update management solutions, even after you install KB4492872 (Internet Explorer 11 for Windows Server 2012 and Windows Embedded 8 Standard) and upgrade to Internet Explorer 11.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Workaround:

Although this cumulative security update for Internet Explorer 10 might be offered for installation, this issue will not affect the functionality of Internet Explorer 11. However, you should also install KB4507434 to apply the security fixes that are resolved this month for Internet Explorer 11.

Status: Microsoft is working on a resolution for this issue and will provide an update in an upcoming release.

 

KB4507435 Applies to: Windows 10 version 1803

https://support.microsoft.com/en-us/help/4507435/windows-10-update-kb4507435

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.

We are working on a resolution and will provide an update in an upcoming release.

 

KB4507448 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4507448/windows-8-1-update-kb4507448

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Also we are presently investigating this issue with McAfee.

 

KB4507449 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

https://support.microsoft.com/en-us/help/4507449/windows-7-update-kb4507449

Symptoms:

Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

We are presently investigating this issue with McAfee.

Also we are working on a resolution and will provide an update in an upcoming release.

 

KB4507450 Applies to: Windows 10 version 1703

https://support.microsoft.com/en-us/help/4507450/windows-10-update-kb4507450

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4507453 Applies to: Windows 10 version 1903, Windows Server version 1903

https://support.microsoft.com/en-us/help/4507453/windows-10-update-kb4507453

Symptoms:

Windows Sandbox may fail to start with “ERROR_FILE_NOT_FOUND (0x80070002)” on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

 

The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0. You may also receive an error in the Application section of Windows Logs in Event Viewer with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.

 

This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Microsoft is working on a resolution and will provide an update in an upcoming release.

To mitigate this issue, use one of the steps below, either the group policy step or the registry step, to configure one of the default telemetry settings.

Set the value for the following group policy settings:

  1. Group Policy Path: Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Allow Telemetry
  2. Safe Policy Setting: Enabled and set to 1 (Basic) or 2 (Enhanced) or 3 (Full)

Or set the following registry value:

SubKey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection

Setting: AllowTelemetry

Type: REG_DWORD

Value: 1, 2 or 3

 

Note If the Remote Access Connection Manager service is not running after setting the Group Policy or registry key, you will need to manually start the service or restart the device.

 

We are working on a resolution and estimate a solution will be available in late July.

 

KB4507455 Applies to: Windows 10 version 1709

https://support.microsoft.com/en-us/help/4507455/windows-10-update-kb4507455

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4507457 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4507457/windows-8-1-update-kb4507457

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4507458 Applies to: Windows 10

https://support.microsoft.com/en-us/help/4507458/windows-10-update-kb4507458

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4507460 Applies to: Windows 10 version 1607, Windows Server 2016 

https://support.microsoft.com/en-us/help/4507460/windows-10-update-kb4507460

Symptoms:

For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update.

 

Additionally, if you do not follow the best practices, a stop error may occur in vfpext.sys on the hosts.

 

After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.

 

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of this update on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Run mofcomp on the following mof files on the affected host:

  • Scvmmswitchportsettings.mof
  • VMMDHCPSvr.mof

Follow the best practices while patching to avoid a stop error in vfpext.sys in an SDN v2 environment (NC managed hosts).

Set the domain default “Minimum Password Length” policy to less than or equal to 14 characters.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

You can use the Allow-From value of the header if the IFRAME is only accessing pages from a single-origin URL. On the affected server, open a PowerShell window as an administrator and run the following command: set-AdfsResponseHeaders -SetHeaderName X-Frame-Options -SetHeaderValue “allow-from https://example.com”

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4507462 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4507462/windows-server-2012-update-kb4507462

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4507464 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4507464/windows-server-2012-update-kb4507464

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4507469 Applies to: Windows 10 version 1809, Windows Server version 1809, Windows Server 2019 all versions

https://support.microsoft.com/en-us/help/4507469/windows-10-update-kb4507469

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”

 

We are investigating reports that a small number of devices may startup to a black screen during the first logon after installing updates.

 

After installing this update, opening or using the Window-Eyes screen reader app may result in an error and some features may not function as expected.

 

Note Users who have already migrated from Window-Eyes to Freedom Scientific’s other screen reader, JAWS, should not be affected by this issue.

 

Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error “Status: 0xc0000001, Info: A required device isn’t connected or can’t be accessed” after installing this update on a WDS server.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

  1. Uninstall and reinstall any recently added language packs. For instructions, see Manage the input and display language settings in Windows 10.
  2. Select Check for Updates and install the April 2019 Cumulative Update. For instructions, see Update Windows 10.

 

Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:

  1. Go to the Settings app > Recovery.
  2. Select Get Started under the Reset this PC recovery option.
  3. Select Keep my Files.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

To mitigate this issue, press Ctrl+Alt+Delete, then select the Power button in the lower right corner of the screen and select Restart. Your device should now restart normally.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4509408 Applies to: Exchange Server 2019

https://support.microsoft.com/en-us/help/4509408/description-of-the-security-update-for-microsoft-exchange-server-2019

Symptoms:

When you try to manually install this security update by double-clicking the update file (.msp) to run it in “Normal mode” (that is, not as an administrator), some files are not correctly updated.

 

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

 

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state.

 

Workaround:

To avoid this issue, follow these steps to manually install this security update:

  1. Select Start, and type cmd.
  2. In the results, right-click Command Prompt, and then select Run as administrator.
  3. If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  4. Type the full path of the .msp file, and then press Enter.

 

This issue does not occur when you install the update through Microsoft Update.

 

To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see Start a Command Prompt as an Administrator.

 

KB4509409 Applies to: Exchange Server 2016, Exchange Server 2013

https://support.microsoft.com/en-us/help/4509409/description-of-the-security-update-for-microsoft-exchange-server-2013

Symptoms:

When you try to manually install this security update by double-clicking the update file (.msp) to run it in “Normal mode” (that is, not as an administrator), some files are not correctly updated.

 

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

 

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state.

 

Workaround:

To avoid this issue, follow these steps to manually install this security update:

  1. Select Start, and type cmd.
  2. In the results, right-click Command Prompt, and then select Run as administrator.
  3. If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  4. Type the full path of the .msp file, and then press Enter.

 

This issue does not occur when you install the update through Microsoft Update.

 

To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see Start a Command Prompt as an Administrator.

 

KB4509410 Applies to: Exchange Server 2010 Service Pack 3

https://support.microsoft.com/en-us/help/4509410/description-of-the-security-update-for-microsoft-exchange-server-2010

Symptoms:

When you try to manually install this security update by double-clicking the update file (.msp) to run it in “Normal mode” (that is, not as an administrator), some files are not correctly updated.

 

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

 

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state.

 

Workaround:

To avoid this issue, follow these steps to manually install this security update:

  1. Select Start, and type cmd.
  2. In the results, right-click Command Prompt, and then select Run as administrator.
  3. If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  4. Type the full path of the .msp file, and then press Enter.

 

This issue does not occur when you install the update through Microsoft Update.

 

To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see Start a Command Prompt as an Administrator.

 

 

Flexis June 2019 Patch Review And Recommendations

  • KB4501835 – 2019-05 Cumulative Update for Windows Server 2019 for x64-based Systems.
  • KB4494440 – 2019-05 Cumulative Update for Windows Server 2016 for x64-based Systems.
  • KB4498947 – 2019-05 Servicing Stack Update for Windows Server 2016 for x64-based Systems.
  • KB4499151 – 2019-05 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems.
  • KB4499164 – 2019-05 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems.

Impacted Products:

  • Adobe Flash Player
  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • Skype for Business and Microsoft Lync
  • Microsoft Exchange Server
  • Azure

 

Please note the following information regarding the security updates:

  • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.

 

Microsoft Security Advisories:

  • ADV190015 | June 2019 Adobe Flash Security Update

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190015

  • ADV990001 | Latest Servicing Stack Updates

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV990001

 

Known Issues:

 

KB4493730 Applies to: Windows Server 2008 Service Pack 2

https://support.microsoft.com/en-us/help/4493730/servicing-stack-update-for-windows-server-2008-sp2

 Symptoms:

Restart stuck on “Stage 2 of 2” or “Stage 3 of 3”

After you install a servicing stack update together with other updates, a restart may be required to complete the installation. During this restart, you may find yourself stuck at a particular stage and see a “Stage 2 of 2” or “Stage 3 of 3” message.

Workaround:

If you experience this issue, press Ctrl+Alt+Delete to continue to log on. This should occur only one time and does not prevent updates from installing successfully.

Note In managed environments, such as by using Windows Server Update Services (WSUS), you can avoid this issue by deploying this update as a standalone update.

 

KB4503027 Applies to: Exchange Server 2019, Exchange Server 2016

https://support.microsoft.com/en-us/help/4503027/security-update-for-microsoft-exchange-server-2019-june-11-2019

Symptoms:

When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

To avoid this issue, follow these steps to manually install this security update:

  • Select Start, and type cmd.
  • In the results, right-click Command Prompt, and then select Run as administrator.
  • If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  • Type the full path of the .msp file, and then press Enter.
  • This issue does not occur when you install the update from Microsoft Update.

 

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state. To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated command prompt, see Start a Command Prompt as an Administrator.

 

Workaround:

Method 1: Microsoft Update

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Windows Update: FAQ.

 

Method 2: Microsoft Update Catalog

To get the standalone package for this update, go to the Microsoft Update Catalog website.

 

Method 3: Microsoft Download Center

You can get the standalone update package through the Microsoft Download Center.

 

KB4503028 Applies to: Exchange Server 2010 Service Pack 3, Exchange Server 2013

https://support.microsoft.com/en-us/help/4503028/security-update-for-microsoft-exchange-server-2013-and-2010

Symptoms:

When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.

 

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

 

To avoid this issue, follow these steps to manually install this security update:

  • Select Start, and type cmd.
  • In the results, right-click Command prompt, and then select Run as administrator.
  • If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  • Type the full path of the .msp file, and then press Enter.

 

This issue does not occur if you install the update from Microsoft Update.

 

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state. To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see Start a Command Prompt as an Administrator.

 

Workaround:

Method 1: Microsoft Update

This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.

 

Method 2: Microsoft Update Catalog

To get the standalone package for this update, go to the Microsoft Update Catalog website.

 

Method 3: Microsoft Download Center

You can get the standalone update package through the Microsoft Download Center.

 

KB4503263 Applies to: Windows Server 2012, Windows Embedded 8 Standard

 https://support.microsoft.com/en-us/help/4503263/windows-server-2012-update-kb4503263

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4503267 Applies to: Windows 10 version 1607, Windows Server 2016

https://support.microsoft.com/en-us/help/4503267/windows-10-update-kb4503267

Symptoms:

For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update.

 

Additionally, if you do not follow the best practices, a stop error may occur in vfpext.sys on the hosts.

 

After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.

 

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

After installing this update and restarting, some devices running Windows Server 2016 with Hyper-V enabled may enter Bitlocker recovery mode and receive an error, “0xC0210000”.

 

Note Windows 10, version 1607 may also be affected when Bitlocker and Hyper-V are enabled.

 

Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of this update on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.

 

Workaround:

Run mofcomp on the following mof files on the affected host:

  • Scvmmswitchportsettings.mof
  • VMMDHCPSvr.mof

 

Follow the best practices while patching to avoid a stop error in vfpext.sys in an SDN v2 environment (NC managed hosts).

Set the domain default “Minimum Password Length” policy to less than or equal to 14 characters.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

For a workaround for this issue, please see KB4505821.

Microsoft is working on a resolution and will provide an update in an upcoming release.

You can use the Allow-From value of the header if the IFRAME is only accessing pages from a single-origin URL. On the affected server, open a PowerShell window as an administrator and run the following command: set-AdfsResponseHeaders -SetHeaderName X-Frame-Options -SetHeaderValue “allow-from https://example.com”

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4503276 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4503276/june-11-2019-kb4503276-os-build-monthly-rollup

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

We are presently investigating this issue with McAfee.

Guidance for McAfee customers can be found in the following McAfee support articles:

  • McAfee Security (ENS) Threat Prevention 10.x
  • McAfee Host Intrusion Prevention (Host IPS) 8.0
  • McAfee VirusScan Enterprise (VSE) 8.8

 

To mitigate the issue with Power BI reports, the report needs to be republished with markers turned off. Markers can be turned off by selecting the line chart that is having issues and going to the Visualizations pane. Then on the Format tab under Shapes, set the Show marker slider to off.

 

We are working on a resolution and estimate a solution will be available in mid-July.

 

KB4503279 Applies to: Windows 10 version 1703

https://support.microsoft.com/en-us/help/4503279/windows-10-update-kb4503279

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4503284 Applies to: Windows 10 version 1709

https://support.microsoft.com/en-us/help/4503284/windows-10-update-kb4503284

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4503285 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4503285/windows-server-2012-kb4503285

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

To mitigate the issue with Power BI reports, the report needs to be republished with markers turned off. Markers can be turned off by selecting the line chart that is having issues and going to the Visualizations pane. Then on the Format tab under Shapes, set the Show marker slider to off.

 

We are working on a resolution and estimate a solution will be available in mid-July.

 

KB4503286 Applies to: Windows 10 version 1803

https://support.microsoft.com/en-us/help/4503286/june112019kb4503286osbuild17134821

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4503290 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4503290/windows-8-1-update-kb4503290

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4503291 Applies to: Windows 10

https://support.microsoft.com/en-us/help/4503291/windows-10-update-kb4503291

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4503292 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

https://support.microsoft.com/en-us/help/4503292/windows-7-update-kb4503292

Symptoms:

Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.

Workaround:

We are presently investigating this issue with McAfee.

Guidance for McAfee customers can be found in the following McAfee support articles:

  • McAfee Security (ENS) Threat Prevention 10.x
  • McAfee Host Intrusion Prevention (Host IPS) 8.0
  • McAfee VirusScan Enterprise (VSE) 8.8

To mitigate the issue with Power BI reports, the report needs to be republished with markers turned off. Markers can be turned off by selecting the line chart that is having issues and going to the Visualizations pane. Then on the Format tab under Shapes, set the Show marker slider to off.

 

We are working on a resolution and estimate a solution will be available in mid-July.

 

KB4503293 Applies to: Windows 10, version 1903, Windows Server version 1903

https://support.microsoft.com/en-us/help/4503293/windows-10-update-kb4503293

Symptoms:

Windows Sandbox may fail to start with “ERROR_FILE_NOT_FOUND (0x80070002)” on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

Workaround:

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4503327 Applies to: Windows 10, version 1809, Windows Server 2019 all versions

https://support.microsoft.com/en-us/help/4503327/windows-10-update-kb4503327

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive the error, “Your printer has experienced an unexpected configuration problem. 0x80070007e.”

After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

You can use another browser, such as Internet Explorer to print your documents.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

  1. Uninstall and reinstall any recently added language packs. For instructions, see Manage the input and display language settings in Windows 10.
  2. Select Check for Updates and install the April 2019 Cumulative Update. For instructions, see Update Windows 10.

 

Note If reinstalling the language pack does not mitigate the issue, reset your PC as follows:

  1. Go to the Settings app > Recovery.
  2. Select Get Started under the Reset this PC recovery option.
  3. Select Keep my Files.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Flexis May 2019 Patch Review And Recommendations

  • KB4494440 – 2019-05 Cumulative Update for Windows Server 2016 for x64-based Systems
  • KB4498947 – 2019-05 Servicing Stack Update for Windows Server 2016 for x64-based Systems
  • KB4499151 – 2019-05 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems
  • KB4499164 – 2019-05 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems

 

Impacted Products:

  • Adobe Flash Player
  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Team Foundation Server
  • Visual Studio
  • Azure DevOps Server
  • SQL Server
  • .NET Framework
  • .NET Core
  • ASP.NET Core
  • ChakraCore
  • Online Services
  • Azure
  • NuGet
  • Skype for Android

 

Please note the following information regarding the security updates:

  • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.
  • Starting in May 2019, Internet Explorer 11 is available on Windows Server 2012. This configuration is only present in only the IE Cumulative package 4498206.

 

Microsoft Security Advisories:

  • ADV190012 | May 2019 Adobe Flash Security Update

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190012

  • ADV190013 | Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190013

 

Known Issues:

 

KB4493730 Applies to: Windows Server 2008 Service Pack 2

 https://support.microsoft.com/en-us/help/4493730/servicing-stack-update-for-windows-server-2008-sp2

 Symptoms:

Restart stuck on “Stage 2 of 2” or “Stage 3 of 3”

After you install a servicing stack update together with other updates, a restart may be required to complete the installation. During this restart, you may find yourself stuck at a particular stage and see a “Stage 2 of 2” or “Stage 3 of 3” message.

Workaround:

If you experience this issue, press Ctrl+Alt+Delete to continue to log on. This should occur only one time and does not prevent updates from installing successfully.

Note In managed environments, such as by using Windows Server Update Services (WSUS), you can avoid this issue by deploying this update as a standalone update.

 

 KB4494440 Applies to: Windows 10 – version 1607, Windows Server 2016

https://support.microsoft.com/en-us/help/4494440/windows-10-update-kb4494440

Symptoms:

For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update.

Additionally, if you do not follow the best practices, a stop error may occur in vfpext.sys on the hosts.

After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

  1. Run mofcomp on the following mof files on the affected host:
  • Scvmmswitchportsettings.mof
  • VMMDHCPSvr.mof
  1. Follow the best practices while patching to avoid a stop error in vfpext.sys in an SDN v2 environment (NC managed hosts).

Set the domain default “Minimum Password Length” policy to less than or equal to 14 characters.

Microsoft is working on a resolution and will provide an update in an upcoming release.

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

  • Open Windows Deployment Services from Windows Administrative Tools.
  • Expand Servers and right-click a WDS server.
  • Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4494441 Applies to: Windows 10 – version 1809, Windows Server 2019 – all versions

 https://support.microsoft.com/en-us/help/4494441/windows-10-update-kb4494441

 Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive the error, “Your printer has experienced an unexpected configuration problem. 0x80070007e.”

After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”

Some customers report that KB4494441 installed twice on their device.

In certain situations, installing an update requires multiple download and restart steps. If two intermediate steps of the installation complete successfully, the View your Update history page will report that installation completed successfully twice.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

  • Open Windows Deployment Services from Windows Administrative Tools.
  • Expand Servers and right-click a WDS server.
  • Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

You can use another browser, such as Internet Explorer to print your documents.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Uninstall and reinstall any recently added language packs. For instructions, see Manage the input and display language settings in Windows 10.

Select Check for Updates and install the April 2019 Cumulative Update. For instructions, see Update Windows 10.

Note If reinstalling the language pack does not mitigate the issue, reset your PC as follows:

Go to the Settings app > Recovery.

Select Get Started under the Reset this PC recovery option.

Select Keep my Files.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

No action is required on your part. The update installation may take longer and may require more than one restart, but will install successfully after all intermediate installation steps have completed.

We are working on improving this update experience to ensure the Update history correctly reflects the installation of the latest cumulative update (LCU).

 

KB4497936 Applies to: Windows 10 – version 1903

https://support.microsoft.com/en-us/help/4497936/windows-10-update-kb4497936

Symptoms:

After installing this update, users may experience error “0x800705b4” when launching Windows Defender Application Guard or Windows Sandbox.

Workaround:

Use the credentials of a local admin to create and set the following registry keys on the Host OS then restart the Host:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Containers\CmService\Policy]

“DisableClone”=dword:00000001

“DisableSnapshot”=dword:00000001

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4498206 Applies to: Internet Explorer 11 on Windows Server 2012 R2, Internet Explorer 11 on Windows Server 2012, Internet Explorer 11 on Windows Server 2008 R2 SP1, Internet Explorer 11 on Windows 8.1 Update, Internet Explorer 11 on Windows 7 SP1, Internet Explorer 10 on Windows Server 2012, Internet Explorer 9 on Windows Server 2008 SP2

https://support.microsoft.com/en-us/help/4498206/cumulative-security-update-for-internet-explorer-may-14-2019

Symptoms:

After this security update is installed for Internet Explorer 11 on supported operating systems, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

This cumulative security update 4498206 for Internet Explorer 10 might be offered for installation through Windows Server Update Services (WSUS) or other update management solutions, even after you install KB4492872 (Internet Explorer 11 for Windows Server 2012 and Windows Embedded 8 Standard) and upgrade to Internet Explorer 11.

Workaround:

Right-click the URL link to open it in a new window or tab.

Or:

Enable Protected mode in Internet Explorer for local intranet and trusted sites:

Go to Tools > Internet options > Security.

In the Select a zone to view or change security settings area, select Local intranet, and then select Enable Protected Mode.

Select Trusted sites, and then select Enable Protected Mode.

Select OK.

You must restart the browser after you make these changes.

Status

Microsoft is working on a resolution and will provide an update in an upcoming release.

Although this cumulative security update for Internet Explorer 10 might be offered for installation, this issue will not affect the functionality of Internet Explorer 11. However, you should also install KB4498206 to apply the security fixes that are resolved this month for Internet Explorer 11.

Status

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4499151 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4499151/windows-8-1-update-kb4499151

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

If previous dictionary updates are installed, the Japanese input method editor (IME) doesn’t show the new Japanese Era name as a text input option.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

  • Open Windows Deployment Services from Windows Administrative Tools.
  • Expand Servers and right-click a WDS server.
  • Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership

Microsoft is working on a resolution and will provide an update in an upcoming release.

We are presently investigating this issue with McAfee.

Guidance for McAfee customers can be found in the following McAfee support articles:

  • McAfee Security (ENS) Threat Prevention 10.x
  • McAfee Host Intrusion Prevention (Host IPS) 8.0
  • McAfee VirusScan Enterprise (VSE) 8.8

If you see any of the previous dictionary updates listed below, uninstall it from Programs and features > Uninstall or change a program. New words that were in previous dictionary updates are also in this update.

  • Update for Japanese Microsoft IME Standard Dictionary (15.0.2013)
  • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.2013)
  • Update for Japanese Microsoft IME Standard Dictionary (15.0.1215)
  • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1215)
  • Update for Japanese Microsoft IME Standard Dictionary (15.0.1080)
  • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1080)

 

KB4499154 Applies to: Windows 10

https://support.microsoft.com/en-us/help/4499154/windows-10-update-kb4499154

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4499158 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4499158/windows-server-2012-update-kb4499158

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

  • Open Windows Deployment Services from Windows Administrative Tools.
  • Expand Servers and right-click a WDS server.
  • Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4499164 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

https://support.microsoft.com/en-us/help/4499164/windows-7-update-kb4499164

Symptoms:

Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

Workaround:

We are presently investigating this issue with McAfee.

Guidance for McAfee customers can be found in the following McAfee support articles:

  • McAfee Security (ENS) Threat Prevention 10.x
  • McAfee Host Intrusion Prevention (Host IPS) 8.0
  • McAfee VirusScan Enterprise (VSE) 8.8

 

KB4499165 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4499165/windows-8-1-update-kb4499165

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

  • Open Windows Deployment Services from Windows Administrative Tools.
  • Expand Servers and right-click a WDS server.
  • Open its properties and clear the Enable Variable Window Extension box on the TFTP tab

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4499167 Applies to: Windows 10 – version 1803

https://support.microsoft.com/en-us/help/4499167/windows-10-update-kb4499167

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

  • Open Windows Deployment Services from Windows Administrative Tools.
  • Expand Servers and right-click a WDS server.
  • Open its properties and clear the Enable Variable Window Extension box on the TFTP tab

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4499171 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4499171/windows-server-2012-update-kb4499171

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

If previous dictionary updates are installed, the Japanese input method editor (IME) doesn’t show the new Japanese Era name as a text input option.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

  • Open Windows Deployment Services from Windows Administrative Tools.
  • Expand Servers and right-click a WDS server.
  • Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

If you see any of the previous dictionary updates listed below, uninstall it from Programs and features > Uninstall or change a program. New words that were in previous dictionary updates are also in this update.

  • Update for Japanese Microsoft IME Standard Dictionary (15.0.2013)
  • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.2013)
  • Update for Japanese Microsoft IME Standard Dictionary (15.0.1215)
  • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1215)
  • Update for Japanese Microsoft IME Standard Dictionary (15.0.1080)
  • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1080)

 

KB4499179 Applies to: Windows 10 – version 1709

https://support.microsoft.com/en-us/help/4499179/windows-10-update-kb4499179

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4499181 Applies to: Windows 10 – version 1703

https://support.microsoft.com/en-us/help/4499181/windows-10-update-kb4499181

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Flexis April 2019 Patch Review And Recommendations

  • KB4493451 – 2019-04 Security Monthly Quality Rollup for Windows Server 2012 for x64-based Systems
  • KB4493446 – 2019-04 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems
  • KB4493472 – 2019-04 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems
  • KB4493509 – 2019-04 Cumulative Update for Windows 10 Version 1809 for x64-based Systems
  • KB4493478 – 2019-04 Security Update for Adobe Flash Player for Windows 10 Version 1809 for x64-based Systems

 

Impacted Products:

  • Adobe Flash Player
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ASP.NET
  • Microsoft Exchange Server
  • Team Foundation Server
  • Azure DevOps Server
  • Open Enclave SDK
  • Windows Admin Center

 

Please note the following information regarding the security updates:

  • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.

 

Microsoft Security Advisories:

  • ADV190011 | April 2019 Adobe Flash Security Update

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190011

  • ADV990001 | Latest Servicing Stack Updates

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV990001

 

Known Issues:

 

KB4487563 Applies to: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

https://support.microsoft.com/en-us/help/4487563/description-of-the-security-update-for-microsoft-exchange-server

Symptoms:

When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state.

Workaround:

To avoid this issue, follow these steps to manually install this security update:

  • Select Start, and type cmd.
  • In the results, right-click Command Prompt, and then select Run as administrator.
  • If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  • Type the full path of the .msp file, and then press Enter.

This issue does not occur when you install the update from Microsoft Update.

 

To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated command prompt, see Start a Command Prompt as an Administrator.

 

KB4491413 Applies to: Exchange Server 2010 Service Pack 3

https://support.microsoft.com/en-us/help/4491413/update-rollup-27-for-exchange-server-2010-service-pack-3

Symptoms:

When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state.

Workaround:

To avoid this issue, follow these steps to manually install this security update:

  • Select Start, and type cmd.
  • In the results, right-click Command Prompt, and then select Run as administrator.
  • If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  • Type the full path of the .msp file, and then press Enter.

This issue does not occur when you install the update from Microsoft Update.

 

To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated command prompt, see Start a Command Prompt as an Administrator.

 

KB4493441 Applies to: Windows 10, version 1709

https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441

Symptoms:

After installing this update, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

Workaround:

Right-click the URL link to open it in a new window or tab.

Or

Enable Protected Mode in Internet Explorer for local intranet and trusted sites.

  • Go to Tools > Internet options > Security.
  • Within Select a zone to view or change security settings, select Local intranet and then select Enable Protected Mode.
  • Select Trusted sites and then select Enable Protected Mode.
  • Select OK.

You must restart the browser after making these changes.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4493446 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4493446/windows-8-1-update-kb4493446

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

Open Windows Deployment Services from Windows Administrative Tools.

Expand Servers and right-click a WDS server.

Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4493448 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 

https://support.microsoft.com/en-us/help/4493448/windows-7-update-kb4493448

Symptoms:

After installing this update, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.

Workaround:

To mitigate this issue, use one of the following options:

Option 1: Purge the Kerberos tickets on the application server. After the Kerberos ticket expires, the issue will occur again, and you must purge the tickets again.

Option 2: If purging does not mitigate the issue, restart the application; for example, restart the Internet Information Services (IIS) app pool associated with the SQL server.

Option 3: Use constrained delegation.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. For more information see the Sophos support article.

 

KB4493450 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4493450/windows-server-2012-update-kb4493450

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

Open Windows Deployment Services from Windows Administrative Tools.

Expand Servers and right-click a WDS server.

Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. For more information see the Sophos support article.

 

KB4493451 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4493451/windows-server-2012-update-kb4493451

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

Open Windows Deployment Services from Windows Administrative Tools.

Expand Servers and right-click a WDS server.

Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. For more information see the Sophos support article.

 

KB4493458 Applies to: Windows Server 2008 Service Pack 2

https://support.microsoft.com/en-us/help/4493458/windows-server-2008-update-kb4493458

Symptoms:

After installing this update, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.

Workaround:

To mitigate this issue, use one of the following options:

Option 1: Purge the Kerberos tickets on the application server. After the Kerberos ticket expires, the issue will occur again, and you must purge the tickets again.

Option 2: If purging does not mitigate the issue, restart the application; for example, restart the Internet Information Services (IIS) app pool associated with the SQL server.

Option 3: Use constrained delegation.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. For more information see the Sophos support article.

 

KB4493464 Applies to: Windows 10 version 1803

https://support.microsoft.com/en-us/help/4493464/windows-10-update-kb4493464

Symptoms:

After installing this update, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Workaround:

Right-click the URL link to open it in a new window or tab.

Or

Enable Protected Mode in Internet Explorer for local intranet and trusted sites.

Go to Tools > Internet options > Security.

Within Select a zone to view or change security settings, select Local intranet and then select Enable Protected Mode.

Select Trusted sites and then select Enable Protected Mode.

Select OK.

You must restart the browser after making these changes.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

Open Windows Deployment Services from Windows Administrative Tools.

Expand Servers and right-click a WDS server.

Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4493467 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4493467/windows-8-1-update-kb4493467

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

Open Windows Deployment Services from Windows Administrative Tools.

Expand Servers and right-click a WDS server.

Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. For more information see the Sophos support article.

 

KB4493470 Applies to: Windows 10 version 1607, Windows Server 2016

https://support.microsoft.com/en-us/help/4493470/windows-10-update-kb4493470

Symptoms:

After installing this update, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Workaround:

Right-click the URL link to open it in a new window or tab.

Or

Enable Protected Mode in Internet Explorer for local intranet and trusted sites.

Go to Tools > Internet options > Security.

Within Select a zone to view or change security settings, select Local intranet and then select Enable Protected Mode.

Select Trusted sites and then select Enable Protected Mode.

Select OK.

You must restart the browser after making these changes.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

Open Windows Deployment Services from Windows Administrative Tools.

Expand Servers and right-click a WDS server.

Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4493471 Applies to: Windows Server 2008 Service Pack 2

https://support.microsoft.com/en-us/help/4493471/windows-server-2008-update-kb4493471

Symptoms:

After installing this update, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.

Workaround:

To mitigate this issue, use one of the following options:

Option 1: Purge the Kerberos tickets on the application server. After the Kerberos ticket expires, the issue will occur again, and you must purge the tickets again.

Option 2: If purging does not mitigate the issue, restart the application; for example, restart the Internet Information Services (IIS) app pool associated with the SQL server.

Option 3: Use constrained delegation.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. For more information see the Sophos support article.

 

KB4493472 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

https://support.microsoft.com/en-us/help/4493472/windows-7-update-kb4493472

Symptoms:

After installing this update, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.

Workaround:

To mitigate this issue, use one of the following options:

Option 1: Purge the Kerberos tickets on the application server. After the Kerberos ticket expires, the issue will occur again, and you must purge the tickets again.

Option 2: If purging does not mitigate the issue, restart the application; for example, restart the Internet Information Services (IIS) app pool associated with the SQL server.

Option 3: Use constrained delegation.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. For more information see the Sophos support article.

 

KB4493474 Applies to: Windows 10 version 1703

https://support.microsoft.com/en-us/help/4493474/windows-10-update-kb4493474

Symptoms:

After installing this update, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

Workaround:

Right-click the URL link to open it in a new window or tab.

Or

Enable Protected Mode in Internet Explorer for local intranet and trusted sites.

Go to Tools > Internet options > Security.

Within Select a zone to view or change security settings, select Local intranet and then select Enable Protected Mode.

Select Trusted sites and then select Enable Protected Mode.

Select OK.

You must restart the browser after making these changes.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4493509 Applies to: Windows 10 version 1809, Windows Server 2019 all versions

https://support.microsoft.com/en-us/help/4493509/windows-10-update-kb4493509

Symptoms:

After installing this update, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Workaround:

Right-click the URL link to open it in a new window or tab.

Or

Enable Protected Mode in Internet Explorer for local intranet and trusted sites.

Go to Tools > Internet options > Security.

Within Select a zone to view or change security settings, select Local intranet and then select Enable Protected Mode.

Select Trusted sites and then select Enable Protected Mode.

Select OK.

You must restart the browser after making these changes.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

Open Windows Deployment Services from Windows Administrative Tools.

Expand Servers and right-click a WDS server.

Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4493730 Applies to: Windows Server 2008 Service Pack 2

https://support.microsoft.com/en-us/help/4493730/servicing-stack-update-for-windows-server-2008-sp2

Symptoms:

After you install a servicing stack update together with other updates, a restart may be required to complete the installation. During this restart, you may find yourself stuck at a particular stage and see a “Stage 2 of 2” or “Stage 3 of 3” message.

 

If you experience this issue, press Ctrl+Alt+Delete to continue to log on. This should occur only one time and does not prevent updates from installing successfully.

 

KB4493435 Applies to: Internet Explorer 11 on Windows Server 2012 R2, Internet Explorer 11 on Windows 8.1 Update, Internet Explorer 11 on Windows Server 2008 R2 SP1, Internet Explorer 11 on Windows 7 SP1, Internet Explorer 10 on Windows Server 2012, Internet Explorer 9 on Windows Server 2008 SP

https://support.microsoft.com/en-us/help/4493435/cumulative-security-update-for-internet-explorer-april-12-2019

Symptoms:

After this security update is installed on Windows 10, version 1607 and later operating systems, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

Workaround:

Right-click the URL link to open it in a new window or tab.

Or:

Enable Protected Mode in Internet Explorer for local intranet and trusted sites.

Go to Tools > Internet options > Security.

Within Select a zone to view or change security settings, select Local intranet and then select Enable Protected Mode.

Select Trusted sites, and then select Enable Protected Mode.

Select OK.

You must restart the browser after you make these changes.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Flexis March 2019 Patch Review And Recommendations

  • KB4489899 – 2019-03 Cumulative Update for Windows Server 2019 for x64-based Systems
  • KB4489882 – 2019-03 Cumulative Update for Windows Server 2016 for x64-based Systems
  • KB4489881 – 2019-03 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems
  • KB4489878 – 2019-03 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems

 

Impacted Products:

  • Adobe Flash Player
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office SharePoint
  • Team Foundation Server
  • Skype for Business
  • Visual Studio

 

Please note the following information regarding the security updates:

  • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.

 

Microsoft Security Advisories:

  • ADV190008 | March 2019 Adobe Flash Security Update

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190008

  • ADV190010 | Best Practices Regarding Sharing of a Single User Account Across Multiple Users

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190010

  • ADV990001 | Latest Servicing Stack Updates

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

 

Known Issues:

KB4489878, KB4489881, KB4489882, KB4489883, KB4489884, KB4489885, KB4489891, KB4489899

 

KB4489878 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

 https://support.microsoft.com/en-us/help/4489878/windows-7-update-kb4489878

 Symptoms:

After installing this update, Internet Explorer 10 may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:

  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.

Workaround:

Create unique user accounts so that two people don’t share the same user account when logging on to a Windows Server machine. Additionally, disable multiple RDP sessions for a single user account for a specific Windows Server.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

 KB4489881 Applies to: Windows 8.1, Windows Server 2012

https://support.microsoft.com/en-us/help/4489881/windows-8-1-update-kb4489881

Symptoms:

After installing this update, Internet Explorer 11 may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:

  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.

Group Policy editor may also be affected when editing a Group Policy Object (GPO) that contains a Group Policy Preference for Internet Settings.

Workaround:

Create unique user accounts so that two people don’t share the same user account when logging on to a Windows Server machine. Additionally, disable multiple RDP sessions for a single user account for a specific Windows Server.

Microsoft is working on a resolution and will provide an update in an upcoming release.

  

KB4489882 Applies to: Windows 10 version 1607, Windows Server 2016

 https://support.microsoft.com/en-us/help/4489882/windows-10-update-kb4489882

  Symptoms:

After installing this update, Internet Explorer 11 may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:

  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.

Group Policy editor may also be affected when editing a Group Policy Object (GPO) that contains a Group Policy Preference for Internet Settings.

Workaround:

Create unique user accounts so that two people don’t share the same user account when logging on to a Windows Server machine. Additionally, disable multiple RDP sessions for a single user account for a specific Windows Server.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4489883 Applies to: Windows 8.1, Windows Server 2012 R2

 https://support.microsoft.com/en-us/help/4489883/windows-8-1-update-kb4489883

 Symptoms:

After installing this update, Internet Explorer 11 may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:

  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.

Group Policy editor may also be affected when editing a Group Policy Object (GPO) that contains a Group Policy Preference for Internet Settings.

Workaround:

Create unique user accounts so that two people don’t share the same user account when logging on to a Windows Server machine. Additionally, disable multiple RDP sessions for a single user account for a specific Windows Server.

Microsoft is working on a resolution and will provide an update in an upcoming release.

  

KB4489884 Applies to: Windows Server 2012, Windows Embedded 8 Standard

 https://support.microsoft.com/en-us/help/4489884/windows-server-2012-update-kb4489884

Symptoms:

After installing this update, Internet Explorer 10 may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:

  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.

Group Policy editor may also be affected when editing a Group Policy Object (GPO) that contains a Group Policy Preference for Internet Settings.

Workaround:

Create unique user accounts so that two people don’t share the same user account when logging on to a Windows Server machine. Additionally, disable multiple RDP sessions for a single user account for a specific Windows Server.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4489885 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

 https://support.microsoft.com/en-us/help/4489885/windows-7-update-kb4489885

 Symptoms:

After installing this update, Internet Explorer 10 may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:

  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.

Workaround:

Create unique user accounts so that two people don’t share the same user account when logging on to a Windows Server machine. Additionally, disable multiple RDP sessions for a single user account for a specific Windows Server.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4489891 Applies to: Windows Server 2012, Windows Embedded 8 Standard

 https://support.microsoft.com/en-us/help/4489891/windows-server-2012-update-kb4489891

Symptoms:

After installing this update, Internet Explorer 10 may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:

  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.

Group Policy editor may also be affected when editing a Group Policy Object (GPO) that contains a Group Policy Preference for Internet Settings.

Workaround:

Create unique user accounts so that two people don’t share the same user account when logging on to a Windows Server machine. Additionally, disable multiple RDP sessions for a single user account for a specific Windows Server.

Microsoft is working on a resolution and will provide an update in an upcoming release.

  

KB4489899 Applies to: Windows 10 version 1809, Windows Server 2019, all versions

 https://support.microsoft.com/en-us/help/4489899/windows-10-update-kb4489899

 Symptoms:

After installing this update, Internet Explorer 11 may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:

  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.

After installing this update on machines that have multiple audio devices, applications that provide advanced options for internal or external audio output devices may stop working unexpectedly. This issue occurs for users that select an audio output device different from the “Default Audio Device”. Examples of applications that may stop working include:

  • Windows Media Player
  • Realtek HD Audio Manager
  • Sound Blaster Control Panel

Workaround:

Create unique user accounts so that two people don’t share the same user account when logging on to a Windows Server machine. Additionally, disable multiple RDP sessions for a single user account for a specific Windows Server.

As a temporary solution, select the “Default Audio Device” in the options provided by the application; please refer to the application’s user manual for details.

For example, to set the Default Audio Device in Windows Media Player:

Open Windows Media Player > Tools > Options > Devices.

Select the device and choose Properties.

On the next dialog, from the drop-down menu under Select the Audio Device, choose Default Audio Device from the list.

You can then send audio from the application to the audio device you want in the per-application audio settings found under Settings > System > Sound > App Volume and device preferences.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

 

Flexis February 2019 Patch Review And Recommendations

  • KB4487026 – 2019-02 Cumulative Update for Windows Server 2016 for x64-based Systems
  • KB4485447 – 2019-02 Servicing Stack Update for Windows Server 2016 for x64-based Systems
  • KB4487080 – 2019-02 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 8.1 and Server 2012 R2 for x64
  • KB4487000 – 2019-02 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems
  • KB4487038 – 2019-02 Security Update for Adobe Flash Player for Windows Server 2012 R2 for x64-based Systems
  • KB4487078 – 2019-02 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 7 and Server 2008 R2 for x64
  • KB4486563 – 2019-02 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems

 

Impacted Products:

  • Adobe Flash Player
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • .NET Framework
  • Microsoft Exchange Server
  • Microsoft Visual Studio
  • Microsoft Dynamics
  • Team Foundation Server

 

Please note the following information regarding the security updates:

  • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.

 

Microsoft Security Advisories:

  • ADV190003 | February 2019 Adobe Flash Security Update

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190003

  • ADV190006 | Guidance to mitigate unconstrained delegation vulnerabilities

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190006

  • ADV190007 | Guidance for “PrivExchange” Elevation of Privilege Vulnerability

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190007

  • ADV990001 | Latest Servicing Stack Updates

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

 

Known Issues:

KB4345836, KB4486563, KB4486564, KB4486993, KB4487000, KB4487019, KB4487020, KB4487023, KB4487025, KB4487026, KB4487028, KB4486996, KB4487017, KB4487044, KB4487052

 

KB4345836 Applies to: Exchange Server 2013

https://support.microsoft.com/en-us/help/4345836/cumulative-update-22-for-exchange-server-2013

Symptoms:

In multidomain Active Directory forests in which Exchange is installed or has been prepared previously by using the /PrepareDomain option in SETUP, this action must be completed after the /PrepareAD command for this cumulative update has been completed and the changes are replicated to all domains. Setup will try to execute the /PrepareAD command during the first server installation. Installation will finish only if the user who initiated SETUP has the appropriate permissions.

Workaround:

This cumulative update fixes the issues that are described in the following Microsoft Knowledge Base articles:

  • 4487603 “The action cannot be completed” error when you select many recipients in the Address Book of Outlook in Exchange Server 2013
  • 4490060 Exchange Web Services Push Notifications can be used to gain unauthorized access
  • 4490059 Reducing permissions required to run Exchange Server using Shared Permissions Model

 

KB4486563 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

https://support.microsoft.com/en-us/help/4486563/windows-7-update-kb4486563

Symptoms: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host. Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4486564 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

 https://support.microsoft.com/en-us/help/4486564/windows-7-update-kb4486564

 Symptoms: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host. Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4486993 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4486993/windows-server-2012-update-kb4486993

Symptoms: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host. Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4487000 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4487000/windows-8-1-update-kb4487000

Symptoms: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host. Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4487019 Applies to: Windows Server 2008 Service Pack 2

https://support.microsoft.com/en-us/help/4487019/windows-server-2008-update-kb4487019

Symptoms: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host. Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4487020 Applies to: Windows 10, version 1703

 https://support.microsoft.com/en-us/help/4487020/windows-10-update-kb4487020

 Symptoms: After installing this update, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Workaround: Modify the registry with the two- character abbreviation for Japanese eras as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Calendars\Japanese\Eras]

“1868 01 01″=”明治_明_Meiji_M”

“1912 07 30″=”大正_大_Taisho_T”

“1926 12 25″=”昭和_昭_Showa_S”

“1989 01 08″=”平成_平_Heisei_H”

Microsoft is working on a resolution and will provide an update in an upcoming release.

  

KB4487023 Applies to: Windows Server 2008 Service Pack 2

 https://support.microsoft.com/en-us/help/4487023/windows-server-2008-update-kb4487023

 Symptoms: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host. Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4487025 Applies to: Windows Server 2012, Windows Embedded 8 Standard

 https://support.microsoft.com/en-us/help/4487025/windows-server-2012-update-kb4487025

Symptoms: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host. Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4487026 Applies to: Windows 10 version 1607, Windows Server 2016

https://support.microsoft.com/en-us/help/4487026/windows-10-update-kb4487026

Symptoms:

  1. For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update. Additionally, if you do not follow the best practices, a stop error may occur in vfpext.sys on the hosts.
  2. After installing KB4467691, Windows may fail to start on certain Lenovo laptops that have less than 8 GB of RAM.
  3. After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.
  4. After installing this update, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Workaround:

1. Run mofcomp on the following mof files on the affected host:

Scvmmswitchportsettings.mof

VMMDHCPSvr.mof

Follow the best practices while patching to avoid a stop error in vfpext.sys in an SDN v2 environment (NC managed hosts).

2. Restart the affected machine using the Unified Extensible Firmware Interface (UEFI). Disable Secure Boot and then restart. If BitLocker is enabled on your machine, you may have to go through BitLocker recovery after Secure Boot has been disabled.

Microsoft is working with Lenovo and will provide an update in an upcoming release.

3. Set the domain default “Minimum Password Length” policy to less than or equal to 14 characters.

Microsoft is working on a resolution and will provide an update in an upcoming release.

4. Modify the registry with the two- character abbreviation for Japanese eras as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Calendars\Japanese\Eras]

“1868 01 01″=”明治_明_Meiji_M”

“1912 07 30″=”大正_大_Taisho_T”

“1926 12 25″=”昭和_昭_Showa_S”

“1989 01 08″=”平成_平_Heisei_H”

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4487028 Applies to: Windows 8.1, Windows Server 2012 R2

 https://support.microsoft.com/en-us/help/4487028/windows-8-1-update-kb4487028

Symptoms: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host. Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4486996 Applies to: Windows 10, version 1709

 https://support.microsoft.com/en-us/help/4486996/windows-10-update-kb4486996

Symptoms: After installing this update, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Workaround: Modify the registry with the two- character abbreviation for Japanese eras as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Calendars\Japanese\Eras]

“1868 01 01″=”明治_明_Meiji_M”

“1912 07 30″=”大正_大_Taisho_T”

“1926 12 25″=”昭和_昭_Showa_S”

“1989 01 08″=”平成_平_Heisei_H”

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4487017 Applies to: Windows 10, version 1803

https://support.microsoft.com/en-us/help/4487017/windows-10-update-kb4487017

Symptoms: After installing this update, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Workaround: Modify the registry with the two- character abbreviation for Japanese eras as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Calendars\Japanese\Eras]

“1868 01 01″=”明治_明_Meiji_M”

“1912 07 30″=”大正_大_Taisho_T”

“1926 12 25″=”昭和_昭_Showa_S”

“1989 01 08″=”平成_平_Heisei_H”

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4487044 Applies to: Windows 10, version 1809, Windows Server 2019, all versions

https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044

Symptoms: After installing this update, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Workaround: Modify the registry with the two- character abbreviation for Japanese eras as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Calendars\Japanese\Eras]

“1868 01 01″=”明治_明_Meiji_M”

“1912 07 30″=”大正_大_Taisho_T”

“1926 12 25″=”昭和_昭_Showa_S”

“1989 01 08″=”平成_平_Heisei_H”

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4487052 Applies to: Exchange Server 2010 Service Pack 3

https://support.microsoft.com/en-us/help/4487052/update-rollup-26-for-exchange-server-2010-service-pack-3

Symptoms: When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

To avoid this issue, follow these steps to manually install this security update:

Select Start, select All Programs, and then select Accessories.

Right-click Command prompt, and then select Run as administrator.

If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.

Type the full path of the .msp file, and then press Enter.

This issue does not occur when you install the update from Microsoft Update.

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state. To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update from an elevated command prompt. For more information about how to open an elevated command prompt, visit the following Microsoft webpage: Start a Command Prompt as an Administrator.

Workaround: This cumulative update fixes the issues that are described in the following Microsoft Knowledge Base article:

4490060 Exchange Web Services Push Notifications can be used to gain unauthorized access

 

 

Flexis January 2019 Patch Review And Recommendations

  • KB4480961 – 2019-01 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4480961)
  • KB4481484 – 2019-01 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 8.1 and Server 2012 R2 for x64
  • KB4480963 – 2019-01 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems and Windows 8.1 for x64-based Systems
  • KB4480979 – 2019-01 Security Update for Adobe Flash Player for Windows Server 2012 R2 for x64-based Systems and Windows 8.1 for x64-based Systems
  • KB4480970 – 2019-01 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems and Windows 7 for x64-based Systems
  • KB4480966 – 2019-01 Cumulative Update for Windows 10 Version 1803 for x64-based Systems

 

 

Impacted Products:

  • Adobe Flash Player
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • .NET Framework
  • ASP .NET
  • Microsoft Exchange Server
  • Microsoft Visual Studio

 

Please note the following information regarding the security updates:

  • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.

 

Microsoft Security Advisories:

  • ADV190001 | January 2019 Adobe Flash Update

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190001

 

Known Issues:

KB4480961, KB4480973, KB4480978, KB4480966, KB4480970, KB4480116, KB4480962, KB4480963, KB4480975, 4468742, KB4471389

 

 

KB4480961 Applies to: Windows 10, version 1607, Windows Server 2016

https://support.microsoft.com/en-us/help/4480961/windows-10-update-kb4480961

Symptoms:

  1. System Center Virtual Machine Manager (SCVMM) managed workloads are noticing infrastructure management issues after VMM refresh as the Windows Management Instrumentation (WMI) class around network port is being unregistered on Hyper-V hosts.
  2. After installing this update on Windows Server 2016, instant search in Microsoft Outlook clients fail with the error, “Outlook cannot perform the search”.
  3. After installing KB4467691, Windows may fail to startup on certain Lenovo laptops that have less than 8 GB of RAM.
  4. After installing this update, third-party applications may have difficulty authenticating hotspots.

Workaround:

  1. Run mofcompfor the mofVMMDHCPSvr.mof, and other relevant SCVMM MOF Files. Please upgrade thru the SCVMM 2016 Update Rollup 6 (UR6) to expedite the Host Refresh activities after running mofcomp command.
  2. To alleviate the symptoms, run sfc /scannow as described in step 3 of Use the System File Checker tool to repair missing or corrupted system files. Then restart Microsoft Outlook. Microsoft is working on a resolution and will provide an update in an upcoming release.
  3. Restart the affected machine using the Unified Extensible Firmware Interface (UEFI). Disable Secure Boot and then restart.
    If BitLocker is enabled on your machine, you may have to go through BitLocker recovery after Secure Boot has been disabled.
    Microsoft is working with Lenovo and will provide an update in an upcoming release.
  4. Microsoft is working on a resolution and estimates a solution will be available mid-January.

 

 

KB4480973 Applies to: Windows 10, version 1703

https://support.microsoft.com/en-us/help/4480973/windows-10-update-kb4480973

Symptoms: After installing this update, third-party applications may have difficulty authenticating hotspots.

Workaround: Microsoft is working on a resolution and estimates a solution will be available mid-January.

 

 

KB4480978 Applies to: Windows 10, version 1709

https://support.microsoft.com/en-us/help/4480978/windows-10-update-kb4480978

Symptoms: After installing this update, third-party applications may have difficulty authenticating hotspots.

Workaround: Microsoft is working on a resolution and estimates a solution will be available mid-January.

 

 

KB4480966 Applies to: Windows 10, version 1803

https://support.microsoft.com/en-us/help/4480966/windows-10-update-kb4480966

Symptoms:

  1. After you install the August Preview of Quality Rollupor September 11, 2018 .NET Framework update, instantiation of SqlConnection can throw an exception. For more information about this issue, see the following article in the Microsoft Knowledge Base: 4470809 SqlConnection instantiation exception on .NET 4.6 and later after August-September 2018 .NET Framework updates.
  2. After installing this update, some users cannot pin a web link on the Startmenu or the taskbar.
  3. After installing KB4467682, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.
  4. After installing this update, third-party applications may have difficulty authenticating hotspots.

Workaround:

  1. Microsoft is working on a resolution and will provide an update in an upcoming release.
  2. Microsoft is working on a resolution and will provide an update in an upcoming release.
  3. Set the domain default “Minimum Password Length” policy to less than or equal to 14 characters.
    Microsoft is working on a resolution and will provide an update in an upcoming release.
  4. Microsoft is working on a resolution and estimates a solution will be available mid-January.

 

 

KB4480970 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

https://support.microsoft.com/en-us/help/4480970/windows-7-update-kb4480970

Symptoms:

  1. After you apply this update, the network interface controller may stop working on some client software configurations. This occurs because of an issue related to a missing file, oem<number>.inf. The exact problematic configurations are currently unknown.
  2. After installing this update, some users are reporting the KMS Activation error, “Not Genuine”, 0xc004f200 on Windows 7 devices.
  3. Local users who are part of the local “Administrators“ group may not be able to remotely access shares on Windows Server 2008 R2 and Windows 7 machines after installing the January 8th, 2019 security updates. This does not affect domain accounts in the local “Administrators” group.

Workaround:

  1. To locate the network device, launch devmgmt.msc. It may appear under Other Devices.
  • To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes from the Action menu.
    • Alternatively, install the drivers for the network device by right-clicking the device and choosing Update. Then choose Search automatically for updated driver software or Browse my computer for driver software.
  1. We are aware of this incident and are presently investigating it. We will provide an update when available.
  2. To work around this issue use either a local account that is not part of the local “Administrators” group or any domain user (including domain administrators).
    We recommend this workaround until a fix is available in a future release.

 

 

KB4480116 Applies to: Windows 10, version 1809, Windows Server 2019, all versions

https://support.microsoft.com/en-us/help/4480116/windows-10-update-kb4480116

Symptoms: After installing this update, third-party applications may have difficulty authenticating hotspots.

Workaround: Microsoft is working on a resolution and estimates a solution will be available late January.

 

 

KB4480962 Applies to: Windows 10

https://support.microsoft.com/en-us/help/4480962/windows-10-update-kb4480962

Symptoms: After installing this update, third-party applications may have difficulty authenticating hotspots.

Workaround: Microsoft is working on a resolution and estimates a solution will be available early February.

 

 

KB4480963 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4480963/windows-8-1-update-kb4480963

Symptoms: After installing this update, third-party applications may have difficulty authenticating hotspots.

Workaround: Microsoft is working on a resolution and estimates a solution will be available mid-January.

 

KB4480975 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4480975/windows-server-2012-update-kb4480975

Symptoms: After installing this update, third-party applications may have difficulty authenticating hotspots.

Workaround: Microsoft is working on a resolution and estimates a solution will be available mid-January.

 


4468742 Applies to: Exchange Server 2010

https://support.microsoft.com/en-us/help/4468742/update-rollup-25-for-exchange-server-2010-service-pack-3

Symptoms: When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

Workaround: To avoid this issue, follow these steps to manually install this security update:

1. Select Start, select All Programs, and then select Accessories.

2. Right-click Command prompt, and then select Run as administrator.

3. If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.

4. Type the full path of the .msp file, and then press Enter.

This issue does not occur when you install the update from Microsoft Update.

 

4471389 Applies to: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

https://support.microsoft.com/en-us/help/4471389/description-of-the-security-update-for-microsoft-exchange-server-2019

Symptoms: When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

Workaround: To avoid this issue, follow these steps to manually install this security update:

1. Select Start, select All Programs, and then select Accessories.

2. Right-click Command prompt, and then select Run as administrator.

3. If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.

4. Type the full path of the .msp file, and then press Enter.

This issue does not occur when you install the update from Microsoft Update.