Flexis April 2019 Patch Review And Recommendations

  • KB4493451 – 2019-04 Security Monthly Quality Rollup for Windows Server 2012 for x64-based Systems
  • KB4493446 – 2019-04 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems
  • KB4493472 – 2019-04 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems
  • KB4493509 – 2019-04 Cumulative Update for Windows 10 Version 1809 for x64-based Systems
  • KB4493478 – 2019-04 Security Update for Adobe Flash Player for Windows 10 Version 1809 for x64-based Systems

 

Impacted Products:

  • Adobe Flash Player
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ASP.NET
  • Microsoft Exchange Server
  • Team Foundation Server
  • Azure DevOps Server
  • Open Enclave SDK
  • Windows Admin Center

 

Please note the following information regarding the security updates:

  • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.

 

Microsoft Security Advisories:

  • ADV190011 | April 2019 Adobe Flash Security Update

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190011

  • ADV990001 | Latest Servicing Stack Updates

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV990001

 

Known Issues:

 

KB4487563 Applies to: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019

https://support.microsoft.com/en-us/help/4487563/description-of-the-security-update-for-microsoft-exchange-server

Symptoms:

When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state.

Workaround:

To avoid this issue, follow these steps to manually install this security update:

  • Select Start, and type cmd.
  • In the results, right-click Command Prompt, and then select Run as administrator.
  • If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  • Type the full path of the .msp file, and then press Enter.

This issue does not occur when you install the update from Microsoft Update.

 

To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated command prompt, see Start a Command Prompt as an Administrator.

 

KB4491413 Applies to: Exchange Server 2010 Service Pack 3

https://support.microsoft.com/en-us/help/4491413/update-rollup-27-for-exchange-server-2010-service-pack-3

Symptoms:

When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state.

Workaround:

To avoid this issue, follow these steps to manually install this security update:

  • Select Start, and type cmd.
  • In the results, right-click Command Prompt, and then select Run as administrator.
  • If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  • Type the full path of the .msp file, and then press Enter.

This issue does not occur when you install the update from Microsoft Update.

 

To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated command prompt, see Start a Command Prompt as an Administrator.

 

KB4493441 Applies to: Windows 10, version 1709

https://support.microsoft.com/en-us/help/4493441/windows-10-update-kb4493441

Symptoms:

After installing this update, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

Workaround:

Right-click the URL link to open it in a new window or tab.

Or

Enable Protected Mode in Internet Explorer for local intranet and trusted sites.

  • Go to Tools > Internet options > Security.
  • Within Select a zone to view or change security settings, select Local intranet and then select Enable Protected Mode.
  • Select Trusted sites and then select Enable Protected Mode.
  • Select OK.

You must restart the browser after making these changes.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4493446 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4493446/windows-8-1-update-kb4493446

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

Open Windows Deployment Services from Windows Administrative Tools.

Expand Servers and right-click a WDS server.

Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4493448 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 

https://support.microsoft.com/en-us/help/4493448/windows-7-update-kb4493448

Symptoms:

After installing this update, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.

Workaround:

To mitigate this issue, use one of the following options:

Option 1: Purge the Kerberos tickets on the application server. After the Kerberos ticket expires, the issue will occur again, and you must purge the tickets again.

Option 2: If purging does not mitigate the issue, restart the application; for example, restart the Internet Information Services (IIS) app pool associated with the SQL server.

Option 3: Use constrained delegation.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. For more information see the Sophos support article.

 

KB4493450 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4493450/windows-server-2012-update-kb4493450

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

Open Windows Deployment Services from Windows Administrative Tools.

Expand Servers and right-click a WDS server.

Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. For more information see the Sophos support article.

 

KB4493451 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4493451/windows-server-2012-update-kb4493451

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

Open Windows Deployment Services from Windows Administrative Tools.

Expand Servers and right-click a WDS server.

Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. For more information see the Sophos support article.

 

KB4493458 Applies to: Windows Server 2008 Service Pack 2

https://support.microsoft.com/en-us/help/4493458/windows-server-2008-update-kb4493458

Symptoms:

After installing this update, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.

Workaround:

To mitigate this issue, use one of the following options:

Option 1: Purge the Kerberos tickets on the application server. After the Kerberos ticket expires, the issue will occur again, and you must purge the tickets again.

Option 2: If purging does not mitigate the issue, restart the application; for example, restart the Internet Information Services (IIS) app pool associated with the SQL server.

Option 3: Use constrained delegation.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. For more information see the Sophos support article.

 

KB4493464 Applies to: Windows 10 version 1803

https://support.microsoft.com/en-us/help/4493464/windows-10-update-kb4493464

Symptoms:

After installing this update, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Workaround:

Right-click the URL link to open it in a new window or tab.

Or

Enable Protected Mode in Internet Explorer for local intranet and trusted sites.

Go to Tools > Internet options > Security.

Within Select a zone to view or change security settings, select Local intranet and then select Enable Protected Mode.

Select Trusted sites and then select Enable Protected Mode.

Select OK.

You must restart the browser after making these changes.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

Open Windows Deployment Services from Windows Administrative Tools.

Expand Servers and right-click a WDS server.

Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4493467 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4493467/windows-8-1-update-kb4493467

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

Open Windows Deployment Services from Windows Administrative Tools.

Expand Servers and right-click a WDS server.

Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. For more information see the Sophos support article.

 

KB4493470 Applies to: Windows 10 version 1607, Windows Server 2016

https://support.microsoft.com/en-us/help/4493470/windows-10-update-kb4493470

Symptoms:

After installing this update, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Workaround:

Right-click the URL link to open it in a new window or tab.

Or

Enable Protected Mode in Internet Explorer for local intranet and trusted sites.

Go to Tools > Internet options > Security.

Within Select a zone to view or change security settings, select Local intranet and then select Enable Protected Mode.

Select Trusted sites and then select Enable Protected Mode.

Select OK.

You must restart the browser after making these changes.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

Open Windows Deployment Services from Windows Administrative Tools.

Expand Servers and right-click a WDS server.

Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4493471 Applies to: Windows Server 2008 Service Pack 2

https://support.microsoft.com/en-us/help/4493471/windows-server-2008-update-kb4493471

Symptoms:

After installing this update, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.

Workaround:

To mitigate this issue, use one of the following options:

Option 1: Purge the Kerberos tickets on the application server. After the Kerberos ticket expires, the issue will occur again, and you must purge the tickets again.

Option 2: If purging does not mitigate the issue, restart the application; for example, restart the Internet Information Services (IIS) app pool associated with the SQL server.

Option 3: Use constrained delegation.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. For more information see the Sophos support article.

 

KB4493472 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

https://support.microsoft.com/en-us/help/4493472/windows-7-update-kb4493472

Symptoms:

After installing this update, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.

Workaround:

To mitigate this issue, use one of the following options:

Option 1: Purge the Kerberos tickets on the application server. After the Kerberos ticket expires, the issue will occur again, and you must purge the tickets again.

Option 2: If purging does not mitigate the issue, restart the application; for example, restart the Internet Information Services (IIS) app pool associated with the SQL server.

Option 3: Use constrained delegation.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. For more information see the Sophos support article.

 

KB4493474 Applies to: Windows 10 version 1703

https://support.microsoft.com/en-us/help/4493474/windows-10-update-kb4493474

Symptoms:

After installing this update, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

Workaround:

Right-click the URL link to open it in a new window or tab.

Or

Enable Protected Mode in Internet Explorer for local intranet and trusted sites.

Go to Tools > Internet options > Security.

Within Select a zone to view or change security settings, select Local intranet and then select Enable Protected Mode.

Select Trusted sites and then select Enable Protected Mode.

Select OK.

You must restart the browser after making these changes.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4493509 Applies to: Windows 10 version 1809, Windows Server 2019 all versions

https://support.microsoft.com/en-us/help/4493509/windows-10-update-kb4493509

Symptoms:

After installing this update, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Workaround:

Right-click the URL link to open it in a new window or tab.

Or

Enable Protected Mode in Internet Explorer for local intranet and trusted sites.

Go to Tools > Internet options > Security.

Within Select a zone to view or change security settings, select Local intranet and then select Enable Protected Mode.

Select Trusted sites and then select Enable Protected Mode.

Select OK.

You must restart the browser after making these changes.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

Open Windows Deployment Services from Windows Administrative Tools.

Expand Servers and right-click a WDS server.

Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4493730 Applies to: Windows Server 2008 Service Pack 2

https://support.microsoft.com/en-us/help/4493730/servicing-stack-update-for-windows-server-2008-sp2

Symptoms:

After you install a servicing stack update together with other updates, a restart may be required to complete the installation. During this restart, you may find yourself stuck at a particular stage and see a “Stage 2 of 2” or “Stage 3 of 3” message.

 

If you experience this issue, press Ctrl+Alt+Delete to continue to log on. This should occur only one time and does not prevent updates from installing successfully.

 

KB4493435 Applies to: Internet Explorer 11 on Windows Server 2012 R2, Internet Explorer 11 on Windows 8.1 Update, Internet Explorer 11 on Windows Server 2008 R2 SP1, Internet Explorer 11 on Windows 7 SP1, Internet Explorer 10 on Windows Server 2012, Internet Explorer 9 on Windows Server 2008 SP

https://support.microsoft.com/en-us/help/4493435/cumulative-security-update-for-internet-explorer-april-12-2019

Symptoms:

After this security update is installed on Windows 10, version 1607 and later operating systems, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

Workaround:

Right-click the URL link to open it in a new window or tab.

Or:

Enable Protected Mode in Internet Explorer for local intranet and trusted sites.

Go to Tools > Internet options > Security.

Within Select a zone to view or change security settings, select Local intranet and then select Enable Protected Mode.

Select Trusted sites, and then select Enable Protected Mode.

Select OK.

You must restart the browser after you make these changes.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.