Flexis February 2019 Patch Review And Recommendations

• KB4487026 – 2019-02 Cumulative Update for Windows Server 2016 for x64-based Systems
• KB4485447 – 2019-02 Servicing Stack Update for Windows Server 2016 for x64-based Systems
• KB4487080 – 2019-02 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 8.1 and Server 2012 R2 for x64
• KB4487000 – 2019-02 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems
• KB4487038 – 2019-02 Security Update for Adobe Flash Player for Windows Server 2012 R2 for x64-based Systems
• KB4487078 – 2019-02 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 7 and Server 2008 R2 for x64
• KB4486563 – 2019-02 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems

 

Impacted Products:

• Adobe Flash Player
• Internet Explorer
• Microsoft Edge
• Microsoft Windows
• Microsoft Office and Microsoft Office Services and Web Apps
• .NET Framework
• Microsoft Exchange Server
• Microsoft Visual Studio
• Microsoft Dynamics
• Team Foundation Server

 

Please note the following information regarding the security updates:

• A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
• Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
• Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
• For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
• In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.

 

Microsoft Security Advisories:

• ADV190003 | February 2019 Adobe Flash Security Update

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190003

• ADV190006 | Guidance to mitigate unconstrained delegation vulnerabilities

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190006

• ADV190007 | Guidance for “PrivExchange” Elevation of Privilege Vulnerability

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190007

• ADV990001 | Latest Servicing Stack Updates

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001

 

Known Issues:

KB4345836, KB4486563, KB4486564, KB4486993, KB4487000, KB4487019, KB4487020, KB4487023, KB4487025, KB4487026, KB4487028, KB4486996, KB4487017, KB4487044, KB4487052

 

KB4345836 Applies to: Exchange Server 2013

https://support.microsoft.com/en-us/help/4345836/cumulative-update-22-for-exchange-server-2013

Symptoms:

In multidomain Active Directory forests in which Exchange is installed or has been prepared previously by using the /PrepareDomain option in SETUP, this action must be completed after the /PrepareAD command for this cumulative update has been completed and the changes are replicated to all domains. Setup will try to execute the /PrepareAD command during the first server installation. Installation will finish only if the user who initiated SETUP has the appropriate permissions.

Workaround:

This cumulative update fixes the issues that are described in the following Microsoft Knowledge Base articles:

• 4487603 “The action cannot be completed” error when you select many recipients in the Address Book of Outlook in Exchange Server 2013
• 4490060 Exchange Web Services Push Notifications can be used to gain unauthorized access
• 4490059 Reducing permissions required to run Exchange Server using Shared Permissions Model

 

KB4486563 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

https://support.microsoft.com/en-us/help/4486563/windows-7-update-kb4486563

Symptoms: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host. Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4486564 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

 https://support.microsoft.com/en-us/help/4486564/windows-7-update-kb4486564

 Symptoms: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host. Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4486993 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4486993/windows-server-2012-update-kb4486993

Symptoms: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host. Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4487000 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4487000/windows-8-1-update-kb4487000

Symptoms: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host. Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4487019 Applies to: Windows Server 2008 Service Pack 2

https://support.microsoft.com/en-us/help/4487019/windows-server-2008-update-kb4487019

Symptoms: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host. Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4487020 Applies to: Windows 10, version 1703

 https://support.microsoft.com/en-us/help/4487020/windows-10-update-kb4487020

 Symptoms: After installing this update, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Workaround: Modify the registry with the two- character abbreviation for Japanese eras as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Calendars\Japanese\Eras]

“1868 01 01″=”明治_明_Meiji_M”

“1912 07 30″=”大正_大_Taisho_T”

“1926 12 25″=”昭和_昭_Showa_S”

“1989 01 08″=”平成_平_Heisei_H”

Microsoft is working on a resolution and will provide an update in an upcoming release.

  

KB4487023 Applies to: Windows Server 2008 Service Pack 2

 https://support.microsoft.com/en-us/help/4487023/windows-server-2008-update-kb4487023

 Symptoms: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host. Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4487025 Applies to: Windows Server 2012, Windows Embedded 8 Standard

 https://support.microsoft.com/en-us/help/4487025/windows-server-2012-update-kb4487025

Symptoms: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host. Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4487026 Applies to: Windows 10 version 1607, Windows Server 2016

https://support.microsoft.com/en-us/help/4487026/windows-10-update-kb4487026

Symptoms:

1. For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update. Additionally, if you do not follow the best practices, a stop error may occur in vfpext.sys on the hosts.
2. After installing KB4467691, Windows may fail to start on certain Lenovo laptops that have less than 8 GB of RAM.
3. After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.
4. After installing this update, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Workaround:

1. Run mofcomp on the following mof files on the affected host:

Scvmmswitchportsettings.mof

VMMDHCPSvr.mof

Follow the best practices while patching to avoid a stop error in vfpext.sys in an SDN v2 environment (NC managed hosts).

2. Restart the affected machine using the Unified Extensible Firmware Interface (UEFI). Disable Secure Boot and then restart. If BitLocker is enabled on your machine, you may have to go through BitLocker recovery after Secure Boot has been disabled.

Microsoft is working with Lenovo and will provide an update in an upcoming release.

3. Set the domain default “Minimum Password Length” policy to less than or equal to 14 characters.

Microsoft is working on a resolution and will provide an update in an upcoming release.

4. Modify the registry with the two- character abbreviation for Japanese eras as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Calendars\Japanese\Eras]

“1868 01 01″=”明治_明_Meiji_M”

“1912 07 30″=”大正_大_Taisho_T”

“1926 12 25″=”昭和_昭_Showa_S”

“1989 01 08″=”平成_平_Heisei_H”

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4487028 Applies to: Windows 8.1, Windows Server 2012 R2

 https://support.microsoft.com/en-us/help/4487028/windows-8-1-update-kb4487028

Symptoms: After installing this update, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Workaround: After installing this update, shut down the virtual machines before restarting the host. Microsoft is working on a resolution and estimates a solution will be available by mid-February 2019.

 

KB4486996 Applies to: Windows 10, version 1709

 https://support.microsoft.com/en-us/help/4486996/windows-10-update-kb4486996

Symptoms: After installing this update, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Workaround: Modify the registry with the two- character abbreviation for Japanese eras as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Calendars\Japanese\Eras]

“1868 01 01″=”明治_明_Meiji_M”

“1912 07 30″=”大正_大_Taisho_T”

“1926 12 25″=”昭和_昭_Showa_S”

“1989 01 08″=”平成_平_Heisei_H”

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4487017 Applies to: Windows 10, version 1803

https://support.microsoft.com/en-us/help/4487017/windows-10-update-kb4487017

Symptoms: After installing this update, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Workaround: Modify the registry with the two- character abbreviation for Japanese eras as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Calendars\Japanese\Eras]

“1868 01 01″=”明治_明_Meiji_M”

“1912 07 30″=”大正_大_Taisho_T”

“1926 12 25″=”昭和_昭_Showa_S”

“1989 01 08″=”平成_平_Heisei_H”

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4487044 Applies to: Windows 10, version 1809, Windows Server 2019, all versions

https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044

Symptoms: After installing this update, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Workaround: Modify the registry with the two- character abbreviation for Japanese eras as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Calendars\Japanese\Eras]

“1868 01 01″=”明治_明_Meiji_M”

“1912 07 30″=”大正_大_Taisho_T”

“1926 12 25″=”昭和_昭_Showa_S”

“1989 01 08″=”平成_平_Heisei_H”

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4487052 Applies to: Exchange Server 2010 Service Pack 3

https://support.microsoft.com/en-us/help/4487052/update-rollup-26-for-exchange-server-2010-service-pack-3

Symptoms: When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

To avoid this issue, follow these steps to manually install this security update:

Select Start, select All Programs, and then select Accessories.

Right-click Command prompt, and then select Run as administrator.

If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.

Type the full path of the .msp file, and then press Enter.

This issue does not occur when you install the update from Microsoft Update.

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state. To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update from an elevated command prompt. For more information about how to open an elevated command prompt, visit the following Microsoft webpage: Start a Command Prompt as an Administrator.

Workaround: This cumulative update fixes the issues that are described in the following Microsoft Knowledge Base article:

4490060 Exchange Web Services Push Notifications can be used to gain unauthorized access