Flexis June 2019 Patch Review And Recommendations

  • KB4501835 – 2019-05 Cumulative Update for Windows Server 2019 for x64-based Systems.
  • KB4494440 – 2019-05 Cumulative Update for Windows Server 2016 for x64-based Systems.
  • KB4498947 – 2019-05 Servicing Stack Update for Windows Server 2016 for x64-based Systems.
  • KB4499151 – 2019-05 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems.
  • KB4499164 – 2019-05 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems.

Impacted Products:

  • Adobe Flash Player
  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Office and Microsoft Office Services and Web Apps
  • ChakraCore
  • Skype for Business and Microsoft Lync
  • Microsoft Exchange Server
  • Azure

 

Please note the following information regarding the security updates:

  • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.

 

Microsoft Security Advisories:

  • ADV190015 | June 2019 Adobe Flash Security Update

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190015

  • ADV990001 | Latest Servicing Stack Updates

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV990001

 

Known Issues:

 

KB4493730 Applies to: Windows Server 2008 Service Pack 2

https://support.microsoft.com/en-us/help/4493730/servicing-stack-update-for-windows-server-2008-sp2

 Symptoms:

Restart stuck on “Stage 2 of 2” or “Stage 3 of 3”

After you install a servicing stack update together with other updates, a restart may be required to complete the installation. During this restart, you may find yourself stuck at a particular stage and see a “Stage 2 of 2” or “Stage 3 of 3” message.

Workaround:

If you experience this issue, press Ctrl+Alt+Delete to continue to log on. This should occur only one time and does not prevent updates from installing successfully.

Note In managed environments, such as by using Windows Server Update Services (WSUS), you can avoid this issue by deploying this update as a standalone update.

 

KB4503027 Applies to: Exchange Server 2019, Exchange Server 2016

https://support.microsoft.com/en-us/help/4503027/security-update-for-microsoft-exchange-server-2019-june-11-2019

Symptoms:

When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

To avoid this issue, follow these steps to manually install this security update:

  • Select Start, and type cmd.
  • In the results, right-click Command Prompt, and then select Run as administrator.
  • If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  • Type the full path of the .msp file, and then press Enter.
  • This issue does not occur when you install the update from Microsoft Update.

 

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state. To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated command prompt, see Start a Command Prompt as an Administrator.

 

Workaround:

Method 1: Microsoft Update

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Windows Update: FAQ.

 

Method 2: Microsoft Update Catalog

To get the standalone package for this update, go to the Microsoft Update Catalog website.

 

Method 3: Microsoft Download Center

You can get the standalone update package through the Microsoft Download Center.

 

KB4503028 Applies to: Exchange Server 2010 Service Pack 3, Exchange Server 2013

https://support.microsoft.com/en-us/help/4503028/security-update-for-microsoft-exchange-server-2013-and-2010

Symptoms:

When you try to manually install this security update by double-clicking the update file (.msp) to run it in “normal mode” (that is, not as an administrator), some files are not correctly updated.

 

When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

 

To avoid this issue, follow these steps to manually install this security update:

  • Select Start, and type cmd.
  • In the results, right-click Command prompt, and then select Run as administrator.
  • If the User Account Control dialog box appears, verify that the default action is the action that you want, and then select Continue.
  • Type the full path of the .msp file, and then press Enter.

 

This issue does not occur if you install the update from Microsoft Update.

 

Exchange services may remain in a disabled state after you install this security update. This condition does not indicate that the update is not installed correctly. This condition may occur if the service control scripts experience a problem when they try to return Exchange services to its usual state. To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually. To avoid this issue, run the security update at an elevated command prompt. For more information about how to open an elevated Command Prompt window, see Start a Command Prompt as an Administrator.

 

Workaround:

Method 1: Microsoft Update

This update is available from Microsoft Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to get security updates automatically, see Windows Update: FAQ.

 

Method 2: Microsoft Update Catalog

To get the standalone package for this update, go to the Microsoft Update Catalog website.

 

Method 3: Microsoft Download Center

You can get the standalone update package through the Microsoft Download Center.

 

KB4503263 Applies to: Windows Server 2012, Windows Embedded 8 Standard

 https://support.microsoft.com/en-us/help/4503263/windows-server-2012-update-kb4503263

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4503267 Applies to: Windows 10 version 1607, Windows Server 2016

https://support.microsoft.com/en-us/help/4503267/windows-10-update-kb4503267

Symptoms:

For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update.

 

Additionally, if you do not follow the best practices, a stop error may occur in vfpext.sys on the hosts.

 

After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.

 

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

After installing this update and restarting, some devices running Windows Server 2016 with Hyper-V enabled may enter Bitlocker recovery mode and receive an error, “0xC0210000”.

 

Note Windows 10, version 1607 may also be affected when Bitlocker and Hyper-V are enabled.

 

Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016) after installation of this update on the server. Applications that may exhibit this behavior use an IFRAME during non-interactive authentication requests and receive X-Frame Options set to DENY.

 

Workaround:

Run mofcomp on the following mof files on the affected host:

  • Scvmmswitchportsettings.mof
  • VMMDHCPSvr.mof

 

Follow the best practices while patching to avoid a stop error in vfpext.sys in an SDN v2 environment (NC managed hosts).

Set the domain default “Minimum Password Length” policy to less than or equal to 14 characters.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

For a workaround for this issue, please see KB4505821.

Microsoft is working on a resolution and will provide an update in an upcoming release.

You can use the Allow-From value of the header if the IFRAME is only accessing pages from a single-origin URL. On the affected server, open a PowerShell window as an administrator and run the following command: set-AdfsResponseHeaders -SetHeaderName X-Frame-Options -SetHeaderValue “allow-from https://example.com”

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4503276 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4503276/june-11-2019-kb4503276-os-build-monthly-rollup

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

We are presently investigating this issue with McAfee.

Guidance for McAfee customers can be found in the following McAfee support articles:

  • McAfee Security (ENS) Threat Prevention 10.x
  • McAfee Host Intrusion Prevention (Host IPS) 8.0
  • McAfee VirusScan Enterprise (VSE) 8.8

 

To mitigate the issue with Power BI reports, the report needs to be republished with markers turned off. Markers can be turned off by selecting the line chart that is having issues and going to the Visualizations pane. Then on the Format tab under Shapes, set the Show marker slider to off.

 

We are working on a resolution and estimate a solution will be available in mid-July.

 

KB4503279 Applies to: Windows 10 version 1703

https://support.microsoft.com/en-us/help/4503279/windows-10-update-kb4503279

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4503284 Applies to: Windows 10 version 1709

https://support.microsoft.com/en-us/help/4503284/windows-10-update-kb4503284

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4503285 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4503285/windows-server-2012-kb4503285

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

To mitigate the issue with Power BI reports, the report needs to be republished with markers turned off. Markers can be turned off by selecting the line chart that is having issues and going to the Visualizations pane. Then on the Format tab under Shapes, set the Show marker slider to off.

 

We are working on a resolution and estimate a solution will be available in mid-July.

 

KB4503286 Applies to: Windows 10 version 1803

https://support.microsoft.com/en-us/help/4503286/june112019kb4503286osbuild17134821

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4503290 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4503290/windows-8-1-update-kb4503290

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4503291 Applies to: Windows 10

https://support.microsoft.com/en-us/help/4503291/windows-10-update-kb4503291

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4503292 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

https://support.microsoft.com/en-us/help/4503292/windows-7-update-kb4503292

Symptoms:

Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

Internet Explorer 11 may stop working when loading or interacting with Power BI reports that have line charts with markers. This issue may also occur when viewing other content that contains Scalable Vector Graphics (SVG) markers.

Workaround:

We are presently investigating this issue with McAfee.

Guidance for McAfee customers can be found in the following McAfee support articles:

  • McAfee Security (ENS) Threat Prevention 10.x
  • McAfee Host Intrusion Prevention (Host IPS) 8.0
  • McAfee VirusScan Enterprise (VSE) 8.8

To mitigate the issue with Power BI reports, the report needs to be republished with markers turned off. Markers can be turned off by selecting the line chart that is having issues and going to the Visualizations pane. Then on the Format tab under Shapes, set the Show marker slider to off.

 

We are working on a resolution and estimate a solution will be available in mid-July.

 

KB4503293 Applies to: Windows 10, version 1903, Windows Server version 1903

https://support.microsoft.com/en-us/help/4503293/windows-10-update-kb4503293

Symptoms:

Windows Sandbox may fail to start with “ERROR_FILE_NOT_FOUND (0x80070002)” on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

Workaround:

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4503327 Applies to: Windows 10, version 1809, Windows Server 2019 all versions

https://support.microsoft.com/en-us/help/4503327/windows-10-update-kb4503327

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive the error, “Your printer has experienced an unexpected configuration problem. 0x80070007e.”

After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”

 

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

You can use another browser, such as Internet Explorer to print your documents.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

  1. Uninstall and reinstall any recently added language packs. For instructions, see Manage the input and display language settings in Windows 10.
  2. Select Check for Updates and install the April 2019 Cumulative Update. For instructions, see Update Windows 10.

 

Note If reinstalling the language pack does not mitigate the issue, reset your PC as follows:

  1. Go to the Settings app > Recovery.
  2. Select Get Started under the Reset this PC recovery option.
  3. Select Keep my Files.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.