Flexis May 2019 Patch Review And Recommendations

  • KB4494440 – 2019-05 Cumulative Update for Windows Server 2016 for x64-based Systems
  • KB4498947 – 2019-05 Servicing Stack Update for Windows Server 2016 for x64-based Systems
  • KB4499151 – 2019-05 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems
  • KB4499164 – 2019-05 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems

 

Impacted Products:

  • Adobe Flash Player
  • Microsoft Windows
  • Internet Explorer
  • Microsoft Edge
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Team Foundation Server
  • Visual Studio
  • Azure DevOps Server
  • SQL Server
  • .NET Framework
  • .NET Core
  • ASP.NET Core
  • ChakraCore
  • Online Services
  • Azure
  • NuGet
  • Skype for Android

 

Please note the following information regarding the security updates:

  • A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
  • Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
  • Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
  • For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
  • In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.
  • Starting in May 2019, Internet Explorer 11 is available on Windows Server 2012. This configuration is present only in the IE Cumulative package 4498206.

 

Microsoft Security Advisories:

  • ADV190012 | May 2019 Adobe Flash Security Update

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190012

  • ADV190013 | Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190013

 

Known Issues:

 

KB4493730 Applies to: Windows Server 2008 Service Pack 2

 https://support.microsoft.com/en-us/help/4493730/servicing-stack-update-for-windows-server-2008-sp2

 Symptoms:

Restart stuck on “Stage 2 of 2” or “Stage 3 of 3”

After you install a servicing stack update together with other updates, a restart may be required to complete the installation. During this restart, you may find yourself stuck at a particular stage and see a “Stage 2 of 2” or “Stage 3 of 3” message.

Workaround:

If you experience this issue, press Ctrl+Alt+Delete to continue to log on. This should occur only one time and does not prevent updates from installing successfully.

Note: In managed environments, such as by using Windows Server Update Services (WSUS), you can avoid this issue by deploying this update as a standalone update.

 

 KB4494440 Applies to: Windows 10 – version 1607, Windows Server 2016

https://support.microsoft.com/en-us/help/4494440/windows-10-update-kb4494440

Symptoms:

For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update.

Additionally, if you do not follow the best practices, a stop error may occur in vfpext.sys on the hosts.

After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

  1. Run mofcomp on the following mof files on the affected host:
     • Scvmmswitchportsettings.mof
     • VMMDHCPSvr.mof
  2. Follow the best practices while patching to avoid a stop error in vfpext.sys in an SDN v2 environment (NC managed hosts).

Set the domain default “Minimum Password Length” policy to less than or equal to 14 characters.

Microsoft is working on a resolution and will provide an update in an upcoming release.

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

  • Open Windows Deployment Services from Windows Administrative Tools.
  • Expand Servers and right-click a WDS server.
  • Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4494441 Applies to: Windows 10 – version 1809, Windows Server 2019 – all versions

 https://support.microsoft.com/en-us/help/4494441/windows-10-update-kb4494441

 Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive the error, “Your printer has experienced an unexpected configuration problem. 0x80070007e.”

After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”

Some customers report that KB4494441 installed twice on their device.

In certain situations, installing an update requires multiple download and restart steps. If two intermediate steps of the installation complete successfully, the View your Update history page will report that installation completed successfully twice.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

  • Open Windows Deployment Services from Windows Administrative Tools.
  • Expand Servers and right-click a WDS server.
  • Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

You can use another browser, such as Internet Explorer, to print your documents.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Uninstall and reinstall any recently added language packs. For instructions, see Manage the input and display language settings in Windows 10.

Select Check for Updates and install the April 2019 Cumulative Update. For instructions, see Update Windows 10.

Note: If reinstalling the language pack does not mitigate the issue, reset your PC as follows:

Go to the Settings app > Recovery.

Select Get Started under the Reset this PC recovery option.

Select Keep my Files.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

No action is required on your part. The update installation may take longer and may require more than one restart, but will install successfully after all intermediate installation steps have completed.

We are working on improving this update experience to ensure the Update history correctly reflects the installation of the latest cumulative update (LCU).

 

KB4497936 Applies to: Windows 10 – version 1903

https://support.microsoft.com/en-us/help/4497936/windows-10-update-kb4497936

Symptoms:

After installing this update, users may experience error “0x800705b4” when launching Windows Defender Application Guard or Windows Sandbox.

Workaround:

Use the credentials of a local admin to create and set the following registry keys on the Host OS then restart the Host:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Containers\CmService\Policy]
"DisableClone"=dword:00000001
"DisableSnapshot"=dword:00000001

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4498206 Applies to: Internet Explorer 11 on Windows Server 2012 R2, Internet Explorer 11 on Windows Server 2012, Internet Explorer 11 on Windows Server 2008 R2 SP1, Internet Explorer 11 on Windows 8.1 Update, Internet Explorer 11 on Windows 7 SP1, Internet Explorer 10 on Windows Server 2012, Internet Explorer 9 on Windows Server 2008 SP2

https://support.microsoft.com/en-us/help/4498206/cumulative-security-update-for-internet-explorer-may-14-2019

Symptoms:

After this security update is installed for Internet Explorer 11 on supported operating systems, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

This cumulative security update 4498206 for Internet Explorer 10 might be offered for installation through Windows Server Update Services (WSUS) or other update management solutions, even after you install KB4492872 (Internet Explorer 11 for Windows Server 2012 and Windows Embedded 8 Standard) and upgrade to Internet Explorer 11.

Workaround:

Right-click the URL link to open it in a new window or tab.

Or:

Enable Protected mode in Internet Explorer for local intranet and trusted sites:

Go to Tools > Internet options > Security.

In the Select a zone to view or change security settings area, select Local intranet, and then select Enable Protected Mode.

Select Trusted sites, and then select Enable Protected Mode.

Select OK.

You must restart the browser after you make these changes.

Status

Microsoft is working on a resolution and will provide an update in an upcoming release.

Although this cumulative security update for Internet Explorer 10 might be offered for installation, this issue will not affect the functionality of Internet Explorer 11. However, you should also install KB4498206 to apply the security fixes that are resolved this month for Internet Explorer 11.

Status

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4499151 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4499151/windows-8-1-update-kb4499151

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

If previous dictionary updates are installed, the Japanese input method editor (IME) doesn’t show the new Japanese Era name as a text input option.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

  • Open Windows Deployment Services from Windows Administrative Tools.
  • Expand Servers and right-click a WDS server.
  • Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

We are presently investigating this issue with McAfee.

Guidance for McAfee customers can be found in the following McAfee support articles:

  • McAfee Security (ENS) Threat Prevention 10.x
  • McAfee Host Intrusion Prevention (Host IPS) 8.0
  • McAfee VirusScan Enterprise (VSE) 8.8

If you see any of the previous dictionary updates listed below, uninstall it from Programs and features > Uninstall or change a program. New words that were in previous dictionary updates are also in this update.

  • Update for Japanese Microsoft IME Standard Dictionary (15.0.2013)
  • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.2013)
  • Update for Japanese Microsoft IME Standard Dictionary (15.0.1215)
  • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1215)
  • Update for Japanese Microsoft IME Standard Dictionary (15.0.1080)
  • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1080)

 

KB4499154 Applies to: Windows 10

https://support.microsoft.com/en-us/help/4499154/windows-10-update-kb4499154

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4499158 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4499158/windows-server-2012-update-kb4499158

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

  • Open Windows Deployment Services from Windows Administrative Tools.
  • Expand Servers and right-click a WDS server.
  • Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4499164 Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1

https://support.microsoft.com/en-us/help/4499164/windows-7-update-kb4499164

Symptoms:

Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update.

Workaround:

We are presently investigating this issue with McAfee.

Guidance for McAfee customers can be found in the following McAfee support articles:

  • McAfee Security (ENS) Threat Prevention 10.x
  • McAfee Host Intrusion Prevention (Host IPS) 8.0
  • McAfee VirusScan Enterprise (VSE) 8.8

 

KB4499165 Applies to: Windows 8.1, Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4499165/windows-8-1-update-kb4499165

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

  • Open Windows Deployment Services from Windows Administrative Tools.
  • Expand Servers and right-click a WDS server.
  • Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

 

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4499167 Applies to: Windows 10 – version 1803

https://support.microsoft.com/en-us/help/4499167/windows-10-update-kb4499167

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

  • Open Windows Deployment Services from Windows Administrative Tools.
  • Expand Servers and right-click a WDS server.
  • Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4499171 Applies to: Windows Server 2012, Windows Embedded 8 Standard

https://support.microsoft.com/en-us/help/4499171/windows-server-2012-update-kb4499171

Symptoms:

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

If previous dictionary updates are installed, the Japanese input method editor (IME) doesn’t show the new Japanese Era name as a text input option.

Workaround:

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:

Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

  • Open Windows Deployment Services from Windows Administrative Tools.
  • Expand Servers and right-click a WDS server.
  • Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:

Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.
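
The WDS workaround (Option 3) repeated under the affected KBs above can be checked and applied per host with a script like the following. This is an added example, not Microsoft's or this page's own code: the function names are hypothetical, and treating a missing registry value as "still needs the workaround" is an assumption. The KB numbers, registry path and service name are taken from the page.

```powershell
# Added example. Run in an elevated PowerShell session on the WDS server.
# KBs for which this page lists the PXE / Variable Window Extension issue.
$WdsAffectedKbs = @('KB4494440', 'KB4494441', 'KB4499151', 'KB4499158',
                    'KB4499165', 'KB4499167', 'KB4499171')
$WdsTftpKey   = 'HKLM:\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP'
$WdsValueName = 'EnableVariableWindowExtension'

function Get-WdsPxeExposure {
    # The issue applies only when an affected update is installed AND the
    # host runs WDS with Variable Window Extension not explicitly disabled.
    $service   = Get-Service -Name 'WDSServer' -ErrorAction SilentlyContinue
    $installed = @(Get-HotFix -Id $WdsAffectedKbs -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty HotFixID)

    $state = 'NotApplicable'                      # WDS role not present
    if ($service) {
        $prop = Get-ItemProperty -Path $WdsTftpKey -Name $WdsValueName `
                                 -ErrorAction SilentlyContinue
        if ($null -eq $prop)               { $state = 'NotSet' }   # assumption: treat as not disabled
        elseif ($prop.$WdsValueName -eq 0) { $state = 'Disabled' }
        else                               { $state = 'Enabled' }
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        WdsInstalled    = [bool]$service
        AffectedKbs     = $installed
        VariableWindow  = $state
        NeedsWorkaround = ([bool]$service) -and ($installed.Count -gt 0) -and
                          ($state -ne 'Disabled')
    }
}

function Disable-WdsVariableWindow {
    # Applies Option 3: set the value to 0, then restart WDSServer.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Test-Path -Path $WdsTftpKey)) {
        throw 'WDS TFTP provider key not found; is the WDS role installed?'
    }
    if ($PSCmdlet.ShouldProcess($WdsTftpKey, "Set $WdsValueName to 0 and restart WDSServer")) {
        # Keep the previous value so the change can be reverted once a fix ships.
        $before = (Get-ItemProperty -Path $WdsTftpKey -Name $WdsValueName `
                                    -ErrorAction SilentlyContinue).$WdsValueName
        Set-ItemProperty -Path $WdsTftpKey -Name $WdsValueName -Value 0 -Type DWord
        Restart-Service -Name 'WDSServer'
        [pscustomobject]@{
            Previous      = $before
            Current       = 0
            ServiceStatus = (Get-Service -Name 'WDSServer').Status
        }
    }
}

# Report first; -WhatIf shows the change without making it.
$report = Get-WdsPxeExposure
$report | Format-List
if ($report.NeedsWorkaround) { Disable-WdsVariableWindow -WhatIf }
```

Remove `-WhatIf` to apply the change. `Get-HotFix` reports only the updates the host itself lists as installed, so confirm against your patch-management records as well.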

Microsoft is working on a resolution and will provide an update in an upcoming release.

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

If you see any of the previous dictionary updates listed below, uninstall it from Programs and features > Uninstall or change a program. New words that were in previous dictionary updates are also in this update.

  • Update for Japanese Microsoft IME Standard Dictionary (15.0.2013)
  • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.2013)
  • Update for Japanese Microsoft IME Standard Dictionary (15.0.1215)
  • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1215)
  • Update for Japanese Microsoft IME Standard Dictionary (15.0.1080)
  • Update for Japanese Microsoft IME Standard Extended Dictionary (15.0.1080)

 

KB4499179 Applies to: Windows 10 – version 1709

https://support.microsoft.com/en-us/help/4499179/windows-10-update-kb4499179

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

 

KB4499181 Applies to: Windows 10 – version 1703

https://support.microsoft.com/en-us/help/4499181/windows-10-update-kb4499181

Symptoms:

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Workaround:

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.