- KB5013941: 2022-05 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems
- KB5013952: 2022-05 Cumulative Update for Windows Server 2016 for x64-based Systems
- KB5014026: 2022-05 Servicing Stack Update for Windows Server 2016 for x64-based Systems
- KB5014011: 2022-05 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems
Impacted Products:
- Microsoft Windows
- Microsoft Windows
- Microsoft Edge (Edge HTML-based)
- Microsoft Edge (Chromium-based)
- Internet Explorer
- Microsoft Office and Microsoft Office Services and Web Apps
- Windows Defender
- Visual Studio
- ASP.NET Core
- Chakra Core
- Online Services
- Microsoft Dynamics
- .NET Framework
- .NET Core
Please note the following information regarding the security updates:
- For information regarding enabling Windows 10, version 1809 features and later, please see Windows 10, version 1909 delivery options. Note that Windows 10, versions 1903 and 1909 share a common core operating system with an identical set of system files. They will also share the same security update KBs. There is no change to the cumulative monthly security update
- Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
- For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
- A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
- Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
- In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.
Known Issues:
KB5013941: Applies to: Windows 10 Enterprise 2019 LTSC; Windows 10 IoT Enterprise 2019 LTSC; Windows 10 IoT Core 2019 LTSC
Improvements and fixes
This security update includes improvements that were a part of update KB5012636 (released April 21, 2022) and also addresses the following issues:
This update contains miscellaneous security improvements to internal OS functionality. No additional issues were documented for this release.
If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.
KB5013952: Applies to Windows 10, version 1607, all editions; Windows Server 2016, all editions
New! Adds improvements for servicing the Secure Boot component of Windows.
Addresses an issue that might occur when you use Netdom.exe or the Active Directory Domains and Trusts snap-in to list or modify name suffixes routing. These procedures might fail. The error message is, “Insufficient system resources exist to complete the requested service.” This issue occurs after installing the January 2022 security update on the primary domain controller emulator (PDCe).
Addresses an issue that causes the improper cleanup of Dynamic Data Exchange (DDE) objects. This prevents session teardown and causes a session to stop responding.
Addresses an issue that might cause Kerberos.dll to stop working within the Local Security Authority Subsystem Service (LSASS). This occurs when LSASS processes simultaneous Service for User (S4U) user-to-user (U2U) requests for the same client user.
Addresses a known issue that might prevent recovery discs (CD or DVD) from starting if you created them using the Backup and Restore (Windows 7) app in Control Panel. This issue occurs after installing Windows updates released January 11, 2022 or later.
Symptom
After installing updates released May 10, 2022 on domain controllers, you might see authentication failures on the server or client for some services. These services include Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). An issue has been found related to how the domain controller manages the mapping of certificates to machine accounts.
Note Installation of the May 10, 2022 updates on client Windows devices and non-domain controller Windows Servers will not cause this issue. This issue only affects servers that are used as domain controllers.
Workaround
The preferred mitigation for this issue is to manually map certificates to a machine account in Active Directory. For instructions, see Certificate mapping.
Note The instructions are the same for mapping certificates to user or machine accounts in Active Directory. If the preferred mitigation will not work in your environment, see KB5014754—Certificate-based authentication changes on Windows domain controllers for other possible mitigations in the “SChannel registry key” section.
Note Any other mitigation except the preferred mitigations might lower or disable security hardening.
KB5014026: Applies to: Windows Server 2012; Windows Embedded 8 Standard
Summary
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) makes sure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.
Additionally, this update adds improvements for servicing the Secure Boot component of Windows.
Important: Windows 10, version 1607 reached end of service on April 9, 2019 for devices running the Enterprise, Education, and IoT Enterprise editions. After April 9, 2019, these devices will no longer be offered servicing stack updates. To continue receiving these updates, we recommend updating to the latest version of Windows.
KB5014011: Applies to Windows Server 2012; Windows Embedded 8 Standard
IMPORTANT Windows 8.1 and Windows Server 2012 R2 have reached the end of mainstream support and are now in extended support. Starting in July 2020, there will no longer be optional, non-security releases (known as “C” releases) for this operating system. Operating systems in extended support have only cumulative monthly security updates (known as the “B” or Update Tuesday release).
For information about the various types of Windows updates, such as critical, security, driver, service packs, and so on, please see the following article. To view other notes and messages, see the Windows 8.1 and Windows Server 2012 R2
Improvements and fixes
This cumulative security update contains improvements that are part of update KB5012670 (released April 12, 2022) and includes new improvements for the following issues:
The Key Distribution Center (KDC) code incorrectly returns error message KDC_ERR_TGT_REVOKED during Domain Controller shutdown.
After installing the January 2022 Windows update or a later Windows update on the Primary Domain Controller emulator (PDCe), listing or modifying name suffixes routing by using Netdom.exe or “Active Directory Domains and Trusts” snap-in may fail and you receive the following error message: “Insufficient system resources exist to complete the requested service.”
The Primary Domain Controller (PDC) for the root domain incorrectly logs warning and error events in the System log when trying to scan outbound-only trusts.
Symptom
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.
After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller.
Workaround
Do one of the following:
Perform the operation from a process that has administrator privilege.
Perform the operation from a node that doesn’t have CSV ownership.
Microsoft is working on a resolution and will provide an update in an upcoming release.
The preferred mitigation for this issue is to manually map certificates to a machine account in Active Directory. For instructions, please see Certificate Mapping.
Note The instructions are the same for mapping certificates to user or machine accounts in Active Directory. If the preferred mitigation will not work in your environment, please see KB5014754—Certificate-based authentication changes on Windows domain controllers for other possible mitigations in the SChannel registry key section.
Note Any other mitigation except the preferred mitigations might lower or disable security hardening.
We are presently investigating and will provide an update in an upcoming release.