- KB5016623: 2022-08 Cumulative Update for Windows Server 2019 for x64-based Systems
- KB5012170: 2022-08 Cumulative Update for Windows Server 2016 for x64-based Systems
- KB5017095: 2022-08 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems
- KB5016622: 2022-08 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems
- KB5016681: 2022-08 Security Monthly Quality Rollup for Windows Server 2012 for x64-based Systems
Impacted Products:
- Microsoft Windows
- Microsoft Edge (Edge HTML-based)
- Microsoft Edge (Chromium-based)
- Internet Explorer
- Microsoft Office and Microsoft Office Services and Web Apps
- Windows Defender
- Visual Studio
- ASP.NET Core
- Chakra Core
- Online Services
- Microsoft Dynamics
- .NET Framework
- .NET Core
Please note the following information regarding the security updates:
- For information regarding enabling Windows 10, version 1809 features and later, please see Windows 10, version 1909 delivery options. Note that Windows 10, versions 1903 and 1909 share a common core operating system with an identical set of system files. They will also share the same security update KBs. There is no change to the cumulative monthly security update
- Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
- For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
- A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
- Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
- In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.
Known Issues:
KB5016623: – Applies to: Windows 10 Enterprise 2019 LTSC, Windows 10 IoT Enterprise 2019 LTSC, Windows 10 IoT Core 2019 LTSC
IMPORTANT Microsoft released KB5012170 on August 9, 2022. It provides support for Secure Boot Forbidden Signature Database (DBX). This is a standalone, security update. Windows 8.1 and newer clients and Windows Server 2012 and newer servers must install this update regardless of whether BitLocker is enabled or supported on your device. After you install the update, you might receive error “0x800f0922”; see Update might fail to install and you might receive a 0x800f0922 error. After you install the update, your device might start up in BitLocker recovery mode. See Some devices might start up into BitLocker Recovery and Finding your BitLocker recovery key in Windows.
Improvements
This security update includes improvements that were a part of update KB5015880 (released July 21, 2022) and also addresses the following issues:
Addresses an issue that might cause the Local Security Authority Server Service (LSASS) to leak tokens. This issue affects devices that have installed Windows updates dated June 14, 2022 or later. This issue occurs when the device performs a specific form of service for user (S4U) in a non-Trusted Computing Base (TCB) Windows service that runs as Network Service.
KB5012170: – Applies to: Windows 10, version 1607, all editions; Windows Server 2016, all editions
Summary
This security update makes improvements to Secure Boot DBX for the supported Windows versions listed in the “Applies to” section. Key changes include the following:
Windows devices that have Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX.
A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.
This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.
Issue
Some original equipment manufacturer (OEM) firmware might not allow for the installation of this update.
If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the update failing to install.
To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.
When attempting to install this update, it might fail to install, and you might receive Error 0x800f0922.
Note This issue only affects this security update for Secure Boot DBX (KB5012170) and does not affect the latest cumulative security updates, monthly rollups, or security-only updates released on August 9, 2022.
Some devices might enter BitLocker Recovery on the first or second restart after attempting to install this update on Windows 11.
Next step
To resolve this issue, contact your firmware OEM.
To work around this issue, do one of the following before you deploy this update:
On a device that does not have Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle:
Manage-bde -Protectors -Disable C: -RebootCount 1
Then, deploy the update and restart the device to resume the BitLocker protection.
On a device that has Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:
Manage-bde -Protectors -Disable C: -RebootCount 3
Then, deploy the update and restart the device to resume the BitLocker protection.
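The workaround above as one PowerShell function, added here as an example and not part of Microsoft's advisory. The function name `Suspend-BitLockerForDbxUpdate` is hypothetical, and the script assumes the BitLocker PowerShell module and the `Win32_DeviceGuard` CIM class are available on the device; the reboot counts are the ones in the two commands above.

```powershell
# Added example (not from the advisory). Run from an elevated PowerShell session.
function Suspend-BitLockerForDbxUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = 'C:'   # OS volume, as in the advisory's commands
    )

    # Nothing to do if the DBX update is already recorded as installed.
    if (Get-HotFix -Id 'KB5012170' -ErrorAction SilentlyContinue) {
        Write-Output 'KB5012170 is already installed; BitLocker left unchanged.'
        return
    }

    # Only suspend when protection is actually on for this volume.
    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($volume.ProtectionStatus -ne 'On') {
        Write-Output "BitLocker protection is not on for $MountPoint; nothing to suspend."
        return
    }

    # Credential Guard is running when SecurityServicesRunning contains 1.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    $credentialGuard = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    # Reboot counts are the ones used in the advisory's two commands.
    $rebootCount = if ($credentialGuard) { 3 } else { 1 }

    if ($PSCmdlet.ShouldProcess($MountPoint, "Suspend BitLocker for $rebootCount restart(s)")) {
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount $rebootCount | Out-Null
    }

    # Return what was decided so a deployment tool can log it.
    [pscustomobject]@{
        MountPoint      = $MountPoint
        CredentialGuard = $credentialGuard
        RebootCount     = $rebootCount
    }
}

Suspend-BitLockerForDbxUpdate -WhatIf   # preview only; drop -WhatIf to apply
```

After the update is installed and the device has restarted, `Get-BitLockerVolume -MountPoint C:` should report `ProtectionStatus` as `On` again.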
KB5017095: – Applies to: Windows Server 2012, Windows Embedded 8 Standard
Summary
This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) make sure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.
Important: Windows 10, version 1607 reached end of service on April 9, 2019 for devices running the Enterprise, Education, and IoT Enterprise editions. After April 9, 2019, these devices will no longer be offered servicing stack updates. To continue receiving these updates, we recommend updating to the latest version of Windows.
For information about the end of service for Windows 10, version 1607, see here.
For information about the end of service for Windows Server 2016, see here.
KB5016622: – Applies to: Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro
Improvements
This security update includes quality improvements. Key changes include:
Addresses an issue that prevents certain troubleshooting tools from opening.
Addresses an issue that prevents the Key Distribution Center (KDC) Proxy from properly receiving Kerberos tickets for Key Trust Windows Hello for Business credentials.
Addresses an issue that causes the KDC code to incorrectly return the error message “KDC_ERR_TGT_REVOKED” during domain controller shutdown.
Addresses an issue that might cause the Local Security Authority Server Service (LSASS) to leak tokens. This issue affects devices that have installed Windows updates dated June 14, 2022 or later. This issue occurs when the device performs a specific form of service for user (S4U) in a non-Trusted Computing Base (TCB) Windows service that runs as Network Service.
Enforces a hardening change that requires printers and scanners that use smart cards for authentication to have firmware that complies with section 3.2.1 of RFC 4556. If they do not comply, Active Directory domain controllers will not authenticate them. Mitigations that allowed non-compliant devices to authenticate will not exist after August 9, 2022. For more information about this change, see KB5005408.
REMINDER Windows 8.1 will reach end of support on January 10, 2023 for all editions, at which point technical assistance and software updates will no longer be provided. If you have devices running Windows 8.1, we recommend upgrading them to a more current, in-service, and supported Windows release. If devices do not meet the technical requirements to run a more current release of Windows, we recommend that you replace the device with one that supports Windows 11.
Microsoft will not be offering an Extended Security Update (ESU) program for Windows 8.1. Continuing to use Windows 8.1 after January 10, 2023 may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations.
KB5016681: – Applies to: Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro
Improvements
This cumulative security update includes improvements that are part of update KB5015874 (released July 12, 2022) and includes new improvements for the following issues:
Addresses an issue in which Speech and Network troubleshooters will not start.
Addresses an issue that might cause the Local Security Authority Server Service (LSASS) to leak tokens. This issue affects devices that have installed Windows updates dated June 14, 2022 or later. This issue occurs when the device performs a specific form of service for user (S4U) in a non-Trusted Computing Base (TCB) Windows service that runs as Network Service.
Enforces a hardening change that requires printers and scanners that use smart cards for authentication to have firmware that complies with section 3.2.1 of RFC 4556. If they do not comply, Active Directory domain controllers will not authenticate them. Mitigations that allowed non-compliant devices to authenticate will not exist after August 9, 2022. For more information about this change, see KB5005408.
Symptoms
Starting at 12:00 A.M. Saturday, September 10, 2022, the official time in Chile will advance 60 minutes in accordance with the August 9, 2022 official announcement by the Chilean government about a daylight saving time (DST) time zone change. This moves the DST change which was previously September 4 to September 10.
Symptoms if the workaround is not used on devices between September 4, 2022 and September 11, 2022:
Time shown in Windows and apps will not be correct.
In apps and cloud services that use date and time for integral functions, such as Microsoft Teams and Microsoft Outlook, notifications and meeting schedules might be 60 minutes off.
Automation that uses date and time, such as Scheduled tasks, might not run at the expected time.
Timestamp on transactions, files, and logs will be 60 minutes off.
Operations that rely on time-dependent protocols such as Kerberos might cause authentication failures when attempting to log on or access resources.
Windows devices and apps outside of Chile might also be affected if they are connecting to servers or devices in Chile or if they are scheduling or attending meetings taking place in Chile from another location or time zone. Windows devices outside of Chile should not use the workaround, as it would change their local time on the device.
Next step
To mitigate this issue, please see Possible issues caused by new Daylight Savings Time in Chile.
We are working on a resolution and will provide an update in an upcoming release.
Note We plan to release an update to support this change; however, there might be insufficient time to properly build, test, and release such an update before the change goes into effect. Please use the workaround above.