Impacted Products:

Please note the following information regarding the security updates:

KB5026370: Applies to Windows 10 Enterprise 2019 LTSC; Windows 10 IoT Enterprise 2019 LTSC; Windows 10 IoT Core 2019 LTSC

https://support.microsoft.com/en-us/topic/may-9-2023-kb5026370-os-build-20348-1726-8c5dc605-d613-46ea-9232-1425cfc91d62

Improvements

New! This update changes firewall settings. You can now configure application group rules.

This update addresses an issue that affects conhost.exe. It stops responding.

This update affects the Islamic Republic of Iran. The update supports the government’s daylight saving time change order from 2022.

This update addresses issues that affect the 32-bit version of Windows Calculator.

This update addresses an issue that affects apps that use DirectX on older Intel graphics drivers. You might receive an error from apphelp.dll.

The update addresses an issue that sends unexpected password expiration notices to users. This occurs when you set up an account to use “Smart Card is Required for Interactive Logon” and set “Enable rolling of expiring NTLM secrets”.

This update addresses an issue that affects Microsoft Edge IE mode. Pop-up windows open in the background instead of in the foreground.

This update addresses an issue that affects the software defined networking (SDN) virtual subnet. The delete operation creates an error. This stops the virtual subnet from being deleted.

The update addresses an issue that affects Azure Service Fabric containers. This change is off by default. To enable the change, set Globals.RouteResolutionOrderConfig to TRUE. To propagate the value, move the primary node for VswitchService and SDNAPI. After you set the value, this change will apply to new and current network traffic routes.

This update addresses an issue that affects protected content. When you minimize a window that has protected content, the content displays when it should not. This occurs when you are using Taskbar Thumbnail Live Preview.

This update addresses an issue that affects mobile device management (MDM) customers. The issue stops you from printing. This occurs because of an exception.

This update addresses an issue that affects signed Windows Defender Application Control (WDAC) policies. They are not applied to the Secure Kernel. This occurs when you enable Secure Boot. 

This update addresses an issue that affects Windows Defender Application Control. The policy that blocks software using a hash rule might not stop the software from running.

This update addresses an issue that affects Active Directory Federation Services (AD FS). You might need to retry authentication multiple times to sign in successfully.

This update addresses an issue that affects accounts that run the Set-AdfsCertificate command. The command fails. This occurs when an account does not have read permissions for the related Distributed Key Manager (DKM) container.

This update addresses a race condition in Windows Local Administrator Password Solution (LAPS). The Local Security Authority Subsystem Service (LSASS) might stop responding. This occurs when the system processes multiple local account operations at the same time. The access violation error code is 0xc0000005.

This update addresses an issue that affects the legacy Local Administrator Password Solution (LAPS) and the new Windows LAPS feature. They fail to manage the configured local account password. This occurs when you install the legacy LAPS .msi file after you have installed the April 11, 2023, Windows update on machines that have a legacy LAPS policy.

This update addresses an issue that affects SMB Direct. Endpoints might not be available on systems that use multi-byte character sets.

Symptom

After installing this update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start up. Only Windows Server 2022 VMs with Secure Boot enabled are affected by this issue. Affected versions of VMware ESXi are versions vSphere ESXi 7.0.x and below.

Workaround

Please see VMware’s documentation to mitigate this issue.

Microsoft and VMware are investigating this issue and will provide more information when it is available.

KB5026362: Applies to Windows 10, version 1607, all editions; Windows Server 2016, all editions

https://support.microsoft.com/en-us/topic/may-9-2023-kb5026362-os-build-17763-4377-b0133287-05dd-4bc5-b1c3-5edaca650afd

Improvements

This update addresses an issue that affects conhost.exe. It stops responding. 

This update affects the Islamic Republic of Iran. The update supports the government’s daylight saving time change order from 2022.

The update addresses an issue that affects the Remote Procedure Call Service (RPCSS). A lock order inversion causes a deadlock in it.

This update addresses an issue that affects the Key Distribution Center (KDC) service. When the service stops on a local machine, all local Kerberos sign-ins fail. The error is STATUS_NETLOGON_NOT_STARTED.

This update addresses an issue that affects accounts that run the Set-AdfsCertificate command. The command fails. This occurs when an account does not have read permissions for the related Distributed Key Manager (DKM) container.

This update addresses an issue that affects Active Directory Federation Services (AD FS). You might need to retry authentication multiple times to sign in successfully.

This update addresses an issue that affects SMB Direct. Endpoints might not be available on systems that use multi-byte character sets.

This update addresses an issue that might affect the Windows Local Administrator Password Solution (LAPS). It might fail. This occurs on versions of Windows Server 2019 that run Server Core. The error is 0x8007007f.

This update addresses an issue that affects apps that use DirectX on older Intel graphics drivers. You might receive an error from apphelp.dll.

This update addresses a race condition in Windows LAPS. The Local Security Authority Subsystem Service (LSASS) might stop responding. This occurs when the system processes multiple local account operations at the same time. The access violation error code is 0xc0000005.

This update addresses an issue that affects the legacy Local Administrator Password Solution (LAPS) and the new Windows LAPS feature. They fail to manage the configured local account password. This occurs when you install the legacy LAPS .msi file after you have installed the April 11, 2023, Windows update on machines that have a legacy LAPS policy.

KB5026363: Applies to Windows Server 2012; Windows Embedded 8 Standard

https://support.microsoft.com/en-us/topic/may-9-2023-kb5026363-os-build-14393-5921-e5c7bc74-7bac-4d82-bce3-676f30f7a701

Improvements

This update affects the Islamic Republic of Iran. The update supports the government’s daylight saving time change order from 2022.

This update addresses an issue that affects the Key Distribution Center (KDC) service. When the service stops on a local machine, all local Kerberos sign-ins fail. The error is STATUS_NETLOGON_NOT_STARTED.

This update addresses an issue that affects Microsoft Edge IE mode. The issue stops you from configuring add-ons.

KB5026415: Applies to Windows Server 2012 R2; Windows Embedded 8.1 Industry Enterprise; Windows Embedded 8.1 Industry Pro

https://support.microsoft.com/en-gb/topic/may-9-2023-kb5026415-monthly-rollup-1969aa75-af6d-4b89-97c6-5418cc3d6f91

This cumulative security update includes improvements that are part of update KB5025285 (released April 11, 2023). This update also makes improvements for the following issues:

By order of the Islamic Republic of Iran on September 22, 2022, daylight saving time (DST) will no longer be observed and the republic will remain on Iran Standard Time UTC+03:30.

Local Kerberos authentication fails if the local Key Distribution Center (KDC) service is stopped. Additionally, all local Kerberos logons fail with the error STATUS_NETLOGON_NOT_STARTED.

After the Windows Monthly Rollup dated on or after November 8, 2022, is installed, Kerberos constrained delegation (KCD) fails with the error message KRB_AP_ERR_MODIFIED on Read/Write Domain Controllers.