Impacted Products:

Please note the following information regarding the security updates:

KB5025230: Applies to: Windows 10 Enterprise 2019 LTSC; Windows 10 IoT Enterprise 2019 LTSC; Windows 10 IoT Core 2019 LTSC

https://support.microsoft.com/en-gb/topic/april-11-2023-kb5025230-os-build-20348-1668-28a5446e-6389-4a5b-ae3f-e942a604f2d3

Improvements

New! This update adds many new features and improvements to Microsoft Defender for Endpoint. For more information, see Microsoft Defender for Endpoint.

New! This update implements the new Windows Local Administrator Password Solution (LAPS) as a Windows inbox feature. For more information, see By popular demand: Windows LAPS available now!

This update addresses an issue that affects inbound remote Component Object Model (COM) activations. They fail. The error code is 0x80010111. This occurs if the client protocol version is less than 5.7.

This update addresses an issue that affects Microsoft PowerPoint. It stops working on Azure Virtual Desktop (AVD). This occurs when you use Visual Basic for Applications (VBA).

This update addresses an issue that affects Windows Search. Windows Search fails inside of Windows container images.

This update affects the Arab Republic of Egypt. The update supports the government’s daylight saving time change order for 2023.

This update addresses an issue that affects the Key Distribution Center (KDC) service. When the service stops on a local machine, signing in to all local Kerberos fails. The error is STATUS_NETLOGON_NOT_STARTED.

This update addresses an issue that affects the Windows Remote Management (WinRM) client. The client returns an HTTP server error status (500). This error occurs when it runs a transfer job in the Storage Migration Service.

This update addresses an issue that affects Desired State Configuration. It loses its previously configured options. This occurs if metaconfig.mof is missing.

This update addresses compatibility issues that affect some printers. These printers use Windows Graphical Device Interface (GDI) printer drivers. These drivers do not completely adhere to GDI specifications.

This update addresses a stack overflow condition that causes a device to stop working. This occurs when you call xxxDestroyWindow() in Kernel mode.

This update addresses a rare issue that might cause an input destination to be null. This issue might occur when you attempt to convert a physical point to a logical point during hit testing. Because of this, the computer raises a stop error.

This update addresses an issue that affects certain processors that have firmware Trusted Platform Modules (TPM). You cannot use Autopilot to set them up.

This update addresses an issue that affects the Fast Identity Online 2.0 (FIDO2) PIN credential icon. It does not appear on the credentials screen of an external monitor. This occurs when that monitor is attached to a closed laptop.

This update addresses an issue that affects a Clustered Shared Volume (CSV). The CSV fails to come online. This occurs if you enable BitLocker and local CSV managed protectors, and the system recently rotated the BitLocker keys.

This update addresses an issue that affects Windows Server 2022 domain controllers. They stop working. This occurs when they process Lightweight Directory Access Protocol (LDAP) requests.

This update addresses an issue that affects Administrator Account Lockout policies. GPResult and Resultant Set of Policy did not report them.

This update addresses an issue that affects MySQL commands. The commands fail on Windows Xenon containers.

Known issues in this update

Symptom

After installing this update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start up. Only Windows Server 2022 VMs with Secure Boot enabled are affected by this issue. Affected versions of VMware ESXi are versions vSphere ESXi 7.0.x and below.

Workaround

Please see VMware’s documentation to mitigate this issue.

Microsoft and VMware are investigating this issue and will provide more information when it is available.

KB5025229: Applies to: Windows 10, version 1607, all editions; Windows Server 2016, all editions

https://support.microsoft.com/en-au/topic/april-11-2023-kb5025229-os-build-17763-4252-e8ead788-2cd3-4c9b-8c77-d677e2d8744f

Improvements

New! This update adds many new features and improvements to Microsoft Defender for Endpoint. For more information, see Microsoft Defender for Endpoint.

New! This update implements the new Windows Local Administrator Password Solution (LAPS) as a Windows inbox feature. For more information, see By popular demand: Windows LAPS available now!

This update affects the Arab Republic of Egypt. The update supports the government’s daylight saving time change order for 2023.

This update enables onunload events to create pop-up windows in IE Mode.

This update addresses an issue that affects Microsoft Edge IE mode and pages that use predictive prerendering. Edge IE mode does not support predictive prerendering. Because of this, a page that uses prerendering will load as if it was not in use.

This update addresses an issue that affects Desired State Configuration. It loses its previously configured options. This occurs if metaconfig.mof is missing.

This update addresses compatibility issues that affect some printers. These printers use Windows Graphical Device Interface (GDI) printer drivers. These drivers do not completely adhere to GDI specifications.

This update addresses an issue that affects the Host Networking Service. The service stops working. Because of this, there are traffic interruptions.

This update addresses an issue that affects Administrator Account Lockout policies. GPResult and Resultant Set of Policy did not report them.

This update addresses an issue that affects MySQL commands. The commands fail on Windows Xenon containers.

This update addresses an issue that affects repair storage jobs. The jobs are suspended. This occurs after two physical disks in two different rack-level fault domains (three fault domains in total) lose communication.

KB5025228: Applies to: Windows Server 2012; Windows Embedded 8 Standard

https://support.microsoft.com/en-us/topic/april-11-2023-kb5025228-os-build-14393-5850-23f04722-1b4f-4786-8c06-67e73de414d5

Improvements

This update affects the Arab Republic of Egypt. The update supports the government’s daylight saving time change order for 2023.

This update addresses an issue that affects Microsoft Edge IE mode and pages that use predictive prerendering. Edge IE mode does not support predictive prerendering. Because of this, a page that uses prerendering will load as if it was not in use.

This update addresses compatibility issues that affect some printers. These printers use Windows Graphical Device Interface (GDI) printer drivers. These drivers do not completely adhere to GDI specifications.

KB5012170: Windows Server 2012 R2; Windows Embedded 8.1 Industry Enterprise; Windows Embedded 8.1 Industry Pro

https://support.microsoft.com/en-gb/topic/kb5012170-security-update-for-secure-boot-dbx-72ff5eed-25b4-47c7-be28-c42bd211bb15

Windows devices that have Unified Extensible Firmware Interface (UEFI) based firmware can run with Secure Boot enabled. The Secure Boot Forbidden Signature Database (DBX) prevents UEFI modules from loading. This update adds modules to the DBX.

A security feature bypass vulnerability exists in secure boot. An attacker who successfully exploited the vulnerability might bypass secure boot and load untrusted software.

This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX.
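As an added example (not code from this page or from Microsoft), here is a Python parser for the EFI_SIGNATURE_LIST format that the DBX variable is made of, so an administrator can count the SHA-256 entries before and after a DBX update like this one and confirm it actually applied. The sample blob and the `build_list` helper are constructed for illustration; on a real device the blob comes from `Get-SecureBootUEFI -Name dbx` (its `Bytes` property) in an elevated PowerShell session.

```python
# Parse a UEFI Secure Boot signature database blob (db or dbx), which is a sequence
# of EFI_SIGNATURE_LIST structures, and count the hashes it holds per signature type.
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Header: SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize
_HDR = struct.Struct("<16sIII")

def parse_signature_lists(blob):
    """Return [(signature_type_guid, [(owner_guid, signature_data), ...]), ...]."""
    lists, off = [], 0
    while off < len(blob):
        if len(blob) - off < _HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_raw, list_size, hdr_size, sig_size = _HDR.unpack_from(blob, off)
        if list_size < _HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize inconsistent with blob length")
        if sig_size < 16:
            raise ValueError("SignatureSize smaller than the owner GUID")
        body = blob[off + _HDR.size + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        entries = [(uuid.UUID(bytes_le=body[i:i + 16]), body[i + 16:i + sig_size])
                   for i in range(0, len(body), sig_size)]
        lists.append((uuid.UUID(bytes_le=type_raw), entries))
        off += list_size
    return lists

def count_by_type(blob):
    """Count entries per type; a DBX normally carries SHA-256 hashes and X.509 certs."""
    names = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}
    counts = {}
    for sig_type, entries in parse_signature_lists(blob):
        key = names.get(sig_type, str(sig_type))
        counts[key] = counts.get(key, 0) + len(entries)
    return counts

def build_list(sig_type, sigs):
    """Build one EFI_SIGNATURE_LIST from equal-length signature blobs (test fixture only)."""
    sig_size = 16 + len(sigs[0])
    hdr = _HDR.pack(sig_type.bytes_le, _HDR.size + sig_size * len(sigs), 0, sig_size)
    return hdr + b"".join(uuid.UUID(int=0).bytes_le + s for s in sigs)

# Constructed sample, not a real DBX: 3 + 1 SHA-256 hashes and one dummy certificate blob.
SAMPLE_DBX = (build_list(EFI_CERT_SHA256_GUID, [bytes([i]) * 32 for i in range(3)])
              + build_list(EFI_CERT_SHA256_GUID, [bytes([9]) * 32])
              + build_list(EFI_CERT_X509_GUID, [b"\x30\x82" + b"\x00" * 40]))
```

Running `count_by_type` on the saved bytes of the live dbx variable before and after installing the update shows the added entries; a parse error on the live blob indicates a corrupted or truncated variable dump rather than a real update failure.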

Known issues

If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the update failing to install.

To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.

When attempting to install this update, it might fail to install, and you might receive Error 0x800f0922.

Note: This issue only affects this security update for Secure Boot DBX (KB5012170) and does not affect the latest cumulative security updates, monthly rollups, or security-only updates.

Next Step

To work around this issue, do one of the following before you deploy this update:

On a device that does not have Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle:

Manage-bde -Protectors -Disable C: -RebootCount 1

Then, deploy the update and restart the device to resume the BitLocker protection.

On a device that has Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:

Manage-bde -Protectors -Disable C: -RebootCount 3

Then, deploy the update and restart the device to resume the BitLocker protection.

KB5025285: Windows Server 2012 R2; Windows Embedded 8.1 Industry Enterprise; Windows Embedded 8.1 Industry Pro

https://support.microsoft.com/en-au/topic/april-11-2023-kb5025285-monthly-rollup-79639041-a60e-423b-845d-64c251ea656c

Improvements

This cumulative security update includes improvements that are part of update KB5023765 (released March 14, 2023). This update also makes improvements for the following issues:

By the March 1, 2023, order of the Arab Republic of Egypt, daylight saving time (DST) will resume on April 28, 2023, and end on October 27, 2023. This update applies to Egypt Standard Time – (UTC+02:00) Cairo.

Known compatibility issues exist with certain printer models which feature GDI printer drivers that do not completely adhere to GDI specifications.