Flexis August 2024 Patch Recommendation

Patches Microsoft released in August 2024:


  • KB5041160: 2024-08 Cumulative Update for Microsoft server operating system, version 22H2 for x64-based Systems
  • KB5041578: 2024-08 Cumulative Update for Windows Server 2019 for x64-based Systems
  • KB5041773: 2024-08 Cumulative Update for Windows Server 2016 for x64-based Systems
  • KB5041576: 2024-08 Servicing Stack Update for Windows Server 2016 for x64-based Systems.

Impacted Products:

  • Microsoft Windows
  • Microsoft Edge (HTML-based)
  • Microsoft Edge (Chromium-based)
  • Internet Explorer
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Windows Defender
  • Visual Studio
  • ASP.NET Core
  • Chakra Core
  • Microsoft Dynamics
  • .NET Framework
  • .NET Core

Please note the following information regarding the security updates:

Windows 10, version 1607 Mobile and Mobile Enterprise editions reached the end of support (EOS) on October 9, 2018. These editions will no longer be offered servicing stack updates.

Windows 10, version 1607 IoT Core edition reached the end of support on April 10, 2018. This edition will no longer be offered servicing stack updates.

Windows 10, version 1607 IoT Core Enterprise edition reached the end of support on April 9, 2019. This edition will no longer be offered servicing stack updates.

Windows 10, version 1607 Enterprise, Education, Pro, Home, and Pro for Workstation reached end of support on January 10, 2023. These editions will no longer be offered servicing stack updates.

Windows 10 Enterprise N 2016 LTSB and Windows 10 IoT Enterprise 2016 LTSB will reach the end of support on October 13, 2026.

To continue receiving these updates, we recommend updating to the latest update of Windows. For more information, see Get the latest Windows update.

Windows Server 2016 Datacenter edition, Nano Server installation, and Standard edition, Nano Server installation options reached the end of support on October 9, 2018.

Windows Server 2016 Essentials, Datacenter, Standard, Multipoint Premium Server, and Hyper-V Server will reach the end of support on January 12, 2027.

KB5041160: Windows Server 2022

Improvements

This security update includes quality improvements. Below is a summary of the key issues that this update addresses when you install this KB. If there are new features, it lists them as well. The bold text within the brackets indicates the item or area of the change we are documenting. 

  • [Remote Desktop Session Host (RDSH)] Users cannot connect to the RDSH, and the host loses data. This occurs because win32kbase.sys stops responding.
  • [Windows Defender Application Control (WDAC)] A memory leak occurs that might exhaust system memory as time goes by. This issue occurs when you provision a device.
  • [Protected Process Light (PPL) protections] You can bypass them.
  • [Windows Kernel Vulnerable Driver Blocklist file (DriverSiPolicy.p7b)] This update adds to the list of drivers that are at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks.
  • [Microsoft 365 Defender (known issue)] The Network Detection and Response (NDR) service might encounter issues. This interrupts network data reporting. If this issue affects you, a message appears on the service health page of the Microsoft 365 admin center. You can also view the status of NDR on the service health page.
  • [BitLocker (known issue)] A BitLocker recovery screen shows when you start up your device. This occurs after you install the July 9, 2024, update. This issue is more likely to occur if device encryption is on. Go to Settings > Privacy & Security > Device encryption. To unlock your drive, Windows might ask you to enter the recovery key from your Microsoft account.
  • [Lock screen] This update addresses CVE-2024-38143. Because of this, the “Use my Windows user account” checkbox is not available on the lock screen to connect to Wi-Fi.
  • [NetJoinLegacyAccountReuse] This update removes this registry key. For more information refer to KB5020276—Netjoin: Domain join hardening changes.
  • [Secure Boot Advanced Targeting (SBAT) and Linux Extensible Firmware Interface (EFI)] This update applies SBAT to systems that run Windows. This stops vulnerable Linux EFI (Shim bootloaders) from running. This SBAT update will not apply to systems that dual-boot Windows and Linux. After the SBAT update is applied, older Linux ISO images might not boot. If this occurs, work with your Linux vendor to get an updated ISO image.
  • [Domain Name System (DNS)] This update hardens DNS server security to address CVE-2024-37968. If the configurations of your domains are not up to date, you might get the SERVFAIL error or time out.
  • [Line Printer Daemon (LPD) protocol] Using this deprecated protocol to print might not work as you expect or fail. This issue occurs after you install the July 9, 2024, and later updates.

Note: When LPD is no longer available, clients such as UNIX systems that rely on it will not be able to connect to a Windows server to print. UNIX clients should use the Internet Printing Protocol (IPP) instead. Windows clients can connect to shared UNIX printers using the Windows Standard Port Monitor.

Known issues in this update

Symptom

After installing this update, you might be unable to change your user account profile picture.

When attempting to change a profile picture by selecting Start > Settings > Account > Your info and, under Create your picture, clicking Browse for one, you might receive an error message with error code 0x80070520.

After installing the Windows update released on or after July 9, 2024, Windows Servers might affect Remote Desktop connectivity across an organization. This issue might occur if the legacy protocol (Remote Procedure Call over HTTP) is used in Remote Desktop Gateway. As a result, remote desktop connections might be interrupted.

This issue might occur intermittently, such as repeating every 30 minutes. At this interval, logon sessions are lost and users will need to reconnect to the server. IT administrators can track this as a termination of the TSGateway service, which becomes unresponsive with exception code 0xc0000005.

Workaround

We are working on a resolution and will provide an update in an upcoming release.

To work around this issue, use one of the following options:

Option 1: Disallow connections over the pipe and port \pipe\RpcProxy\3388 through the RD Gateway.

This requires the use of connection-control applications, such as firewall software. Consult the documentation for your connection and firewall software for guidance on disallowing these connections.

Option 2: Edit the registry of client devices and set the value of RDGClientTransport to 0x00000000 (0)

In Windows Registry Editor, navigate to the following registry location:

HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client

Find the RDGClientTransport DWORD value and set it to 0 (zero), so that it reads 0x00000000 (0).

KB5041578: Windows 10 Enterprise LTSC 2019, Windows 10 IoT Enterprise LTSC 2019, Windows 10 IoT Core LTSC, Windows Server 2019

Improvements

This security update includes improvements. Below is a summary of the key issues that this update addresses when you install this KB. If there are new features, it lists them as well. The bold text within the brackets indicates the item or area of the change we are documenting.

  • [Protected Process Light (PPL) protections] You can bypass them.
  • [Windows Kernel Vulnerable Driver Blocklist file (DriverSiPolicy.p7b)] This update adds to the list of drivers that are at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks.
  • [BitLocker (known issue)] A BitLocker recovery screen shows when you start up your device. This occurs after you install the July 9, 2024, update. This issue is more likely to occur if device encryption is on. Go to Settings > Privacy & Security > Device encryption. To unlock your drive, Windows might ask you to enter the recovery key from your Microsoft account.
  • [Lock screen] This update addresses CVE-2024-38143. Because of this, the “Use my Windows user account” checkbox is not available on the lock screen to connect to Wi-Fi.
  • [NetJoinLegacyAccountReuse] This update removes this registry key. For more information refer to KB5020276—Netjoin: Domain join hardening changes.
  • [Secure Boot Advanced Targeting (SBAT) and Linux Extensible Firmware Interface (EFI)] This update applies SBAT to systems that run Windows. This stops vulnerable Linux EFI (Shim bootloaders) from running. This SBAT update will not apply to systems that dual-boot Windows and Linux. After the SBAT update is applied, older Linux ISO images might not boot. If this occurs, work with your Linux vendor to get an updated ISO image.
  • [Domain Name System (DNS)] This update hardens DNS server security to address CVE-2024-37968. If the configurations of your domains are not up to date, you might get the SERVFAIL error or time out.
  • [Line Printer Daemon (LPD) protocol] Using this deprecated protocol to print might not work as you expect or fail. This issue occurs after you install the July 9, 2024, and later updates.

Note: When LPD is no longer available, clients such as UNIX systems that rely on it will not be able to connect to a Windows server to print. UNIX clients should use the Internet Printing Protocol (IPP) instead. Windows clients can connect to shared UNIX printers using the Windows Standard Port Monitor.

If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.

For more information about security vulnerabilities, please refer to the new Security Update Guide website and the August 2024 Security Updates.

Known issues

Symptom

After installing the Windows update released on or after July 9, 2024, Windows Servers might affect Remote Desktop connectivity across an organization. This issue might occur if the legacy protocol (Remote Procedure Call over HTTP) is used in Remote Desktop Gateway. As a result, remote desktop connections might be interrupted.

This issue might occur intermittently, such as repeating every 30 minutes. At this interval, logon sessions are lost and users will need to reconnect to the server. IT administrators can track this as a termination of the TSGateway service, which becomes unresponsive with exception code 0xc0000005.

Workaround

To work around this issue, use one of the following options:

Option 1: Disallow connections over the pipe and port \pipe\RpcProxy\3388 through the RD Gateway.

This requires the use of connection-control applications, such as firewall software. Consult the documentation for your connection and firewall software for guidance on disallowing these connections.

Option 2: Edit the registry of client devices and set the value of RDGClientTransport to 0x00000000 (0)

In Windows Registry Editor, navigate to the following registry location:

HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client

Find the RDGClientTransport DWORD value and set it to 0 (zero), so that it reads 0x00000000 (0).

We are working on a resolution and will provide an update in an upcoming release.

KB5041773: Windows 10, version 1607, all editions; Windows Server 2016, all editions

Improvements

This security update includes quality improvements. Below is a summary of the key issues that this update addresses when you install this KB. If there are new features, it lists them as well. The bold text within the brackets indicates the item or area of the change we are documenting.

  • [BitLocker (known issue)] A BitLocker recovery screen shows when you start up your device. This occurs after you install the July 9, 2024, update. This issue is more likely to occur if device encryption is on. Go to Settings > Privacy & Security > Device encryption. To unlock your drive, Windows might ask you to enter the recovery key from your Microsoft account.
  • [Lock screen] This update addresses CVE-2024-38143. Because of this, the “Use my Windows user account” checkbox is not available on the lock screen to connect to Wi-Fi.
  • [NetJoinLegacyAccountReuse] This update removes this registry key. For more information refer to KB5020276—Netjoin: Domain join hardening changes.
  • [Secure Boot Advanced Targeting (SBAT) and Linux Extensible Firmware Interface (EFI)] This update applies SBAT to systems that run Windows. This stops vulnerable Linux EFI (Shim bootloaders) from running. This SBAT update will not apply to systems that dual-boot Windows and Linux. After the SBAT update is applied, older Linux ISO images might not boot. If this occurs, work with your Linux vendor to get an updated ISO image.
  • [Domain Name System (DNS)] This update hardens DNS server security to address CVE-2024-37968. If the configurations of your domains are not up to date, you might get the SERVFAIL error or time out.
  • [Line Printer Daemon (LPD) protocol] Using this deprecated protocol to print might not work as you expect or fail. This issue occurs after you install the July 9, 2024, and later updates.

Note: When LPD is no longer available, clients such as UNIX systems that rely on it will not be able to connect to a Windows server to print. UNIX clients should use the Internet Printing Protocol (IPP) instead. Windows clients can connect to shared UNIX printers using the Windows Standard Port Monitor.

Known issues

Symptom

After installing the Windows update released on or after July 9, 2024, Windows Servers might affect Remote Desktop connectivity across an organization. This issue might occur if the legacy protocol (Remote Procedure Call over HTTP) is used in Remote Desktop Gateway. As a result, remote desktop connections might be interrupted.

This issue might occur intermittently, such as repeating every 30 minutes. At this interval, logon sessions are lost and users will need to reconnect to the server. IT administrators can track this as a termination of the TSGateway service, which becomes unresponsive with exception code 0xc0000005.

Workaround

To work around this issue, use one of the following options:

Option 1: Disallow connections over the pipe and port \pipe\RpcProxy\3388 through the RD Gateway.

This requires the use of connection-control applications, such as firewall software. Consult the documentation for your connection and firewall software for guidance on disallowing these connections.

Option 2: Edit the registry of client devices and set the value of RDGClientTransport to 0x00000000 (0)

In Windows Registry Editor, navigate to the following registry location:

HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client

Find the RDGClientTransport DWORD value and set it to 0 (zero), so that it reads 0x00000000 (0).

We are working on a resolution and will provide an update in an upcoming release.
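The Option 2 registry workaround is described identically for KB5041160, KB5041578 and KB5041773 above. The following PowerShell script is an added example, not part of the Microsoft KB articles or this recommendation; it applies that workaround on one client device, records the previous value so it can be reverted once a fix ships, and verifies the result. It assumes it runs in the affected user's context (the key lives under HKEY_CURRENT_USER) and that the key may not yet exist on a fresh profile.

```powershell
# Added example: apply the RDGClientTransport = 0 workaround for the
# RD Gateway RPC-over-HTTP issue. Registry path and value name are taken
# from the KB text; everything else here is illustrative.
$KeyPath   = 'HKCU:\Software\Microsoft\Terminal Server Client'
$ValueName = 'RDGClientTransport'
$Desired   = 0

# A fresh user profile may not have the key yet; create it if missing.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}

# Record the current value (if any) so the change can be reverted later
# by setting it back, or by removing the value if it was absent.
$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($null -eq $current) {
    Write-Host "$ValueName is not present; it will be created."
} else {
    Write-Host ("Previous {0} = 0x{1:X8} ({1})" -f $ValueName, $current)
}

# Create or overwrite the value as a REG_DWORD set to 0.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Desired -Force | Out-Null

# Read it back and confirm both the type and the value before trusting it.
$key   = Get-Item -Path $KeyPath
$kind  = $key.GetValueKind($ValueName)
$after = $key.GetValue($ValueName)
if ($kind -eq 'DWord' -and $after -eq $Desired) {
    Write-Host ("Applied: {0} = 0x{1:X8} ({1})" -f $ValueName, $after)
} else {
    Write-Warning "Verification failed: kind=$kind value=$after"
}
```

Because the setting is per user, run it for each user who connects through the affected RD Gateway; it is not a server-side change.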

KB5041576: Windows 10 Enterprise LTSB 2016, Windows 10 IoT Enterprise LTSB 2016, Windows Server 2016

Summary

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSUs) make sure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.


This update resolves issues in Windows. For a complete listing of the issues that are included in this update, see the associated Microsoft Knowledge Base article. After you install this item, you may have to restart your computer.