Flexis March 2023 Patch Recommendation

• KB5023702: 2023-03 Cumulative Update for Windows Server 2019 for x64-based Systems
• KB5023788: 2023-03 Servicing Stack Update for Windows Server 2016 for x64-based Systems
• KB5023697: 23-03 Cumulative Update for Windows Server 2016 for x64-based Systems
• KB5023765:2023-03 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems

 Impacted Products:

• Microsoft Windows
• Microsoft Windows
• Microsoft Edge (Edge HTML-based)
• Microsoft Edge (Chromium-based)
• Internet Explorer
• Microsoft Office and Microsoft Office Services and Web Apps
• Windows Defender
• Visual Studio
• ASP.NET Core
• Chakra Core
• Online Services
• Microsoft Dynamics
• .NET Framework
• .NET Core

Please note the following information regarding the security updates:

• For information regarding enabling Windows 10, version 1809 features and later, please see Windows 10, version 1909 delivery options. Note that Windows 10, versions 1903 and 1909 share a common core operating system with an identical set of system files. They will also share the same security update KBs. There is no change to the cumulative monthly security update
• Windows 10 updates are cumulative. The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. The updates are available via the Microsoft Update Catalog.
• For information on lifecycle and support dates for Windows 10 operating systems, please see Windows Lifecycle Facts Sheet.
• A list of the latest servicing stack updates for each operating system can be found in ADV990001. This list will be updated whenever a new servicing stack update is released. It is important to install the latest servicing stack update.
• Updates for Windows RT 8.1 and Microsoft Office RT software are only available via Windows Update.
• In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.

KB5023702 : Applies to: Windows 10 Enterprise 2019 LTSC Windows 10 IoT Enterprise 2019 LTSC Windows 10 IoT Core 2019 LTSC

https://support.microsoft.com/en-us/topic/march-14-2023-kb5023702-os-build-17763-4131-f3e27d13-7dcc-4d32-826b-8d57e1600ccf

Improvements

This update implements phase three of Distributed Component Object Model (DCOM) hardening. See KB5004442. After you install this update, you cannot turn off the changes using the registry key.

This update addresses an issue that affects the registry size. It grows very large. This occurs because the registry entries are not removed when users sign out of an Azure Virtual Desktop (AVD) environment that uses FSlogix.

This update affects the United Mexican States. This update supports the government’s daylight saving time change order for 2023.

This update addresses an issue that might affect lsass.exe. It might stop responding when it sends a Lightweight Directory Access Protocol (LDAP) query to a domain controller that has a very large LDAP filter.

This update addresses an issue that affects the Local Security Authority Subsystem Service (LSASS). LSASS might stop responding. This occurs after you run Sysprep on a domain-joined machine.

This update addresses an issue that affects a computer account and Active Directory. When you reuse an existing computer account to join an Active Directory domain, joining fails. This occurs on devices that have installed Windows updates dated October 11, 2022 or later. The error message is, “Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: ‘An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.’” For more information, see KB5020276.

This update addresses an issue that affects the Routing and Remote Access Service (RRAS). RRAS cannot accept any new incoming virtual private network (VPN) connections.

This update addresses an issue that affects Cluster Name Object of Failover Clustering on Azure virtual machines (VM). The issue stops you from repairing it.

KB5023788: Applies to Windows 10, version 1607, all editions Windows Server 2016, all editions

https://support.microsoft.com/en-us/topic/march-14-2023-kb5023698-os-build-22000-1696-3e54e715-3d5a-493b-bfad-4bb989516a7b

This update implements phase three of Distributed Component Object Model (DCOM) hardening. See KB5004442. After you install this update, you cannot turn off the changes using the registry key.

This update addresses an issue that affects a computer account and Active Directory. When you reuse an existing computer account to join an Active Directory domain, joining fails. This occurs on devices that have installed Windows updates dated October 11, 2022 or later. The error message is, “Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: ‘An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.’” For more information, see KB5020276.

KB5023697: Applies to: Windows Server 2012 Windows Embedded 8 Standard

https://support.microsoft.com/en-us/topic/march-14-2023-kb5023697-os-build-14393-5786-d8c0d93c-c58b-4398-9fee-59183e52b20c

Improvements

This update implements phase three of Distributed Component Object Model (DCOM) hardening. See KB5004442. After you install this update, you cannot turn off the changes using the registry key.

This update affects the United Mexican States. This update supports the government’s daylight saving time change order for 2023.

This update addresses an issue that affects the Local Security Authority Subsystem Service (LSASS). LSASS might stop responding. This occurs after you run Sysprep on a domain-joined machine.

This update addresses an issue that affects a computer account and Active Directory. When you reuse an existing computer account to join an Active Directory domain, joining fails. This occurs on devices that have installed Windows updates dated October 11, 2022 or later. The error message is, “Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: ‘An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.’” For more information, see KB5020276.

KB5023765: Windows Server 2012 R2 Windows Embedded 8.1 Industry Enterprise Windows Embedded 8.1 Industry Pro

https://support.microsoft.com/en-us/topic/march-14-2023-kb5023765-monthly-rollup-d6ebf3d1-c12d-4a4c-9933-ca3bb2324e01

After applying a Windows update released on or after July 12, 2022, hyperlinks embedded in an Office document that use the search-ms protocol might stop working.

The Local Security Authority Subsystem Service (Lsass.exe) might stop responding after System Preparation (sysprep) is run on a domain-joined device.

By order of the Mexican government in October 2022, the United Mexican States will not observe daylight saving time (DST) in 2023. Key changes in the order include the following:

Updated DST rules for Mountain Standard Time (Mexico) and Central Standard Time (Mexico) to no daylight saving time starting in 2023.

Changed Chihuahua time zone from (UTC -7:00) Mountain Standard Time (Mexico) to (UTC -6:00) Central Standard Time (Mexico).

Changed Ojinaga time zone from (UTC -7:00) Mountain Standard Time (Mexico) to (UTC -6:00) Central Standard Time (Mexico)

Created a new time zone America/Ciudad_Juarez and mapped it to Mountain Standard Time (Mexico).

This update implements the final phase of DCOM hardening as described in KB5004442. This phase removes the ability to disable changes through the registry.

Known issue resolved: When an existing computer account is reused to join a computer to an Active Directory domain, the join is unsuccessful. Additionally, the following error occurs on devices that have installed Windows updates released on or after October 11, 2022: