Flexis October 2023 Patch Recommendation

Patches Microsoft released in October 2023:

  • KB5031364 – 2023-10 Cumulative Update for Microsoft server operating system, version 22H2 for x64-based Systems
  • KB5031361 – 2023-10 Cumulative Update for Windows Server 2019 for x64-based Systems
  • KB5031362 – 2023-10 Cumulative Update for Windows Server 2016 for x64-based Systems
  • KB5031419 – 2023-10 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems
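A quick way to verify that the right October 2023 update from the list above has actually landed on a server is to compare the local build number with the KB expected for it. The script below is an added example, not part of the Flexis recommendation or any Microsoft tooling; the KB numbers come from the list above, while the build-number-to-product mapping (20348, 17763, 14393, 9600) is supplied here from general knowledge of Windows servicing builds and is an assumption you should confirm against your own inventory.

```powershell
# Added example (not from the Flexis advisory): map the local Windows build to the
# October 2023 update listed above and report whether it is installed.
# ASSUMPTION: the build-number mapping below is added here; the KB ids are from the advisory.

function Get-ExpectedOctober2023Kb {
    param([Parameter(Mandatory)][int]$BuildNumber)
    switch ($BuildNumber) {
        20348 { return 'KB5031364' }  # Windows Server 2022 servicing build (assumed mapping)
        17763 { return 'KB5031361' }  # Windows Server 2019 / Windows 10 1809 LTSC
        14393 { return 'KB5031362' }  # Windows Server 2016 / Windows 10 1607 LTSB
        9600  { return 'KB5031419' }  # Windows Server 2012 R2 (monthly rollup)
        default { return $null }
    }
}

function Test-October2023Patch {
    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $expected = Get-ExpectedOctober2023Kb -BuildNumber ([int]$os.BuildNumber)

    if (-not $expected) {
        return [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            OS         = $os.Caption
            Build      = $os.BuildNumber
            ExpectedKb = 'n/a'
            Installed  = $null
            Note       = 'Build not covered by this advisory'
        }
    }

    # Get-HotFix queries Win32_QuickFixEngineering; cumulative updates and rollups
    # are listed there by KB id once installed.
    $hotfix = Get-HotFix -Id $expected -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        OS          = $os.Caption
        Build       = $os.BuildNumber
        ExpectedKb  = $expected
        Installed   = [bool]$hotfix
        InstalledOn = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        Note        = if ($hotfix) { 'OK' } else { 'Missing: schedule installation' }
    }
}

Test-October2023Patch | Format-List
```

Run it locally on each server, or wrap `Test-October2023Patch` in `Invoke-Command -ComputerName` to collect one row per host; a `Installed = False` row with `Note = Missing` is the list of machines still exposed to the October fixes described in the sections below.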

Impacted Products:

  • Microsoft Windows
  • Microsoft Edge (HTML-based)
  • Microsoft Edge (Chromium-based)
  • Internet Explorer
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Windows Defender
  • Visual Studio
  • ASP.NET Core
  • Chakra Core
  • Microsoft Dynamics
  • .NET Framework
  • .NET Core

Please note the following information regarding the security updates:

  • Windows 8.1 reached end of support on January 10, 2023, at which point technical assistance and software updates are no longer provided. If you have devices running Windows 8.1, we recommend upgrading them to a more current, in-service, and supported Windows release. If devices do not meet the technical requirements to run a more current release of Windows, we recommend that you replace the device with one that supports Windows 11. 

    Microsoft will not be offering an Extended Security Update (ESU) program for Windows 8.1. Continuing to use Windows 8.1 after January 10, 2023 may increase an organization’s exposure to security risks or impact its ability to meet compliance obligations. For more information, see Windows 8.1 support will end on January 10, 2023.

KB5031364: Applies to: Windows 10 Enterprise 2019 LTSC, Windows 10 IoT Enterprise 2019 LTSC, Windows 10 IoT Core 2019 LTSC

Improvements

New! This update adds an Azure Arc Setup Optional Component. It includes a new Azure Arc system tray icon and a new Server Manager entry for Azure Arc Management. There is also a graphical installer for the Azure Connected Machine agent. Now, you can turn on Azure Arc using just a few clicks. You do not need to run a PowerShell script. To learn more, see Connect Windows Server machines to Azure through Azure Arc Setup.

New! This update completes the work to comply with the GB18030-2022 requirements. It removes and remaps characters for Microsoft Wubi input and Microsoft Pinyin U-mode input. You can no longer enter character codepoints that are not supported. All the required codepoints are up to date.

This update addresses a race condition that occurs when codepages load during the early part of startup. This leads to stop error 0x7e.

This update changes the spelling of Ukraine’s capital from Kiev to Kyiv.

This update supports daylight saving time (DST) changes in Greenland.

This update addresses an issue that affects scheduled tasks. Tasks that call the credential manager API might fail. This occurs if you select [Run only when user is logged on] and [Run with highest privileges].

This update addresses an issue that affects Kerberos delegation. It might fail in the wrong way. The error code is 0xC000006E (STATUS_ACCOUNT_RESTRICTION). This issue might occur when you mark the intermediate service account as “This account is sensitive and cannot be delegated” in Active Directory. Applications might also return the error message, “System.Security.Authentication.AuthenticationException: Failed to initialize security context. Error code was -2146893042.”

This update addresses an issue that affects PCI devices. You might get an error when you turn on Kernel Direct Memory Access (DMA) protection.

This update improves the efficiency and performance of the Recommended Troubleshooter.

This update affects Windows Filtering Platform (WFP) connections. The redirect diagnostics for them have improved.

This update addresses an issue that affects external binding. It fails. This occurs after you install Windows updates dated May 2023 or later. Because of this, there are issues that affect LDAP queries and authentication.

This update affects Active Directory event ID 1644 processing. It now accepts events that are more than 64 KB in length. This change truncates Lightweight Directory Access Protocol (LDAP) queries that are in event 1644 to 20000 characters by default. You can configure the 20K value using the registry key “DEFAULT_DB_EXPENSIVE_SEARCH_FILTER_MAX_LOGGING_LENGTH_IN_CHARS.”

This update addresses an issue that affects those who enable the “Smart Card is Required for Interactive Logon” account option. When RC4 is disabled, you cannot authenticate to Remote Desktop Services farms. The error message is, “An authentication error has occurred. The requested encryption type is not supported by the KDC.”

This update addresses an issue that affects I/O over Server Message Block (SMB). It might fail when you use the LZ77+Huffman compression algorithm.

This update addresses an issue that affects the Server Message Block (SMB) client. It does not reconnect all the persistent handles when the reauthentication of a session fails.

To protect against CVE-2023-44487, you should install the latest Windows update. Based on your use case, you can also set the limit of the RST_STREAMS per minute using the new registry keys in this update.

Registry key: Http2MaxClientResetsPerMinute
  Default value: 400
  Valid value range: 0–65535
  Function: Sets the allowed number of resets (RST_STREAMS) per minute for a connection. When you reach this limit, a GOAWAY message is sent to the client for the connection.

Registry key: Http2MaxClientResetsGoaway
  Default value: 1
  Valid value range: 0–1
  Function: Disables or enables the GOAWAY message that is sent when you reach the limit. If you set this to 0, the connection ends as soon as you reach the limit.

Symptom

After installing this update on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start up. Only Windows Server 2022 VMs with Secure Boot enabled are affected by this issue. Affected versions of VMware ESXi are versions vSphere ESXi 7.0.x and below.

Workaround

Please see VMware’s documentation to mitigate this issue.

Microsoft and VMware are investigating this issue and will provide more information when it is available.

KB5031361: Applies to: Win 10 Ent LTSC v2019, Win 10 IoT Ent LTSC v2019, Windows 10 IoT Core 2019 LTSC, Windows Server 2019

Improvements

New! This update completes the work to comply with the GB18030-2022 requirements. It removes and remaps characters for Microsoft Wubi input and Microsoft Pinyin U-mode input. You can no longer enter character codepoints that are not supported. All the required codepoints are up to date.

New! This update adds Azure Arc Optional Component related links to Server Manager. Now, you can turn on Arc on your servers. You do not need to run a PowerShell script.

This update changes the spelling of Ukraine’s capital from Kiev to Kyiv.

This update addresses an issue that affects scheduled tasks. Tasks that call the credential manager API might fail. This occurs if you select [Run only when user is logged on] and [Run with highest privileges].

This update addresses an issue that stops you from getting the IE mode windows list.

This update addresses an issue that affects external binding. It fails. This occurs after you install Windows updates dated May 2023 or later. Because of this, there are issues that affect LDAP queries and authentication.

This update addresses an issue that affects those who enable the “Smart Card is Required for Interactive Logon” account option. When RC4 is disabled, you cannot authenticate to Remote Desktop Services farms. The error message is, “An authentication error has occurred. The requested encryption type is not supported by the KDC.”

This update addresses an issue that affects Kerberos delegation. It might fail in the wrong way. The error code is 0xC000006E (STATUS_ACCOUNT_RESTRICTION). This issue might occur when you mark the intermediate service account as “This account is sensitive and cannot be delegated” in Active Directory. Applications might also return the error message, “System.Security.Authentication.AuthenticationException: Failed to initialize security context. Error code was -2146893042.”

This update affects Windows Filtering Platform (WFP) connections. The redirect diagnostics for them have improved.

This update addresses an issue that affects a relying party. When you sign out of it, a SAML request cookie is not cleared. Because of this, your device automatically attempts to connect to the same relying party when you sign in again.

This update addresses an issue that affects the Server Message Block (SMB) client. It does not reconnect all the persistent handles when the reauthentication of a session fails.

To protect against CVE-2023-44487, you should install the latest Windows update. Based on your use case, you can also set the limit of the RST_STREAMS per minute using the new registry key in this update.

Registry key: Http2MaxClientResetsPerMinute
  Default value: 500
  Valid value range: 0–65535
  Function: Sets the allowed number of resets (RST_STREAMS) per minute for a connection. When you reach this limit, the connection ends.

Known issues in this update.

Symptom

Using the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node in mobile device management (MDM) apps might incorrectly show a 65000 error in the “Require Device Encryption” setting for some devices in your environment. Affected environments are those with the “Enforce drive encryption type on operating system drives” or “Enforce drive encryption on fixed drives” policies set to enabled and selecting either “full encryption” or “used space only”. Microsoft Intune is affected by this issue, but third-party MDMs might also be affected.

Important This issue is a reporting issue only and does not affect drive encryption or the reporting of other issues on the device, including other BitLocker issues.

Workaround

To mitigate this issue in Microsoft Intune, you can set the “Enforce drive encryption type on operating system drives” or “Enforce drive encryption on fixed drives” policies to not configured.

We are working on a resolution and will provide an update in an upcoming release.

KB5031362: Applies to: Windows 10, version 1607, all editions; Windows Server 2016, all editions

Improvements

New! IE mode and Microsoft Edge can now share cookies. To learn more, see Cookie sharing between Microsoft Edge and Internet Explorer.

New! This update completes the work to comply with the GB18030-2022 requirements. It removes and remaps characters for Microsoft Wubi input and Microsoft Pinyin U-mode input. You can no longer enter character codepoints that are not supported. All the required codepoints are up to date.

This update changes the spelling of Ukraine’s capital from Kiev to Kyiv.

This update addresses an issue that affects external binding. It fails. This occurs after you install Windows updates dated May 2023 or later. Because of this, there are issues that affect LDAP queries and authentication.

To protect against CVE-2023-44487, you should install the latest Windows update. Based on your use case, you can also set the limit of the RST_STREAMS per minute using the new registry key in this update.

Registry key: Http2MaxClientResetsPerMinute
  Default value: 500
  Valid value range: 0–65535
  Function: Sets the allowed number of resets (RST_STREAMS) per minute for a connection. When you reach this limit, the connection ends.
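The KB5031364, KB5031361 and KB5031362 sections above all describe the same HTTP.sys mitigation for CVE-2023-44487 (HTTP/2 rapid reset), exposed through the Http2MaxClientResetsPerMinute value and, on KB5031364, the Http2MaxClientResetsGoaway value. The script below is an added example, not Microsoft's or Flexis's code, for auditing and, where a web workload justifies it, tightening those limits with the ranges the advisory gives. The value names and ranges are taken from the tables above; the registry path is an assumption based on the usual HTTP.sys parameters location and must be verified against Microsoft's KB article before use, as must whether HTTP.sys needs a restart to pick up a change.

```powershell
# Added example (not from the advisory or from Microsoft): audit and tune the
# HTTP/2 reset limits introduced for CVE-2023-44487.
# ASSUMPTION: the registry path below is the customary HTTP.sys parameters key;
# the advisory does not state it, so confirm it against Microsoft's KB article.
$Http2ParamsPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Value name -> allowed range, as stated in the advisory's tables.
$Http2ResetLimits = @{
    Http2MaxClientResetsPerMinute = @{ Min = 0; Max = 65535 }   # resets per minute per connection
    Http2MaxClientResetsGoaway    = @{ Min = 0; Max = 1 }       # 1 = send GOAWAY, 0 = end connection
}

function Get-Http2ResetLimit {
    # Reports each value as explicitly set (DWORD present) or absent, in which case the
    # default shipped with the update (400 or 500 depending on the KB) applies.
    foreach ($name in $Http2ResetLimits.Keys) {
        $prop = Get-ItemProperty -Path $Http2ParamsPath -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name  = $name
            Value = if ($null -ne $prop) { $prop.$name } else { $null }
            State = if ($null -ne $prop) { 'explicit' } else { 'not set (update default applies)' }
        }
    }
}

function Set-Http2ResetLimit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Http2MaxClientResetsPerMinute', 'Http2MaxClientResetsGoaway')]
        [string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    # Refuse anything outside the documented range rather than writing a value HTTP.sys may ignore.
    $range = $Http2ResetLimits[$Name]
    if ($Value -lt $range.Min -or $Value -gt $range.Max) {
        throw "$Name must be between $($range.Min) and $($range.Max); got $Value"
    }
    if (-not (Test-Path $Http2ParamsPath)) {
        throw "Registry path $Http2ParamsPath not found; verify the HTTP.sys parameters location"
    }
    if ($PSCmdlet.ShouldProcess("$Http2ParamsPath\$Name", "Set REG_DWORD to $Value")) {
        # -Force creates the value if missing or overwrites it, keeping the DWORD type.
        New-ItemProperty -Path $Http2ParamsPath -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

# Audit first; only lower the reset budget after confirming legitimate clients stay under it.
Get-Http2ResetLimit | Format-Table -AutoSize
# Dry run of a change (no write): 
# Set-Http2ResetLimit -Name Http2MaxClientResetsPerMinute -Value 100 -WhatIf
```

`Set-Http2ResetLimit` supports `-WhatIf` so a change can be rehearsed in change-management before it is applied; lowering Http2MaxClientResetsPerMinute too far will make HTTP.sys send GOAWAY (or drop the connection, depending on Http2MaxClientResetsGoaway) to busy but legitimate clients, so baseline your real reset rate before tightening.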

KB5031419: Applies to: Win 10 Ent LTSB v2016, Win 10 IoT Ent LTSB v2016, Windows Server 2016

This cumulative security update includes improvements that are part of update KB5030269 (released September 12, 2023). This update also makes improvements for the following issues:

Addresses an issue in which an external bind might fail after Windows updates released on or after May 2023 are installed. This leads to issues with Lightweight Directory Access Protocol (LDAP) queries and authentication.

This update includes daylight saving time (DST) changes for Ukraine and Greenland. For more information, see the Daylight Saving Time & Time Zone Blog.