November 27, 2018—KB4467684 (OS Build 14393.2639)

Applies to: Windows 10 Version 1607Windows Server 2016

Improvements and fixes

This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

  • Addresses an issue that causes the GetCalendarInfo function to return an incorrect era name on the first day of the Japanese era. For more information, see KB4469068 .
  • Addresses time zone changes for Russian daylight standard time.
  • Addresses time zone changes for Moroccan daylight standard time.
  • Addresses an issue that allows mouse movements promoted by touch to bypass low-level mouse hooks designed to block mouse input. As a result, unexpected WM_MOUSEMOVE messages appear.
  • Addresses an issue that may automatically display the software keyboard when you tap on the non-editable area of a Universal Windows Platform (UWP) application. This issue affects devices that have installed the Windows 10 Anniversary Update and have no physical keyboard.
  • Addresses an issue in File Explorer that sometimes deletes the permissions of a shared parent folder when you delete the shared child folder. To apply this solution, enable the Group Policy “User Configuration\Administrative Templates\Windows Components\Network Sharing\Prevent users from sharing files within their profile”.
  • Addresses an issue that causes File Explorer to stop working during logoff.
  • Addresses an issue in the Universal CRT that sometimes causes the AMD64-specific implementation of FMOD to return an incorrect result when given very large inputs. FMOD is frequently used to implement the modulo operator in JavaScript and Python implementations that use the Universal C Runtime.
  • Addresses an issue that blocks ActiveX controls in Internet Explorer on 64-bit systems. This occurs when using Windows Defender Application Control and creating a policy that allows all ActiveX controls to run in Internet Explorer.
  • Addresses an issue that prevents some applications from running when Windows Defender Application Control (Device Guard) is in audit mode.
  • Addresses an issue that slows server performance or causes the server to stop responding because of numerous Windows firewall rules. To enable the changes, add a new registry key “DeleteUserAppContainersOnLogoff” (DWORD) on “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy” using Regedit, and set it to 1.
  • Addresses an issue that causes network connectivity to fail when 802.1x authentication fails.
  • Addresses an issue with Network Connection Status Indicator (NCSI) gateway MAC address resolution timing, which causes Internet connectivity to fail.
  • Addresses an issue that fails to clean up some Windows Management Instrumentation (WMI) class registrations correctly when using Hyper-V cmdlets that have root\interop class dependencies. This issue may cause Virtual Machine management tasks (using PowerShell or the UI) to fail. Additionally, Virtual Machines may not be created or modified. For example, running Set-VMFirmware to modify the boot order may fail with the error, “ObjectNotFound.”
  • Addresses an issue with Just Enough Administration (JEA). A temporary account with the security identifier (SID) authority of “S-1-5-94-xxx” remains in the server security policy under the Log on as a service user right. As a result, the Local Security Authority (LSA) database grows larger, which may affect the performance of domain controllers.
  • Addresses an issue that writes to a memory call stack with the Stop code “0xA” in Storage Replica environments.
  • Addresses an issue that causes the installation and client activation of Windows Server 2019 and 1809 LTSC Key Management Service (KMS) host keys (CSVLK) to not work as expected. For more information about the original feature, see KB4347075.
  • Addresses an issue that causes promotions of non-root domains to fail with the error, “The replication operation encountered a database error.” The issue occurs in Active Directory forests that have optional features like Active Directory recycle enabled.
  • Addresses an issue that may cause Hyper-V servers to stop working with the error, "0x7F (UNEXPECTED_KERNEL_MODE_TRAP)".
  • Addresses an issue that generates the error, “C00002E2 (STATUS_DS_INTI_FAILURE)” at the first restart after promoting a new domain controller. Domain controllers promoted after installing this update will no longer create unnecessary “api” Active Directory log files, such as api.chk. Instead, the domain controller will use the correct “edb” log base name during domain controller promotion.

If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.

Known issues in this update

Symptom Workaround

After you install the August Preview of Quality Rollup or September 11, 2018 .NET Framework update, instantiation of SqlConnection can throw an exception. For more information about this issue, see the following article in the Microsoft Knowledge Base:

4470809 SqlConnection instantiation exception on .NET 4.6 and later after August-September 2018 .NET Framework updates.

This issue is resolved in KB4480977.

After installing this update, users may not be able to use the Seek Bar in Windows Media Player when playing specific files. This issue does not affect normal playback.

This issue is resolved in KB4471321.
When features related to end-user-defined characters (EUDC) are used, the entire system may become unresponsive.

This issue is resolved in KB4471321.

For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update.

Additionally, if you do not follow the best practices, a stop error may occur in vfpext.sys on the hosts.

This issue is resolved in KB4507459.

After installing this update on Windows Server 2016, instant search in Microsoft Outlook clients fail with the error, "Outlook cannot perform the search".

This issue is resolved in KB4487026.

After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.

Set the domain default "Minimum Password Length" policy to less than or equal to 14 characters.

Microsoft is working on a resolution and will provide an update in an upcoming release.

After installing KB4467691, Windows may fail to start on certain Lenovo and Fujitsu laptops that have less than 8 GB of RAM.

Restart the affected machine using the Unified Extensible Firmware Interface (UEFI). Disable Secure Boot and then restart.

If BitLocker is enabled on your machine, you may have to go through BitLocker recovery after Secure Boot has been disabled.

Lenovo and Fujitsu are aware of this issue. Please contact your OEM to ask if there is a firmware update available for your device.

How to get this update

Before installing this update

Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). SSUs improve the reliability of the update process to mitigate potential issues while installing the LCU. For more information, see Servicing stack updates.

If you are using Windows Update, the latest SSU (KB4465659) will be offered to you automatically. To get the stand-alone package for the latest SSU, go to the Microsoft Update Catalog.

Install this update

To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates.

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

File information

For a list of the files that are provided in this update, download the file information for cumulative update 4467684.