This security update includes improvements and fixes in the functionality of Windows Server 2016 Technical Preview 5.
Windows Server 2016 updates are cumulative. Therefore, this package contains all previously released fixes.
If you have installed previous updates, only the new fixes that are contained in this package will be downloaded and installed to your computer. If you're installing a Windows Server 2016 update package for the first time, the package for the x64 version is 128 MB.
Known issues in this update
Administrators receive the following error message when they try to uninstall KB 3163016 if the Wireless LAN Service is disabled:
An error has occurred. Not all the updates were successfully uninstalled.
To fix this issue, enable the Wireless LAN Service. For more information, follow the instructions in the Wireless LAN Service Overview.
MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer's security context. This issue is applicable for the following KB articles:
3159398 MS16-072: Description of the security update for Group Policy: June 14, 2016
3163017 Cumulative update for Windows 10: June 14, 2016
3163018 Cumulative update for Windows 10 Version 1511 and Windows Server 2016 Technical Preview 4: June 14, 2016
3163016 Cumulative Update for Windows Server 2016 Technical Preview 5: June 14 2016
SymptomsAll user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.
CauseThis issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.
ResolutionTo resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:
Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
If you are using security filtering, add the Domain Computers group with read permission.
How to get this update
Important If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.
Method 1: Windows Update
If your computer is configured to accept Windows Updates, the update is downloaded and installed automatically.
Method 2: Microsoft Update Catalog
To get the stand-alone package for this update, go to the Microsoft Update Catalog website.
There are no prerequisites for installing this update.
You have to restart the computer after you apply this update.
Update replacement information
This update replaces the previously released update 3158987.
For a list of the files that are provided in this cumulative update, download the file information for cumulative update 3163016.
The .NET framework version 3.5 and earlier versions did not provide support for applications to use Transport Layer Security (TLS) System Default Versions as a cryptographic protocol. This update enables the use of TLS v1.2 in the .NET Framework 3.5.
The following registry keys can be set to use the operating system defaults for SSL and TLS instead of the hardcoded .NET Framework defaults for a managed application running on the computer.
For 64-bit operating systems: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions"=dword:00000001
For 32-bit operating systems: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] "SystemDefaultTlsVersions"=dword:00000001
Note If the application has set the ServicePointManager.SecureProtocol in code or through config files to a specific value, or uses the SslStream.AuthenticateAs* APIs to specify a specific SslProtocols enum, the registry setting behavior does not occur.
In addition, we have added the SslProtocolsExtensions enumeration that you can use as an option for setting TLS v1.2, TLS v1.1, as well as operating system defaults for the ServicePointManager.SecurityProtocol property when targeting .NET framework version 2.0 SP2. (See the Developer Guidance section for the information on how to use the extensions.)
For more information about how to enable TLS v1.1 or v1.2 as operating system defaults, follow the instructions at https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_TLS12.
Learn about the terminology that Microsoft uses to describe software updates.