Improvements and fixes
Note To learn more about the nonsecurity improvements and fixes in this update, see the "July 21, 2016 – KB3172614" section in Windows 8.1 and Windows Server 2012 R2 update history.
When a service such as Exchange server tries to reestablish the Kerberos client session during a cluster failover, it may cause the system to become unresponsive. Additionally, an LSASS CPU spike occurs after the failover.
Note This issue can occur on nonclustered environments also if there are many authentication requests occurring at the same time.
ResolutionMicrosoft Windows has released a fix that contains new opt-in behavior for the Kerberos client to address this issue. By enabling the Kerberos parameter, the Kerberos client can bypass the CPU intensive action of purging compounded tickets.
Note The Kerberos client must opt-in for the new behavior. Follow these steps to create the registry parameter on each node of the cluster:
- In Registry Editor, locate and then select the following subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
- Right-click Parameters, point to New, and then click DWORD Value.
- Type AllowStaleDeviceAuthzData as the entry name, and then press Enter.
- Right-click AllowStaleDeviceAuthzData, and then click Modify.
- In the Value data box, type 1, and then click OK.
Note Setting this registry parameter may delay the purging and repopulating of compounding information that could cause changes in account permissions to not be reflected in real time.
For more information, see What's New in Kerberos Authentication.
Known issues in this update
After you apply this update on a Remote Desktop Session (RDS) host, some new users cannot connect to an RDP session. Instead, those users see a black screen, and they are eventually disconnected. This issue occurs at unspecified intervals.
The following events are usually logged when this issue occurs:
|Event Logs||Event Source||ID||Description|
|Microsoft-Windows-TerminalServices-LocalSessionManager/Operational||Microsoft-Windows-TerminalServices-LocalSessionManager||36||An error occurred when transitioning from CsrConnected in response to EvCsrInitialized. (ErrorCode 0x80004005)|
|Application||Microsoft-Windows-Winlogon||4005||The Windows logon process has unexpectedly terminated.|
During virtual channel management, a deadlock condition occurs that prevents the RDS service from accepting new connections.
To fix this issue, install November 2016 Preview of Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2 (KB3197875).
How to get this update
Method 1: Windows UpdateThis update is provided as a Recommended update on Windows Update. For more information about how to run Windows Update, see How to get an update through Windows Update.
Method 2: Microsoft Download CenterThe following files are available for download from the Microsoft Download Center.
|All supported x86-based versions of Windows 8.1||Download the package now.|
|All supported x64-based versions of Windows 8.1||Download the package now.|
|All supported x64-based versions of Windows Server 2012 R2||Download the package now.|
Method 3: Microsoft Update CatalogTo get the stand-alone package for this update, go to the Microsoft Update Catalog website.
Note You must be running Microsoft Internet Explorer 6 or a later version.
Update detail information
PrerequisitesTo apply this update, you must have the following updates installed on Windows 8.1 or Windows Server 2012 R2:
- April 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355)
- April 2015 servicing stack update for Windows 8.1 and Windows Server 2012 R2 (KB 3021910)