July 2016 update rollup for Windows 8.1 and Windows Server 2012 R2

Applies to: Windows Server 2012 R2 DatacenterWindows Server 2012 R2 StandardWindows Server 2012 R2 Essentials

The July 2016 update rollup includes some new improvements and fixes, including the improvements from June 2016 update rollup KB3161606 and May 2016 update rollup KB3156418 for the Windows 8.1 and 2012 R2 platform. We recommend that you apply this update rollup as part of your regular maintenance routines. Before you install this update, check out the Prerequisites and Restart requirement sections.

Improvements and fixes

Note To learn more about the nonsecurity improvements and fixes in this update, see the "July 21, 2016 – KB3172614" section in Windows 8.1 and Windows Server 2012 R2 update history.

Issue 1


When a service such as Exchange server tries to reestablish the Kerberos client session during a cluster failover, it may cause the system to become unresponsive. Additionally, an LSASS CPU spike occurs after the failover.

Note This issue can occur on nonclustered environments also if there are many authentication requests occurring at the same time.


Microsoft Windows has released a fix that contains new opt-in behavior for the Kerberos client to address this issue. By enabling the Kerberos parameter, the Kerberos client can bypass the CPU intensive action of purging compounded tickets.

Note The Kerberos client must opt-in for the new behavior. Follow these steps to create the registry parameter on each node of the cluster:
  1. In Registry Editor, locate and then select the following subkey:
  2. Right-click Parameters, point to New, and then click DWORD Value.
  3. Type AllowStaleDeviceAuthzData as the entry name, and then press Enter.
  4. Right-click AllowStaleDeviceAuthzData, and then click Modify.
  5. In the Value data box, type 1, and then click OK.

Note Setting this registry parameter may delay the purging and repopulating of compounding information that could cause changes in account permissions to not be reflected in real time.

For more information, see What's New in Kerberos Authentication.

Known issues in this update

Issue 1


After you apply this update on a Remote Desktop Session (RDS) host, some new users cannot connect to an RDP session. Instead, those users see a black screen, and they are eventually disconnected. This issue occurs at unspecified intervals.

The following events are usually logged when this issue occurs:

Event Logs Event Source ID Description
Microsoft-Windows-TerminalServices-LocalSessionManager/Operational Microsoft-Windows-TerminalServices-LocalSessionManager 36 An error occurred when transitioning from CsrConnected in response to EvCsrInitialized. (ErrorCode 0x80004005)
Application Microsoft-Windows-Winlogon 4005   The Windows logon process has unexpectedly terminated.


During virtual channel management, a deadlock condition occurs that prevents the RDS service from accepting new connections.


To fix this issue, install November 2016 Preview of Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2 (KB3197875).

How to get this update

Important If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.

Method 1: Windows Update

This update is provided as a Recommended update on Windows Update. For more information about how to run Windows Update, see How to get an update through Windows Update.

Method 2: Microsoft Download Center

The following files are available for download from the Microsoft Download Center.
Operating system Update
All supported x86-based versions of Windows 8.1 Download Download the package now.
All supported x64-based versions of Windows 8.1 Download Download the package now.
All supported x64-based versions of Windows Server 2012 R2 Download Download the package now.
For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Method 3: Microsoft Update Catalog

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

Note You must be running Microsoft Internet Explorer 6 or a later version.

Update detail information


To apply this update, you must have the following updates installed on Windows 8.1 or Windows Server 2012 R2:

Restart requirement

You must restart the computer after you apply this update.


Update replacement information

This update replaces the previously released updates 3161606 and 3156418.

File Information

File information

For a list of the files that are provided in this update, download the file information for update rollup 3172614.


For more information about Windows Update, go to the following Microsoft websites:

Troubleshoot problems with installing updates

Windows Update: Frequently Asked Questions

Learn about the terminology that Microsoft uses to describe software updates.