Improvements and fixes
This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:
Updated the BitLocker.psm1 PowerShell script to not log passwords when logging is enabled.
Addressed issue with the Lock Workstation setting for smart cards where, in some cases, the system doesn’t lock when the smart card is removed.
Addressed issue where saving a credential with an empty password to Credential Manager causes the system to stop working when attempting to use the credential.
Addressed issue where an access token is improperly closed from a WMI query.
Addressed issue where the size of a cloned file was improperly calculated by ReFS.
Addressed error STOP 0x44 in Npfs!NpFsdDirectoryControl.
Addressed error 0x1_SysCallNum_71_nt!KiSystemServiceExitPico.
- Addressed issue where a computer loses access to its domain each time a Managed Service Account (MSA) automatically renews its password. This fix eliminates the need to restart the OS or the NETLOGON service once NETLOGON Event 3210 is logged with 0xc000022.
- Addressed RemoteApp display issues that occur when you minimize and restore a RemoteApp to full-screen mode.
- Addressed issue with delays when accessing Office documents from a remote network drive. Files open, but file access and file saves are affected. Access delays increase dramatically with increased file size.
- Addressed issue to prevent user logon delays. Delays occur when the Group Policy Preference client-side extensions send BroadcastSystemMessages and processes that have registered, top-level windows fail to respond.
- Addressed issue where the Get-AuthenticodeSignature cmdlet does not list TimeStamperCertificate even though the file is time stamped.
- Addressed issue that may occur when you inspect a corrupted VHDX file on a Hyper-V host; the error is “Multiple Bugcheck BAD_POOL_CALLER (c2) 0000000000000007; Attempt to free pool which was already freed”. However, when Special Pool is enabled, the error is “0xCC PAGE_FAULT_IN_FREED_SPECIAL_POOL”.
Addressed issue where the Remote Desktop’s idle timeout warning doesn't appear after the idle time elapsed.
Addressed issue where revoking a certificate associated with a disabled user account in the CA management console fails. The error is "The user name or password is incorrect. 0x8007052e (WIN32: 1326 ERROR_LOGON_FAILURE)”.
Addressed issue where Multi-Factor Authentication doesn't work correctly with mobile devices that use custom culture definitions.
•Addressed issue where the cluster node stops working when using async replication on very high-speed disks.
Addressed issue where ksecdd.sys causes LSASS to leak kernel memory in paged pool. This most commonly affects servers that host an HTTPS service and handle a heavy load of TLS handshakes from clients.
Addressed issue with excessive memory usage in LSASS when it evaluates an LDAP filter over a large record set on domain controllers.
Addressed issue where LSASS consumes large amounts of memory on 2012 R2 domain controllers during a security descriptor propagation operation. This issue occurs when a security descriptor change is made on a root object that has many descendants. Additionally, Applies To is set to "This object and all descendant objects."
Addressed issue where console and RDP logons permanently stop responding at “Applying user profile settings” because of a deadlock between DPAPI/LSASS and RDR. Once the deadlock occurs, new logons fail until the logon computer is restarted.
Addressed issue where performing TPM-related operations using PowerShell commands on a virtual machine causes the TPM support to fail. For example, performing a Get-TPM operation produces the following error: "get-tpm : An internal error was detected. (Exception from HRESULT: 0x80290107). At line:1 char:1".
Added support for OIDC logout using federated LDPs. This will allow kiosk scenarios where multiple users may be serially logged into a single device that has federation with an LDP.
Addressed issue with WinHello where CEP- and CES-based certificates don't work with gMSA accounts.
Improved RPC reliability when sending large data blobs.
- Addressed issue where using a smart card to log on to a Remote Desktop Server sometimes causes the server to stop responding.
- Addressed issue where "Hibernate Once/Resume Many " (HORM) could not be enabled on Windows Server 2016 IoT with Unified Write Filter.
- Addressed issue where deleting an object that has many links in Active Directory causes replication to stop with Event 1084, error 8409: "A database error has occurred". For additional information, read KB3149779.
- Addressed issue where Windows Server 2016 domain controllers (DC) may log audit events with ID 4625 and 4776. The DCs use Microsoft Windows Security information that has truncated user names and domain names for logons that come from client applications that use wldap32.dll.
- Addressed access violation in LSASS that occurs during the startup of the domain controller role conditions. A race condition causes the violation when account management calls occur while the database is refreshing internal metadata. A password reset or change is one of the management calls that may trigger this problem.
- Addressed issue where Windows Server Essentials Storage Service stops working if a tiered virtual disk is created on a storage pool that has HDD and SSD.
- Addressed issue where attempting to extend a Clustered Shared Volume (the source disk) beyond 2 TB using Disk Management in the Storage Replica feature of Windows Server 2016 Datacenter Edition fails. The error is “There is not enough space available on the disk to complete this operation”. The same problem may occur when using the Resize-Partition PowerShell cmdlet. In this case, the error is “Not enough available capacity”.
- Addressed issue where the Windows Internal Database (WID) on Windows Server 2016 AD FS servers fails to synchronize some settings because of a foreign key constraint. These settings include the ApplicationGroupId columns from IdentityServerPolicy.Scopes and IdentityServerPolicy.Clients tables. The synchronization failure can cause different claim, claim provider, and application experiences between primary and secondary AD FS servers. Also, if you move the WID primary role to a secondary node, you cannot manage application groups using the AD FS management user interface. Once patched, new application groups will be synced correctly. Delete existing Relying Parties (RP) that are not syncing before installing the patch, and rebuild them after the package is installed.
If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.
For more information about the resolved security vulnerabilities, please refer to the Security Update Guide.
Note: This is a re-release that includes Windows Server 2016 improvements. If you've installed the September 25, 2017 update and are not interested in server improvements, you can skip this update.
Windows Update Client Improvement
Microsoft will release an update directly to the Windows Update Client to improve Windows Update reliability. It will only be offered to devices that have not installed the most recent updates and are not currently managed (e.g., domain joined).
Known issues in this update
|After installing this update, downloading updates using express installation files may fail.||This issue has been resolved in KB4041688.|
Some users who have the text size for icons set to a larger size (using Display Settings in Control Panel) may have issues launching Internet Explorer.
Reducing the text size for icons to a smaller value or using the Change the size of all items setting should alleviate this issue.
Microsoft is working on a resolution and will provide an update in an upcoming release.