July 24, 2018—KB4338817 (OS Build 16299.579)

Applies to: Windows 10, version 1709

Improvements and fixes


This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

  • Addresses an issue that causes devices within Active Directory or Hybrid AADJ++ domains to unexpectedly unenroll from Microsoft Intune or third-party MDM services after installing provisioning package updates (PPKG). This issue occurs on devices that are subject to the “Auto MDM Enrollment with AAD Token” Group Policy. If you ran the script “Disable-AutoEnrollMDMCSE.PS1 as a workaround for this issue, run “Enable-AutoEnrollMDMCSE.PS1 from a PowerShell window running in Administrator mode after installing this update.

  • Inserts a carriage return (CR) before a line feed (LF) if there is none when entering data in a form field
  • Enables debugging of WebView content in UWP apps using the Microsoft Edge DevTools Preview app available in the Microsoft App Store. 
  • Addresses an issue in which Microsoft Edge DevTools becomes unresponsive when the console is flooded with messages. 
  • Addresses an issue that causes a black screen to appear for several minutes after installing Windows updates before going to the desktop. 
  • Addresses additional issues with updated time zone information. 
  • Improves the PDF file experience in Microsoft Edge by addressing PDF file open, print, and reliability issues. 
  • Addresses an issue in which moving a Microsoft Foundation Class (MFC) application window might leave behind a dithered pattern on the desktop. 
  • Addresses an issue that causes power options to appear on the Windows security screen even when the per-user Group Policy to hide power options is set. 
  • Addresses an issue in which the correct lock screen image won't show when all of the following are true:
    • GPO policy “Computer Configuration\Administrative Templates\Control Panel\Personalization\Force a specific default lock screen and logon image” is enabled.
    • GPO policy "Computer Configuration\Administrative Templates\Control Panel\Personalization\Prevent changing lock screen and logon image" is enabled
    • Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\DisableLogonBackgroundImage is set to 1. 
  • Addresses an issue in which a warning appears stating that the application is from an “unknown publisher” when running an application as an elevated user (Administrator).
  • Addresses an issue that causes sporadic authentication issues when using Web Account Manager.
  • Addresses an issue that sometimes causes the single-sign-on scenario to fail and presents the the logon tile when connecting to a Remote Desktop server. 
  • Addresses an issue in which the memory usage of LSASS continues to grow until it is necessary to restart the system. 
  • Addresses an issue in which the default domain for an Azure Active Directory-joined machine is not set on the logon screen automatically. 
  • Addresses an issue that causes SQL Server memory usage to grow over time when encrypting data using a symmetric key that has a certificate. Then, you execute queries that open and close the symmetric key in a recursive loop.
  • Addresses an issue in which using an invalid password in a wireless PEAP environment that has SSO enabled causes the submission of two authentication requests with the invalid password. The excess authentication request may cause premature account lockouts in environments with low account lockout thresholds. To enable the changes, add the new registry key, “DisableAuthRetry” (Dword) on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\26 using regedit, and set it to 1. 
  • Addresses an issue that may cause the BITS service to become unresponsive when the service cannot connect to Internet resources. 
  • Addresses an issue that prevents printing on a 64-bit OS when 32-bit applications impersonate other users (typically by calling LogonUser). This issue occurs after installing monthly updates starting with KB4034681, released in August 2017. To resolve the issue for the affected applications, install this update, and then do one of the following:
    • Use Microsoft Application Compatibility Toolkit to globally enable the Splwow64Compat App Compat Shim.
    • Use the following registry setting, and then restart the 32-bit application: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print Setting: Splwow64Compat

Type: DWORD

Value1: 1     

  • Addresses an issue with DNS Response Rate Limiting that causes a memory leak when enabled with LogOnly mode. 
  • Addresses an issue that sometime prevents a system from shutting down or being placed in Hibernation. This issue occurs on the first boot after performing disk encryption on an SSD drive. 
  • Addresses an issue that prevents access to SMB shares using IP addresses if SMB hardening is enabled. 
  • Addresses an issue in which using mandatory (read-only) user profiles for RDP might result in the error code, "Class not registered (0x80040151)".
  • Addresses an issue in which not all network printers are connected after a user logs on. The HKEY_USERS\User\Printers\Connections Key shows the correct network printers for the affected user. However, the list of network printers from this registry key is not populated in any app, including Microsoft Notepad or Devices and Printers. Printers may disappear or become non-functional.
  • Addresses an issue that causes in-place upgrades to Windows 10 version 1709 to stop responding at the “Making sure you’re ready to install” screen. This occurs while performing device inventory on devices that have installed monthly updates since April 2018.

Note  WSUS can also deliver Dynamic Updates (DU) to devices when configured to sync Dynamic Update content. Verify that Dynamic Updates haven’t been disabled by the /DynamicUpdate Disable setup switch.

  • Addresses a rendering issue that occurs while dynamically modifying the classname or ID of elements on a page.
  • Addresses an issue that prevents Memory Analyzer and Performance Analyzer from working properly in Microsoft Internet Explorer 11 Developer Tools.

 If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.

For more information about the resolved security vulnerabilities, please refer to the Security Update Guide.

Known issues in this update


Symptom Workaround
Some non-English platforms may display the following string in English instead of the localized language: ”Reading scheduled jobs from file is not supported in this language mode.” This error appears when you try to read the scheduled jobs you've created and Device Guard is enabled

After evaluation, Microsoft has determined that this is a low probability and a low-risk issue, and we will not provide a solution at this time for Windows 10, version 1709. 

If you believe that you are affected by this issue, please contact Microsoft Support.

When Device Guard is enabled, some non-English platforms may display the following strings in English instead of the localized language:

  • "Cannot use '&' or '.' operators to invoke a module scope command across language boundaries."
  • "'Script' resource from 'PSDesiredStateConfiguration' module is not supported when Device Guard is enabled. Please use 'Script' resource published by PSDscResources module from PowerShell Gallery."

After evaluation, Microsoft has determined that this is a low probability and a low-risk issue, and we will not provide a solution at this time for Windows 10, version 1709. 

If you believe that you are affected by this issue, please contact Microsoft Support.

After you install any of the July 2018 .NET Framework Security Updates, a COM component fails to load because of “access denied,” “class not registered,” or “internal failure occurred for unknown reasons” errors. The most common failure signature is the following:

Exception type: System.UnauthorizedAccessException

Message: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

This issue is resolved in KB4343897.

After installing this update on an Hybrid Azure AD joined machine, the logon screen displays “AzureAD” as the default domain. This may result in failure to log on for users in hybrid Azure AD joined scenarios when users provide only their username and password.

This issue is resolved in KB4343897.

After installing this update, Windows no longer recognizes the Personal Information exchange (PFX) certificate that’s used for authenticating to a Wi-Fi or VPN connection. As a result, Microsoft Intune takes a long time to deliver user profiles because it doesn’t recognize that the required certificate is on the device. This issue is resolved in KB4464217.

How to get this update


To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates.

To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

File information

For a list of the files that are provided in this update, download the file information for cumulative update 4338817