September 20, 2018—KB4457127 (OS Build 14393.2515)

Applies to: Windows 10, version 1607Windows Server 2016

Improvements and fixes


This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

  • Addresses an issue that causes Internet Explorer security and certificate dialogs to display prompts in the background instead of the foreground in certain circumstances. 
  • Makes the visibility Group Policy for the Settings Page available under User Configuration and Computer Configuration. The GPOs are at the following paths:
    • User Configuration/Administrative Template/Control Panel/Settings Page Visibility
    • Computer Configuration/Administrative Template/Control Panel/Settings Page Visibility
  • Addresses an issue with showing the correct changes to folder contents on some Network Attached Storage (NAS) configurations. 
  • Addresses an issue with the diagnostic pipeline for devices enrolled in Windows Analytics when the CommercialID registry key, "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection" is present.
  • Addresses an issue that prevents the App-V client’s scheduled task from syncing if the Device Guard lockdown policy is enabled. 
  • Addresses an issue that causes login to fail when using a smart card to log in to a Remote Desktop Server. The error is “STATUS_LOGON_FAILURE”. 
  • Addresses an issue that sometimes causes event log entries to appear corrupted for the following:
    • Microsoft-Windows-Kerberos-Key-Distribution-Center source.
    • Event IDs 4933, 4928, and 4937.
  • Addresses an issue that occurs when using encrypted email. If the customer selects Cancel when first prompted for a PIN, multiple PIN prompts appear before the prompt finally goes away. 
  • Addresses an issue that causes a Direct Access connection to fail when the client authentication certificate is stored in the TPM device. 
  • Addresses an issue that causes the system to log negative events for drivers that are valid and should be trusted. The issue occurs when running Windows Defender Application Control (Device Guard) in audit mode. 
  • Addresses an issue that causes a Remote Desktop Session Host server to occasionally stop responding during login. 
  • Addresses an issue that may cause the Local Security Authority Subsystem Service (LSASS) process to stop working when attempting to process a malformed security identifier (SID). 
  • Addresses an issue that causes printing to an open or existing file to fail without displaying an error message. This issue occurs when using Microsoft Print to PDF or XPS Document Writer. 
  • Addresses an issue that may cause a DNS server to return an error to a query when handling a large recursive response that requires truncation. 
  • Addresses an issue that prevents running subsequent actions when you create multiple actions in a task using Task Scheduler and the task is scheduled under the Stop the existing instance rule. 
  • Addresses an issue with a task that has a repetition setting. The task isn't scheduled and doesn't start after disabling and re-enabling the it. The Next Run Time in Task Scheduler shows the correct time, but the task doesn't start at that time. 
  • Addresses an issue with a scheduled task that has an indefinite duration. The task starts immediately after it's created instead of at the time set on the Triggers tab. 
  • Addresses an issue where a daily, repetitive task starts unexpectedly when the task is first created or starts when the task is updated. 
  • Addresses an issue that occurs when a guest Service Host (svchost) stops working in Windows Server 2016. The Hyper-V time synchronization service (vmictimesync) in the guest may stop working, and a time sync issue may occur. The guest would then be vulnerable to time drift because of inaccurate hardware or incorrect Network Time Protocol (NTP) samples. 
  • Addresses an issue that prevents the lastLogonTimestamp attribute of new Active Directory users from updating. This issue occurs when performing LDAP simple binds against a Windows Server 2016 domain controller. 
  • Addresses an Active Directory Certificate Services (AD CS) issue that causes certificate enrollment requests from some enterprise routers to the MSCEP/NDES server to fail. The requests fail with the error "The Network Device Enrollment Service cannot convert encoded portions of the client's http message (or request body for POSTPKIOperation), or the converted message (or request body for POSTPKIOperation) is larger than 64K (%1). %2". 
  • Addresses an Active Directory Domain Services (AD DS) Privileged Access Management issue that may cause a user to retain association with the configured shadow principal beyond the configured Time to Live (TTL). This issue occurs when a DC is promoted while the TTL is valid.
  • Addresses an issue that causes Windows Server Backup to fail when backing up two volumes together in one location on NetApp. 
  • Addresses an issue where Windows Server Backup fails to restore backups for Microsoft Exchange 2016. 
  • Addresses an issue where creating a Client Access Point may take a long time when a firewall blocks access to child domain controllers. 
  • Addresses memory leaks in the Cluster Health Service. 
  • Addresses an issue that may cause an error when you attempt to access an NFS share. 
  • Addresses an issue where opening Explorer view on a SharePoint server site using TMG proxy fails. This issue occurs when the server requires SSL and TLS client certificate authentication and sends trusted CA issuer lists. 
  • Addresses an issue that may cause a system to stop working when you mount an NFS drive using the command line with the option -u -p. This issue occurs if the length of the password is different from the length of the domain name. 
  • Addresses an issue that may cause setup to fail during OEM-OOBE implementation if French or Spanish language setting is selected on the Hyper-V host. 
  • Addresses an issue that displays the report date as "Unknown" in the Remote Desktop License Manager.
  • Addresses an issue with evaluating the compatibility status of the Windows ecosystem to help ensure application and device compatibility for all updates to Windows.
  • Addresses an issue in which all Guest Virtual Machines running Unicast NLB fail to respond to NLB requests after the Virtual Machines restart.
  • Addresses an issue that causes many input and output (I/O) failures when QoS is enabled. The system does not attempt a retry, and the error code is “STATUS_Device_Busy”. This occurs during the periodic failover if Windows Cluster uses storage pool and Multipath I/O (MPIO) is enabled. After installing this update, you can create a registry key (Red_DWORD) with the value “0x1” to allow a retry. The registry path is “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorPort\QoSFlags “

If you installed earlier updates, only the new fixes in this package will be downloaded and installed on your device.

 

Known issues in this update


Symptom Workaround
After installing this update, installation and client activation of Windows Server 2019 and 1809 LTSC Key Management Service (KMS) (CSVLK) host keys do not work as expected. This issue is resolved in KB4467684.
After installing this update, Windows Server 2016 promotions that create non-root domains fail in forests in which optional features like Active Directory recycle have been enabled. The error is, “The replication operation encountered a database error”.

This issue is resolved in KB4467684.

After you install the August Preview of Quality Rollup or September 11, 2018 .NET Framework update, instantiation of SqlConnection can throw an exception. For more information about this issue, see the following article in the Microsoft Knowledge Base:

4470809 SqlConnection instantiation exception on .NET 4.6 and later after August-September 2018 .NET Framework updates

Microsoft is working on a resolution and will provide an update in an upcoming release.

How to get this update


Before installing this update

Windows cumulative updates require that you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). This helps to mitigate potential issues while installing the LCU. For more information, see Servicing stack updates.

If you are using Windows Update, the latest SSU (KB4132216) will be offered to you automatically. To get the stand-alone package for the latest SSU, go to the Microsoft Update Catalog

Install this update

To download and install this update, go to Settings > Update & Security > Windows Update and select Check for updates.

To get the standalone package for this update, go to the Microsoft Update Catalog website.

File information

For a list of files provided in this update, download the file information for cumulative update 4457127