January 9, 2024—KB5034129 (OS Build 20348.2227)

Windows Server 2022 More...Less

Release Date:

1/9/2024

Version:

OS Build 20348.2227

For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows Server 2022, see its update history page.

Note Follow @WindowsUpdate to find out when new content is published to the Windows release health dashboard.

Improvements

This security update includes quality improvements. When you install this KB:

This update addresses an issue that affects Microsoft Intune. One of its new features does not work properly.
This update addresses an issue that affects account lockout event 4625. The format of the event is wrong in the ForwardedEvents log. This occurs when an account name is in the user principal name (UPN) format.
This update addresses an issue that affects hybrid joined devices. You cannot sign in to them if they are not connected to the internet. This occurs when you use a Windows Hello for Business PIN or biometric credentials. This issue applies to a cloud trust deployment.
This update addresses an issue that affects the Trusted Sites Zone logon policy. You cannot manage it using mobile device management (MDM).
This update addresses an issue that affects Microsoft Excel. It stops responding when you try to share a file as a PDF in Outlook.
This update addresses an issue that affects the Server Manager pop-up text. It removes the words “Azure Automanage.”
This update addresses an issue that affects XPath queries on FileHash and other binary fields. It stops them from matching values in event records.
This update addresses an issue that affects certain network functions on VMs. Deployment of them fails.
This update addresses an issue that affects the Network Controller. The issue makes you create more rules for outbound traffic so that return traffic is not blocked.
This update addresses an issue that affects a WS_EX_LAYERED window. The window might render with the wrong dimensions or at the wrong position. This occurs when you scale the display screen.
This update addresses an issue that affects printing to PDF metadata. It extracts the username that you sign in with and puts it into the author name metadata box. Instead, print to PDF should place your display name in that box.
This update addresses an issue that affects disk partitions. Your system might stop responding. This occurs if you add space from a deleted partition to an existing BitLocker partition.
This update addresses an issue that affects Windows Defender Application Control (WDAC). AppID Tagging policies might greatly increase how long it takes your device to start up.
This update addresses an issue that causes your device to shut down after 60 seconds. This occurs when you use a smart card to authenticate on a remote system.
This update addresses an issue that affects the display of a smart card icon. The icon does not appear when you sign in. This occurs when there are multiple certificates on the smart card.
This update addresses an issue that affects Active Directory domain controllers. They report DS_BUSY errors when you create new users. This only occurs on primary domain controller emulators (PDCe).
This update addresses an issue that affects the Windows Local Administrator Password Solution (Windows LAPS). The LAPS account does not work. This occurs if the password is older than the age that the maximum age device policy allows.
This update addresses an issue that affects the Kerberos Key Distribution Center (KDC). It returns a KDC_ERR_S_PRINCIPAL_UNKNOWN error during trust referrals, which is wrong.
This update addresses an issue that affects the msDS-KeyCredentialLink attribute. In some cases, it is updated when it should not be.
This update addresses an issue that causes lsass.exe to stop responding. Because of this, a restart loop occurs.
This update addresses an issue that affects the Key Distribution Service (KDS). It does not start in the time required if LDAP referrals are needed.

If you installed earlier updates, only the new updates contained in this package will be downloaded and installed on your device.

For more information about security vulnerabilities, please refer to the Security Update Guide and the January 2024 Security Updates.

Windows Server 2022 servicing stack update - 20348.2200

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.

Known issues in this update

Symptom	Workaround
After you install KB5034129, chromium-based internet browsers, such as Microsoft Edge, might not open correctly. Browsers affected by this issue might display a white screen and become unresponsive when you open them. Devices that have browser specific Image File Execution Options (IFEO) might be affected by this issue. When an entry for Microsoft Edge (msedge.exe) or other chromium-based browsers is found in the Windows registry, the issue might occur. A registry entry can be created by developer tools or when certain debugging and diagnostic settings are in place for browsers.	This issue is addressed in KB5034770. Some of you might be using an update that is dated before February 13, 2024. If you encounter this issue, use the workaround steps below. You can prevent this issue by removing certain keys related to Image File Execution Options in the Windows registry. Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see How to back up and restore the registry in Windows. Modify the Windows registry using the steps below. Open the Windows Registry Editor. Open the Windows start menu and type regedit. Select Registry Editor from the results. Go to the registry location Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\. Type this location in the path field that is below the File menu or use the left-side panel of the editor to find that path. Expand this path in the editor. At that location, find the registry key related to the browser that is in use (denoted with a folder icon). Examples of the key name include msedge.exe for Microsoft Edge or chrome.exe. Click the key. Examine the right-side panel that contains values associated with the key. If the right-side panel only includes a value titled “(Default)”, it should be safe to remove the registry key. Right-click the key in the left-side panel of the editor and select Delete. After this, restart the device. This should address the issue, and the browser should open as expected. If the right-side panel contains several values in addition to the one titled “(Default)”, it is still possible to address the issue by removing the registry key for this browser and restarting the device. However, note that doing so might remove configurations associated with the opening or starting process of the browser. We are working on a resolution and will provide an update in an upcoming release.

Symptom

Workaround

After you install KB5034129, chromium-based internet browsers, such as Microsoft Edge, might not open correctly. Browsers affected by this issue might display a white screen and become unresponsive when you open them.

Devices that have browser specific Image File Execution Options (IFEO) might be affected by this issue. When an entry for Microsoft Edge (msedge.exe) or other chromium-based browsers is found in the Windows registry, the issue might occur. A registry entry can be created by developer tools or when certain debugging and diagnostic settings are in place for browsers.

This issue is addressed in KB5034770. Some of you might be using an update that is dated before February 13, 2024. If you encounter this issue, use the workaround steps below.

You can prevent this issue by removing certain keys related to Image File Execution Options in the Windows registry.

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see How to back up and restore the registry in Windows.

Modify the Windows registry using the steps below.

Open the Windows Registry Editor. Open the Windows start menu and type regedit. Select Registry Editor from the results.
Go to the registry location Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\. Type this location in the path field that is below the File menu or use the left-side panel of the editor to find that path. Expand this path in the editor.
At that location, find the registry key related to the browser that is in use (denoted with a folder icon). Examples of the key name include msedge.exe for Microsoft Edge or chrome.exe. Click the key.
Examine the right-side panel that contains values associated with the key.
1. If the right-side panel only includes a value titled “(Default)”, it should be safe to remove the registry key. Right-click the key in the left-side panel of the editor and select Delete. After this, restart the device. This should address the issue, and the browser should open as expected.
2. If the right-side panel contains several values in addition to the one titled “(Default)”, it is still possible to address the issue by removing the registry key for this browser and restarting the device. However, note that doing so might remove configurations associated with the opening or starting process of the browser.

We are working on a resolution and will provide an update in an upcoming release.

How to get this update

Before installing this update

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

Install this update

Release Channel	Available	Next Step
Windows Update and Microsoft Update	Yes	None. This update will be downloaded and installed automatically from Windows Update.
Windows Update for Business	Yes	None. This update will be downloaded and installed automatically from Windows Update in accordance with configured policies.
Microsoft Update Catalog	Yes	To get the standalone package for this update, go to the Microsoft Update Catalog website.
Windows Server Update Services (WSUS)	Yes	This update will automatically sync with WSUS if you configure Products and Classifications as follows: Product: Microsoft Server operating system-21H2 Classification: Security Updates

If you want to remove the LCU

To remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

File Information

For a list of the files that are provided in this update, download the file information for cumulative update 5034129.

For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 20348.2200.