
Release Date:
December 13, 2022

Notes: 

  • This article was revised on January 31, 2023, to add a resolution.

  • This article was revised on January 9, 2023, to expand the symptom and add FAQ section.

  • This article was revised on December 15, 2022, to add an additional workaround.

Summary

This article helps mitigate an issue in which, after installing the December 13, 2022, security updates for .NET Framework and .NET, users may experience issues with how WPF-based applications render XPS documents.

Symptom

XPS documents which utilize structural or semantic elements like table structure, storyboards, or hyperlinks may not display correctly in WPF-based readers. Additionally, some inline images may not display correctly, or Null reference exceptions might happen when XPS documents are loaded into WPF-based readers.

Workaround

Microsoft identified a compatibility workaround for this issue and provides a PowerShell script that applies it.

To install the compatibility workaround, follow the steps below.

  1. Download the PowerShell script

  2. Open a PowerShell prompt as an administrator

  3. Within the prompt, navigate to the directory where the script was downloaded

  4. Run the command within the prompt: .\kb5022083-compat.ps1 -Install

If the command succeeds, it will print "Installation completed." to the console window. If the command fails, it will display the reason for failure. To remove the compatibility workaround, follow the same steps as above, but replace step (4) above with: .\kb5022083-compat.ps1 -Uninstall

Once the compatibility workaround is installed, WPF-based applications which display XPS documents should continue working as they did before the December 13, 2022, security updates.

Alternate Workaround

If the first workaround does not resolve the issue, you can use a registry entry to disable the enhanced security behavior. This should only be done if you know for certain that all XPS documents your system processes are trustworthy, for example because they are generated by your system, rather than uploaded to your system, and they cannot be changed by anyone. Do not turn off the functionality if you accept XPS documents from the internet, emails from external entities, or other untrusted sources.

To disable the enhanced security behavior run this command from an elevated command prompt:

reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes" /v "DisableDec2022Patch" /t REG_SZ /d "*" /reg:64

Alternatively, you can use Group Policy to create a REG_SZ entry with a key name of HKLM\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes, a value name of DisableDec2022Patch, and a value of *

To remove this workaround and restore the enhanced security behavior, run this command from an elevated command prompt: reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes" /reg:64 /f

This disables the enhanced functionality machine wide and should only be used when you can fully trust all XPS input into your systems.

Resolution

This issue was addressed in out-of-band updates released January 31, 2023. To get the standalone package for these out-of-band updates, search for the KB number in the Microsoft Update Catalog. You can manually import these updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. For WSUS instructions, see WSUS and the Catalog Site. For Configuration Manager instructions, see Import updates from the Microsoft Update Catalog.

If you used any workaround or mitigation for this issue, it is no longer needed, and we recommend you remove it. To remove a workaround, follow the removal instructions in the Workaround or Alternate Workaround section, whichever was applied.
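One way to find machines where the registry-based alternate workaround is still in place after the resolution is installed, as an added example (not part of Microsoft's article or its kb5022083-compat.ps1 script). The key path and value name are the ones given above; the function name, its parameters and the output fields are assumptions made for this example.

```powershell
# Added example: audit for a leftover DisableDec2022Patch registry value.
# Key path and value name come from this article; everything else is hypothetical.
function Test-XpsAlternateWorkaround {
    [CmdletBinding()]
    param(
        # Machines to check. Remote targets need the Remote Registry service
        # running and an account with read access to HKLM.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $subKey    = 'SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes'
    $valueName = 'DisableDec2022Patch'
    $hive      = [Microsoft.Win32.RegistryHive]::LocalMachine
    $view      = [Microsoft.Win32.RegistryView]::Registry64   # same view as /reg:64

    foreach ($computer in $ComputerName) {
        $result = [ordered]@{
            ComputerName       = $computer
            KeyPresent         = $false
            WorkaroundValueSet = $false
            Value              = $null
            Error              = $null
        }
        $base = $null
        $key  = $null
        try {
            $base = if ($computer -eq $env:COMPUTERNAME) {
                [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
            } else {
                [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $computer, $view)
            }
            $key = $base.OpenSubKey($subKey)   # read-only; $null when the key is absent
            if ($null -ne $key) {
                $result.KeyPresent = $true
                # The article documents "*" as the data; any other data is
                # still reported so it can be reviewed by hand.
                $result.Value = $key.GetValue($valueName)
                $result.WorkaroundValueSet = ($null -ne $result.Value)
            }
        } catch {
            $result.Error = $_.Exception.Message
        } finally {
            if ($key)  { $key.Dispose() }
            if ($base) { $base.Dispose() }
        }
        [pscustomobject]$result
    }
}

Test-XpsAlternateWorkaround | Format-Table -AutoSize
```

A row with WorkaroundValueSet set to True marks a machine where the WPF portion of the December 13, 2022, security fix is still disabled; the reg delete command in the Alternate Workaround section removes it.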

Product Version                                                  Update

Windows 11, version 22H2
  .NET Framework 4.8.1                                           Catalog 5023327

Windows 11, version 21H2                                         Catalog 5023367
  .NET Framework 4.8                                             Catalog 5023323
  .NET Framework 4.8.1                                           Catalog 5023320

Windows Server 2022                                              Catalog 5023368
  .NET Framework 4.8                                             Catalog 5023324
  .NET Framework 4.8.1                                           Catalog 5023321

Azure Stack HCI, version 22H2
  .NET Framework 4.8                                             Catalog 5023324

Azure Stack HCI, version 21H2
  .NET Framework 4.8                                             Catalog 5023324

Windows 10 Version 22H2                                          Catalog 5023366
  .NET Framework 4.8                                             Catalog 5023322
  .NET Framework 4.8.1                                           Catalog 5023319

Windows 10 Version 21H2                                          Catalog 5023365
  .NET Framework 4.8                                             Catalog 5023322
  .NET Framework 4.8.1                                           Catalog 5023319

Windows 10 Version 20H2                                          Catalog 5023364
  .NET Framework 4.8                                             Catalog 5023322
  .NET Framework 4.8.1                                           Catalog 5023319

Windows 10 1809 (October 2018 Update) and Windows Server 2019    Catalog 5023363
  .NET Framework 4.7.2                                           Catalog 5023333
  .NET Framework 4.8                                             Catalog 5023326

Windows 10 1607 (Anniversary Update) and Windows Server 2016     Catalog 5023416
  .NET Framework 4.7.2                                           Catalog 5023332
  .NET Framework 4.8                                             Catalog 5023325

Affected updates

The following .NET versions are affected:

  • .NET Framework 2.0, 3.0, 3.5, 3.5.1, when the December 13, 2022, security update is installed.

  • .NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2, when the December 13, 2022, security update is installed.

  • .NET Framework 4.8, when the December 13, 2022, security update is installed.

  • .NET Framework 4.8.1, when the December 13, 2022, security update is installed.

  • .NET Core 3.1, with the Windows Desktop runtime version 3.1.32.

  • .NET 6, with the Windows Desktop runtime version 6.0.12 or later.

  • .NET 7, with the Windows Desktop runtime version 7.0.1 or later.

The Windows XPS Viewer application provided within the Windows operating system is not affected by this issue.

Frequently Asked Questions (FAQs)

When was this regression introduced?

This regression was introduced in the December 13, 2022, cumulative security updates for .NET and .NET Framework.

If an administrator installs the PowerShell script provided in this article, will it leave the machine vulnerable?

No. The PowerShell script only addresses compatibility. It does not disable the December 13, 2022, security update or otherwise reduce its efficacy.

If an administrator utilizes the registry-based alternative workaround, will it leave the machine vulnerable?

Yes. The alternative workaround listed above disables the WPF portion of the December 13, 2022, security fix. If an administrator utilizes the alternative workaround, they should direct their users not to open XPS documents from untrusted sources on those workstations.

This guidance applies only to WPF-based applications which load XPS documents. Users can continue to use Windows's built-in XPS viewer application to view untrusted XPS documents safely, even on machines which utilize the alternative registry-based workaround.

What is Microsoft doing to address the compatibility issue?

This issue was addressed for some versions of .NET Framework in out-of-band updates released January 31, 2023. For versions of .NET Framework which are not addressed, Microsoft is actively investigating an additional update which restores compatibility while also resolving the underlying security issue.
