Related topics
Sign in with Microsoft
Sign in or create an account.
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.

Release Date:



OS Build 14393.2155

Improvements and fixes

This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

  • Addresses an issue where WMI stops responding to queries and WMI-dependent operations fail after exceeding the 256 MB WMI Arbitrator memory limit. Computers that experience high WMI memory usage or that return error WBEM_E_INVALID_CLASS or WBEM_E_NOT_FOUND should install this update. For more information, see KB4096063.

  • Addresses issue with a GDI handle leak in the Windows Ribbon control.

  • Addresses issue where customers can't change the lock screen image from the Settings app. This occurs if the "Force a specific default lock screen and logon image" Group Policy is turned on and the "Prevent changing lock screen and logon image" Group Policy is turned off. 

  • Addresses issue where, during BitLocker decryption or encryption of a drive, files protected with the Encrypting File System (EFS) may become corrupted.

  • Adds support for additional high-speed eMMC devices.

  • Adds support in stornvme for additional SSDs.

  • Addresses issue where UWF file exclusion failed when non-ASCII characters were used in the directory name.

  • Addresses issue where ID:55 and ID:130 might be logged when using UWF in DISK mode, which eventually requires a restart.

  • Addresses issue where the VSS API ResyncLun failed to find the hardware provider.

  • Addresses issue where Hyper-V replication suspends when the primary server restarts and Azure Site Recovery (ASR) is used to replicate Hyper-V virtual machines.

  • Addresses issue where an error might occur when the memory manager finds an undeleted page table space when a process terminates.

  • Addresses issue where Windows Server 2016 Domain Controllers (DC) may periodically restart after a Local Security Authority Subsystem Service (LSASS) module faults with exception code 0xc0000005. This interrupts applications and services bound to the DC at that time. DCs may log the following events:

    • Application Error event ID 1000; the faulty module is NTDSATQ.dll with exception code 0xc0000005.

    • User32 event ID 1074 and Microsoft-Windows-Wininit event ID 1015, which indicates that lsass.exe failed with status code 255.

  • Addresses issue where the AdminSDHolder task fails to run when a protected group contains a member attribute that points to a deleted object. Additionally, Event 1126 is logged with “Active Directory Domain Services was unable to establish a connection with the global catalog. Error value: 8430. The directory service encountered an internal failure. Internal ID: 320130e.”

  • Addresses issue where users may exist in a trusted domain with transitive trust (a child domain across Forest trust or AD FS in a child domain and the user is across Forest trust). However, users cannot locate a PDC or DC for the Extranet Lockout Feature. The following exception occurs: “Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException: MSIS6080: A bind attempt to domain <FQDN> failed with error code 1722.” A message appears on the IDP page, "Incorrect user ID or password. Type the correct user ID and password, and try again."

  • Addresses issue where, when Claims Provider Trust is set with OrganizationalAccountSuffix (even after performing HRD), AD FS doesn't save the HRD information. The user will always see the HRD page for any new request. This breaks the SSO request for users because they need to type a username or email and password for each request.

  • Improves the performance of AD FS MFA authentication response time by improving the utilization of Strong Authentication Service (SAS) calls.

  • Addresses issue caused by a new privilege in Windows Server 2016 and Windows 10 version 1607 named "Obtain an impersonation token for another user in the same session”. When applied using Group Policy to those computers, gpresult /h fails to generate reporting data for any setting configured by the Security Configuration Engine (SCE) extension. The error message is “Requested value ‘SeDelegateSessionUserImpersonatePrivilege’ was not found”. The Group Policy Management Console fails to show the privilege in the Settings tab for a GPO where the setting has been configured.

  • Addresses a threading issue that might cause the WinRM service to stop working when under load. This is a client-side solution, so it should be applied to affected computers as well as computers that communicate with it using WinRM.

  • Addresses issue with system performance that causes logons to become unresponsive with the message "Please wait for the Remote Desktop Configuration" because of a deadlock in the WinRM service.

  • Addresses issue where the Remote Desktop License report gets corrupted when it exceeds the 4 KB size limit.

  • Addresses a race condition in RemoteApp that occurs when an activated RemoteApp window opens behind the previous foreground window.

  • Addresses rendering issue in Microsoft Edge for PDF documents with backgrounds created using various third-party publishing tools. 

  • Addresses issue caused by a race condition where Windows Server 2016 may restart after win32kbase.sys faults with error code 0x18.

  • Addresses issue that decreases the Universal CRT’s performance in the _gcvt and _gcvt_s functions.

  • Addresses issue in which the output to a file or pipe was fully buffered in the Universal CRT for the standard error (STDERR) stream.

  • Addresses issue in the Universal CRT by adding the "x" access mode flag to support the fopen() function.

  • Addresses issue with a race condition in the Universal C Runtime (CRT) that occurs when you update the global locale. The issue corrupts the current locale reference count and triggers a double free condition.

  • Addresses issue that may change the cluster network associated with an adapter to a partitioned and unreachable state when you run the PowerShell cmdlet: Restart -NetAdapter.

  • Adds Active Directory Certificate Server (ADCS) support for Certificate Transparency (CT) that is compatible with updated Google Chrome requirements. CT is a technology used by Certificate Authorities to log and publish certificate metadata for improved security. For more information about Certificate Transparency, see KB4093260.

  • Addresses issue that causes Windows Spell Checker to ignore the contents of custom dictionary files larger than 1 MB. You can increase this limit to 2 MB by setting the following DWORD value in the registry under HKEY_CURRENT_USER\Software\Microsoft\Spelling\Dictionaries:

    "AllowBiggerUD" = 1

If you installed earlier updates, only the new fixes in this package will be downloaded and installed on your device.

For more information about the resolved security vulnerabilities, see the Security Update Guide.

Windows Update Improvements

Microsoft has released an update directly to the Windows Update client to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 Feature Update based on device compatibility and Windows Update for Business deferral policy. This does not apply to long-term servicing editions.

Known issues in this update



After installing the March 13, 2018 or later Cumulative Update for Windows 10 version 1607, only the latest Windows 10 feature update is returned as applicable. This prevents the deployment of previously released feature updates using ConfigMgr (current branch) and Windows 10 servicing plans.

This issue is resolved in KB4103723.


How to get this update

This update will be downloaded and installed if you go to the Windows Settings > Update & Security > Windows Update page, and click Check online for updates from Microsoft Update.

To get the standalone package for this update, go to the Microsoft Update Catalog website.

Important When installing both the servicing stack update (SSU) (KB4089510) and the latest cumulative update (LCU) from the Microsoft Update Catalog, install the SSU before installing the LCU

File information

For a list of the files that are provided in this update, download the file information for cumulative update 4088889

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!