Patchday: Updates for Windows 7/Server 2008 R2 (January 12, 2021)

Windows Update[German]On January12, 2021, Microsoft released various (security) updates for Windows 7 SP1 (ESU) and Windows Server 2008 R2. Here is the overview of these updates.


Advertising

Updates for Windows 7/Windows Server 2008 R2

For Windows 7 SP1 and Windows Server 2008 R2 SP1 a rollup and a security-only update have been released. However, these updates are only available for systems with ESU license. The update history for Windows 7 can be found on this Microsoft page.

Starting January 15, 2020, Windows 7 in Starter, Home Basic, Home Premium, Professional (without ESU license) and Ultimate will show a full-screen end-of-support notification. This must then be closed by the user.

As of Jan. 14, 2020, Windows 7 SP1 and Windows Server 2008 R2 SP1 have reached the end of support and will only receive paid security updates in the future as part of the ESU program. ESU license holders are advised to take a look at the Windows Message Cente for details.

Microsoft has updated the Techcommunity article on the ESU program for the last time as of Jan. 12, 2021. Note the information there about the requirements (SSU, SHA-2). In addition, the update KB4538483 must be installed manually from the Update Catalog for ESU systems (see Windows 7 ESU-Update KB4538483 (May 2020)) and at the end of July 2020 update KB4575903 is also required. In addition, an ESU license for the 2nd year is required if updates are to be obtained beyond January 12, 2021 (the update KB4598279 for Windows 7 SP1 was still offered to me with the 2020 ESU license).

Since the updates are offered in the Microsoft Update Catalog, don't try to install them on systems without an ESU license first. The installation fails and a rollback occurs. What does work, however: Using the BypassESU methods. ByPassESU v11 should continue to work for the January 2021 patches (see Windows 7 SP1/Server 2008/R2: Extended Support 2021 – Part 2).

Important: Starting in July 2020, all Windows updates disable the RemoteFX vGPU feature due to the CVE-2020-1036 vulnerability (see also KB4570006). After installing this update, attempts to start virtual machines (VM) that have RemoteFX vGPU enabled fail.

KB4598279 (Monthly Rollup) for Windows 7/Windows Server 2008 R2

Update KB4598279 (Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1) contains (besides the security fixes from the previous month) improvements and bug fixes and addresses the following:

  • Addresses a security bypass vulnerability that exists in the way the Printer Remote Procedure Call (RPC) binding handles authentication for the remote Winspool interface. For more information, see KB4599464.
  • Addresses a security vulnerability issue with HTTPS-based intranet servers. After you install this update, HTTPS-based intranet servers cannot leverage a user proxy to detect updates by default. Scans that use these servers will fail if the clients do not have a configured system proxy.
    If you must leverage a user proxy, you must configure the behavior by using the Windows Update policy Allow user proxy to be used as a fallback if detection using system proxy fails. To make sure that the highest levels of security, additionally leverage Windows Server Update Services (WSUS) Transport Layer Security (TLS) certificate pinning on all devices. For more information, see Changes to scans, improved security for Windows devices.
    Note This change does not affect customers who use HTTP WSUS servers.
  • Addresses an issue in which a principal in a trusted Managed Identity for Application (MIT) realm does not obtain a Kerberos Service ticket from Active Directory domain controllers (DCs). This issue occurs after Windows Updates that contains CVE-2020-17049 protections released between November 10 and December 8, 2020 are installed and PerfromTicketSignature is configured to 1 or higher. Ticket acquisition fails with KRB_GENERIC_ERROR if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.
  • Security updates to Windows App Platform and Frameworks, Windows Graphics, Windows Media, Windows Fundamentals, Windows Cryptography, Windows Virtualization, and Windows Hybrid Storage Services.

Compared to the previous months (to the best of our knowledge) nothing has changed for ESU systems. This update is automatically downloaded and installed via Windows Update. The package is also available via Microsoft Update Catalog and is distributed via WSUS. Details about the requirements and known issues can be found in the KB article (without ESU the installation fails, there is also a "STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)" error).

KB4598289 (Security Only) for Windows 7/Windows Server 2008 R2

Update KB4598289 (Security-only update) is available for Windows 7 SP1 and Windows Server 2008 R2 SP1 with ESU license. The update addresses the following issues.

Security updates to Windows App Platform and Frameworks, Windows Graphics, Windows Media, Windows Fundamentals, Windows Cryptography, Windows Virtualization, and Windows Hybrid Storage Services.

The update is available via WSUS or in the Microsoft Update Catalog. To install the update, the prerequisites listed in the KB article and above in the rollup update must be met. The update causes the known issues described in KB article KB4598289. I have not found a security update for Internet Explorer 11 for January 2021.


Advertising

Similar articles
Microsoft Office Patchday (January 5, 2021)
Microsoft Security Update Summary (January 12, 2021)
Patchday: Windows 10-Updates (January 12, 2021)
Patchday: Updates für Windows 7/Server 2008 R2 (January 12, 2021)
Patchday: Windows 8.1/Server 2012-Updates (January 12, 2021)
Patchday Microsoft Office Updates (January 12, 2021)

Windows 7 SP1: ESU Support for 2021 – Part 1
Windows 7 SP1/Server 2008/R2: Extended Support 2021 – Part 2


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security, Update, Windows and tagged , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *