Patchday: Windows 10-Updates (April 13, 2021)

On April 13, 2021 (second Tuesday of the month, patchday at Microsoft), various cumulative updates for the supported Windows 10 builds were released. Here are some details about each update.


A list of the updates can be found on this Microsoft website. I have compiled the details below. Since last month, Microsoft has integrated the Servicing Stack Updates (SSUs) into the cumulative update. But that only applies to Windows 10 version 2004 and above, so there are still separate SSU installations for older Windows 10 versions.

Updates for Windows 10 Version 2004/20H2

For Windows 10 version 2004 released in May 2020 and Windows 10 version 20H2 offered via update search in October 2020, Microsoft provides the same update packages mentioned below.

Update KB5001330 for Windows 10 Version 2004/20H2

Cumulative Update KB5001330 raises the OS build to 19041.928 for Windows 10 version 2004 and to 19042.928 for Windows 10 version 20H2. The update is available for Windows 10 version 2004, Windows 10 version 20H2, Windows Server version 2004 and Windows Server version 20H2. It includes quality improvements but no new operating system features. In addition, this update removes the Legacy Edge browser from Windows 10. Here is the list of improvements, called highlights by Microsoft:

  • Updates to improve security when Windows performs basic operations.
  • Updates to improve security when using input devices such as a mouse, keyboard, or pen.

Microsoft notes that this update makes quality improvements to the servicing stack (the component responsible for installing Microsoft updates). The SSU versions are raised to 19041.925 and 19042.925. In addition, the following fixes and improvements are made:

  • Addresses an issue in which a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerformTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, "KRB_GENERIC_ERROR", if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.
  • Addresses an issue with security vulnerabilities identified by a security researcher. Because of these security vulnerabilities, this and all future Windows updates will no longer contain the RemoteFX vGPU feature. For more information about the vulnerability and its removal, see CVE-2020-1036 and KB4570006. Secure vGPU alternatives are available using Discrete Device Assignment (DDA) in Windows Server LTSC releases (Windows Server 2016 and Windows Server 2019) and Windows Server SAC releases (Windows Server, version 1803 and later versions).
  • Addresses a potential elevation of privilege vulnerability in the way Azure Active Directory web sign-in allows arbitrary browsing from the third-party endpoints used for federated authentication. For more information, see CVE-2021-27092 and Policy CSP – Authentication.
  • Security updates to Windows App Platform and Frameworks, Windows Apps, Windows Input and Composition, Windows Office Media, Windows Fundamentals, Windows Cryptography, the Windows AI Platform, Windows Kernel, Windows Virtualization, and Windows Media.

This update is automatically downloaded and installed by Windows Update. This update is also available from the Microsoft Update Catalog and via WSUS. If error 0x800f0823 – CBS_E_NEW_SERVICING_STACK_REQUIRED occurs during installation, the latest standalone SSU (KB4598481) must be installed. For the update, Microsoft continues to cite various known issues in support article KB5001330.


In addition, Microsoft has released an update directly for the Windows Update client to improve its reliability. This is rolled out outside of Windows Update if the machine is compatible and not an LTSC variant and updates have not been blocked via GPO.

Updates for Windows 10 Version 1909

Windows 10 version 1903 has been out of support since December 8, 2020. The following updates are available for Windows 10 version 1909 released in 2019.

Update KB5001337 for Windows 10 Version 1909

Cumulative update KB5001337 raises the Windows 10 V1909 OS build to 18363.1500. The update is available for Windows 10 version 1909 as well as Windows Server version 1909. Also, this update removes the old Edge browser from this Windows 10 build. In addition, support will end on May 11, 2021 for this Windows version in Home and Pro as well as Pro Workstation and Server SAC editions. The update includes quality improvements but no new operating system features. Here is the list of improvements, called highlights by Microsoft:

  • Updates to improve security when Windows performs basic operations.
  • Updates to improve security when using input devices such as a mouse, keyboard, or pen.

In addition, the following fixes and improvements are made to Windows 10 version 1909:

  • Addresses an issue in which a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerformTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, "KRB_GENERIC_ERROR", if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.
  • Addresses an issue with security vulnerabilities identified by a security researcher. Because of these security vulnerabilities, this and all future Windows updates will no longer contain the RemoteFX vGPU feature. For more information about the vulnerability and its removal, see CVE-2020-1036 and KB4570006. Secure vGPU alternatives are available using Discrete Device Assignment (DDA) in Windows Server LTSC releases (Windows Server 2016 and Windows Server 2019) and Windows Server SAC releases (Windows Server, version 1803 and later versions).
  • Addresses a potential elevation of privilege vulnerability in the way Azure Active Directory web sign-in allows arbitrary browsing from the third-party endpoints used for federated authentication. For more information, see CVE-2021-27092 and Policy CSP – Authentication.
  • Security updates to Windows App Platform and Frameworks, Windows Apps, Windows Input and Composition, Windows Office Media, Windows Fundamentals, Windows Cryptography, the Windows AI Platform, Windows Hybrid Cloud Networking, the Windows Kernel, Windows Virtualization, and Windows Media.

This update is automatically downloaded and installed by Windows Update. This update is also available from the Microsoft Update Catalog and via WSUS. Microsoft strongly recommends that you install the latest Servicing Stack Update (SSU) for your operating system before you install the latest Cumulative Update (LCU). Microsoft lists various known issues for the update, which are documented in the support article.

In addition, Microsoft has released an update directly to the Windows Update client to improve its reliability. This is rolled out outside of Windows Update if the machine is compatible and not an LTSC variant and updates have not been blocked via GPO.

Updates for Windows 10 Version 1809

The following updates are available for Windows 10 October 2018 Update (version 1809) and Windows Server 2019.

Update KB5001342 for Windows 10 Version 1809

Cumulative Update KB5001342 raises the OS build (according to MS) to 17763.1879 and includes quality improvements but no new OS features. However, on May 11, 2021, this Windows 10 version drops out of support (applies to Enterprise, Education, IoT Enterprise). Here is the list of improvements, called highlights by Microsoft:

  • Updates to improve security when Windows performs basic operations.
  • Updates to improve security when using input devices such as a mouse, keyboard, or pen.

In addition, there are the following fixes and improvements to the Windows version:

  • Addresses an issue in which a principal in a trusted MIT realm fails to obtain a Kerberos service ticket from Active Directory domain controllers (DC). This occurs on devices that installed Windows Updates that contain CVE-2020-17049 protections and configured PerformTicketSignature to 1 or higher. These updates were released between November 10, 2020 and December 8, 2020. Ticket acquisition also fails with the error, "KRB_GENERIC_ERROR", if callers submit a PAC-less Ticket Granting Ticket (TGT) as an evidence ticket without providing the USER_NO_AUTH_DATA_REQUIRED flag.
  • Addresses an issue with security vulnerabilities identified by a security researcher. Because of these security vulnerabilities, this and all future Windows updates will no longer contain the RemoteFX vGPU feature. For more information about the vulnerability and its removal, see CVE-2020-1036 and KB4570006. Secure vGPU alternatives are available using Discrete Device Assignment (DDA) in Windows Server LTSC releases (Windows Server 2016 and Windows Server 2019) and Windows Server SAC releases (Windows Server, version 1803 and later versions).
  • Addresses a potential elevation of privilege vulnerability in the way Azure Active Directory web sign-in allows arbitrary browsing from the third-party endpoints used for federated authentication. For more information, see CVE-2021-27092 and Policy CSP – Authentication.
  • Security updates to Windows App Platform and Frameworks, Windows Apps, Windows Input and Composition, Windows Office Media, Windows Fundamentals, Windows Cryptography, the Windows AI Platform, Windows Hybrid Cloud Networking, the Windows Kernel, Windows Virtualization, and Windows Media.

This update is automatically downloaded and installed by Windows Update, but is also available from Microsoft Update Catalog. Microsoft strongly recommends that you install the latest Servicing Stack Update (SSU) for your operating system before installing the latest Cumulative Update (LCU). Microsoft lists a known issue for the update: error 0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND may occur during the update installation. Details can be found in the KB article.

In addition, Microsoft has released an update directly for the Windows Update client to improve its reliability. This is rolled out outside of Windows Update if the machine is compatible and not an LTSC variant and updates have not been blocked via GPO.

Updates for Windows 10 Version 1507 to 1803

For Windows 10 RTM up to version 1803, various updates are available for the LTSC versions and possibly the Enterprise versions. The Home and Pro variants, on the other hand, have fallen out of support. These updates are automatically downloaded and installed by Windows Update, but are also available for download from Microsoft Update Catalog (search for the KB number). Before manual installation, the latest Servicing Stack Update (SSU) must be installed. Details can be found in the respective KB article.

  • Windows 10 Version 1803: Update KB5001339 is now only available for Enterprise and Education. The update raises the OS build to 17134.2145.
  • Windows 10 Version 1607: Update KB5001347 is now only available for Enterprise LTSC. The update raises the OS build to 14393.4350.
  • Windows 10 Version 1507: Update KB5001340 is available for the RTM version (LTSC). The update raises the OS build to 10240.18906.

There was no update for the remaining Windows 10 versions, as these versions have fallen out of support. If in doubt, details on the above updates can be found in the respective Microsoft KB articles.
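To check whether machines have reached the OS builds listed in the sections above, the following added example (not part of the original post) compares build strings against those values. The function name `Test-April2021PatchLevel` is hypothetical, and the inventory rows are constructed sample data.

```powershell
# OS builds reached by the April 13, 2021 cumulative updates, as listed above,
# keyed by the Windows 10 build number (the part before the dot).
$April2021Baseline = @{
    19042 = @{ KB = 'KB5001330'; Ubr = 928 }    # version 20H2
    19041 = @{ KB = 'KB5001330'; Ubr = 928 }    # version 2004
    18363 = @{ KB = 'KB5001337'; Ubr = 1500 }   # version 1909
    17763 = @{ KB = 'KB5001342'; Ubr = 1879 }   # version 1809
    17134 = @{ KB = 'KB5001339'; Ubr = 2145 }   # version 1803
    14393 = @{ KB = 'KB5001347'; Ubr = 4350 }   # version 1607
    10240 = @{ KB = 'KB5001340'; Ubr = 18906 }  # version 1507
}

function Test-April2021PatchLevel {
    param([Parameter(Mandatory)][string]$Build)  # "19042.867" or "10.0.19042.867"

    if ($Build -notmatch '^(?:10\.0\.)?(\d{5})\.(\d+)$') {
        throw "Unrecognised build string: $Build"
    }
    $major = [int]$Matches[1]
    $ubr   = [int]$Matches[2]
    $entry = $April2021Baseline[$major]

    if ($null -eq $entry) {
        # No April 2021 update is listed for this build (e.g. 18362 = version 1903).
        $status = 'NoUpdateListed'; $kb = $null
    } elseif ($ubr -ge $entry.Ubr) {
        $status = 'Patched'; $kb = $null
    } else {
        $status = 'Missing'; $kb = $entry.KB
    }
    [pscustomobject]@{ Build = $Build; Status = $status; MissingKB = $kb }
}

# Constructed inventory rows (host names and builds are sample data).
$inventory = @'
Host,Build
WS-0001,10.0.19042.928
WS-0002,10.0.19041.867
WS-0003,10.0.18363.1440
SRV-0001,10.0.17763.1879
WS-0004,10.0.18362.1256
'@ | ConvertFrom-Csv

$inventory | ForEach-Object {
    $r = Test-April2021PatchLevel -Build $_.Build
    [pscustomobject]@{ Host = $_.Host; Build = $r.Build; Status = $r.Status; MissingKB = $r.MissingKB }
}
# Local machine: read CurrentBuild and UBR from
# HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion and pass "<CurrentBuild>.<UBR>".
```

A `NoUpdateListed` result means the post lists no April 2021 update for that build, which for versions such as 1903 means the release is out of support.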


3 Responses to Patchday: Windows 10-Updates (April 13, 2021)

  1. Joseph says:

    In our environment we have 64bit Windows 10 1909 machines managed by Microsoft Endpoint Configuration Manager 2010. We deploy the Microsoft updates through MECM. For the April updates the KB5001337 for Windows 10 Version 1909 update was not detected as required until we installed the April KB5001406 Servicing stack update for Windows 10, version 1909. The KB5001337 cumulative update was not detected as required with either the KB5001205 Servicing stack update for Windows 10, version 1909: March 25, 2021 or KB5001158 March 9, 2021 Servicing Stack Update (or both) installed.

    I'm just wondering if anyone else has seen this issue.

    Thanks!

    • guenni says:

      Got several comments on my German blog from admins, claiming that no new updates have been found.

  2. rich rosenlund says:

    Can you tell me what KB5003156 is for?

    On my test PC 20H2 I updated and was offered KB5001391, which works fine, but the above mentioned came with it.

    KB5003156 was not in the update history list. I use SIW to view updates that are hidden.
