Patchday: Windows 10-Updates (July 13, 2021)

[German]On July 13, 2021 (second Tuesday of the month, Patchday at Microsoft), several cumulative updates were released for the supported Windows 10 builds (from RTM version to the current version 21H1). Here are some details about the respective patchday security updates.

A list of the updates can be found on this Microsoft website. I have pulled out the details below. Since March 2021, Microsoft has integrated the Servicing Stack Updates (SSUs) into the cumulative update. But that only applies to Windows 10 version 2004 and above, so there are still separate SSU installation for older Windows 10 versions.

Updates for Windows 10 Version 2004/20H2/21H1

For Windows 10 version 2004 released in May 2020, as well as Windows 10 version 20H2 offered via update search in October 2020 and Windows 10 version 21H1 released in May 2021,

Update KB5004237 for Windows 10 Version 2004/20H2/21H1

Cumulative Update KB5004237 raises the OS build for Windows 10 version 2004 to 19041.1110 and for Windows 10 version 20H2 to 19042.1110. For Windows 10 version 21H1, it becomes OS build 19043.1110. The update is available for Windows 10 version 2004, Windows 10 version 20H2, Windows 10 version 21H1, and for Windows Server version 2004, Windows Server version 20H2, and Windows Server version 21H1. It includes quality improvements but no new operating system features. The Legay Edge browser was removed from Windows 10 in April 2021. Here is the list of improvements, called highlights by Microsoft:

• Updates for verifying usernames and passwords.
• Updates to improve security when Windows performs basic operations.
• Updates an issue that might make printing to certain printers difficult. This issue affects various brands and models, but primarily receipt or label printers that connect using a USB port.

Microsoft notes that this update makes quality improvements to the servicing stack (is responsible for Microsoft updates). In addition, there are the following general fixes and improvements:

• Addresses an issue that might make printing to certain printers difficult. This issue affects various brands and models, but primarily receipt or label printers that connect using a USB port.
• Removes support for the PerformTicketSignature setting and permanently enables Enforcement mode for CVE-2020-17049. For more information and steps to enable full protection on domain controller servers, see Managing deployment of Kerberos S4U changes for CVE-2020-17049.
• Adds Advanced Encryption Standard (AES) encryption protections for CVE-2021-33757. For more information, see KB5004605.
• Addresses a vulnerability in which Primary Refresh Tokens are not strongly encrypted. This issue might allow the tokens to be reused until the token expires or is renewed. For more information about this issue, see CVE-2021-33779.
• Security updates to Windows Apps, Windows Management, Windows Fundamentals, Windows Authentication, Windows User Account Control (UAC), Operating System Security, Windows Virtualization, Windows Linux, the Windows Kernel, the Microsoft Scripting Engine, the Windows HTML Platforms, the Windows MSHTML Platform, and Windows Graphics.

Important: Prerequisite for the installation is an installed update KB5003173 from May 11, 2021. This was already the case with the preview update from May 2021 – so you can save the "cumulative" for Windows 10 2004 to 21H1 for the foreseeable future (thanks to Martin E. for the hint). This update is automatically downloaded and installed by Windows Update, but is also available in the Microsoft Update Catalog and via WSUS and WUfB. For the update, Microsoft states several known issues in the support article.

In addition, Microsoft has released an update directly for the Windows Update client to improve its reliability. This is rolled out outside of Windows Update if the machine is compatible and not an LTSC variant and updates were not blocked via GPO.

Updates for Windows 10 Version 1909

Windows 10 version 1903 is out of support on December 8, 2020. For Windows 10 version 1909 released in 2019, the following updates are available.

Update KB55004245 for Windows 10 Version 1909

Cumulative Update KB5004245 raises the Windows 10 V1909 OS build to 18363.1679. The update is available for Windows 10 Enterprise/Education version 1909 as well as Windows Server version 1909. The legacy Edge browser was removed back in April. The update includes quality improvements but no new operating system features. Here is the list of improvements, called highlights by Microsoft:

• Updates for verifying usernames and passwords.
• Updates to improve security when Windows performs basic operations.

In addition, the following fixes and improvements to Windows 10 version 1909 are provided:

• Adds Advanced Encryption Standard (AES) encryption protections for CVE-2021-33757. For more information, see KB5004605.
• Security updates to Windows Apps, Windows Management, Windows Fundamentals, Windows Authentication, Windows User Account Control (UAC), Operating System Security, Windows Virtualization, Windows Linux, the Windows Kernel, the Microsoft Scripting Engine, the Windows HTML Platforms, the Windows MSHTML Platform, and Windows Graphics.

This update is automatically downloaded and installed by Windows Update. This update is also available from the Microsoft Update Catalog and via WSUS and WUfB. Microsoft strongly recommends that you install the latest Service Stack Update (SSU) for your operating system before installing the latest Cumulative Update (LCU). For the update, Microsoft cites various issues that are documented in the support article.

In addition, Microsoft has released an update directly to the Windows Update client to improve its reliability. This is rolled out outside of Windows Update if the machine is compatible and not an LTSC variant and updates have not been blocked via GPO.

Updates for Windows 10 Version 1809

Windows 10 October 2018 Update (version 1809) has fallen out of support, but the following update is available for Windows 10 Enterprise 2019 LTSC and Windows Server 2019.

Update KB5004244 for Windows 10 Version 1809

Cumulative Update KB5004244 raises the OS build (according to MS) to 17763.2061 and includes quality improvements but no new OS features. Also for this Windows 10 version, which only receives updates for Enterprise, Education, IoT Enterprise LTSC (the rest of the variants are out of the security update supply on May 11, 2021), Microsoft provided the following improvements, called highlights:

• Updates to improve security when Windows performs basic operations.
• Updates for verifying usernames and passwords.

In addition, the following fixes and improvements to Windows 10 version 1909 are provided:

• Removes support for the PerformTicketSignature setting and permanently enables Enforcement mode for CVE-2020-17049. For more information and steps to enable full protection on domain controller servers, see Managing deployment of Kerberos S4U changes for CVE-2020-17049.
• Adds Advanced Encryption Standard (AES) encryption protections for CVE-2021-33757. For more information, see KB5004605.
• Addresses a vulnerability in which Primary Refresh Tokens are not strongly encrypted. This issue might allow the tokens to be reused until the token expires or is renewed. For more information about this issue, see CVE-2021-33779.
• Security updates to Windows Apps, Windows Management, Windows Fundamentals, Windows Authentication, Windows User Account Control (UAC), Operating System Security, Windows Fundamentals, Windows Virtualization, Windows Linux, the Windows Kernel, the Microsoft Scripting Engine, the Windows HTML Platforms, the Windows MSHTML Platform, and Windows Graphics.

See the notes about Kerberos S4U for domain controllers. This update is automatically downloaded and installed by Windows Update, but is also available from the Microsoft Update Catalog, via WSUS, and WUfB. Microsoft strongly recommends that you install the latest Service Stack Update (SSU) for your operating system before installing the latest Cumulative Update (LCU). Microsoft lists the known issue that the update causes. Error 0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND may occur during the update installation. Details can be found in the KB article.

In addition, Microsoft has released an update directly for the Windows Update client to improve its reliability. This is rolled out outside of Windows Update if the machine is compatible and not an LTSC variant and updates have not been blocked via GPO.

Updates for Windows 10 Version 1507 till 1607

Updates for the Enterprise LTSC versions are available for Windows 10 RTM up to version 1607. These updates are automatically downloaded and installed by Windows Update, but are available for download from the Microsoft Update Catalog (search by KB number). Before manual installation, the latest Servicing Stack Update (SSU) must be installed. Details can be found in the respective KB article.

• Windows 10 Version 1607: Update KB5004238 is now only available for Enterprise LTSC. The update lifts the OS build 14393.4530.
• Windows 10 Version 1507: Update KB5004249 is available for the RTM version (LTSC). The update upgrades the OS build to 10240.19003.

There was no update for the remaining Windows 10 versions, as these versions are no longer supported. Details about the above updates can be found in the respective Microsoft KB articles.

Similar articles:
Microsoft Office Patchday (July 6, 2021), Fix for Outlook Crashes
Out-of-Band Update closes Windows PrintNightmare Vulnerability (July 6, 2021)
PrintNightmare out-of-band update also for Windows Server 2012 and 2016 (July 7, 2021)
Microsoft Security Update Summary (July 13, 2021)
Patchday: Windows 10-Updates (July 13, 2021)
Patchday: Windows 8.1/Server 2012-Updates (July 13, 2021)
Patchday: Updates für Windows 7/Server 2008 R2 (July 13, 2021)
Patchday Microsoft Office Updates (July 13, 2021)