Patch Tuesday text next to the default backgrounds of Windows 7 8 and 10

Just like clockwork, Microsoft is today releasing cumulative updates to all supported Windows versions as part of its Patch Tuesday updates. These include Windows 10 versions that are fully supported – such as the three latest versions, and other SKUs that are supported for certain types of customers, along with Windows 8.1 and users that have opted for Windows 7 Extended Security Updates (ESUs).

While Windows 8.1 and 7 usually receive a single update a month, the firm released emergency updates for the PrintNightmare vulnerability earlier this month, which will also be bundled into these packages.

As is always the case with updates for Windows 8.1 and Windows 7, there are two types of updates. They are monthly rollup packages and security-only updates. While monthly rollups are automatically served through Windows Updates, security-only updates can be manually acquired from the Update Catalog and installed on systems.

For Windows 8.1 and the corresponding Windows Server release, the update is KB5004298, which can also be downloaded from the Update Catalog here. The improvements and fixes made in this update are as follows:

  • Addresses an issue in which 16-bit applications fail with an error message that states a general fault in VBRUN300.DLL.
  • Addresses an issue in which some EMFs built by using third-party applications that use ExtCreatePen and ExtCreateFontIndirect render incorrectly.
  • Adds Advanced Encryption Standard (AES) encryption protections for CVE-2021-33757. For more information, see KB5004605.
  • Removes support for the PerformTicketSignature setting and permanently enables Enforcement mode. For more information and additional steps to enable protection on domain controller servers, see Managing deployment of Kerberos S4U changes for CVE-2020-17049.
  • Security updates to Windows Apps, Windows Fundamentals, Windows Authentication, Windows Operating System Security, Windows Graphics, Microsoft Scripting Engine, Windows HTML Platforms, and Windows MSHTML Platform.

The security-only update for Windows 8.1 is served by KB5004285, which can be downloaded manually from here. The changelog is similar to that of the monthly rollup, bringing fixes for CVE-2021-33757 and removing the PerformTicketSignature setting. It also contains the single known issue found in the rollup.

The firm has listed one known issue that is common across both updates, which has been present for a long time. It is not clear when the renaming issue will be fixed. Here is the explanation of that issue provided by the company:

Symptom

Workaround

Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege.

Do one of the following:

  • Perform the operation from a process that has administrator privilege.
  • Perform the operation from a node that doesn’t have CSV ownership.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Windows 7 and Windows Server 2008 R2 SP1 users that have opted for ESUs will receive monthly rollup via KB5004289 that can be found for manual download here. The security-only update is KB5004307 which can be manually downloaded from here. The changelogs for both the monthly rollup and security-only update are identical to that of Windows 8.1, which is listed above.

The updates for Windows 7, however, have an additional known issue that might cause the update to fail. The rename bug in Cluster Shared Volume (CSV) folders affects this OS as well. Here is the changelog that details the additional issue:

Symptom

Workaround

After installing this update and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.

This is expected in the following circumstances:

  • If you are installing this update on a device that is running an edition that is not supported for ESU. For a complete list of which editions are supported, see KB4497181.
  • If you do not have an ESU MAK add-on key installed and activated.

If you have purchased an ESU key and have encountered this issue, please verify you have applied all prerequisites and that your key is activated. For information on activation, please see this blog post. For information on the prerequisites, see the "How to get this update" section of this article.

As usual, the monthly rollups will be served through Windows Update for supported devices. The security-only updates are to be manually pulled from the Update Catalog links.