Download KB5020023 for Windows 8.1 and Windows RT 8.1

KB5020023 is the monthly rollup update for Windows Server 2012 R2 and Windows 8.1. This monthy rollup update supersedes KB5018474 monthly rollup update that was released in October 2022. For this post, we are specifically looking at update files for Windows 8.1 and Windows RT 8.1.

Salient points about KB5020023 for Windows 8.1 and Windows RT 8.1

  • KB5020023 is a cumulative update and it replaces KB5018474.
  • KB5020023 contains all the changes that are part of the security-only update KB5020010 for Windows 8.1 and Windows RT 8.1.
  • KB5018922 is the Servicing Stack Update that corresponds to KB5020023. Microsoft recommends installing KB5018922 prior to installing KB5020023.
  • Internet Explorer Cumulative Update KB5019958 is included in KB5020023. So, there is no need to install it separately.
  • If you install a language pack on Windows 8.1 after installing KB5020023, the monthly rollup update will be rendered ineffective. So, you will need to deploy the monthly rollup update again.
  • For the Kerberos authentication issues, OOB update KB5021653 has been released on 17th November 2022.
  • The actual sequence for the monthly rollup update for Windows 8.1 would be to install KB5018922, follow it up with installing KB5020023, and then install the OOB update KB5021653.
  • KB5020023 is also available for Windows Server 2012 R2. You can read more about Windows Server 2012 R2 KB5020023 on this page.

Download KB5020023 for Windows 8.1 and Windows RT 8.1

You can deploy KB5020023 through an offline installer file. The MSU update file can be downloaded from the Microsoft Update Catalog page for KB5020023. For ready reference, we share the direct download link for KB5020023 for Windows 8.1 and Windows RT 8.1.

Before installing the downloaded file for KB5020023, please ensure that you have downloaded the KB5018922 Servicing Stack Update file as well. It needs to be deployed prior to installing KB5020023.

Windows versionDownload updateUpdate size
Windows 8.1 x86Download KB5020023368.3 MB
Windows 8.1 x64Download KB5020023567.6 MB
Windows 8.1 x86Download KB50189224.7 MB
Windows 8.1 x64Download KB501892210.5 MB

Deploy KB5020023 automatically

You can also deploy KB5020023 automatically on Windows 8.1 32-bit and x64 installations. For this, you can use one of the following preferred methods:

  • Windows Update
  • Microsoft Update
  • WSUS or Windows Server Update Service

If you choose WSUS, please configure the product category and classification as under:

  • Product: Windows 8.1, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro
  • Classification: Security update

For automated deployments of KB5020023, KB5018922 is offered automatically as part of the update process. No separate step is needed for SSU installation.

Post-deployment issues on KB5020023

Post-deployment of KB5020023, you may run into Kerberos authentication issues on Windows 8.1. This may lead to authentication issues as mentioned hereunder:

  • Domain user sign in might fail.
  • Remote Desktop connections using domain users might fail to connect.
  • Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server) might fail to authenticate.
  • Printing that requires domain user authentication might fail.
  • You might be unable to access shared folders on workstations and file shares on servers

In other words, user and service account authentication to the domain may be affected due to KB5020023 installation. The system log of ‘Event viewer’ may show the following error:

While processing an AS request for target service , the account did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 3. The accounts available etypes : 23 18 17. Changing or resetting the password of will generate a proper key.

These authentication issues have been resolved in out of band update KB5021653. The OOB update has been released on 17th November. It can be downloaded from the Microsoft Update Catalog site page for KB5021653. The download links for this OOB or emergency update are shared below.

Windows versionDownload OOB UpdateUpdate size
Windows 8.1 x86Download KB502165323.6 MB
Windows 8.1 x64Download KB502165336.2 MB

We would like to reiterate that the OOB update KB5021653 needs to be deployed only if you have deployed KB5020023. KB5021653 contains a fix for Kerberos authentication issues on Windows 8.1 and Windows 2012 R2. KB5021653 needs to co-exist with KB5020023.

Other issues resolved in KB5020023 for Windows 8.1

The following issues have been resolved or improvements brought into the Windows 8.1 installations as part of KB5020023 monthly rollup update:

  • Addresses a Distributed Component Object Model (DCOM) authentication hardening issue to automatically raise authentication level for all non-anonymous activation requests from DCOM clients. This will occur if the authentication level is less than RPC_C_AUTHN_LEVEL_PKT_INTEGRITY.
  • Updates the daylight-saving time (DST) for Jordan to prevent moving the clock back 1 hour on October 28, 2022. Additionally, changes the display name of Jordan standard time from “(UTC+02:00) Amman” to “(UTC+03:00) Amman”.
  • Addresses an issue where Microsoft Azure Active Directory (AAD) Application Proxy Connector cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: “The handle specified is invalid (0x80090301).”
  • Addresses an issue where, after installing the January 11, 2022 or later update, the Forest Trust creation process fails to populate the DNS name suffixes into the trust information attributes.
  • Addresses an issue where the Microsoft Visual C++ Redistributable Runtime does not load into the Local Security Authority Server Service (LSASS) when Protected Process Light (PPL) is enabled.
  • Addresses security vulnerabilities in the Kerberos and Netlogon protocols as outlined in CVE-2022-38023CVE-2022-37966, and CVE-2022-37967. For deployment guidance, see the following articles: