KB5010359 – Windows Server 2016 – February Cumulative Update

Cumulative update KB5010359 for Windows Server 2016 was released on 8th February 2022. It replaces the January updates for Windows Server 2016, KB5009546 and the out-of-band update KB5010195. The update is 1541.5 MB in size, so plan your deployment with that in mind. This cumulative update brings a number of improvements and also fixes vulnerabilities in the server operating system. However, no critical vulnerabilities have been reported for Windows Server 2016. The update moves Windows Server 2016 to OS Build 14393.4946.

The salient points about KB5010359 for Windows Server 2016 are:

  • KB5010359 is a cumulative update. It supersedes the January updates KB5009546 and KB5010195.
  • The update file for Windows Server 2016 is a little under 1.5 GB.
  • There are no critical vulnerabilities that affect Windows Server 2016 in the February update. This assumes you have fully applied the previous month’s updates.
  • .NET framework needs to be patched with the latest patch for version 4.7.2 or 4.8.
  • Zero-day DNS vulnerability does not apply to the Windows Server 2016.

What critical vulnerabilities or zero-day vulnerabilities are patched for Windows Server 2016?

There has been discussion of critical and zero-day vulnerabilities for Windows Server. These vulnerabilities are listed below:

  • CVE-2022-21907 (HTTP Protocol Stack): This is a CVSS 9.8 vulnerability that exposes the server to remote code execution attacks through the HTTP protocol stack. However, it affects Windows Server 2019 or higher. CVE-2022-21907 does not affect Windows Server 2016.
  • CVE-2022-21984 (DNS Server): This is a CVSS 8.8 vulnerability. It can affect the Microsoft DNS Server and lead to remote code execution. However, it affects Windows 10, Windows 11, Windows Server version 20H2 and Windows Server 2022. The CVE-2022-21984 DNS Server vulnerability does not affect Windows Server 2016.

In terms of vulnerabilities, therefore, there are no critical severity vulnerabilities to talk about for the month of February.

How can I install the KB5010359 cumulative update for Windows Server 2016?

KB5010359 is a regular cumulative update, so it can be deployed through all the usual channels.

  • You can deploy KB5010359 on Windows Server 2016 automatically through Windows Update. The update will get automatically downloaded and patched on the server if Windows Update is configured properly.
  • KB5010359 can also be deployed through the Windows Update for Business.
  • Windows Server Update Service (WSUS) can be configured to import the KB5010359 update and patch the server automatically. You will need to configure the WSUS to work with Windows Server 2016 product and to download security updates.
  • Windows Server 2016 can also be patched with KB5010359 manually. To do so, download the patch from the Microsoft Update Catalog, where the MSU file is available for direct download. This update is a little under 1.5 GB in size.

You may have to plan a maintenance window to deploy KB5010359 on the server, as the patch may require a reboot.

Early adopters of the cumulative update report that KB5010359 works as expected. No issues have been reported after deploying KB5010359 on Windows Server 2016.

What bugs or improvements have been made in KB5010359?

KB5010359 includes a number of improvements and bug fixes for Windows Server 2016. In brief:

  • Fixes issue with failed LDAP bindings.
  • Updates daylight savings time to start in February 2022 instead of March 2022 in Jordan.
  • Updates the phone number for Windows Activation for locales that have the wrong phone number.
  • Fixes Windows error “IRQL_NOT_LESS_OR_EQUAL”.
  • Fixes an issue that causes the improper cleanup of Dynamic Data Exchange (DDE) objects. This prevents session teardown and causes a session to stop responding.
  • Fixes an issue with IKEEXT.dll that occurs on Always On VPN (AOVPN) and DirectAccess servers. The exception code is 0xC000005.
  • Fixes an issue that affects Administrative Template settings you configure using a Group Policy Object (GPO). When you change the value of the policy setting to NOT CONFIGURED, the system fails to remove the previous setting. This issue is most noticeable for roaming user profiles.
  • Resolved a memory leak that occurs when you call WinVerifyTrust().
  • Addresses a known issue that affects versions of Windows Server that are in use as a Key Management Services (KMS) host. Client devices running Windows 10 Enterprise LTSC 2016 might not activate.
  • Adds an audit event to Active Directory domain controllers that identifies clients that are not compliant with RFC 4456.
  • Fixes issue with Kerberos.dll that could stop working within the Local Security Authority Subsystem Service (LSASS).

What are the known issues in KB5010359 for Windows Server 2016?

There is a .NET framework issue that can cause issues in setting up Active Directory Forest Trust Information. This issue would happen if you had installed the previous month’s update – KB5009546 or KB5010195. The resolution for the .NET framework issue on Windows Server 2016 is provided below:

  • Update the .NET framework to version 4.7.2, 4.7.1, 4.7 or 4.62 as per the out of band update KB5011329. This update is 371 KB in size.
  • If you have been running .NET framework 4.8 on your server, please apply the out of band update KB5011264 to resolve the issue. This update file is of 358 KB size.
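
The checks described in the installation and known-issues sections can be scripted per host. The following is an added example, not taken from Microsoft's documentation or the original article: it compares the running build against OS Build 14393.4946, reports which of the two out-of-band .NET updates named above matches the installed .NET Framework, and wraps a manual MSU install. The function names and the `C:\Patches\KB5010359.msu` path are assumptions.

```powershell
# Added example: audit and (optionally) patch one Windows Server 2016 host.
# Run from an elevated session on the server.
$TargetBuild = 14393   # Windows Server 2016 build family
$TargetUbr   = 4946    # revision from this page: OS Build 14393.4946

function Get-PatchStatus {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR
    # A later cumulative update may replace the KB5010359 entry in the hotfix
    # list, so the build revision is the test; the KB lookup is informational.
    $listed = [bool](Get-HotFix -Id 'KB5010359' -ErrorAction SilentlyContinue)
    # .NET Framework 4.x 'Release' DWORD: 528040 or greater means 4.8 or later.
    $netKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty $netKey -ErrorAction SilentlyContinue).Release
    if (-not $release)           { $netFix = 'unknown' }
    elseif ($release -ge 528040) { $netFix = 'KB5011264' }   # .NET 4.8
    else                         { $netFix = 'KB5011329' }   # .NET 4.7.2 and earlier
    [pscustomobject]@{
        OSBuild         = "$build.$ubr"
        IsServer2016    = ($build -eq $TargetBuild)
        AtFebruaryLevel = ($build -eq $TargetBuild -and $ubr -ge $TargetUbr)
        KB5010359Listed = $listed
        DotNetRelease   = $release
        DotNetOobUpdate = $netFix   # relevant only if the forest trust issue applies
    }
}

function Install-Msu {
    param([Parameter(Mandatory)][string]$Path)   # local MSU from the Update Catalog
    if (-not (Test-Path -LiteralPath $Path)) { throw "MSU not found: $Path" }
    $p = Start-Process -FilePath 'wusa.exe' -Wait -PassThru `
         -ArgumentList "`"$Path`"", '/quiet', '/norestart'
    switch ($p.ExitCode) {
        0       { 'Installed' }
        3010    { 'Installed, reboot required' }
        2359302 { 'Already installed' }
        default { "wusa.exe failed with exit code $($p.ExitCode)" }
    }
}

$status = Get-PatchStatus
$status | Format-List
# Hypothetical path; uncomment inside the maintenance window.
# if ($status.IsServer2016 -and -not $status.AtFebruaryLevel) {
#     Install-Msu -Path 'C:\Patches\KB5010359.msu'
# }
```

Because `/norestart` is passed, a result of "Installed, reboot required" means the reboot still has to be scheduled; the build revision only changes after the restart.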

Can I install KB5010359 without installing January updates?

Yes, you can install KB5010359 without installing the January updates KB5009546 and KB5010195. The update supersedes the January update KB5009546. It includes the changes made in the previous month’s update, plus the incremental changes on top of KB5009546 needed to patch Windows Server 2016 completely.

This update file is a little under 1.5 GB in size, so you may have to plan its deployment in a longer maintenance window. Should you run into any issues, you can uninstall the patch from the Windows server.

Summary

KB5010359 cumulative update for Windows Server 2016 has quite a few improvements. Patching the Windows Server 2016 with KB5010359 will cover you if you had not installed the KB5009546 security update in the previous month. It may be worth noting that there are no critical vulnerabilities on Windows Server 2016 that have been patched in this month’s updates.
