KB5019081 is the latest cumulative update for Windows Server 2022 and Windows Server 2022 Server Core Installation. It was released on 8th November 2022 as part of Microsoft’s ‘Patch Tuesday’ program. We look at the key elements of KB5019081 below.
Salient points about KB5019081 for Windows Server 2022
- KB5019081 has now been replaced with KB5021249. KB5021249 is December month’s cumulative update and you can read more about KB5021249 on this page.
- KB5019081 is a cumulative update that supersedes October month’s cumulative update KB5018421. KB5018421 was released on 11th October 2022. You can read more about KB5018421 on this page.
- KB5019081 also contains OOB (out of bound) update KB5020436 and preview update KB5018485. If you have not deployed KB5020436 and KB5018485 yet, you can skip these and install KB5019081 directly on the server.
- If you are upgrading from KB5018421 to KB5019081, you will progress from server build 20348.1129 to 20348.1249. OOB update KB5020436 corresponds to server build 20348.1129 and preview update KB5018485 corresponds to server build 20348.1131.
- Servicing Stack update version that corresponds to KB5019081 is 20348.1066. However, SSU is rolled into the cumulative update for Windows Server 2022. So, separate installation or deployment of Servicing Stack Update is not required for Windows Server 2022.
- Windows Server 2022 is affected by 39 vulnerabilities as per Microsoft’s November 2022 security bulletin. 7 of these vulnerabilities have a ‘CRITICAL’ severity level and are shared below in the vulnerability section.
- Four zero-day threats affect Windows Server 2022 and these are shared below for ready reference.
Issues and improvements in KB5019081 for Windows Server 2022
The following issue fixes and improvements have been reported for Windows Server 2022:
- It addresses security vulnerabilities in the Kerberos and Netlogon protocols as outlined in CVE-2022-38023, CVE-2022-37966, and CVE-2022-37967. For deployment guidance, see the following:
Installing KB5019081 on Windows Server 2022
KB5019081 can be deployed automatically or manually. For automated deployment of KB5019081, we can use either of the following processes:
- Windows Update
- Windows Update for Business
- WSUS or Windows Server Update Service
For WSUS, you will need to configure the Product classification as under:
- Product: Microsoft Server operating system-21H2
- Classification: Security Updates
You can also install KB5019081 manually. For this, you can use an offline installer file that is made available through the Microsoft Update Catalog page for KB5019081. You will need to download the MSU update file that corresponds to version 21H2 or 22H2 for Windows Server 2022. For ready reference, the direct download links for KB5019081 are shared below.
| Cumulative Update for Windows Server 2022 | Size of the update |
|---|---|
| Download KB5019081 for Windows Server 2022 version 21H2 | 312.9 MB |
| Download KB5019081 for Windows Server 2022 version 22H2 | 312.9 MB |
Post-deployment of KB5019081, the server may require a reboot.
Post-deployment issues after KB5019081
You may run into a variety of Kerberos authentication issues on Windows Server 2022 after the installation of KB5019081. The system log on the Event viewer may record the following message:
While processing an AS request for target service , the account did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 3. The accounts available etypes : 23 18 17. Changing or resetting the password of will generate a proper key.
Some of these issues on account of Kerberos authentication problems could be the following:
- Domain user sign in might fail. This also might affect Active Directory Federation Services (AD FS) authentication.
- Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server) might fail to authenticate.
- Remote Desktop connections using domain users might fail to connect.
- You might be unable to access shared folders on workstations and file shares on servers.
- Printing that requires domain user authentication might fail.
There is no resolution yet, and Microsoft is working on providing a fix for the Kerberos authentication issues on Windows Server 2022.
Vulnerabilities on Windows Server 2022 – KB5019081
The following 7 vulnerabilities have ‘CRITICAL’ severity levels for Windows Server 2022.
| Vulnerability | Impact | Severity |
|---|---|---|
| CVE-2022-41039 | Remote Code Execution | CRITICAL with CVSS score 8.1 |
| CVE-2022-41088 | Remote Code Execution | CRITICAL with CVSS score 8.1 |
| CVE-2022-37966 | Elevation of Privileges | CRITICAL with CVSS score 8.1 |
| CVE-2022-38015 | Denial of Service | CRITICAL with CVSS score 6.5 |
| CVE-2022-37967 | Elevation of Privileges | CRITICAL with CVSS score 7.2 |
| CVE-2022-41128 | Remote Code Execution | CRITICAL with CVSS score 8.8 |
| CVE-2022-41118 | Remote Code Execution | CRITICAL with CVSS score 7.5 |
| CVE-2022-41091 | Security Feature Bypass | IMPORTANT with CVSS score 6.5 |
Zero-day threats on Windows Server 2022 – KB5019081
The following four zero-day threats have been exploited in the recent past or are being exploited as we write this.
| Vulnerability | Impact | Severity |
|---|---|---|
| CVE-2022-41091 | Windows Mark of the Web Security Feature Bypass Vulnerability | 5.4 |
| CVE-2022-41125 | Elevation of Privileges on Windows CNG Key Isolation Service. | 7.8 |
| CVE-2022-41128 | Remote Code Execution on Windows Scripting Languages (only affects Windows Server 2019, does not affect Windows Server 2019 Server Core installation). | 8.8 |
| CVE-2022-41073 | Elevation of Privileges on Windows Print Spooler. | 7.8 |
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.