KB5019081 Cumulative Update for Windows Server 2022

KB5019081 is the latest cumulative update for Windows Server 2022 and Windows Server 2022 Server Core Installation. It was released on 8th November 2022 as part of Microsoft’s ‘Patch Tuesday’ program. We look at the key elements of KB5019081 below.

Salient points about KB5019081 for Windows Server 2022

  • KB5019081 is a cumulative update that supersedes October month’s cumulative update KB5018421. KB5018421 was released on 11th October 2022. You can read more about KB5018421 on this page.
  • KB5019081 also contains OOB (out of bound) update KB5020436 and preview update KB5018485. If you have not deployed KB5020436 and KB5018485 yet, you can skip these and install KB5019081 directly on the server.
  • If you are upgrading from KB5018421 to KB5019081, you will progress from server build 20348.1129 to 20348.1249. OOB update KB5020436 corresponds to server build 20348.1129 and preview update KB5018485 corresponds to server build 20348.1131.
  • Servicing Stack update version that corresponds to KB5019081 is 20348.1066. However, SSU is rolled into the cumulative update for Windows Server 2022. So, separate installation or deployment of Servicing Stack Update is not required for Windows Server 2022.
  • Windows Server 2022 is affected by 39 vulnerabilities as per Microsoft’s November 2022 security bulletin. 7 of these vulnerabilities have a ‘CRITICAL’ severity level and are shared below in the vulnerability section.
  • Four zero-day threats affect Windows Server 2022 and these are shared below for ready reference.

Issues and improvements in KB5019081 for Windows Server 2022

The following issue fixes and improvements have been reported for Windows Server 2022:

  • It addresses security vulnerabilities in the Kerberos and Netlogon protocols as outlined in CVE-2022-38023CVE-2022-37966, and CVE-2022-37967. For deployment guidance, see the following:
    • KB5020805: How to manage the Kerberos Protocol changes related to CVE-2022-37967
    • KB5021130: How to manage Netlogon Protocol changes related to CVE-2022-38023
    • KB5021131: How to manage the Kerberos Protocol changes related to CVE-2022-37966

Installing KB5019081 on Windows Server 2022

KB5019081 can be deployed automatically or manually. For automated deployment of KB5019081, we can use either of the following processes:

  • Windows Update
  • Windows Update for Business
  • WSUS or Windows Server Update Service

For WSUS, you will need to configure the Product classification as under:

  • Product: Microsoft Server operating system-21H2
  • Classification: Security Updates

You can also install KB5019081 manually. For this, you can use an offline installer file that is made available through the Microsoft Update Catalog page for KB5019081. You will need to download the MSU update file that corresponds to version 21H2 or 22H2 for Windows Server 2022. For ready reference, the direct download links for KB5019081 are shared below.

Cumulative Update for Windows Server 2022Size of the update
Download KB5019081 for Windows Server 2022 version 21H2312.9 MB
Download KB5019081 for Windows Server 2022 version 22H2312.9 MB

Post-deployment of KB5019081, the server may require a reboot.

Post-deployment issues after KB5019081

You may run into a variety of Kerberos authentication issues on Windows Server 2022 after the installation of KB5019081. The system log on the Event viewer may record the following message:

While processing an AS request for target service , the account did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 3. The accounts available etypes : 23 18 17. Changing or resetting the password of will generate a proper key.

Some of these issues on account of Kerberos authentication problems could be the following:

  • Domain user sign in might fail. This also might affect Active Directory Federation Services (AD FS) authentication.
  • Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server) might fail to authenticate.
  • Remote Desktop connections using domain users might fail to connect.
  • You might be unable to access shared folders on workstations and file shares on servers.
  • Printing that requires domain user authentication might fail.

There is no resolution yet, and Microsoft is working on providing a fix for the Kerberos authentication issues on Windows Server 2022.

Vulnerabilities on Windows Server 2022 – KB5019081

The following 7 vulnerabilities have ‘CRITICAL’ severity levels for Windows Server 2022.

VulnerabilityImpactSeverity
CVE-2022-41039Remote Code ExecutionCRITICAL with CVSS score 8.1
CVE-2022-41088Remote Code ExecutionCRITICAL with CVSS score 8.1
CVE-2022-37966Elevation of PrivilegesCRITICAL with CVSS score 8.1
CVE-2022-38015Denial of ServiceCRITICAL with CVSS score 6.5
CVE-2022-37967Elevation of PrivilegesCRITICAL with CVSS score 7.2
CVE-2022-41128Remote Code ExecutionCRITICAL with CVSS score 8.8
CVE-2022-41118Remote Code ExecutionCRITICAL with CVSS score 7.5
CVE-2022-41091Security Feature BypassIMPORTANT with CVSS score 6.5

Zero-day threats on Windows Server 2022 – KB5019081

The following four zero-day threats have been exploited in the recent past or are being exploited as we write this.

VulnerabilityImpactSeverity
CVE-2022-41091Windows Mark of the Web Security Feature Bypass Vulnerability5.4
CVE-2022-41125Elevation of Privileges on Windows CNG Key Isolation Service.7.8
CVE-2022-41128Remote Code Execution on Windows Scripting Languages (only affects Windows Server 2019, does not affect Windows Server 2019 Server Core installation).8.8
CVE-2022-41073Elevation of Privileges on Windows Print Spooler.7.8