KB5019961 Cumulative Update for Windows 11

KB5019961 is the latest cumulative update for Windows 11 computers. This cumulative update was released on November 8 as part of the ‘Patch Tuesday’ program. The update is available for x64 and ARM64 systems. We look at the key elements of KB5019961 below.

Salient points about KB5019961 for Windows 11

  • KB5019961 is a cumulative update that replaces or supersedes October month’s cumulative update KB5018418. You can read more about KB5018418 on this page.
  • KB5019961 corresponds to Windows 11 build 22000.1219. If you are upgrading from Windows 11 patched with KB5018418 to KB5019961, you will be upgrading from Windows 11 build 22000.1098 to 22000.1219.
  • KB5019961 also contains all the changes that are part of the out of band update KB5020387. KB5020387 corresponds to Windows 11 build 22000.1100. KB5020387 was released on 17th October 2022.
  • KB5019961 includes all changes that are part of the preview update KB5018483. KB5018483 corresponds to Windows 11 build 22000.1165.
  • If you have not deployed the OOB update KB5020387 or KB5018483 preview update, you can skip those. Installing KB5019961 will take care of the OOB and preview updates for you.
  • The Servicing Stack Update that corresponds to Windows 11 is 22000.1035. However, the SSU is rolled into the cumulative update for Windows 11. So, separate installation of SSU is not needed on Windows 11 computers.
  • Post-deployment of KB5019961, you may run into Kerberos authentication issues on Windows 11 computers. A fix is being worked upon as we write this.
  • Windows 11 x64 installations are affected by 37 vulnerabilities while Windows 11 ARM64 systems are affected by 35 vulnerabilities. 5 of these vulnerabilities have a ‘CRITICAL’ severity level for Windows 11 deployments.
  • Zero-day threats that affect Windows 11 x64 and ARM64 editions are CVE-2022-41091, CVE-2022-41073, CVE-2022-41125, and CVE-2022-41128. Details of these vulnerabilities are shared below.

Installing KB5019961 on Windows 11 computers

Windows 11 is a new operating system. You can install KB5019961 on Windows 11 x64 or ARM64 installations automatically through one of the following methods:

  • Windows Update
  • Windows Update for Business
  • WSUS or Windows Server Update Service

You can also deploy KB5019961 on Windows 11 manually through an offline installer file. You can download the offline installer file in MSU format from the Microsoft Update Catalog page for KB5019961. For ready reference, the direct download links of the update installer files are shared below for Windows 11 x64 and Windows ARM 64 editions.

Windows 11 EditionDownload KB5019961Size of the update file
Windows 11 x64Download KB5019961308.4 MB
Windows 11 ARM64Download KB5019961423.5 MB

Post-deployment issues on Windows 11 after installing KB5019961

Post-deployment of KB5019961 on Windows 11, you may run into the following issues on target computers:

Kerberos Authentication issues

  • Kerberos authentication issues on Windows 11 may result after installing KB5019961 on the system. There is no resolution yet. However, Microsoft is working on a solution that is likely to be part of future cumulative updates.
  • You may see the following errors in the system log of Event Viewer on your computers:
While processing an AS request for target service <service>, the account <account name> did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 3. The accounts available etypes : 23 18 17. Changing or resetting the password of <account name> will generate a proper key.

Kerberos authentications could cause one or more of the following errors:

  • Domain user sign in might fail. This also might affect Active Directory Federation Services (AD FS) authentication.
  • Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server) might fail to authenticate.
  • Remote Desktop connections using domain users might fail to connect.
  • You might be unable to access shared folders on workstations and file shares on servers.
  • Printing that requires domain user authentication might fail.

The Kerberos authentication issues affect Windows 11 computers that are part of the Active Directory networks. Standalone Windows 11 computers are not affected by the Kerberos authentication issues.

Direct Access Issues

Apart from the Kerberos authentication issues, you may also experience issues in using Direct Access to connect to your corporate network. You could resolve Direct Access connectivity issues on Windows 11 by restarting the system. Alternatively, you use the ‘Known Issue Rollback’ by installing a special group policy that can be applied for the corresponding Windows 11 versions.

Vulnerabilities on Windows 11 – KB5019961

There have been 37 vulnerability disclosures for Windows 11 x64 and 35 vulnerability disclosures for Windows 11 ARM64 systems. Out of these, we are sharing the five vulnerabilities that carry ‘CRITICAL’ severity levels for Windows 11.

VulnerabilityCVSSImpactSeverity
CVE-2022-410398.1Remote Code ExecutionCRITICAL
CVE-2022-410888.1Remote Code ExecutionCRITICAL
CVE-2022-380156.5Denial of ServiceCRITICAL
CVE-2022-411288.8Remote Code ExecutionCRITICAL
CVE-2022-411187.5Remote Code ExecutionCRITICAL

Windows 11 ARM64 deployments are not affected by CVE-2022-38015.

Zero-day vulnerabilities on Windows 11 – KB5019961

The following four zero-day threats affect Windows 11 x64 and Windows 11 ARM64 deployments.

VulnerabilityImpactSeverity
CVE-2022-41091Windows Mark of the Web Security Feature Bypass Vulnerability5.4
CVE-2022-41125Elevation of Privileges on Windows CNG Key Isolation Service.7.8
CVE-2022-41128Remote Code Execution on Windows Scripting Languages (only affects Windows Server 2019, does not affect Windows Server 2019 Server Core installation).8.8
CVE-2022-41073Elevation of Privileges on Windows Print Spooler.7.8

These vulnerabilities have been patched in KB5019961 for Windows 11 computers in x64 and ARM64 editions.