KB5019966 Cumulative Update for Windows Server 2019

KB5019966 is the November cumulative update for Windows Server 2019. It was released on November 8, 2022. Below, we discuss the main aspects of KB5019966 for Windows Server 2019.

Salient points about KB5019966 for Windows Server 2019

  • KB5019966 is the latest cumulative update and supersedes the October cumulative update KB5018419, which was released on October 11, 2022.
  • KB5019966 also contains all changes that are part of the OOB or out-of-band update KB5020438. The OOB update was released on October 17, 2022.
  • If you did not deploy the KB5020438 OOB update, you can skip it and instead install KB5019966 directly on the server.
  • If you are upgrading from KB5018419 to KB5019966, your server will be moving from build 17763.3532 to 17763.3650.
  • If you are upgrading after the OOB update KB5018419, you are moving from build 17763.3534 to 17763.3650.
  • Before installing KB5019966 on Windows Server 2019, you need to install the SSU or Servicing Stack Update KB5005112 on the server. This SSU was released in August 2021.
  • 7 ‘CRITICAL’ vulnerabilities affect Windows Server 2019 as per the latest Microsoft security reports. Details are shared below. A total of 37 vulnerabilities have been disclosed for Windows Server 2019 in the November ‘Patch Tuesday’ reports.
  • Zero-day vulnerability CVE-2022-41091 affects Windows Server 2019 and Windows Server 2019 Server Core installation. The threat is patched in KB5019966. Besides this, there are three other zero-day threats that affect Windows Server 2019. These threats are CVE-2022-41125, CVE-2022-41128 and CVE-2022-41073.
  • You may run into Kerberos authentication issues on Windows Server 2019 after deploying KB5019966. Microsoft released an out-of-band (OOB) update to address the Kerberos authentication issues on Windows Server 2019.
  • KB5021655 is the OOB update for Windows Server 2019 that resolves Kerberos authentication issues on the server after deploying KB5019966.

You can read more about the previous month’s cumulative update for Windows Server 2019 on this page for KB5018419.

Full sequence of steps for deploying KB5019966 on Windows Server 2019

For deploying the November cumulative updates on Windows Server 2019, you need to ensure that the following three steps are completed successfully:

  • Install the Servicing Stack Update prior to installing KB5019966. SSU KB5005112 needs to be installed on Windows Server 2019.
  • Once the SSU is deployed, install KB5019966. You can deploy it manually or automatically.
  • After installing KB5019966, deploy the OOB update KB5021655 on Windows Server 2019 to complete the patching.

OOB update KB5021655 will need to be deployed only if you have deployed the KB5019966 cumulative update. Both updates need to co-exist on the server.
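
The three-step order above, as an added example (not Microsoft's or this article's own script): a PowerShell check that reads the build revision and the installed hotfixes and reports which step is still pending. The function names `Test-KbInstalled` and `Get-PendingStep` are hypothetical; the KB numbers and build 17763.3650 are taken from this article.

```powershell
# Added example: report which step of the SSU -> LCU -> OOB sequence is pending.
# KB numbers and build 17763.3650 are taken from this article.
$Ssu = 'KB5005112'    # step 1: Servicing Stack Update
$Lcu = 'KB5019966'    # step 2: November cumulative update
$Oob = 'KB5021655'    # step 3: OOB update for the Kerberos issue
$LcuRevision = 3650   # revision (UBR) of build 17763.3650

function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Id)
    # Get-HotFix raises an error for an unknown KB; silence it and test the result.
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Get-PendingStep {
    param([int]$Build, [int]$Revision, [bool]$HasSsu, [bool]$HasLcu, [bool]$HasOob)

    if ($Build -ne 17763) {
        return "Build $Build is not 17763; this sequence does not apply."
    }
    # A superseded LCU may drop out of the hotfix list, so trust the revision too.
    $lcuPresent = $HasLcu -or ($Revision -ge $LcuRevision)
    if (-not $lcuPresent) {
        if (-not $HasSsu) { return "Step 1: install SSU $Ssu (no reboot expected)." }
        return "Step 2: install $Lcu (plan for a reboot)."
    }
    if ($HasOob) { return "Complete: $Lcu and $Oob are both present." }
    if ($Revision -gt $LcuRevision) {
        # Assumption: a newer update is installed; its own notes decide what is needed.
        return "Revision $Revision is newer than $LcuRevision; check that update's notes before adding $Oob."
    }
    return "Step 3: install $Oob to resolve the Kerberos authentication issue."
}

# Read the live build (e.g. 17763) and revision (UBR) from the registry.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Get-PendingStep -Build ([int]$cv.CurrentBuildNumber) -Revision ([int]$cv.UBR) `
    -HasSsu (Test-KbInstalled $Ssu) -HasLcu (Test-KbInstalled $Lcu) `
    -HasOob (Test-KbInstalled $Oob)
```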

Vulnerabilities affecting Windows Server 2019

37 ‘IMPORTANT’ or ‘CRITICAL’ vulnerabilities affect Windows Server 2019 and Windows Server 2019 Server Core installation. One of these is a zero-day threat and the seven others have a ‘CRITICAL’ impact on the affected servers. Details of these vulnerabilities are shared below in a ready reference table.

Vulnerability | Impact | Severity
CVE-2022-41039 | Remote Code Execution | CRITICAL with CVSS score 8.1
CVE-2022-41088 | Remote Code Execution | CRITICAL with CVSS score 8.1
CVE-2022-37966 | Elevation of Privileges | CRITICAL with CVSS score 8.1
CVE-2022-38015 | Denial of Service | CRITICAL with CVSS score 6.5
CVE-2022-37967 | Elevation of Privileges | CRITICAL with CVSS score 7.2
CVE-2022-41128 | Remote Code Execution | CRITICAL with CVSS score 8.8
CVE-2022-41118 | Remote Code Execution | CRITICAL with CVSS score 7.5
CVE-2022-41091 | Security Feature Bypass | IMPORTANT with CVSS score 6.5

Zero-day vulnerability on Windows Server 2019 under KB5019966

The following four zero-day threats affect Windows Server 2019.

Vulnerability | Impact | Severity
CVE-2022-41091 | Windows Mark of the Web Security Feature Bypass Vulnerability | 5.4
CVE-2022-41125 | Elevation of Privileges on Windows CNG Key Isolation Service. | 7.8
CVE-2022-41128 | Remote Code Execution on Windows Scripting Languages (only affects Windows Server 2019, does not affect Windows Server 2019 Server Core installation). | 8.8
CVE-2022-41073 | Elevation of Privileges on Windows Print Spooler. | 7.8

All these zero-day threats are being exploited or have been exploited in the recent past. This makes it imperative to install the cumulative update for Windows Server 2019.

Issues and Improvements in KB5019966 for Windows Server 2019

The following issues and improvements have been implemented as part of the KB5019966 cumulative update for Windows Server 2019.

  • New! It makes Microsoft compliant with US Government (USG) version 6 revision 1 (USGv6-r1).
  • It addresses an issue that affects Distributed Component Object Model (DCOM) authentication hardening. It automatically raises the authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. This occurs if the authentication level is below Packet Integrity.
  • It addresses a DCOM issue that affects the Remote Procedure Call Service (rpcss.exe). It raises the authentication level to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY instead of RPC_C_AUTHN_LEVEL_CONNECT if RPC_C_AUTHN_LEVEL_NONE is specified.
  • It stops the start of daylight saving time in Jordan at the end of October 2022. The Jordan time zone will permanently shift to the UTC + 3 time zone.
  • It addresses an issue that affects the Microsoft Azure Active Directory (AAD) Application Proxy connector. It cannot retrieve a Kerberos ticket on behalf of the user. The error message is, “The handle specified is invalid (0x80090301).”
  • It addresses an issue that affects the font of three Chinese characters. When you format these characters as bold, the width size is wrong.
  • It updates the Windows kernel vulnerable driver blocklist that is in the DriverSiPolicy.p7b file. This update also ensures that the blocklist is the same across Windows 10 and Windows 11. For more information, see KB5020779.
  • It addresses an issue that affects focus order. This issue occurs when you tab from the password field on a credentials page.
  • It addresses an issue that affects the Forest Trust creation process. It fails to add the Domain Name System (DNS) name suffixes to the trust information attributes. This occurs after you install the January 11, 2022, or later updates.
  • It addresses a timing condition in Remote Desktop. It causes a device to stop working during the licensing process.
  • It addresses an issue that affects Server Manager. It might reset the wrong disk when several disks have the same UniqueId. For more information, see KB5018898.
  • It addresses an issue that causes the Host Networking Service to stop working. This leads to traffic interruptions.
  • It addresses an issue that might occur when you enable deduplication. The issue might cause a deadlock.
  • It addresses security vulnerabilities in the Kerberos and Netlogon protocols as outlined in CVE-2022-38023, CVE-2022-37966, and CVE-2022-37967. For deployment guidance, see the following:
    • KB5020805: How to manage the Kerberos Protocol changes related to CVE-2022-37967
    • KB5021130: How to manage Netlogon Protocol changes related to CVE-2022-38023
    • KB5021131: How to manage the Kerberos Protocol changes related to CVE-2022-37966

Implementing KB5019966 on Windows Server 2019

KB5019966 can be implemented automatically through one of the following preferred methods:

  • Windows Update
  • Windows Update for Business
  • Windows Server Update Service or WSUS

While installing KB5019966, you need to ensure that the SSU KB5015112 from August 2021 is already deployed on the server.

You can also implement KB5019966 on Windows Server 2019 through an offline MSU installer file that can be downloaded from the Microsoft Update Catalog.

Download KB5005112 for Windows Server 2019 – This is a direct download link of the offline installer file for KB5005112. It will be needed before you deploy KB5019966 on Windows Server 2019. The size of the offline installer file for the Servicing Stack Update is 13.8 MB. Installing the SSU will not cause the server to reboot.

The ready download links for KB5019966 for Windows Server 2019 are shared below:

Download KB5019966 for Windows Server 2019 as an offline installer file – The size of the MSU installer file for Windows Server 2019 is 594 MB. Installing the MSU file will cause a server reboot.

Once you have deployed KB5019966, you need to download the OOB update KB5021655 for resolving Kerberos authentication issues on Windows Server 2019. You can download it directly from this link or use the Microsoft Catalog page for KB5021655 to download the MSU installer file.

If you wish to read more about the KB5019966 offline installer file, please do check out Microsoft’s catalog page for KB5019966.