KB5019970 Cumulative Update for Windows 10

KB5019970 is the latest cumulative update for the initial version of Windows 10. It was released on November 8, 2022, and covers 32-bit and x64 deployments of the original version of Windows 10. We look at some key points about KB5019970 below.

Salient points about KB5019970 for Windows 10

  • KB5019970 is a cumulative update for the original version of Windows 10 that was released in 2015.
  • KB5019970 supersedes KB5018425 cumulative update released in October 2022. You can read more about KB5018425 on this page.
  • KB5019970 also includes all the changes that are part of the out-of-band (OOB) update KB5020244, which was released on 18th October 2022.
  • Post-deployment of KB5019970, Windows 10 build should upgrade to 10240.19567. If you are upgrading from KB5018425 to KB5019970, you are moving from Windows 10 build 10240.19507 to 10240.19567.
  • Four zero-day vulnerabilities affect Windows 10 systems and these have been resolved in KB5019970. Details are shared in the vulnerability section.
  • KB5014024 is the Servicing Stack Update that corresponds to KB5019970. SSU KB5014024 needs to be deployed prior to installing KB5019970.

Installing KB5019970 on Windows 10

Before proceeding with installation, note that KB5019970 is the cumulative update for the original version of Windows 10 only. Newer Windows 10 versions have separate updates that need to be deployed.

KB5019970 can be applied automatically or manually.

For automated installations or deployments, you can use one of the following methods:

  • Windows Update
  • Windows Update for Business
  • WSUS (Windows Server Update Services)

For WSUS, configure the product and classification as follows:

  • Product: Windows 10
  • Classification: Security Updates

This should help you pull the corresponding security updates for Windows 10.

When you deploy KB5019970 through one of the automated methods, you will automatically get KB5014024 SSU as part of the deployment process. No additional action is needed to deploy KB5014024 for the automated patching process.

You can also install KB5019970 manually through an offline installer file. The MSU update file is available for download from the Microsoft Update Catalog page for KB5019970. For ready reference, the download links for 32-bit and x64 installations of Windows 10 are shared below.

| Windows 10 edition | Download update | Update size |
|---|---|---|
| Windows 10 version 1507 x86 edition | Download KB5019970 | 723.1 MB |
| Windows 10 version 1507 x64 edition | Download KB5019970 | 1235.9 MB |

Upon deployment of KB5019970, the computer may require a restart.

Note that you also need to deploy the KB5014024 Servicing Stack Update. You can download the update file from the Microsoft Update Catalog page for KB5014024, or you can download the MSU update file from the direct download links shared below.

| Windows 10 edition | Download update | Update size |
|---|---|---|
| Windows 10 version 1507 x86 edition | Download KB5014024 SSU | 5.3 MB |
| Windows 10 version 1507 x64 edition | Download KB5014024 SSU | 11.7 MB |

Servicing Stack Updates do not cause a system reboot.
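
The manual sequence described above (SSU KB5014024 first, then KB5019970, then confirm build 10240.19567) can be scripted as follows. This is an added example, not part of the original page or any Microsoft tooling; the two MSU paths are placeholders for wherever you saved the catalog downloads, and it assumes `Get-HotFix` reports both packages on your system.

```powershell
# Added example, not from the original page. MSU paths are placeholders.
$SsuKb     = 'KB5014024'                                # servicing stack update
$LcuKb     = 'KB5019970'                                # cumulative update
$SsuMsu    = 'C:\Patches\KB5014024-placeholder.msu'     # placeholder path
$LcuMsu    = 'C:\Patches\KB5019970-placeholder.msu'     # placeholder path
$TargetUbr = 19567                                      # 10240.19567 per this page

function Get-OsBuild {
    # CurrentBuild and UBR together form the build string shown by winver
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{ Major = [int]$cv.CurrentBuild; Ubr = [int]$cv.UBR }
}

function Test-KbInstalled([string]$Kb) {
    [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Install-Msu([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { throw "MSU not found: $Path" }
    $p = Start-Process -FilePath wusa.exe -Wait -PassThru `
             -ArgumentList "`"$Path`"", '/quiet', '/norestart'
    # 0 = installed, 3010 = installed and restart required, 2359302 = already installed
    if ($p.ExitCode -notin 0, 3010, 2359302) {
        throw "wusa.exe returned $($p.ExitCode) for $Path"
    }
    $p.ExitCode
}

# KB5019970 applies only to the original release (build 10240)
$before = Get-OsBuild
if ($before.Major -ne 10240) {
    throw "Build $($before.Major) is not the original Windows 10 release; use that version's update."
}

# The SSU goes on first; it does not trigger a restart
if (-not (Test-KbInstalled $SsuKb)) { Install-Msu $SsuMsu | Out-Null }

# Skip the cumulative update if this or a later build is already present
if ($before.Ubr -lt $TargetUbr) {
    if ((Install-Msu $LcuMsu) -eq 3010) { Write-Warning 'Restart required to finish KB5019970.' }
}

$after = Get-OsBuild
[pscustomobject]@{
    SsuInstalled = Test-KbInstalled $SsuKb
    LcuInstalled = Test-KbInstalled $LcuKb
    Build        = '{0}.{1}' -f $after.Major, $after.Ubr
    AtTarget     = $after.Ubr -ge $TargetUbr
}
```

Run it from an elevated PowerShell session; the reported build only changes to 10240.19567 after the restart that the cumulative update may require.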

Issues fixed and improvements in KB5019970

The following issues have been fixed or improvements made in KB5019970 for Windows 10.

  • It addresses an issue that affects Distributed Component Object Model (DCOM) authentication hardening. The update automatically raises the authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. This occurs if the authentication level is below Packet Integrity.
  • It stops the start of daylight saving time in Jordan at the end of October 2022. The Jordan time zone will permanently shift to the UTC + 3 time zone.
  • It addresses an issue that affects the Microsoft Azure Active Directory (AAD) Application Proxy connector. The connector cannot retrieve a Kerberos ticket on behalf of the user. The error message is, “The handle specified is invalid (0x80090301).”

KB5019970 Post-deployment issues on Windows 10

Post-deployment of KB5019970, you may experience Kerberos authentication issues that could cause one or all of the following errors:

  • Domain user sign in might fail. This also might affect Active Directory Federation Services (AD FS) authentication.
  • Group Managed Service Accounts (gMSA) used for services such as Internet Information Services (IIS Web Server) might fail to authenticate.
  • Remote Desktop connections using domain users might fail to connect.
  • You might be unable to access shared folders on workstations and file shares on servers.
  • Printing that requires domain user authentication might fail.

The system log in the Event viewer will display the following error log message:

While processing an AS request for target service , the account did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 3. The accounts available etypes : 23 18 17. Changing or resetting the password of will generate a proper key.

Microsoft is working on a permanent resolution for this issue. The fix is expected to be released in one of the future cumulative updates.
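
To check whether a machine has logged this error, the System log can be searched for the message text and the two etype lists pulled out for comparison. This is an added example, not from the original page; it matches on the message wording quoted above rather than on an event ID, and the `$Sample` string with its service and account names is constructed for illustration.

```powershell
# Added example, not from the original page. $Sample is a constructed message;
# the service and account names in it are made up.
$Sample = 'While processing an AS request for target service krbtgt, the account ' +
          'svc-example did not have a suitable key for generating a Kerberos ticket ' +
          '(the missing key has an ID of 1). The requested etypes : 18 3. The accounts ' +
          'available etypes : 23 18 17. Changing or resetting the password of ' +
          'svc-example will generate a proper key.'

# Kerberos encryption type numbers that appear in the message
$EtypeName = @{ 3  = 'DES-CBC-MD5';             17 = 'AES128-CTS-HMAC-SHA1-96'
                18 = 'AES256-CTS-HMAC-SHA1-96'; 23 = 'RC4-HMAC' }

function Get-EtypeList([string]$Message, [string]$Label) {
    # Returns the integers that follow "<Label> etypes :" in the message
    if ($Message -match "$Label etypes\s*:\s*([\d ]+)") {
        -split $Matches[1] | ForEach-Object { [int]$_ }
    }
}

function ConvertFrom-KdcKeyError([string]$Message, $Time = $null) {
    if ($Message -notmatch 'did not have a suitable key for generating a Kerberos ticket') {
        return   # not the error this page describes
    }
    $requested = @(Get-EtypeList $Message 'requested')
    $available = @(Get-EtypeList $Message 'available')
    $common    = @($requested | Where-Object { $available -contains $_ })
    [pscustomobject]@{
        Time      = $Time
        Requested = ($requested | ForEach-Object { "$_ ($($EtypeName[$_]))" }) -join ', '
        Available = ($available | ForEach-Object { "$_ ($($EtypeName[$_]))" }) -join ', '
        Common    = $common -join ', '
    }
}

# Parse the constructed sample, then the last 7 days of the local System log
ConvertFrom-KdcKeyError $Sample
Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = (Get-Date).AddDays(-7) } `
             -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-KdcKeyError $_.Message $_.TimeCreated }
```

For the sample, `Common` is `18`: the request and the account both list AES256, the same pattern as the etype lists in the message quoted above.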

Zero-day vulnerabilities on Windows under KB5019970

There are four zero-day threats on Windows 10 systems. These have been patched in KB5019970. The following vulnerabilities affect Windows 10:

| Vulnerability | Impact | Severity |
|---|---|---|
| CVE-2022-41091 | Windows Mark of the Web Security Feature Bypass Vulnerability | 5.4 |
| CVE-2022-41125 | Elevation of Privileges on Windows CNG Key Isolation Service. | 7.8 |
| CVE-2022-41128 | Remote Code Execution on Windows Scripting Languages (only affects Windows Server 2019, does not affect Windows Server 2019 Server Core installation). | 8.8 |
| CVE-2022-41073 | Elevation of Privileges on Windows Print Spooler. | 7.8 |