KB5022842 is February 2023 cumulative update for Windows Server 2022 and Windows Server 2022 Server core installation. It was released on 14th February.
Key points about KB5022842
- KB5022842 supersedes KB5022291. KB5022291 was released in January 2023.
- KB5022842 corresponds to server build 20348.1547 while the KB5022291 update corresponded to server build 20348.1487. If you patched KB5022291, you will be upgrading from server build 20348.1487 to server build 20348.1547.
- Servicing stack update 20348.1540 corresponds to cumulative update KB5022842. It is included in the cumulative update. No separate installation of the Servicing Stack Update is needed for Windows Server 2022.
- Windows Server 2022 and Windows Server 2022 Server core installation are affected by 33 vulnerabilities. 3 of these vulnerabilities are ‘CRITICAL’ severity vulnerabilities with CVSS scores of 9.8.
- Windows Server 2022 and Windows Server 2022 Server core installation are impacted by CVE-2023-21823 zero-day vulnerability. This is a Remote Code Execution vulnerability in Windows Graphics Component. It has a CVSS rating of 7.8. The vulnerability has already been exploited.
- Windows Server 2022 and Windows Server 2022 Server core installation are also impacted by CVE-2023-23376. This vulnerability is an ‘Elevation of Privilege’ threat in the Windows Common Log File System Driver. The vulnerability has a CVSS score of 7.8 and has been exploited already.
The three ‘CRITICAL’ vulnerabilities are listed below for your ready reference. Each of these is a Remote Code Execution threat with CVSS score of 9.8 levels.
| Vulnerability | CVSS | Impact |
|---|---|---|
| CVE-2023-21689 | 9.8 | Remote Code Execution in Microsoft Protected Extensible Authentication Protocol (PEAP) |
| CVE-2023-21690 | 9.8 | Remote Code Execution in Microsoft Protected Extensible Authentication Protocol (PEAP) |
| CVE-2023-21692 | 9.8 | Remote Code Execution in Microsoft Protected Extensible Authentication Protocol (PEAP) |
Apart from this, you need to be aware of an issue on Windows Server 2022 running on VMWare ESXi servers. Microsoft has published a note wherein it states –
After installing KB5022842 on guest virtual machines (VMs) running Windows Server 2022 on some versions of VMware ESXi, Windows Server 2022 might not start up. Only Windows Server 2022 VMs with Secure Boot enabled are affected by this issue. Affected versions of VMware ESXi are versions vSphere ESXi 7.0.x and below.
Download KB5022842 for Windows Server 2022
You can download KB5022842 from the Microsoft update catalog. Or, you could download the offline installer file in the MSU format from the direct links shared below. You will need to pick Windows Server 2022 version 21H2 or 22H2 for the corresponding version of the update files.
- Download KB5022842 from the Microsoft catalog page
- Download KB5022842 for Windows Server 2022 version 21H2 – the size of this offline installer file is 317.7 MB
- Download KB5022842 for Windows Server 2022 version 22H2 – the size of the offline installer file is 317.7 MB
No SSU needs to be deployed separately on Windows Server 2022 as part of the update process.
Apart from the manual deployment of KB5022842, you can also choose to install KB5022842 automatically through one of the following ways:
- Windows Update
- Windows Update for Business
- WSUS or Windows Server Update Service
WSUS-based deployments will not work on Windows Server 2022 servers version 22H2. The updates will download to the WSUS server but might not propagate further to client devices. This issue is caused by the accidental removal of required Unified Update Platform (UUP) MIME types during the upgrade to Windows Server 2022 from a previous version of Windows Server i.e. Windows Server 2016 and Windows Server 2019.
KB5022842 Windows Server 2022 – Changelog
The following changes, bug fixes or improvements have been made as part of the KB5022842 update:
- It updates the text and web link for Windows Admin Center (WAC) notifications. These appear after you sign in to the desktop unless you have turned them off. The WAC notifications highlight the available Windows Server management options.
- This update addresses an issue that affects searchindexer.exe. It randomly stops you from signing in or signing out.
- This update addresses an issue that affects local Kerberos authentication. It fails if the local Key Distribution Center (KDC) service is not active.
- This update addresses an issue that affects cbs.log. This issue logs messages that are not error messages in cbs.log.
- This update addresses an issue that affects a virtual machine (VM) that has a dual stack IPv4 and IPv6 private IP (PIP) address. When you migrate the VM from one host to another, the PIPv6 address stays mapped to the old host’s IPv6 Physical Address (PA). Because of this, the IPv6 PIP stops working.
- This update addresses an issue that affects the Domain Name System (DNS) suffix search list. When you configure it, the parent domain might be missing.
- This update addresses an issue that affects all commands that change security tags. On Windows 11, version 22H2 computers, the change will fail if you update the Network Controller but not the Remote Server Administration Tools (RSAT) clients.
- This update addresses an issue that might occur when the Input Method Editor (IME) is active. Applications might stop responding when you use the mouse and keyboard at the same time.
- This update addresses an issue that might affect FindWindow() or FindWindowEx(). They might return the wrong window handle.
- This update addresses an issue that affects AppV. It stops file names from having the correct letter case (uppercase or lowercase).
- This update addresses an issue that affects Microsoft Edge. The issue removes conflicting policies for Microsoft Edge. This occurs when you set the MDMWinsOverGPFlag in a Microsoft Intune tenant and Intune detects a policy conflict.
- This update addresses an issue that affects Active Directory Federation Service (AD FS). The issue fails to apply the RequirePDC flag setting of “false.”
- This update addresses an issue that affects MSInfo.exe. It does not correctly report the enforcement status of the Windows Defender Application Control (WDAC) user mode policy.
- This update addresses an issue that affects the Resilient File System (ReFS) MSba tag. The issue causes a nonpaged pool leak.
- This update addresses an issue that affects the Resilient File System (ReFS). The issue causes high nonpaged pool usage, which depletes system memory.
- This update addresses an issue that affects parity virtual disks. Using Server Manager to create them fails.
You can read more about KB5022842 in the release notes published by Microsoft.
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.