KB5022894 is a security-only update for Windows Server 2012 R2 and Windows Server 2012 R2 Server core installation. It was released under the ‘Patch Tuesday’ project on 14th February 2023. The update contains fixes for security vulnerabilities on Windows Server 2012 R2.
KB5022894 has now been succeeded by KB5023764 security update for Windows Server 2012 R2 for the month of March 2023. You can read more about KB5023764 on this page.
Key points about KB5022894 for Windows Server 2012 R2
- KB5022894 is a standalone update that focuses on patching security vulnerabilities on the Windows Server 2012 R2.
- For complete security, all the previous security updates for Windows Server 2012 R2 should have been deployed on the server. The last security update for Windows Server 2012 R2 was released in January 2023. KB5022346 is the security update for January 2023.
- We suggest using the monthly rollup update KB5022899 for Windows Server 2012 R2 as it contains the cumulative update for Internet Explorer. KB5022894 is limited to security aspects only. The monthly rollup update is cumulative and exhaustive.
- Servicing Stack update KB5018922 needs to be deployed prior to installing KB5022894. This update was released in October 2022.
- The cumulative update for Internet Explorer KB5022835 needs to be deployed before installing KB5022894 for Windows Server 2012 R2. This is the latest update for Internet explorer and was released on 14th February.
- Windows Server 2012 R2 and Windows Server 2012 R2 Server core are impacted by 32 security vulnerabilities. Out of these 32 vulnerabilities, 3 vulnerabilities are ‘CRITICAL’ severity vulnerabilities. All these three vulnerabilities have a CVSS score of 9.8.
The three ‘CRITICAL’ vulnerabilities are shared below for your ready reference for Windows Server 2012 R2.
| Vulnerability | CVSS | Impact |
|---|---|---|
| CVE-2023-21689 | 9.8 | Remote Code Execution in Microsoft Protected Extensible Authentication Protocol (PEAP) |
| CVE-2023-21690 | 9.8 | Remote Code Execution in Microsoft Protected Extensible Authentication Protocol (PEAP) |
| CVE-2023-21692 | 9.8 | Remote Code Execution in Microsoft Protected Extensible Authentication Protocol (PEAP) |
Deployment of KB5022894 on Windows Server 2012 R2
KB5022894 can be installed using Windows Server Update Service (WSUS) and through an offline installer file.
The manual deployment happens through the MSU update file for Windows Server 2012 R2. Before applying the MSU update for KB5022894, you will need to deploy the SSU and the cumulative update for Internet explorer.
So, we will share the download links for the SSU, cumulative update for Internet explorer, and the security update KB5022894 below.
- Download KB5018922 Servicing stack update for Windows Server 2012 R2 from the Microsoft update catalog page for KB5018922. The SSU file has a size of 10.5 MB. No server restart is needed after installing the Servicing stack update.
- Download KB5022835 cumulative update for Internet Explorer 11 from the Microsoft update catalog page for KB5022835. The size of this update file is 55 MB.
- Once you have deployed the Servicing stack update and the cumulative update for Internet Explorer 11, you can download the security-only update KB5022894 from the Microsoft update catalog page for KB5022894. The size of the update file is 35.9 MB.
Since this is a standalone security update, KB5022894 is unavailable for deployment through the Windows update program.
Post-deployment issues after installing KB5022894
The domain join issue affects Windows Server 2012 R2 after the deployment of KB5022894. A brief issue summary has been shared by Microsoft:
After this update or a later Windows update is installed, domain join operations might be unsuccessful and error “0xaac (2732): NERR_AccountReuseBlockedByPolicy” occurs. Additionally, text stating “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy” might be displayed.
A workaround has been published by Microsoft under the security article KB5020276. You can read more about it on this page for KB5020276. We do expect that the fix will eventually form a part of one of the future releases of updates for Windows Server 2012 R2.
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.