KB5028169 Cumulative Update for Windows Server 2016

KB5028169 is the latest cumulative update for Windows Server 2016, including the Server Core installation. The update is part of July’s ‘Patch Tuesday’ release.

KB5028169 has been superseded by the August 2023 cumulative update KB5029242. You can read more about the KB5029242 update on this page.

Salient points

  • KB5028169 is a cumulative update that supersedes KB5027219. KB5027219 was released in June as part of the June update cycle.
  • You can read more about the June cumulative update KB5027219 on this page.
  • KB5028169 also contains all changes that are part of the out-of-band (OOB) update KB5028623 released on 23rd June 2023. If you have not applied the OOB update yet, you can skip it and go straight to KB5028169.
  • KB5028169 corresponds to server build 14393.6185. The previous server build for the June cumulative update was 14393.5989. The OOB update corresponds to server build 14393.5996.
  • Servicing Stack Update KB5023788 needs to be deployed prior to installing KB5028169. This is a newer SSU, released on 14th March 2023, so ensure that it has already been installed.
  • Performance issues with Desktop Window Manager (DWM) have been addressed in this update.
  • 87 security vulnerabilities have been disclosed for Windows Server 2016 in July’s security bulletin. 6 of these vulnerabilities have a ‘CRITICAL’ severity level.
  • Four security vulnerabilities have a CVSS score of 9.8. Details of these threats are shared in the vulnerability section.
  • Six zero-day threats that affect Windows Server 2016 are also shared in the zero-day threat section below.

Download KB5028169

KB5028169 can be automatically applied using any one of the following programs:

  • Windows Update
  • Windows Update for Business
  • Windows Server Update Services (WSUS)

WSUS remains the preferred method to patch Windows Servers.

KB5028169 can also be applied manually with an offline installer file. The offline installer file has the .msu extension.

The offline installer file can be downloaded from the Microsoft Update Catalog page for KB5028169. Since SSU KB5023788 is also required as part of the installation, you will also need to download the offline installer file for the Servicing Stack Update.

The direct download links for the patch files are shared below.

Installing the Servicing Stack Update does not reboot the server. The cumulative update installation, however, completes only after a server reboot.

We always recommend scheduling a planned change management process to implement cumulative updates on Windows servers.
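A pre-change check for the sequence described above, as an added example that is not from the original post or from Microsoft: it compares the server's build revision against the three builds listed on this page, reports whether the SSU is visible, and flags running RRAS or Message Queuing services (the components in the CVSS 9.8 entries of the CRITICAL table). It assumes that `Get-HotFix` reports the SSU and that `RemoteAccess` and `MSMQ` are the service names in use.

```powershell
# Added example. KB numbers and build revisions are taken from this page.
$Baseline = 14393                      # Windows Server 2016 build family
$SsuKb    = 'KB5023788'                # prerequisite Servicing Stack Update
$UbrByLevel = [ordered]@{              # revision after "14393.", newest first
    'KB5028169 (July cumulative update)' = 6185
    'KB5028623 (June out-of-band)'       = 5996
    'KB5027219 (June cumulative update)' = 5989
}

function Get-PatchLevel {
    param([int]$Build, [int]$Ubr)
    if ($Build -ne $Baseline) { return 'Not build 14393 (not Windows Server 2016)' }
    foreach ($level in $UbrByLevel.GetEnumerator()) {
        if ($Ubr -ge $level.Value) { return "At or above $($level.Key)" }
    }
    return 'Below KB5027219 (June cumulative update)'
}

function Get-KB5028169Status {
    $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # Assumption: the SSU is listed by Get-HotFix (Win32_QuickFixEngineering).
    $ssu = Get-HotFix -Id $SsuKb -ErrorAction SilentlyContinue
    # Assumption: RemoteAccess = RRAS, MSMQ = Message Queuing service names.
    $svc = Get-Service -Name 'RemoteAccess', 'MSMQ' -ErrorAction SilentlyContinue |
           Where-Object Status -eq 'Running'
    $needsLcu = ([int]$cv.CurrentBuild -eq $Baseline) -and ([int]$cv.UBR -lt 6185)

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        Build           = "$($cv.CurrentBuild).$($cv.UBR)"
        PatchLevel      = Get-PatchLevel -Build $cv.CurrentBuild -Ubr $cv.UBR
        SsuReported     = [bool]$ssu
        NeedsKB5028169  = $needsLcu
        # Install the SSU first only when the LCU is missing and no SSU is seen.
        InstallSsuFirst = $needsLcu -and -not $ssu
        RunningServices = ($svc.Name -join ', ')
    }
}

Get-KB5028169Status | Format-List
```

A revision above 6185 means a later cumulative update is already installed, which also covers KB5028169.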


There are 87 vulnerabilities that have been disclosed for Windows Server 2016. We restrict our discussion to CRITICAL vulnerabilities and zero-day threats below.

CRITICAL vulnerabilities on Windows Server 2016

| CVE Details | Impact | CVSS Score | Severity | Comments |
|---|---|---|---|---|
| CVE-2023-35367 | Remote Code Execution | 9.8 | CRITICAL | Windows Routing and Remote Access Service (RRAS) is affected |
| CVE-2023-35365 | Remote Code Execution | 9.8 | CRITICAL | Windows Routing and Remote Access Service (RRAS) is affected |
| CVE-2023-35366 | Remote Code Execution | 9.8 | CRITICAL | Windows Routing and Remote Access Service (RRAS) is affected |
| CVE-2023-32057 | Remote Code Execution | 9.8 | CRITICAL | Microsoft Message Queuing is affected |
| CVE-2023-35352 | Security Feature Bypass | 7.5 | CRITICAL | Windows Remote Desktop is affected |
| CVE-2023-35297 | Remote Code Execution | 7.5 | CRITICAL | Windows Pragmatic General Multicast (PGM) is affected |

Zero-day threats on Windows Server 2016

The following zero-day vulnerabilities affect Windows Server 2016 as per July’s security bulletin:

| CVE Details | Impact | CVSS | Severity | Comments |
|---|---|---|---|---|
| CVE-2023-32046 | Elevation of Privilege Vulnerability | 7.8 | Important | Windows MSHTML Platform is affected |
| CVE-2023-32049 | Security Feature Bypass Vulnerability | 8.8 | Important | Windows SmartScreen is affected |
| CVE-2023-35311 | Security Feature Bypass Vulnerability | 8.8 | Important | Microsoft Outlook is affected |
| CVE-2023-36874 | Service Elevation of Privilege Vulnerability | 7.8 | Important | Windows Error Reporting is affected |
| CVE-2023-36884 | Remote Code Execution Vulnerability | 8.3 | Important | Office and Windows HTML are affected |
| CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability | 6.7 | Important | An attacker with physical access or Administrative rights to a target device could install an affected boot policy. |

KB5028169 Changelog

The following changes or improvements are part of the KB5028169 cumulative update for Windows Server 2016:

  • This update addresses an issue that affects all the registry settings under the Policies paths. They might be deleted. This occurs when you do not rename the local temporary user policy file during Group Policy processing.
  • This update affects the Desktop Window Manager (DWM). It improves its reliability.
  • This update improves several simplified Chinese fonts and the Microsoft Pinyin Input Method Editor (IME). They now support GB18030-2022. Characters in the Standard Chinese Characters List (GB18030-2022 implementation level 2) are available in Microsoft Yahei (regular, light, and bold), Dengxian (optional font: regular, light, and bold), and Simsun. The Simsun Ext-B font (GB18030-2022 implementation level 3) now supports Unicode CJK Unified Ideographs Extensions E and F.


Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.