KB5028169 is the latest cumulative update for Windows Server 2016 and Windows Server 2016 Server Core installation. The update is part of July’s ‘Patch Tuesday’ release.
KB5028169 has been superseded by the August 2023 cumulative update KB5029242.
Salient points
- KB5028169 is a cumulative update that supersedes KB5027219. KB5027219 was released in June as part of the June update cycle.
- KB5028169 also contains all changes that are part of the out-of-band (OOB) update KB5028623 released on 23rd June 2023. If you have not applied the OOB update yet, you can skip it and go straight to KB5028169.
- KB5028169 corresponds to server build 14393.6185. The previous server build for the June cumulative update was 14393.5989. The OOB update corresponds to server build 14393.5996.
- Servicing Stack Update KB5023788 needs to be deployed prior to installing KB5028169. This SSU was released on 14th March 2023, so ensure that it has already been installed.
- Performance issues with Desktop Window Manager (DWM) have been addressed in this update.
- 87 security vulnerabilities have been disclosed for Windows Server 2016 in July’s security bulletin. 6 of these vulnerabilities have a ‘CRITICAL’ severity level.
- Four security vulnerabilities have a CVSS score of 9.8. Details of these threats are shared in the vulnerability section.
- Six zero-day threats that affect Windows Server 2016 are also shared in the zero-day threat section below.
Download KB5028169
KB5028169 can be automatically applied using any one of the following programs:
- Windows Update
- Windows Update for Business
- Windows Server Update Services (WSUS)
WSUS remains the preferred method to patch Windows Servers.
KB5028169 can also be applied manually with an offline installer file. The offline installer is a file with the .msu extension.
The offline installer file can be downloaded from the Microsoft Update Catalog page for KB5028169. Since SSU KB5023788 is also required as part of the installation, we will need to download the offline installer file for the Servicing Stack Update as well.
- Download KB5023788 SSU for Windows Server 2016 from Microsoft Update Catalog – This SSU was released in March 2023 and the file size is 11.7 MB.
- Download KB5028169 cumulative update for Windows Server 2016 – The size of the installer file for KB5028169 is 1642.5 MB.
Installing the Servicing Stack Update does not reboot the server. The installation of the cumulative update, however, completes only after a server reboot.
We always recommend scheduling a planned change management process to implement cumulative updates on Windows servers.
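The build and prerequisite checks from this section, as an added PowerShell example (not code from the original article or from Microsoft). The `-SsuMsu` and `-CuMsu` parameters are hypothetical names for the paths of the two .msu files you downloaded, and the script assumes the SSU is listed by `Get-HotFix`; if it is not found, verify manually before installing.

```powershell
# Added example. Run from an elevated PowerShell session on the server.
param(
    [string]$SsuMsu,  # path to the KB5023788 .msu you downloaded (placeholder)
    [string]$CuMsu    # path to the KB5028169 .msu you downloaded (placeholder)
)

$TargetUbr = 6185     # KB5028169 corresponds to build 14393.6185

function Install-Msu([string]$Path) {
    # wusa.exe installs .msu packages; /norestart leaves the reboot to the change window
    $p = Start-Process -FilePath wusa.exe -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { 'installed' }
        3010    { 'installed, reboot required' }
        2359302 { 'already installed' }
        default { throw "wusa.exe failed for $Path with exit code $($p.ExitCode)" }
    }
}

# CurrentBuild and UBR together give the full build, e.g. 14393.6185
$cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ubr = [int]$cv.UBR
'Current build: {0}.{1}' -f $cv.CurrentBuild, $ubr

if ($cv.CurrentBuild -ne '14393') { throw 'Not Windows Server 2016 (build 14393).' }
if ($ubr -ge $TargetUbr) { 'KB5028169 level or later is already installed.'; return }

# Revisions named in the article: 5989 = June CU, 5996 = OOB KB5028623
if     ($ubr -ge 5996) { 'At OOB KB5028623 level; KB5028169 is missing.' }
elseif ($ubr -ge 5989) { 'At June KB5027219 level; KB5028169 is missing.' }
else                   { 'Older than the June CU; KB5028169 is missing.' }

# Prerequisite: the Servicing Stack Update must be in place before the cumulative update
$ssu = Get-HotFix -Id KB5023788 -ErrorAction SilentlyContinue
if (-not $ssu) {
    if (-not $SsuMsu) { throw 'SSU KB5023788 not found; supply -SsuMsu or verify manually.' }
    'SSU KB5023788: {0}' -f (Install-Msu $SsuMsu)
}

if ($CuMsu) {
    'KB5028169: {0}' -f (Install-Msu $CuMsu)
    'Reboot the server in the planned window to complete the cumulative update.'
}
```

Run without parameters, the script only reports the patch level and whether the SSU is present.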
Vulnerabilities
There are 87 vulnerabilities that have been disclosed for Windows Server 2016. We restrict our discussion to CRITICAL vulnerabilities and zero-day threats below.
CRITICAL vulnerabilities on Windows Server 2016
CVE Details | Impact | CVSS Score | Severity | Comments |
---|---|---|---|---|
CVE-2023-35367 | Remote Code Execution | 9.8 | CRITICAL | Windows Routing and Remote Access Service (RRAS) is affected |
CVE-2023-35365 | Remote Code Execution | 9.8 | CRITICAL | Windows Routing and Remote Access Service (RRAS) is affected |
CVE-2023-35366 | Remote Code Execution | 9.8 | CRITICAL | Windows Routing and Remote Access Service (RRAS) is affected |
CVE-2023-32057 | Remote Code Execution | 9.8 | CRITICAL | Microsoft Message Queuing is affected |
CVE-2023-35352 | Security Feature Bypass | 7.5 | CRITICAL | Windows Remote Desktop is affected |
CVE-2023-35297 | Remote Code Execution | 7.5 | CRITICAL | Windows Pragmatic General Multicast (PGM) is affected |
Zero-day threats on Windows Server 2016
The following zero-day vulnerabilities affect Windows Server 2016 as per July’s security bulletin:
CVE Details | Impact | CVSS | Severity | Comments |
---|---|---|---|---|
CVE-2023-32046 | Elevation of Privilege Vulnerability | 7.8 | Important | Windows MSHTML Platform is affected |
CVE-2023-32049 | Security Feature Bypass Vulnerability | 8.8 | Important | Windows SmartScreen is affected |
CVE-2023-35311 | Security Feature Bypass Vulnerability | 8.8 | Important | Microsoft Outlook is affected |
CVE-2023-36874 | Service Elevation of Privilege Vulnerability | 7.8 | Important | Windows Error Reporting is affected |
CVE-2023-36884 | Remote Code Execution Vulnerability | 8.3 | Important | Office and Windows HTML are affected |
CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability | 6.7 | Important | An attacker with physical access or Administrative rights to a target device could install an affected boot policy. |
KB5028169 Changelog
The following changes or improvements are part of the KB5028169 cumulative update for Windows Server 2016:
- This update addresses an issue that affects all the registry settings under the Policies paths. They might be deleted. This occurs when you do not rename the local temporary user policy file during Group Policy processing.
- This update affects the Desktop Window Manager (DWM). It improves its reliability.
- This update improves several simplified Chinese fonts and the Microsoft Pinyin Input Method Editor (IME). They now support GB18030-2022. Characters in the Standard Chinese Characters List (GB18030-2022 implementation level 2) are available in Microsoft Yahei (regular, light, and bold), Dengxian (optional font: regular, light, and bold), and Simsun. The Simsun Ext-B font (GB18030-2022 implementation level 3) now supports Unicode CJK Unified Ideographs Extensions E and F.
Microsoft July 2023 Security Updates
- KB5028232 Monthly Rollup update for Windows Server 2012
- KB5028233 Security Update for Windows Server 2012
- KB5028223 Security Update for Windows Server 2012 R2
- KB5028228 Monthly Rollup Update for Windows Server 2012 R2
- KB5028169 Cumulative Update for Windows Server 2016
- KB5028168 Cumulative Update for Windows Server 2019
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.