KB5031356 for Windows 10 versions 21H2 and 22H2

KB5031356 is the cumulative update for Windows 10 version 21H2 and version 22H2. The update was released on 10 October 2023 under the ‘Patch Tuesday’ program.

Salient points

  • KB5031356 is a cumulative update. It supersedes KB5030211 released in September 2023.
  • KB5031356 also includes all changes that are part of the preview update KB5030300. The preview update was released on 26 September 2023.
  • KB5031356 corresponds to build 19044.3570 for Windows 10 version 21H2.
  • KB5031356 corresponds to build 19045.2570 for Windows 10 version 22H2.
  • 73 security vulnerabilities affect the x64 version of Windows 10 version 21H2 and 22H2. 12 of these vulnerabilities have a ‘CRITICAL’ severity level. All these vulnerabilities have a potential ‘Remote Code Execution’ threat.
  • 71 security vulnerabilities affect the x86 versions of Windows 10 version 21H2 and version 22H2. 11 of these vulnerabilities have a ‘CRITICAL’ severity level. All these 11 vulnerabilities are ‘Remote Code Execution’ threats.
  • 71 security vulnerabilities affect the ARM64 version of Windows 10 version 21H2 and version 22H2. 11 of these vulnerabilities have a ‘CRITICAL’ severity level. All these 11 vulnerabilities are ‘Remote Code Execution’ threats.
  • Zero-day threat CVE-2023-44487 affects all platforms of Windows 10 version 21H2 and version 22H2. You can choose to deploy the KB5031356 security update or mitigate the risk as per the instructions shared below.
  • Zero-day threat CVE-2023-36563 also affects Windows 10 version 21H2 and version 22H2. This is patched in KB5031356.
  • Servicing Stack Update 19044.3562 corresponds to Windows 10 version 21H2. Separate installation of the SSU is not needed as it is included in the main security or cumulative update.
  • Servicing Stack Update 19045.3562 corresponds to Windows 10 version 22H2. Separate installation of the SSU is not needed as it is included in the main security or cumulative update.
  • KB5031356 can result in 2 issues on Windows 10 workstations. Microsoft has already shared workarounds for both.
  • This update may not install completely and may generate Error 8007000D (ERROR_INVALID_DATA). Microsoft has shared a workaround to resolve the installation issues for KB5031356.

KB5031356 Prerequisites for installation

For offline OS image servicing:

You need KB5011543 or later cumulative update on the system. KB5011543 was released in March 2022. If this is not possible, please install the May 2022 Servicing Stack Update KB5014032.

For WSUS or Microsoft Catalog packages:

You need KB5003173 cumulative update from May 2021 or later. If this is not possible, please install the August 2021 Servicing Stack Update KB5005260.

Download KB5031356

KB5031356 can be applied automatically using one of the following methods:

  • Windows Update
  • Windows Update for Business
  • WSUS or Windows Server Update Services

WSUS remains the preferred way to patch Windows 10 workstations. You will need to pull security updates for Windows 10 version 1903 and later.

For manual deployments, you need to download the offline installer file from the Microsoft Update Catalog site. The offline installer needs to be downloaded for the specific Windows 10 version on your computers. Or, you could use the direct download links shared below for the offline installer files for Windows 10 version 21H2 and version 22H2.

Download KB5031356 for Windows 10 version 21H2 and version 22H2

You will need to ensure that the offline installer file corresponding to the platform architecture is used. So, please pick the file relevant for x64, x86 or ARM64 platforms.

CVE-2023-44487 – Zero-day HTTP/2 Rapid Reset Attack Vulnerability

Windows 10 versions 21H2 and 22H2 are affected by CVE-2023-44487. This is a zero-day threat that could cause a ‘Denial of Service’ attack.

The threat has been patched in KB5031356 for Windows 10 versions 21H2 and 22H2. However, Microsoft has also published a mitigation plan.

There are 2 workarounds available for the HTTP/2 Rapid Reset Attack vulnerability.

  1. Disable HTTP/2 Protocol through the registry editor
  2. Limit the RST_STREAMS through the registry editor

Disable HTTP/2 Protocol on the web server

To mitigate CVE-2023-44487, you will need to create a new registry DWORD entry and disable the HTTP/2 protocol on the web server. Please follow the steps below:

  1. Use the registry editor to open HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters.
  2. Find DWORD value EnableHttp2Tls. Set it to 0 to disable HTTP/2 Protocol.
  3. Find DWORD value EnableHttp2Cleartext and set it to 0 to disable HTTP/2 Protocol.

It is always a good idea to create a system restore point on Windows 10 before making changes to the registry.

If you wish to enable the HTTP/2 Protocol, you can do so by setting the DWORD values to 1.

Limit RST_STREAMS on the webserver for CVE-2023-44487

If you cannot disable HTTP/2 Protocol on the webserver, you can limit the RST_STREAMS on the webserver to prevent a Rapid Reset attack.

You will need to alter the following registry keys:

| Registry key | Default value | Valid value range | Registry key function |
| --- | --- | --- | --- |
| Http2MaxClientResetsPerMinute | 400 | 0–65535 | Sets the allowed number of resets (RST_STREAMS) per minute for a connection. When you reach this limit, a GOAWAY message is sent to the client for the connection. |
| Http2MaxClientResetsGoaway | 1 | 0–1 | Disables or enables the GOAWAY message to send when you reach the limit. If you set this to 0, the connection ends as soon as you reach the limit. |

These registry keys have been added to the stack as part of the Windows Update process.
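
The two workarounds above (disabling HTTP/2, or limiting RST_STREAM resets) as an added PowerShell example; it is not code from Microsoft or from the original post. The function names are hypothetical, and the script assumes an elevated PowerShell session.

```powershell
# Added example: audit and apply the CVE-2023-44487 registry workarounds.
# Function names are hypothetical. Run in an elevated PowerShell session.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

function Get-Http2Mitigation {
    # A $null Value means the entry is absent from the registry.
    $names = 'EnableHttp2Tls', 'EnableHttp2Cleartext',
             'Http2MaxClientResetsPerMinute', 'Http2MaxClientResetsGoaway'
    $props = Get-ItemProperty -Path $HttpParams -ErrorAction SilentlyContinue
    foreach ($n in $names) {
        [pscustomobject]@{ Name = $n; Value = $props.$n }
    }
}

function Set-Http2Dword {
    param([string]$Name, [ValidateRange(0, 65535)][int]$Value)
    if (-not (Test-Path $HttpParams)) {
        New-Item -Path $HttpParams -Force | Out-Null
    }
    # -Force creates the DWORD or overwrites an existing one.
    New-ItemProperty -Path $HttpParams -Name $Name -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

function Disable-Http2 {
    # Workaround 1: switch HTTP/2 off over TLS and over cleartext.
    Set-Http2Dword -Name EnableHttp2Tls -Value 0
    Set-Http2Dword -Name EnableHttp2Cleartext -Value 0
}

function Set-Http2ResetLimit {
    param(
        [ValidateRange(0, 65535)][int]$PerMinute = 400,  # default value listed above
        [ValidateRange(0, 1)][int]$SendGoaway = 1        # 0 = end the connection at the limit
    )
    # Workaround 2: cap RST_STREAM resets per connection per minute.
    Set-Http2Dword -Name Http2MaxClientResetsPerMinute -Value $PerMinute
    Set-Http2Dword -Name Http2MaxClientResetsGoaway -Value $SendGoaway
}

# Record the state before and after the change.
Get-Http2Mitigation | Format-Table -AutoSize
Set-Http2ResetLimit -PerMinute 400 -SendGoaway 1   # or: Disable-Http2
Get-Http2Mitigation | Format-Table -AutoSize
```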

KB5031356 – Error 8007000D (ERROR_INVALID_DATA)

Microsoft has reported an installation issue with KB5031356. The installation may not complete, and Error 8007000D (ERROR_INVALID_DATA) may appear in the Update History, which can be accessed in Start > Settings > Windows Update > Update history.

To resolve the issue, you will need to use the Known-issue rollback. Known Issue Rollback (KIR) is a new capability that can quickly return an impacted device back to productive use if an issue arises during a Windows update.

To use the Known-issue rollback for KB5031356, please use the following steps:

  1. Run Command Prompt as Administrator.
  2. In the Command Prompt window, type the following command:
    Dism /online /cleanup-image /RestoreHealth
  3. Wait for the process to complete successfully, and then close the window.
  4. Install this update. To do this, select Start > Settings > Windows Update > Check for updates.

The Known-issue rollback does not resolve the issue immediately. You may have to wait for up to 48 hours for the resolution to propagate to endpoints and other business devices.

KB5031356 – 65000 Error in the “Require Device Encryption” setting

Another reporting issue affects BitLocker. Actual device encryption is not impacted.

Using the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node in mobile device management (MDM) apps might incorrectly show a 65000 error in the “Require Device Encryption” setting for some devices in your environment. 

Affected environments are those with the “Enforce drive encryption type on operating system drives” or “Enforce drive encryption on fixed drives” policies set to enabled and selecting either “full encryption” or “used space only”. Microsoft Intune is affected by this issue but third-party MDMs might also be affected.

To mitigate this issue in Microsoft Intune, you can set the “Enforce drive encryption type on operating system drives” or “Enforce drive encryption on fixed drives” policies to not configured.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.