KB5033369 Cumulative Update for Windows 11 21H2

KB5033369 is the cumulative update for Windows 11 version 21H2. Microsoft released it on Patch Tuesday, 12 December 2023.

Salient points

  • KB5033369 has been superseded by the KB5034121 cumulative update. You can read more about it on this KB5034121 page.
  • KB5033369 is a cumulative update. The update supersedes the KB5032192 cumulative update released in November 2023.
  • KB5033369 corresponds to Windows 11 21H2 build 22000.2652.
  • KB5032192 corresponds to Windows 11 21H2 build 22000.2600.
  • You will transition from build 2600 to 2652 when you upgrade from KB5032192 to KB5033369 on Windows 11 21H2.
  • 16 security vulnerabilities affect Windows 11 21H2 editions for x64 platforms.
  • 16 security vulnerabilities affect Windows 11 21H2 editions for ARM64 platforms.
  • 3 of these security vulnerabilities carry a ‘CRITICAL’ severity for Windows 11 21H2 x64 and ARM64 deployments.
  • A single zero-day threat affects the Windows 11 21H2 edition for x64 and ARM64 systems. This is the CVE-2023-20588 AMD vulnerability.
  • Servicing Stack Update 22000.2592 corresponds to KB5032192 and KB5033369. It is a part of the cumulative update.
  • There has been no new Servicing Stack Update release for December 2023. If you installed KB5032192, the Servicing Stack Update 22000.2592 would already have been deployed on the Windows 11 21H2 endpoint.
  • Separate installation of the Servicing Stack Update is not needed for KB5033369.

We look at the download links for KB5033369 and the different vulnerabilities below. KB5033369 installer files are available for x64 and ARM64 systems.

Note that the Home, Pro, Pro Education, and Pro for Workstation editions of Windows 11 version 21H2 reached the end of service on October 10, 2023. The monthly security and quality updates will not be available for these Windows 11 21H2 editions.

Download KB5033369

KB5033369 can be applied automatically using the following methods:

  • Windows Update
  • Windows Update for Business
  • WSUS or Windows Server Update Services

WSUS remains the preferred method for rolling out updates to Windows 11 endpoints.

You can also deploy KB5033369 manually. For manual deployments, you need an offline installer file for KB5033369. The offline installer is provided as an MSU file, separately for x64 and ARM64 systems.

You can download the offline installer file for x64 or ARM64 platforms from the Microsoft Update Catalog site or from the direct download links shared below.

Your Windows 11 21H2 system will reboot after KB5033369 is deployed.

If you have already deployed KB5032192, only the incremental changes of KB5033369 will be installed on the Windows 11 21H2 system. This incremental update process is generally fast.

Vulnerabilities

Windows 11 21H2 x64 edition is affected by 16 security vulnerabilities and ARM64 edition is affected by 16 security vulnerabilities. We discuss the zero-day threat and three CRITICAL threats that impact Windows 11 21H2 for x64 and ARM64 systems.

Zero-day vulnerabilities

The following is the zero-day threat affecting Windows 11 version 21H2 for x64 and ARM64 systems. A zero-day threat is publicly disclosed and already exploited by various threat actors. Therefore, it is imperative that the zero-day vulnerabilities are patched on a priority basis.

The following zero-day threat was first reported in August 2023. It has been mitigated in the current Windows Update cycle. Therefore, we suggest immediate deployment of the cumulative update KB5033369 for Windows Server 11 22H2 and 23H2 editions.

| CVE details | CVSS | Severity | Impact | Description |
|---|---|---|---|---|
| CVE-2023-20588 | 5.5 | IMPORTANT | Information Disclosure | A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality. |

CRITICAL vulnerabilities

The 3 CRITICAL vulnerabilities affecting Windows 11 21H2 are shared below. All these vulnerabilities could lead to ‘Remote Code Execution’ attacks.

| CVE details | CVSS | Severity | Impact | Description |
|---|---|---|---|---|
| CVE-2023-35630 | 8.8 | CRITICAL | Remote Code Execution | This threat impacts the Internet Connection Sharing (ICS). Successful exploitation of this vulnerability requires the attacker to modify an option->length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message. This attack is limited to systems connected to the same network segment as the attacker. |
| CVE-2023-35628 | 8.1 | CRITICAL | Remote Code Execution | This vulnerability arises on account of Windows MSHTML Platform. The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane. This could result in the attacker executing remote code on the victim’s machine. |
| CVE-2023-35641 | 8.8 | CRITICAL | Remote Code Execution | This threat affects the Internet Connection Sharing (ICS). To exploit this vulnerability, an attacker would need to send a maliciously crafted DHCP message to a server that runs the Internet Connection Sharing service. This attack is limited to systems connected to the same network segment as the attacker. |
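
To confirm where a single endpoint stands against the build numbers and the ICS issues described above, the following PowerShell is an added example, not part of the original post or any Microsoft tooling. It compares the running build revision with 22000.2652 and reports whether the ICS service is running; the function name Test-Kb5033369Level and the priority labels are hypothetical, and SharedAccess is the Windows service name for ICS, which the page does not state.

```powershell
# Added example: triage one Windows 11 21H2 endpoint against KB5033369.
$TargetBuild = 22000   # Windows 11 21H2 build (from the page)
$TargetUbr   = 2652    # revision delivered by KB5033369 (from the page)

function Test-Kb5033369Level {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$Ubr
    )
    # Cumulative updates supersede each other, so any revision at or above 2652
    # on build 22000 carries the KB5033369 fixes, even when a later update
    # (for example KB5034121) has replaced it in the installed-update list.
    if ($Build -ne $TargetBuild) { return 'NotApplicable' }
    if ($Ubr -ge $TargetUbr)     { return 'Patched' }
    return 'Missing'
}

# Running build and update build revision (UBR) as recorded in the registry.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$state = Test-Kb5033369Level -Build ([int]$cv.CurrentBuild) -Ubr ([int]$cv.UBR)

# CVE-2023-35630 and CVE-2023-35641 concern Internet Connection Sharing, so an
# unpatched host with the ICS service running deserves attention first.
$ics        = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
$icsRunning = ($null -ne $ics) -and ($ics.Status -eq 'Running')

# Hypothetical priority labels for a patching queue.
$priority = 'None'
if ($state -eq 'Missing') {
    $priority = 'High'
    if ($icsRunning) { $priority = 'Urgent' }
}

# KbListed is informational only: it can be False on a patched machine once a
# superseding cumulative update is installed.
$kbListed = [bool](Get-HotFix -Id KB5033369 -ErrorAction SilentlyContinue)

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    OsBuild      = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
    Kb5033369    = $state
    KbListed     = $kbListed
    IcsRunning   = $icsRunning
    Priority     = $priority
}
```

The revision comparison is the signal to rely on; a host still at 22000.2600 (the KB5032192 level) reports Missing.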

Post-deployment issues – KB5033369

After installing KB5031358, you may experience a reporting issue in the BitLocker configuration service provider. This issue continues after installing KB5032192 and KB5033369 as well. Microsoft is working on a resolution for the issue.

Issue description

Using the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node in mobile device management (MDM) apps might incorrectly show a 65000 error in the “Require Device Encryption” setting for some devices in your environment. Affected environments are those with the “Enforce drive encryption type on operating system drives” or “Enforce drive encryption on fixed drives” policies set to enabled and selecting either “full encryption” or “used space only”. Microsoft Intune is affected by this issue but third-party MDMs might also be affected.

It may be worth repeating that the issue is a reporting issue and does not impact the actual drive encryption.

Microsoft is working on providing a resolution for the issue.

The following changes are part of the KB5033369 cumulative update for Windows 11 21H2 editions:

  • This update affects the Netherlands time zone. It adds the recent man-made landmass outside of Rotterdam to the shape files.
  • This update affects Microsoft Defender for Endpoint (MDE). It enables Conditional Access (CA) scenarios.
  • This update addresses security issues for your Windows operating system.


Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.