KB5033369 is the cumulative update for Windows 11 version 21H2. Microsoft released it on 12 December 2023 as part of that month's ‘Patch Tuesday’ release.
- KB5033369 has been superseded by the KB5034121 cumulative update. You can read more about it on this KB5034121 page.
- KB5033369 is a cumulative update. The update supersedes the KB5032192 cumulative update released in November 2023.
- KB5033369 corresponds to Windows 11 21H2 build 22000.2652.
- KB5032192 corresponds to Windows 11 21H2 build 22000.2600.
- You will transition from build 2600 to 2652 when you upgrade from KB5032192 to KB5033369 on Windows 11 21H2.
- 16 security vulnerabilities affect Windows 11 21H2 editions for x64 platforms.
- 16 security vulnerabilities affect Windows 11 21H2 editions for ARM64 platforms.
- 3 of these security vulnerabilities carry a ‘CRITICAL’ severity for Windows 11 21H2 x64 and ARM64 deployments.
- A single zero-day threat affects the Windows 11 21H2 edition for x64 and ARM64 systems. This is the CVE-2023-20588 AMD vulnerability.
- Servicing Stack Update 22000.2592 corresponds to KB5032192 and KB5033369. It is a part of the cumulative update.
- There has been no new Servicing Stack Update release for December 2023. If you installed KB5032192, the Servicing Stack Update 22000.2592 would already have been deployed on the Windows 11 21H2 endpoint.
- Separate installation of the Servicing Stack Update is not needed for KB5033369.
We look at the download links for KB5033369 and the different vulnerabilities below. KB5033369 installer files are available for x64 and ARM64 systems.
Note that Windows 11 version 21H2 Home, Pro, Pro Education, and Pro for Workstations editions reached the end of service on October 10, 2023. The monthly security and quality updates will not be available for these Windows 11 21H2 editions.
KB5033369 can be applied automatically using the following methods:
- Windows Update
- Windows Update for Business
- WSUS or Windows Server Update Services
WSUS remains the preferred approach for rolling out updates to Windows 11 endpoints.
You can also deploy KB5033369 manually. For manual deployments, you need an offline installer file for KB5033369. The offline installer is provided as an MSU file, with separate files for x64 and ARM64 systems.
You can download the offline installer file for x64 or ARM64 platforms from the Microsoft Update Catalog site, or from the direct download links shared below.
- Download KB5033369 from the Microsoft Update Catalog site
- Direct download KB5033369 for Windows 11 21H2 for x64 edition – the size of the installer file is 356 MB
- Direct download KB5033369 for Windows 11 21H2 for ARM64 edition – the size of the installer file is 483.3 MB
Your Windows 11 21H2 system will reboot after KB5033369 is deployed.
If you have already deployed KB5032192, only the incremental changes of KB5033369 will be installed on the Windows 11 21H2 system. This incremental update process is generally fast.
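The build numbers above give a direct way to confirm the patch level of an endpoint before and after deployment. The following PowerShell script is an added example, not Microsoft's or the author's code: it classifies the machine against builds 22000.2600 and 22000.2652 and, if given an MSU path, runs the offline installer. `$MsuPath`, `Get-PatchState` and the state names are hypothetical; run it from an elevated session.

```powershell
# Added example. $MsuPath is a hypothetical parameter: the path to the MSU you
# downloaded for this machine's architecture (x64 or ARM64).
param([string]$MsuPath)

# Build revisions quoted in the article for Windows 11 21H2 (build 22000).
$NovemberUbr = 2600   # KB5032192
$DecemberUbr = 2652   # KB5033369

function Get-PatchState {
    param([int]$Build, [int]$Ubr)
    if ($Build -ne 22000)      { return 'NotWindows11_21H2' }
    if ($Ubr -ge $DecemberUbr) { return 'KB5033369OrLater' }
    if ($Ubr -ge $NovemberUbr) { return 'KB5032192Level' }
    return 'OlderThanKB5032192'
}

# CurrentBuild (string) and UBR (DWORD) together form the build shown by winver.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$state = Get-PatchState -Build ([int]$cv.CurrentBuild) -Ubr ([int]$cv.UBR)

# Secondary signal only: the KB may not be listed once a later cumulative
# update has replaced it, so the build revision is the value to rely on.
$listed = [bool](Get-HotFix -Id 'KB5033369' -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    Build        = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
    PatchState   = $state
    HotFixListed = $listed
}

# Install only when the machine is 21H2 and below the December revision.
if ($MsuPath -and $state -in 'KB5032192Level', 'OlderThanKB5032192') {
    $p = Start-Process -FilePath 'wusa.exe' -Wait -PassThru `
         -ArgumentList "`"$MsuPath`"", '/quiet', '/norestart'
    # 0 = installed, 3010 = installed and a reboot is pending.
    switch ($p.ExitCode) {
        0       { 'Installed.' }
        3010    { 'Installed; reboot required to reach build 22000.2652.' }
        default { "wusa.exe exited with code $($p.ExitCode)." }
    }
}
```

Because `/norestart` is used, schedule the reboot yourself and rerun the script afterwards to confirm the `KB5033369OrLater` state.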
Windows 11 21H2 x64 edition is affected by 16 security vulnerabilities and ARM64 edition is affected by 16 security vulnerabilities. We discuss the zero-day threat and three CRITICAL threats that impact Windows 11 21H2 for x64 and ARM64 systems.
The following is the zero-day threat affecting Windows 11 version 21H2 for x64 and ARM64 systems. A zero-day threat is publicly disclosed and already exploited by various threat actors. Therefore, it is imperative that the zero-day vulnerabilities are patched on a priority basis.
The following zero-day threat was first reported in August 2023. It has been mitigated in the current Windows Update cycle. Therefore, we suggest immediate deployment of the cumulative update KB5033369 for Windows 11 21H2.
- CVE-2023-20588: A division-by-zero error on some AMD processors can potentially return speculative data resulting in loss of confidentiality.
The 3 CRITICAL vulnerabilities affecting Windows 11 21H2 are shared below. All these vulnerabilities could lead to ‘Remote Code Execution’ attacks.
- Remote Code Execution: This threat impacts the Internet Connection Sharing (ICS). Successful exploitation of this vulnerability requires the attacker to modify an option->length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message. This attack is limited to systems connected to the same network segment as the attacker.
- Remote Code Execution: This vulnerability arises on account of Windows MSHTML Platform. The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane. This could result in the attacker executing remote code on the victim’s machine.
- Remote Code Execution: This threat affects the Internet Connection Sharing (ICS). To exploit this vulnerability, an attacker would need to send a maliciously crafted DHCP message to a server that runs the Internet Connection Sharing service. This attack is limited to systems connected to the same network segment as the attacker.
Post-deployment issues – KB5033369
After installing KB5031358, you may experience a reporting issue in the BitLocker configuration service provider. This issue continues after installing KB5032192 and KB5033369 as well. Microsoft is working on a resolution for the issue.
Using the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node in mobile device management (MDM) apps might incorrectly show a 65000 error in the “Require Device Encryption” setting for some devices in your environment. Affected environments are those with the “Enforce drive encryption type on operating system drives” or “Enforce drive encryption on fixed drives” policies set to enabled and selecting either “full encryption” or “used space only”. Microsoft Intune is affected by this issue but third-party MDMs might also be affected.
It may be worth repeating that the issue is a reporting issue and does not impact the actual drive encryption.
Microsoft is working on providing a resolution for the issue.
KB5033369 – Changelog
The following changes are part of the KB5033369 cumulative update for Windows 11 21H2 editions:
- This update affects the Netherlands time zone. It adds the recent man-made landmass outside of Rotterdam to the shape files.
- This update affects Microsoft Defender for Endpoint (MDE). It enables Conditional Access (CA) scenarios.
- This update addresses security issues for your Windows operating system.
December 2023 Cumulative or Security Updates
- KB5033371 for Windows 10 version 1809
- KB5033373 for Windows 10 version 1607
- KB5033379 for Windows 10
- KB5033372 for Windows 10 21H2 and 22H2
- KB5033375 Cumulative Update for Windows 11 22H2 and 23H2
- KB5033369 Cumulative Update for Windows 11 21H2
- KB5033420 Monthly Rollup Update for Windows Server 2012 R2
- KB5033429 Monthly Rollup Update for Windows Server 2012
- KB5033383 Cumulative Update for Windows Server 2022
- KB5033118 Cumulative Update for Windows Server 2022
- KB5033371 Cumulative Update for Windows Server 2019
- KB5033373 Cumulative Update for Windows Server 2016
- Microsoft Edge upgrades to version 120.0.2210.61
November 2023 Cumulative or Security Updates
- KB5032196 Cumulative Update for Windows Server 2019
- KB5032197 Cumulative Update for Windows Server 2016
- KB5032198 Cumulative Update for Windows Server 2022
- KB5032247 Monthly Rollup Update for Windows Server 2012
- KB5032249 Monthly Rollup for Windows Server 2012 R2
- KB5032190 Windows 11 22H2 and 23H2 Editions
- KB5032192 for Windows 11 21H2 edition
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.