KB5033371 Cumulative Update for Windows Server 2019

KB5033371 is a cumulative update for Windows Server 2019 and Windows Server 2019 Server Core installation. The update was released on 12 December as part of the ‘Patch Tuesday’ project of Microsoft.

  • KB5033371 has been superseded by KB5034127 in January 2024. You can read more about it on this page.
  • KB5033371 is a cumulative update that supersedes the KB5032196 cumulative update.
  • KB5032196 was released on 14 November 2023. You can read more about it on the KB5032196 page.
  • KB5033371 corresponds to build 17763.5206. KB5032196 corresponds to server build 17763.5122. If you had installed KB5032196, you would be transitioning from build 5122 to 5206.
  • KB5005112 is the Servicing Stack Update that needs to be installed before installing KB5033371. KB5005112 was released in August 2021. There is a high likelihood of the SSU being already installed on the server. If KB5005112 is already installed, you can skip to direct installation of KB5033371.
  • The issue with Bitlocker device encryption reporting continues to impact Windows Server 2019. It was first reported after the installation of October 2023 cumulative updates. Microsoft is working on providing a resolution.
  • 19 security vulnerabilities have been reported for Windows Server 2019 in the December 2023 security bulletin released by Microsoft.
  • 3 of these security vulnerabilities have a CRITICAL severity level.
  • 1 Zero-day threat affects Windows Server 2019. CVE-2023-20588 is the zero-day threat impacting AMD servers and could cause a ‘Loss of Confidentiality’. Details of the vulnerability are shared in the vulnerabilities section below.

Details of security vulnerabilities on Windows Server 2019 are listed in the vulnerabilities section below.

KB5033371 can be applied automatically using one of the following methods:

  • Windows Update
  • Windows Update for Business
  • WSUS or Windows Server Update Services

WSUS remains the most preferred method to automatically deploy security and cumulative updates.

For manual deployment of KB5033371, you will need to follow a 2-step process.

  • Ensure Servicing Stack Update KB5005112 is already installed. If not, download and install KB5005112.
  • Download and install KB5033371 cumulative update.

The download for the Servicing Stack Update and the cumulative update can be completed from the Microsoft Update Catalog site. The installer is available as offline installer file in the .MSU format.

The size of the Servicing Stack Update file is 13.8 MB. The server will not restart after installing the SSU.

KB5033371 for Windows Server 2019 can be downloaded from the Microsoft Update Catalog site. Or, you could use the direct download link below.

The size of the cumulative update KB5033371 is 621.6 MB. KB5033371 will cause a server reboot. Please plan for implementation as part of an organized change management process.

If you have already installed KB5032196, only incremental changes of KB5033371 will be downloaded and installed on the server. This will be a quick process.

19 security vulnerabilities affect Windows Server 2019 as part of the December 2023 security reports. 3 of these vulnerabilities are CRITICAL severity vulnerabilities. There is a single zero-day threat that affects Windows Server 2019.

We have listed the CRITICAL vulnerabilities and the zero-day threat for Windows Server 2019 below.

The zero-day vulnerabilities are publicly known and exploited vulnerabilities. Therefore, immediate patching needs to be carried out to mitigate the risk arising out of zero-day vulnerabilities within the IT infrastructure.

The following zero-day threat was first reported in August 2023. It has been mitigated in the current Windows Update cycle. Therefore, we suggest immediate deployment of the cumulative update KB5033371.

Windows Server 2019 is impacted by 3 CRITICAL ‘Remote Code Execution’ threats. The three CRITICAL security vulnerabilities on Windows Server 2019 are listed below.

CVE detailsCVSSSeverityImpact Description
CVE-2023-356308.8CRITICALRemote Code ExecutionThis threat impacts the Internet Connection Sharing (ICS).

Successful exploitation of this vulnerability requires the attacker to modify an option->length field in a DHCPv6 DHCPV6_MESSAGE_INFORMATION_REQUEST input message.
This attack is limited to systems connected to the same network segment as the attacker. 
CVE-2023-356288.1CRITICALRemote Code ExecutionThis vulnerability arises on account of Windows MSHTML Platform.

The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client. This could lead to exploitation BEFORE the email is viewed in the Preview Pane.

This could result in the attacker executing remote code on the victim’s machine.
CVE-2023-356418.8CRITICALRemote Code ExecutionThis threat affects the Internet Connection Sharing (ICS).

To exploit this vulnerability, an attacker would need to send a maliciously crafted DHCP message to a server that runs the Internet Connection Sharing service.

This attack is limited to systems connected to the same network segment as the attacker

KB5033371 reports the Bitlocker Device Encryption reporting issue. The issue was first reported after the deployment of the October 2023 cumulative update KB5031361. It is essential to note that the issue is a reporting issue only and actual device encryption is not impacted.

Using the FixedDrivesEncryptionType or SystemDrivesEncryptionType policy settings in the BitLocker configuration service provider (CSP) node in mobile device management (MDM) apps might incorrectly show a 65000 error in the “Require Device Encryption” setting for some devices in your environment. Affected environments are those with the “Enforce drive encryption type on operating system drives” or “Enforce drive encryption on fixed drives” policies set to enabled and selecting either “full encryption” or “used space only”. Microsoft Intune is affected by this issue but third-party MDMs might also be affected.

To mitigate this issue in Microsoft Intune, you can set the “Enforce drive encryption type on operating system drives” or “Enforce drive encryption on fixed drives” policies to not configured.

The following changes or improvements are part of the KB5033371 cumulative update for Windows Server 2019:

  • This update changes the English name of the former Republic of Turkey. The new, official name is the Republic of Türkiye.
  • This update affects the Netherlands time zone. It adds the recent man-made landmass outside of Rotterdam to the shape files.
  • This update affects Microsoft Defender for Endpoint (MDE). It enables Conditional Access (CA) scenarios.
  • This update addresses security issues for your Windows operating system. 

How useful was this post?

Click on a star to rate it!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.