KB5034767 Cumulative Update for Windows Server 2016

KB5034767 is a cumulative update for Windows Server 2016 and Windows Server 2016 Server Core installation. The update was released on 13 February as part of Microsoft’s ‘Patch Tuesday’ project.

  • KB5034767 is a cumulative update that supersedes the KB5034119 cumulative update.
  • KB5034119 was released on 9 January 2024 and you can read more about it on this KB5034119 page.
  • KB5034767 corresponds to server build 14393.6709.
  • KB5034119 corresponds to server build 14393.6614. If you had installed KB5034119, you would be transitioning from build 6614 to 6709 when installing KB5034767.
  • KB5034862 is the Servicing Stack Update that needs to be installed before installing KB5034767. KB5034862 is the latest Servicing Stack update for Windows Server 2016 released on 13 February 2024.
  • 34 security vulnerabilities have been reported for Windows Server 2016 in the February 2024 security bulletin released by Microsoft.
  • One of these security vulnerabilities has a CRITICAL severity level for Windows Server 2016.
  • There is a single zero-day threat that impacts Windows Server 2016. The details are shared in the vulnerabilities section

KB5034767 can be applied automatically using one of the following methods:

  • Windows Update
  • Windows Update for Business
  • WSUS or Windows Server Update Services

WSUS remains the most preferred method to automatically deploy security and cumulative updates.

For automated deployments, the Servicing Stack Update KB5034862 will be automatically installed before KB5034767 is installed on Windows Server 2016.

For manual deployment of KB5034767, you will need to follow a 2-step process.

  • Download and install KB5034862 Servicing Stack Update. This is the latest Servicing Stack Update for Windows Server 2016 released in February 2024.
  • Download and install the KB5034767 cumulative update.

The download for the Servicing Stack Update and the cumulative update can be completed from the Microsoft Update Catalog site. The installer is available as an offline installer file in the .MSU format.

The size of the Servicing Stack Update file is 11.7 MB. The server will not restart after installing the SSU.

KB5034767 for Windows Server 2016 can be downloaded from the Microsoft Update Catalog site. Or, you could use the direct download link below.

The size of the cumulative update KB5034767 is 1627.1 MB. KB5034767 will cause a server reboot. Please plan for implementation as part of an organized change management process.

34 security vulnerabilities affect Windows Server 2016 as part of the January 2024 security reports. One of these vulnerabilities is a CRITICAL severity vulnerability. Another vulnerability is a zero-day threat.

We have listed the CRITICAL vulnerability and zero-day vulnerability for Windows Server 2016 below.

There is a single CRITICAL security vulnerability affecting Windows Server 2016 and Windows Server 2016 Server Core installation. The CRITICAL vulnerability could lead to a ‘Security Feature Bypass’ impact on the server.

The single CRITICAL security vulnerability on Windows Server 2016 is listed below.

CVE detailsCVSSSeverityImpact Description
CVE-2024-213577.5CRITICALRemote Code ExecutionThis attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network.

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.

The following zero-day vulnerability affects Windows Server 2016:

CVE detailsCVSSSeverityImpact Description
CVE-2024-213517.6IMPORTANTSecurity Feature BypassWhen you download a file from the internet, Windows adds the zone identifier or Mark of the Web as an NTFS stream to the file. So, when you run the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3 which means that the file was downloaded from the internet, the SmartScreen does a reputation check. 

An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience.

The following changes or improvements are part of the KB5034767 cumulative update for Windows Server 2016:

  • This update addresses security issues for your Windows operating system. 
  • This update affects Unified Extensible Firmware Interface (UEFI) Secure Boot systems. It adds a renewed signing certificate to the Secure Boot DB variable. You can now opt for this change.
  • This update addresses an issue that affects the download of device metadata. Downloads from the Windows Metadata and Internet Services (WMIS) over HTTPS are now more secure.
Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to write about Cyber-security events and stories, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.