KB5034768 Cumulative Update for Windows Server 2019

KB5034768 is a cumulative update for Windows Server 2019 and the Windows Server 2019 Server Core installation. The update was released on 13 February 2024 as part of Microsoft's 'Patch Tuesday' release.

KB5034768 has now been superseded by KB5035849. You can read more about KB5035849 on this page.

  • KB5034768 is a cumulative update that supersedes the KB5034127 cumulative update.
  • KB5034127 was released on 9 January 2024. You can read more about it on the KB5034127 page.
  • KB5034768 corresponds to server build 17763.5458.
  • KB5034127 corresponds to build 17763.5329. If you had installed KB5034127, you would be transitioning from build 5329 to server build 5458.
  • KB5005112 is the Servicing Stack Update that needs to be installed before installing KB5034768. KB5005112 was released in August 2021. There is a high likelihood of the SSU being already installed on the server. If KB5005112 is already installed, you can skip to direct installation of KB5034768.
  • 39 security vulnerabilities have been reported for Windows Server 2019 in the February 2024 security bulletin released by Microsoft.
  • One of these security vulnerabilities has a CRITICAL severity level.
  • 2 zero-day vulnerabilities affect Windows Server 2019. Details of the vulnerabilities are shared below.

Details of security vulnerabilities on Windows Server 2019 are listed in the vulnerabilities section below.

KB5034768 can be applied automatically using one of the following methods:

  • Windows Update
  • Windows Update for Business
  • WSUS or Windows Server Update Services

WSUS remains the preferred method to deploy security and cumulative updates automatically.

For manual deployment of KB5034768, you will need to follow a 2-step process.

  • Ensure Servicing Stack Update KB5005112 is already installed. If not, download and install KB5005112.
  • Download and install KB5034768 cumulative update.

The Servicing Stack Update and the cumulative update can both be downloaded from the Microsoft Update Catalog site. Each installer is available as an offline installer file in the .MSU format.

The size of the Servicing Stack Update file is 13.8 MB. The server will not restart after installing the SSU.

KB5034768 for Windows Server 2019 can be downloaded from the Microsoft Update Catalog site. Or, you could use the direct download link below.

The size of the cumulative update KB5034768 is 623.4 MB. KB5034768 will cause a server reboot. Please plan for implementation as part of an organized change management process.

If you have already installed KB5034127, only incremental changes of KB5034768 will be downloaded and installed on the server. This will be a quick process.
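A pre-check and install sequence for the two-step manual deployment described above, as an added example that is not part of the original article. The `.msu` path is a placeholder and the function name `Get-OsBuild` is illustrative; the script assumes it is run from an elevated PowerShell session.

```powershell
# Added example (not from the original article). Run elevated.
# Assumption: $MsuPath is a placeholder for the KB5034768 .msu file
# downloaded from the Microsoft Update Catalog.
$TargetBuild = 17763   # Windows Server 2019
$TargetUbr   = 5458    # revision that KB5034768 corresponds to
$MsuPath     = 'C:\Patches\KB5034768.msu'

# Read the running build and update revision (UBR) from the registry.
function Get-OsBuild {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{ Build = [int]$cv.CurrentBuildNumber; Ubr = [int]$cv.UBR }
}

$os = Get-OsBuild
if ($os.Build -ne $TargetBuild) {
    throw "Build $($os.Build) is not 17763; this check targets Windows Server 2019."
}
if ($os.Ubr -ge $TargetUbr) {
    Write-Output "At 17763.$($os.Ubr): KB5034768 or a later cumulative update is installed."
    return
}

# Step 1: the Servicing Stack Update must be present before the cumulative update.
# Get-HotFix lists only what Win32_QuickFixEngineering reports.
if (-not (Get-HotFix -Id 'KB5005112' -ErrorAction SilentlyContinue)) {
    Write-Warning 'KB5005112 (SSU) not found. Install it first, then re-run.'
    return
}

# Step 2: install the cumulative update without an automatic restart,
# so the reboot can be scheduled inside the change window.
if (-not (Test-Path -LiteralPath $MsuPath)) { throw "Missing file: $MsuPath" }
$proc = Start-Process -FilePath 'wusa.exe' -Wait -PassThru `
    -ArgumentList "`"$MsuPath`"", '/quiet', '/norestart'

switch ($proc.ExitCode) {
    0       { Write-Output 'Installed.' }
    3010    { Write-Output 'Installed; reboot required to reach 17763.5458.' }
    2359302 { Write-Output 'Update was already installed.' }
    default { Write-Warning "wusa.exe exit code $($_)" }
}
```

After the reboot, re-running the script should stop at the first check and report a revision of 5458 or higher.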

39 security vulnerabilities affect Windows Server 2019 as part of the February 2024 security reports. One of these vulnerabilities is a CRITICAL severity vulnerability.

We have listed the CRITICAL vulnerability for Windows Server 2019 below.

Windows Server 2019 is impacted by two CRITICAL vulnerabilities. The CRITICAL security vulnerabilities on Windows Server 2019 are listed below.

CVE-2024-21357
  • CVSS: 7.5
  • Severity: CRITICAL
  • Impact: Remote Code Execution

This vulnerability affects Windows Pragmatic General Multicast (PGM).

Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment. Windows Pragmatic General Multicast (PGM) produces multicast traffic that runs on layer 4 and is routable. Therefore this vulnerability can be exploited over the network.

An attacker could exploit this vulnerability by sending specially crafted malicious traffic directed at a vulnerable server.

CVE-2024-21351
  • CVSS: 7.6
  • Severity: IMPORTANT
  • Impact: Security Feature Bypass

When you download a file from the internet, Windows adds the zone identifier or Mark of the Web as an NTFS stream to the file. So, when you run the file, Windows SmartScreen checks if there is a zone identifier Alternate Data Stream (ADS) attached to the file. If the ADS indicates ZoneId=3 which means that the file was downloaded from the internet, the SmartScreen does a reputation check.

An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience.

CVE-2024-21412
  • CVSS: 8.1
  • Severity: IMPORTANT
  • Impact: Security Feature Bypass

An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks. However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link.
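The Zone.Identifier stream described under CVE-2024-21351 can be inspected directly. The following is an added example, not part of the original article, that reads the stream and reports whether a file carries ZoneId=3. The function name `Get-MarkOfTheWeb`, the property `ReputationCheckExpected` and the two sample files are constructed for illustration, and the demo needs an NTFS volume.

```powershell
# Added example (not from the original article). NTFS only.
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                3 = 'Internet';      4 = 'Restricted sites' }

# Hypothetical helper: parse the Zone.Identifier alternate data stream of one file.
function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' `
                 -ErrorAction SilentlyContinue
    $zone = $null
    foreach ($line in @($lines)) {
        # The stream is INI-style text: a [ZoneTransfer] section with ZoneId=<n>.
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { $zone = [int]$Matches[1] }
    }
    [pscustomobject]@{
        Path                    = $Path
        HasStream               = ($null -ne $lines)
        ZoneId                  = $zone
        Zone                    = if ($null -ne $zone) { $ZoneNames[$zone] } else { $null }
        # ZoneId=3 marks an internet download, the case that gets a reputation check.
        ReputationCheckExpected = ($zone -eq 3)
    }
}

# Constructed sample data: one file tagged as an internet download, one untagged.
$demo = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$marked = Join-Path $demo 'downloaded.txt'
$plain  = Join-Path $demo 'local.txt'
Set-Content -LiteralPath $marked -Value 'sample'
Set-Content -LiteralPath $plain  -Value 'sample'
Set-Content -LiteralPath $marked -Stream 'Zone.Identifier' `
    -Value '[ZoneTransfer]', 'ZoneId=3'

Get-ChildItem -LiteralPath $demo -File |
    ForEach-Object { Get-MarkOfTheWeb -Path $_.FullName } |
    Format-Table -AutoSize
```

Pointing the final pipeline at a real download folder gives a quick inventory of which files still carry the mark and which have lost it.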

The following changes or improvements are part of the KB5034768 cumulative update for Windows Server 2019:

  • This update addresses security issues for your Windows operating system. 
  • This update addresses an issue that affects the download of device metadata. Downloads from the Windows Metadata and Internet Services (WMIS) over HTTPS are now more secure.
  • This update addresses an issue that affects a local account. You cannot sign in to an account that Windows LAPS manages. This occurs if you set the “Require Smart Card for Interactive Logon” policy.
  • This update addresses an issue that affects Windows Management Instrumentation (WMI). A caching issue occurs. The issue causes CurrentTimeZone to change to the wrong value.
  • This update addresses an issue that affects the Windows nesting limit. You can now set it to a low of 35 instead of 50. This is the registry value in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERNestedWindowLimit. To learn more, see What is the window nesting limit?. Do not change this limit unless a kernel stack overflow and a recursion in DestroyWindow() cause stop errors.
  • This update affects Unified Extensible Firmware Interface (UEFI) Secure Boot systems. It adds a renewed signing certificate to the Secure Boot DB variable. You can now opt for this change.
  • This update includes quarterly changes to the Windows Kernel Vulnerable Driver Blocklist file, DriverSiPolicy.p7b. It adds to the list of drivers that are at risk for Bring Your Own Vulnerable Driver (BYOVD) attacks.
  • This update changes a setting in Active Directory Users & Computers. By default, the snap-in now uses a strong certificate mapping of X509IssuerSerialNumber. It does not use the weak mapping of x509IssuerSubject.
  • This update addresses an issue that affects the Local Security Authority Subsystem Service (LSASS). It might stop working. This occurs when you access the Active Directory database.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.