Microsoft released security updates for all supported versions of Microsoft Windows and other company products on July 11, 2017.
The following guide provides you with in-depth information on the July 2017 Microsoft Patch Day. It starts with an executive summary that covers important to-know bits about the updates.
What follows is the distribution of updates for individual operating systems, server and client, and other Microsoft products.
It lists security updates, security advisories, and non-security updates afterwards, each with a short description and link to the Microsoft Knowledgebase article.
Last but not least, you get direct links to download the cumulative security and non-security, and only-security updates for all supported operating systems, and download information.
You can check out the June 2017 Patch day overview for information in case you missed it.
You can download this Excel spreadsheet for a list of all security updates that Microsoft released on the July 2017 Patch Day. Just click on the following link to download the document to your computer: Microsoft Security Updates july 2017
Tip: Make sure you create a backup of your system before you install the patches.
Executive Summary
Windows 10 version 1703 -- July 11, 2017 -- KB4025342 (OS Build 15063.483)
Windows 8.1 and Windows Server 2012 R2 -- July 11, 2017—KB4025333 (Security-only update)
Windows 8.1 and Windows Server 2012 R2 -- July 11, 2017—KB4025336 (Monthly Rollup)
Windows 7 SP1 and Windows Server 2008 R2 SP1 -- July 11, 2017—KB4025337 (Security-only update)
Windows 7 SP1 and Windows Server 2008 R2 SP1 -- July 11, 2017 -- KB4025341 (Monthly Rollup)
KB4022746 -- Security Update for Windows Server 2008 and Windows XP Embedded -- Security update for the Kerberos SNAME security feature bypass vulnerability in Windows Server 2008: July 11, 2017
KB4022748 -- Security Update for Windows Server 2008 -- Security update for the Windows kernel information disclosure vulnerability in Windows Server 2008: July 11, 2017
KB4022883 -- Security Update for WES09 and POSReady 2009 -- Windows kernel information disclosure vulnerability: June 13, 2017
KB4022914 -- Security Update for Windows Server 2008 -- Security update for the Windows kernel information disclosure vulnerability in Windows Server 2008: July 11, 2017
KB4025240 -- Security Update for Windows Server 2008 and Windows XP Embedded -- Security update for the Microsoft browser security feature bypass vulnerability in Windows Server 2008: July 11, 2017
KB4025252 -- Cumulative Security Update for Internet Explorer
KB4025397 -- Security Update for Windows Server 2008 -- Security update for the Windows Performance Monitor information disclosure vulnerability in Windows Server 2008: July 11, 2017
KB4025398 -- Security Update for Windows Server 2008 and Windows XP Embedded -- Security update for the MSINFO.exe information disclosure vulnerability in Windows Server 2008: July 11, 2017
KB4025409 -- Security Update for Windows Server 2008 and Windows XP Embedded -- Security update for the Windows elevation of privilege vulnerability in Windows Server 2008: July 11, 2017
KB4025497 -- Security Update for Windows Server 2008 and Windows XP Embedded -- Security update for the Windows Explorer remote code execution vulnerability in Windows Server 2008: July 11, 2017
KB4025674 -- Security Update for Windows Server 2008 -- Security update for the Windows Explorer denial of service vulnerability in Windows Server 2008: July 11, 2017
KB4025872 -- Security Update for Windows Server 2008 -- Security update for the Windows PowerShell remote code execution vulnerability in Windows Server 2008: July 11, 2017
KB4025877 -- Security Update for WES09 and POSReady 2009 -- This security update resolves vulnerabilities in Windows Server 2008 that could allow elevation of privilege or information disclosure.
KB4026059- Security Update for Windows Server 2008 --Security update for the Windows CLFS elevation of privilege vulnerability in Windows Server 2008: July 11, 2017
KB4026061 -- Security Update for Windows Server 2008 and Windows XP Embedded -- Security update for the WordPad remote code execution vulnerability in Windows Server 2008: July 11, 2017
KB4032955 -- Security Update for Windows Server 2008 and Windows XP Embedded -- Security update for the Windows Search remote code execution vulnerability in Windows Server 2008: July 11, 2017
KB4033107 -- July 11, 2017, update for Microsoft Office
Important note for CVE-2017-8563: After installing the updates for CVE-2017-8563, to make LDAP authentication over SSL/TLS more secure, administrators need to create a LdapEnforceChannelBinding registry setting on a Domain Controller.
Microsoft Security Advisory 4033453 -- Vulnerability in Azure AD Connect Could Allow Elevation of Privilege
The update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts.
The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.
KB4034374 -- 2017-07 Dynamic Update for Windows 10 Version 1703 -- Compatibility update for upgrading to Windows 10 Version 1703: July 11, 2017
KB890830 -- Windows Malicious Software Removal Tool - July 2017 -- Remove specific prevalent malware with Windows Malicious Software Removal Tool
Windows PCs are configured by default to search for, download and install updates automatically. This is not a real-time action, and if time is of the essence, you may run a manual check for updates at any time.
Windows 7 SP1 and Windows Server 2008 R2 SP
Windows 8.1 and Windows Server 2012 R2
Windows 10 and Windows Server 2016 (version 1703)
Please click on the following link to open the newsletter signup page: Ghacks Newsletter Sign up
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.
Dynamic Update for 1703 (KB4034374):
http://download.windowsupdate.com/c/msdownload/update/software/crup/2017/07/windows10.0-kb4034374-x64_d3a152e9b04967413f9ece84aa87aea25de3a677.cab
http://download.windowsupdate.com/c/msdownload/update/software/crup/2017/07/windows10.0-kb4034374-x86_5176b3fd767266b0e9019417cc7d28dee6ac259b.cab
Dynamic Update for 1703 (KB4025342):
http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/07/windows10.0-kb4025342-x64_d5d2a01364bb3ad0e12aa914922b233a8d499843.msu
http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/07/windows10.0-kb4025342-x86_167badec6b6a9cd5af65d15e61f8fa6e2d23e704.msu
Cumulative Update for Windows 10 Version 1607 for x64-based Systems (KB4025339):
(changelog: http://sihmar.com/kb4025339-build-14393-1480-windows-10-changelog/
http://news.softpedia.com/news/microsoft-releases-windows-10-cumulative-updates-kb4025342-kb4025339-kb4025344-516924.shtml
Are their an update for Edge to disable JavaScript (no seriously) or install extension or whatever name for Edge?
Hello All,
Today I had downloaded the offline wsusscn2.cab file from go.microsoft.com/fwlink/?LinkID=74689. See support.microsoft.com/en-us/kb/926464 for more details.
But when I check the properties of the cab file under the Digital Signature Tab its showing the date as 13 June, 2017. Just wanted to check if anyone else out there is seeing the same when they are downloading the cab file for month of July 2017.
And is this cab file valid or any new cab file will be released by the Microsoft in few hours from now.
Any reply and help on this is appreciated.
Same problem here with the wsusscn2.cab file from June instead of July.
hi, typo under first appearance of KB4025341
– And all security updates of KB402337 **should be KB4025337 **
Thanks, corrected :)
Martin,
Forgive me for asking but am I to assume that the Cumulative security update for IE11 is now included in the Security Only Update for a given OS? In this particular case that would mean that KB4025333 for 8.1 includes the fixes detailed in the following link: https://support.microsoft.com/en-us/help/4025252/cumulative-security-update-for-internet-explorer-july-11-2017 (although that makes no mention of the Security only update package).
Also, are 8.1 users supposed to make the registry change recommended in https://support.microsoft.com/en-us/help/4025333/windows-8-update-kb4025333 ?
Thanks in advance.
Security updates for Internet Explorer are not included in the Security-only update package that Microsoft releases: https://blogs.technet.microsoft.com/windowsitpro/2017/01/13/simplified-servicing-for-windows-7-and-windows-8-1-the-latest-improvements/
It’s all very confusing. Thanks anyway.
Anybody experience issue with after installed updates on server 2012 and server gets error “online-cannot get role and feature data”. It happens to three of my machines already.
Nm, stupid McAfee access protection
I noticed that there is an update for version 1607. I have been trying to update this for many weeks and all I get is failed installs of update. All of the fails are from kb4025339 and 4022715. They have downloaded dozens of times in the past few weeks but always fail. Sometime they will download 3 or 4 times a day. Next day they are gone.
Do you know if those links would help me at all. I’m about ready to wipe my drive, but I would lose lots of stuff I cant replace.
I have tried all the usual fixes but no help. Using Win10x64, 16 gig ram and lot of hd space, I have the manual installs but fail part way thru.
Lynn
I did download the new update for 1607. It’s a big file, a bit over 1 gig. It downloaded fine and a message popped up asking if I wanted to install the update. I clicked yes and waited close to ten minutes. A message popped that said install complete, restart your computer. I hit restart and got the message about updating and don’t turn off you computer.
After about 10 minutes, it rebooted and got the “installing updates, don’t turn off you computer”. Eventually it got to a zero percent level and stayed for a minute or two, then gave message “cannot install update, undoing changes” Another ten minutes of that message, then another reboot and back to desktop. Checked the install list and nothing new there.
Back to square one.
Lynn
Lynn1102, I’m having the same issue with the KB4025339 and I still haven’t been able to resolve it. I’ve researched online for days and it seems like no one else has experienced the issue. If you find a resolution, please post it and I’ll do the same.
Kelvin
I have spent weeks trying to figure it out. The computer mostly works, but some things have been killed because of the failed downloads. My start button no longer works, my search bar doesn’t work. My printer doesn’t work and all downloads of printer software all fail in one way or another.
On Windows bbs, (windowsbbs.com) there were many having similar problems. I don’t know if the got it fixed or gave up. On that site there is a section called repair windows 10. That goes to a tutorial on how to fix it. In step 2, there is an all in one program that does most of the stuff you’ve tried, but also does a lot more, and it’s all in one free program. It does take a while to run but many claim to have had good luck with it. It didn’t work for me, but it did clean up other problems.
How do I set the registry key for LdapEnforceChannelBinding on a domain server?
Microsoft has it listed as a key- https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry and not as the name of the DWORD.
Path: HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/NTDS/Parameters
Key: LdapEnforceChannelBinding
DWORD value: 0
DWORD value: 1
DWORD value: 2
If keys and sub-keys are the “folders”, then the new registry hive path would be HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/NTDS/Parameters/LdapEnforceChannelBinding
If I then add a new DWORD value type, what do I name it?
Or
Are they calling the DWORD the key and I should name it LdapEnforceChannelBinding?