Windows 10 updates: KB4489894, KB4489890, KB4489888 and KB4489889

Yesterday was the third Tuesday of the month and that means, usually, that Microsoft releases another batch of cumulative updates for various versions of Windows 10.

Microsoft released the updates KB4489894, KB4489890, KB4489888 and KB4489889 yesterday for Windows 10 version 1803, 1709, 1703, and 1607 respectively. The update for the current version of Windows 10, Windows 10 version 1809, is delayed as usually.

The updates share most of the improvements and fixes. The updates can be downloaded manually from the Microsoft Update Catalog website or installed by running a manual check for updates.  It is recommended to sit them out unless you are affected by the issues that they fix.

Windows 10 version 1803 -- KB4489894

• New version: OS Build 17134.677
• Support link: KB4489894
• Windows Update Catalog link: KB4489894

The update includes the following fixes and improvements:

• Time zone information update for Kazakhstan, Buenos Aires, Argentina,  São Tomé and Príncipe.
• Fixed an issue that prevented Microsoft Office updates from downloading from the Microsoft Store.
• Additional Japan New Era fixes.
• Fixed an Access 97 database issue if tables or columns have custom properties (stops the operation).
• Addressed an issue that caused devices to stop sporadically if East Asian languages were used.
• Fixed an issue that caused laptop screens to remain black when resuming from sleep.
• Fixed the Group Policy "Turn off app notifications on the lock screen".
• Addresses an issue that may prevent users from signing in and cause account lockouts when using the App-V client to start applications. Fix involves changing a Registry Key:
  • Setting: UseDcForGetUserInfo
  • Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Shared\
  • Type: REG_DWORD
  • Value: Setting the following DWORD to nonzero will enable the solution.
• Fixed an unlocking issue using smart cards that prevented users from unlocking the device under certain circumstances.
• Fixed an issue that caused the authentication credentials dialog from appearing in Enterprise environments.
• Fixed a server or client restart issue when attempting to log in using a smart card.
• Addressed an issue that listed multiple device entries for a single hybrid domain joined device.
• Addresses an issue that removes the ALLOWCLSIDS policy from the policy XML file when you run the Add-SignerRule for Windows Defender Application Control.
• Fixed an issue that prevented smart cards from working properly in conjunction with Citrix 7.15.2000 Workstation VDA software.
• Fixed an authentication issue  that caused Windows Account Manager to fail.
• Fixed an issue that caused certification renewals to fail.
• Added new Group Policy "Enable Windows to soft-disconnect a computer from a network" which determines how Windows should disconnect from a network when it determines that the computer should not be connected to the network anymore.
  • Path: Computer Configuration\Policies\Administrative Templates\Network\Windows Connection Manager
  • Enabled: Windows will soft-disconnect.
  • Disabled: Windows disconnects immediately.
  • Not configured: Same as Enabled.
• Fixed issue for "Stop 0x133" in NTFS.sys.
• Fixed an issue that made Windows reuse an expired Dynamic Host Configuration Protocol (DHCP) lease if the lease expired during shutdown.
• Fixed an issue with Virtual Machine Management Service to stop working.
• Fixed an issue in which the graphics device interface (GDI) DeleteObject() caused the calling process to stop working.
• "Seamless" integration with Microsoft Cloud App Security (MCAS) for Windows Defender Advanced Threat Protection customers.
• Enhances automated investigation and remediation, including memory forensics, for Windows Defender ATP customers.
• Addresses minor issues with unknown options (unknown OPT) in the Extension Mechanisms for DNS (EDNS) for the Windows DNS Server role.

Known issues:

1. MSXML6 may cause applications to stop responding if "an exception was thrown during node operations".
   1. Microsoft is working on a solution.
2. Custom URI Schemes for Application Protocol handlers may not start the corresponding application.
   1. Enable Protected Mode in Internet Explorer for local Intranet and trusted sites.
   2. Go to Tools > Internet Options > Security.
   3. Select "Local Intranet" and "Trusted Sites"
   4. Enable Protected Mode.
3. Stop error may be thrown when using Secure Shell from Windows Subsystem for Linux with agent forwarding using -A or configuration settings.
   1. Disable forwarding of the authentication agent connection.
4. After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
   1. Run from an elevated command prompt: Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No
   2. Open Windows Deployment Services, expand servers, right-click WDS server and open properties, clear Enable Variable Windows Extension on TFTP tab.
   3. Set the Registry key HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension to 0.
   4. Restart.
5. If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen will appear at startup

Windows 10 version 1709 -- KB4489890

• New version: OS Build 16299.1059
• Support link: KB4489890 
• Windows Update Catalog link: KB4489890

The improvements, fixes and known issues match those of  KB4489894 for the most part.

The following improvements are unique to this update:

• Addressed an issue that causes the “Windows created a temporary warning.” message to appear if you create a page file on a drive with FILE_PORTABLE_DEVICE characteristics.
• Addressed an issue that causes the user interface (UI) to stop responding for several seconds when you scroll a window while many child windows are open.
• Addressed an issue with Microsoft Outlook profiles on devices that are domain joined and workplace joined. Creation of new Microsoft Outlook profile may fail, or created Microsoft Outlook profiles may fail to work later.

The update shares known issues with KB4489894. Issue 3 is not listed, the rest are.

Windows 10 version 1703 -- KB4489888

• New version: OS Build 15063.1716
• Support link: KB4489888
• Windows Update Catalog link: KB4489888

Improvements are shared for the most part (but fewer). Microsoft lists three known issues for this update (MSXML6, Custom URI Schemes, and EUDC).

Windows 10 version 1607 -- KB4489889

• New version: OS Build 15063.1716
• Support link: KB4489889 
• Windows Update Catalog link: KB4489889 

The update shares fixes with the other updates. There are some unique ones, however:

• Addressed a reliability issue in dxgkrnl.sys.
• Addressed an issue that caused a yellow exclamation mark to appear in Windows Device Manager on human interface devices (HID).
• Addressed an issue that caused the touch screen to stop working after a restart.
• Addressed an issue that prevented App-V applications from starting and generated the error "0xc0000225".
  • Setting the value of HKLM\Software\Microsoft\AppV\\MAV\Configuration\MaxAttachWaitTimeInMilliseconds to a non-zero value resolves the issue. The max is 10,000.
• Addressed an issue that caused certificate renewal to fail when using CERT_RENEWAL_PROP_ID with the ICertPropertyRenewal interface.
• Addressed an issue that prevented users from receiving all the available Windows updates using the Unified Write Filter (UWF) servicing mode while UWF is enabled.
• Addressed an issue in the Microsoft Service Control Manager (SCM) component that caused a system to stop responding at startup.
• Addressed an issue in Active Directory Federation Services (AD FS) that caused a duplicate relying party trust to appear in the AD FS management console.
• Fixed an issue with previous versions of files becoming unavailable.
• Fixed an issue that caused a long delay when resuming from hybrid sleep.
• Addressed an issue in a Storage Spaces Direct environment that led to an error at shutdown during a "restart in a loop" scenario.
• Addressed an issue that caused a cluster to stop working when a file share witness became read-only.
• Addressed an issue that occured when updating cluster nodes one by one. If you restarted a node at a lower patched level, the node at a higher patched level became unexpectedly quarantined.
• Addressed a high Active Directory Federation Services (ADFS) Web Application Proxy (WAP) latency issue (over 10,000ms) that occured while Extranet Smart Lockout (ESL) was enabled on ADFS.
• Enables activation of insider builds of Windows 10 Enterprise for Virtual Desktops in Microsoft Azure.
• Addressed an issue in which the Policy Replication Status report in the Group Policy Management Console (GPMC) consistently displayed one less domain controller than was present in the entire domain or a specific Group Policy.
• Addressed a character limit issue in the “Settings Page Visibility” Group Policy in the following policy path: "User Configuration\Administrative Templates\Control Panel".

The update shares the known issues MSXML6, CustomURI Schemes, Preboot Execution Environment (PXE), and EUDC. Microsoft lists the following unique issues:

• For hosts managed by System Center Virtual Machine Manager (SCVMM), SCVMM cannot enumerate and manage logical switches deployed on the host after installing the update.
  • Run mofcomp on Scvmmswitchportsettings.mof and VMMDHCPSvr.mof.Follow the best practices while patching to avoid a stop error in vfpext.sys in an SDN v2 environment (NC managed hosts).
• Cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.
• Internet Explorer 11 may have authentication issues.

Now You: Did you install any of these updates?

Advertisement