Applies To: Azure Local, version 21H2

Release Date: 22/03/2022

Version: OS Build 20348.617

For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Azure Stack HCI, version 21H2, see its update history page.

Improvements

This non-security update includes quality improvements. Key changes include:     

  • Addresses an issue that affects searchindexer.exe and prevents Microsoft Outlook’s offline search from returning recent emails. 

  • Addresses an issue that causes searchindexer.exe to stop responding during a dismount operation in the Remote Desktop setup environment.

  • Addresses an issue in which modern browsers fail to correctly render HTML that is generated by gpresult /h.

  • Addresses an issue that causes an “Access denied” exception for a file during a PowerShell test for AppLocker.

  • Addresses an issue that returns an error message when you browse for a domain or organizational unit (OU). This issue occurs because of improper zeroing out of memory.

  • Addresses an issue that might cause the Group Policy Service to stop processing telemetry information for Group Policy Registry Preferences.

  • Addresses an access violation error that causes HTTP.sys to stop working when you enable BranchCache.

  • Addresses an issue that might prevent a DNS Server query resolution policy from working as expected when you specify a fully qualified domain name (FQDN) and subnet conditions.

  • Addresses a heap leak in PacRequestorEnforcement that degrades the performance of a domain controller.

  • Addresses an issue that affects the Key Distribution Center (KDC) Proxy. The KDC Proxy cannot properly obtain Kerberos tickets for signing in to Key Trust Windows Hello for Business.

  • Adds support for Microsoft Account (MSA) Pass-through scenarios in Azure Active Directory (AAD) Web Account Manager (WAM).

  • Addresses an issue that logs Event ID 37 during certain password change scenarios, including failover cluster name object (CNO) or virtual computer object (VCO) password changes.

  • Addresses an issue that might unintentionally add a Trusted Platform Module (TPM) protector when you use the Silent BitLocker enablement policy.

  • Addresses an issue that prevents the User Account Control (UAC) dialog from correctly showing the application that is requesting elevated privileges.

  • Addresses an issue that prevents Event 4739 from displaying the new values of certain attributes after a policy change.

  • Addresses an issue that prevents Android device users from signing in to some Microsoft applications, such as Microsoft Outlook or Microsoft Teams. This issue occurs after rolling over token signing and decrypting certificates, resetting a user's password, or when an administrator has revoked refresh tokens.  

  • Addresses an issue that might cause domain joining to fail in environments that use disjoint DNS hostnames.

  • Addresses an issue that prevents the Back button of the credentials window, where you sign in, from being visible in high contrast black mode.

  • Addresses an issue that causes the Move-ADObject command to fail when you move computer accounts across domains. The error message is, “Multiple values were specified for an attribute that can have only one value”.

  • Addresses an issue that prevents you from accessing Server Message Block (SMB) shares using an IP Address when SMB hardening is enabled.

  • Addresses an issue that occurs when the Best Practices Analyzer (BPA) values for SMB have not been updated for more recent platforms.

  • Addresses an issue that affects Windows Management Instrumentation (WMI) and prevents you from creating a CSV query. This issue occurs after you set up Storage Replica (SR) for cluster recovery.

  • Addresses an issue that causes a mismatch between NetBIOS and DNS Active Directory domain names when you create a cluster.

  • Addresses an issue that causes the Suspend-ClusterNode -Drain command to fail because of a localized name for the Health Service cluster resource name.


Windows 10 servicing stack update - 20348.610

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.

Known issues in this update

Symptom: After installing updates released January 11, 2022 or later, apps that use the Microsoft .NET Framework to acquire or set Active Directory Forest Trust Information might have issues. The apps might fail or close or you might receive an error from the app or Windows. You might also receive an access violation (0xc0000005) error.

Note for developers: Affected apps use the System.DirectoryServices API.

Workaround: To resolve this issue manually, apply the out-of-band updates for the version of the .NET Framework used by the app.

Note: These out-of-band updates are not available from Windows Update and will not install automatically. To get the standalone package, search for the KB number for your version of Windows and .NET Framework in the Microsoft Update Catalog. You can manually import these updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. For WSUS instructions, see WSUS and the Catalog Site. For Configuration Manager instructions, see Import updates from the Microsoft Update Catalog.

For instructions on how to install this update for your operating system, see the KB articles listed below:

  • Windows Server 2022: 

  • Windows Server 2019: 

  • Windows Server 2016: 

  • Windows Server 2012 R2: 

  • Windows Server 2012:

Symptom: After installing this update, some apps might render content incorrectly or outside of the app's window. Affected apps are using WebView2 to render content generated locally or downloaded from the internet.

Workaround: This issue is addressed using a Known Issue Rollback (KIR). Please note that it might take up to 24 hours for the KIR to propagate automatically to consumer devices and non-managed business devices. Restarting your Windows device might help the KIR to apply to your device faster. For enterprise-managed devices that have installed an affected update and encountered this issue, you can address it by installing and configuring a special Group Policy listed below.

Important: Verify that you are using the correct Group Policy for your version of Windows.

Group Policy downloads with Group Policy name:

Important: You must install and configure the Group Policies specific to your version of Windows to address this issue.

To configure the special Group Policy, use the following steps:

  1. If the KIR Group Policy has not been installed, install it from the link above.

  2. Open Group Policy Editor, navigate to either Local Computer Policy or the Domain policy on your domain controller, then: Administrative Templates -> <Name as listed above>, then select the version of Windows you want to use this group policy on.

    Note: You might need to select the Windows 10 version that uses the same update as the version of Server you are using. For example, you might need to select Windows 10, version 1809 if you are using Windows Server 2019.

  3. Set it to "Disabled".

  4. If you are setting this on a domain controller, you must wait for the Group Policy to replicate group policy changes in Active Directory and the SYSVOL.

  5. Devices that apply a KIR GP in a local or domain policy must either apply a background or manual group policy refresh.

  6. Restart the affected device.

    Note: You should not need to restart the domain controller after installing this KIR Group Policy.

  7. Allow the Group Policy to refresh on affected devices before installing the affected Windows update.

For information on deploying and configuring these special Group Policies, see How to use Group Policy to deploy a Known Issue Rollback.

How to get this update

Before installing this update

Microsoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.

To install the LCU on your Azure Stack HCI cluster, see Update Azure Stack HCI clusters.

Install this update

| Release Channel | Available | Next Step |
| --- | --- | --- |
| Windows Update and Microsoft Update | Yes | Go to Settings > Update & Security > Windows Update. In the Optional updates available area, you’ll find the link to download and install the update. |
| Windows Update for Business | No | None. These changes will be included in the next security update to this channel. |
| Microsoft Update Catalog | No | To get the standalone package for this update, go to the Microsoft Update Catalog website. |
| Windows Server Update Services (WSUS) | No | You can import this update into WSUS manually. See the Microsoft Update Catalog for instructions. |

If you want to remove the LCU

To remove the LCU after installing the combined SSU and LCU package, use the DISM /Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command: DISM /online /get-packages.

Running Windows Update Standalone Installer (wusa.exe) with the /uninstall switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.
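The removal procedure above, as an added PowerShell example that is not Microsoft's code: it picks the LCU package identity out of DISM /online /get-packages output and passes it to DISM /Remove-Package. The function name Get-LcuPackageName, the $Remove guard, the constructed sample output, and the assumption that the LCU identity contains "RollupFix" and the OS build number (while the SSU appears as a separate "ServicingStack" identity) are not from the original page.

```powershell
# Added example. Run from an elevated PowerShell session on the affected node.
function Get-LcuPackageName {
    param(
        [Parameter(Mandatory)][string[]]$DismOutput,  # lines printed by DISM /online /get-packages
        [Parameter(Mandatory)][string]$Build          # OS build of the LCU, e.g. '20348.617'
    )
    $names = foreach ($line in $DismOutput) {
        if ($line -match '^Package Identity\s*:\s*(\S+)\s*$') { $Matches[1] }
    }
    # Assumption: the LCU identity contains "RollupFix" and "~~<build>.";
    # the SSU ("ServicingStack") is deliberately excluded because it cannot be removed.
    @($names | Where-Object { $_ -like '*RollupFix*' -and $_ -like "*~~${Build}.*" })
}

# Constructed sample of DISM output (identities are illustrative, not real values).
$sample = @(
    'Package Identity : Package_for_RollupFix~31bf3856ad364e35~amd64~~20348.617.1.5'
    'State : Installed'
    'Package Identity : Package_for_ServicingStack_610~31bf3856ad364e35~amd64~~20348.610.1.1'
    'State : Installed'
    'Package Identity : Package_for_RollupFix~31bf3856ad364e35~amd64~~20348.587.1.4'
    'State : Superseded'
)
$fromSample = @(Get-LcuPackageName -DismOutput $sample -Build '20348.617')
Write-Host "Sample match: $fromSample"

# Set to $true only when you actually intend to uninstall the LCU.
$Remove = $false
if ($Remove) {
    # /English keeps the "Package Identity" label stable on localized systems.
    $live = dism.exe /English /online /get-packages
    $lcu  = @(Get-LcuPackageName -DismOutput $live -Build '20348.617')
    if ($lcu.Count -ne 1) {
        throw "Expected exactly one LCU package for build 20348.617, found $($lcu.Count)."
    }
    # The SSU stays installed; only the LCU identity is passed to DISM.
    dism.exe /online /Remove-Package "/PackageName:$($lcu[0])" /NoRestart
    if ($LASTEXITCODE -ne 0) { throw "DISM exited with code $LASTEXITCODE." }
}
```

The script refuses to act when zero or several identities match, so a mistyped build number or an unexpected naming scheme cannot remove the wrong package.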

File Information

For a list of the files that are provided in this update, download the file information for cumulative update 5011558.

For a list of the files that are provided in the servicing stack update, download the file information for the SSU - version 20348.610.
