Windows 10 v2004, 20H2 & 21H1 – Citrix Known Issues

Microsoft releases software updates for Windows 10 twice a year through the Semi-Annual Channel. Microsoft released its Semi-Annual Channel ‘May 2020 update’ (v2004) in May 2020 and ‘October 2020 update’ (20H2) in October 2020.

This article is intended to capture known issues with Windows 10 v2004 and 20H2 that have been identified so far through Citrix internal testing and customer reports.

Note:

  • This is a live article and is updated as and when new information is available.
  • This article also outlines issues seen with Windows 10 20H2. Unless explicitly specified, issues seen with Windows 10 v2004 are seen with Windows 10 20H2 also.

Known Issues

The following are the known issues:

Issue 1

Issue Description

Citrix User Profile Manager (UPM) may stop working after Windows 10 with VDA installed is upgraded to v2004 OR it may break the native Windows applications like notepad, calculator etc when UPM is configured on fresh install of v2004.

[TPV-2706]

Problem Cause

Changes in Windows 10 v2004 is causing this issue.

Solution

This issue is fixed in Citrix Virtual Apps and Desktops 7 2003 and later versions.

Issue 2

Issue Description

Printers part of Citrix Universal Print Server (UPS) are not mapped within ICA session of Windows 10 v2004 VDA.

Problem Cause

Changes in Windows 10 v2004 Operating System is causing the printer mapping failure.

Solution

This issue is resolved with the Microsoft Defender Advanced Threat Protection signature updates released around June 2020.


Issue 3

Issue Description

On Virtual Machine’s (hosted on vSphere) with VM version 14 and boot option EFI, a failure may be seen when you upgrade Windows 10 machine to v2004 with an error “We can’t tell if your PC is ready to continue installing Windows 10. Try restating the setup”

[TPV-2703]

Solution

Installing the latest VMWare tools 11.0.0.x before attempting to upgrade to v2004 resolves this issue.

Issue 4

Issue Description

On Windows 10 v2004 end point with Receiver/Workspace App, when a network interruption is caused by disabling the Network Interface from Control Panel, Session Reliability feature fails to work.

[RFWIN-15116]

Problem Cause

Changes in Windows 10 v2004 Operating System is making the Session Reliability to fall back to Auto Client Reconnect when the network is disrupted.

Solution

This issue has been fixed in Citrix Workspace App.

  • Users on Current Release of Workspace App are advised to upgrade to version 2002 or its replacement that contains the fix.
  • Users on the LTSR version of Workspace App are advised to upgrade to version 1912 or its replacement that contains the fix.

Issue 5

Issue Description

On Windows 10 v2004 end point with Receiver/Workspace App, when a network interruption is caused using Firewall, Session Reliability feature fails to work.

[RFWIN-15263]

Problem Cause

Changes in Windows 10 v2004 Operating System is making the Session Reliability to fall back to Auto Client Reconnect as soon as the the network is disrupted.

Solution

This issue has been fixed with KB4571744. Install this KB OR its replacement on end-points to resolve this issue.


Issue 6

Issue Description

ICA launch of Citrix VDA installed on Windows 10 Virtual Desktop v2004 fails OR ICA session disconnects within 2 minutes with error message “Idle Timer Expired “ or “Logon timer Expired”.

[TPV-3025]

Problem Cause

Changes in Windows 10 v2004 Operating System is causing this issue.

Solution

For Citrix VDA version 2006 and above:

Issue is resolved in KB4586853, Install this KB OR its replacement on your VDAs to resolve this issue.

For Citrix VDA versions before 2006:

ICA launch still fails and Citrix is working on fixing it. Please use the below workaround.

Workaround

The WDDM graphics display driver for Remote Desktop Connection which is enabled by default in Windows 10 v2004 and above needs to be disabled as it is not supported by the Citrix VDA. To disable, set the below policies through the group policies for your OU:

  • Browse to Administrative Templates (Computers) -> Windows Components – > Remote Desktop Service -> Remote Desktop Session Host.
  • Disable the setting “Use WDDM graphics display driver for Remote Desktop Connection”

Issue 7

Issue Description

A failure during component initialization may be seen when 7.15 LTSR VDA (with any CU) is upgraded to CU6 on Windows 10 v2004. This issue is not seen with a fresh install of CU6 VDA on Windows 10 v2004.

[LCM-7909]

Problem Cause

An error “Failed to configure component ‘ICA for workstation services’ because it is not installed” is seen. Changes in Windows 10 v2004 is causing this issue.

Solution

Citrix is working with Microsoft to resolve this issue.

Workaround

  • Uninstalling the existing CU and installing CU6 resolves this issue.
  • Upgrading 7.15 LTSR VDA to CU6 prior to upgrading VDA OS to Windows 10 v2004 is advised.


Issue 8

Issue Description

Following upgrade to Windows 10 v2004, user personalization layer (UPL) services will no longer be able to start during logon. This prevents user layer disks from attaching or being created when users log into their desktops. Note, this issue does not impact App Layering User Layers, it only affects user personalization layer for Virtual Apps and Desktops

[UNI-78456]

Problem Cause

During upgrade to Windows 10 v2004 Microsoft is removing the UPL service key and service from the Winlogon chain.

Solution

This issue is fixed in Citrix Virtual Apps and Desktops 2009 or newer. This issue has also been fixed with the latest updates of 20H1/20H2.

Issue 9

Issue Description

App Layering fails to import a new OS Layer for Windows 10 v2004 with the error: “A failure occurred while importing the OS: Cannot handle more than two partitions on a disk.”

[UNI-79067]

Problem Cause

Importing Windows 10 v2004 as a new OS Layer fails due to Windows creating a recovery partition during installation which results in their being a total of three partitions for the image. This is greater than the maximum two partitions allowed for OS Import.

Solution

This issue is fixed in Application Layering 2009 or newer. Citrix recommends to upgrade the Enterprise Layer Manager (ELM) and do the import again.

Issue 10

Issue Description

Published images from App Layering running Windows 10 v2004 can take 5 minutes or longer to log into Windows and/or for the Start Menu to appear after login.

[UNI-79147]

Problem Cause

The issue is caused by missing dependencies between the App Layering uniservice, and the Windows Delivery Optimization Service (dosvc) and Storage Service (StorSvc).

Solution

This issue is fixed in Application Layering 2011 or newer. Citrix recommends to upgrade the Enterprise Layer Manager (ELM) and redeploy any images.

Issue 11

Issue Description

Audio redirection may fail after a reconnect of ICA session on Windows 10 Multi-session editions with Citrix VDA.

[CVADHELP-15804]

Problem Cause

Changes made in Windows 10 v2004 is causing this issue.

Solution

There is no solution. Citrix is working on a fix to resolve this issue.


Issue 12

Issue Description

Upgrade to Windows 10 20H2 may fail on machines that are configured to have domain administrator profiles managed by UPM

[UPM-3083]

Problem Cause

Changes made in Windows 10 v2004 is causing this issue.

Solution

There is no solution. Citrix is working with Microsoft to resolve this issue.

Workaround

Ensure the domain administrator profiles are not managed by UPM before upgrading to Windows 10 20H2.

Issue 13

Issue Description

Unable to launch publish desktop. Desktop Viewer disappears after it opens.

[CVADHELP-15537]

Problem Cause

Changes made in Windows 10 v2004 is causing this issue.

Workaround

Downgrade OS to Windows 10 v1909.

Related:

  • No Related Posts

Installation Issues with Receiver While Upgrading OS to Windows 10

This article is intended for Citrix administrators and technical teams only.Non-admin users must contact their company’s Help Desk/IT support team and can refer to CTX297149 for more information

Users need to upgrade their Receiver for Windows to 4.3 before performing a Windows 10 OS in-place upgrade.

Note: Receiver 4.2 and earlier versions are not supported by Windows 10.

Issue description

If you are using Receiver for Windows prior to 4.3 installed on the machine and try to upgrade from Windows 7, Windows 8 or Windows 8.1 to Windows 10, you might not be able to uninstall Receiver through Add/Remove Programs. Upgrade or uninstallation fails.

Scenarios

Non-working Scenario

If a computer with Windows 7, Windows 8 or Windows 8.1 and Receiver for Windows 4.2.100 or earlier is upgraded to Windows 10, users are unable to remove Receiver using the control panel. The following error message is displayed. Upgrading to Receiver for Windows 4.3 also fails.

User-added image

Working scenario – 1

  1. Upgrade Receiver for Windows to 4.3.

  2. Upgrade to the computer to Windows 10.

Working scenario – 2

  1. On a computer which does not have Receiver installed, upgrade to Windows 10.

  2. Install Receiver for Windows 4.3

Related:

  • No Related Posts

Microsoft Windows Security Updates December 2020

Today is the last Microsoft Patch Day of the year 2020. Microsoft released security updates and non-security updates for all supported client and server versions of the company’s Windows operating system, and updates for other company products such as Microsoft Office, Microsoft Edge, Internet Explorer, or the .NET Framework.

Our Patch Day overview provides you with detailed information on released patches, security issues, and related information. You can download an Excel spreadsheet of the released security updates, check out the operating system distribution, find links to all support pages, and the list of known issues here in this guide.

Check out the November 2020 Security Updates overview here in case you missed it.

Microsoft Windows Security Updates December 2020

Download the following Excel spreadsheet that contains the released security updates to your system. Note that Microsoft’s new platform is quite slow and that it may be possible that updates are missing. Let us know in the comments if you notice anything missing: Security Updates 2020 12 Microsoft Windows

Executive Summary

Operating System Distribution

  • Windows 7(extended support only): 9 vulnerabilities: 0 critical and 9 important
  • Windows 8.1: 5 vulnerabilities: 0 rated critical and 5 rated important
  • Windows 10 version 1809: 19 vulnerabilities: 1 critical and 18 important
  • Windows 10 version 1903 and 1909: 18 vulnerabilities: 1 critical and 17 important
  • Windows 10 version 2004 and 20H2: 19 vulnerabilities, 1 critical, 18 important

Windows Server products

  • Windows Server 2008 R2 (extended support only): 9 vulnerabilities: 0 critical and 9 important
  • Windows Server 2012 R2: 6 vulnerabilities: 0 critical and 6 important.
  • Windows Server 2016: 16 vulnerabilities: 1 critical and 15 important.
  • Windows Server 2019: 20 vulnerabilities: 1 critical and 19 are important

Other Microsoft Products

  • Internet Explorer 11: 0 vulnerabilities:
  • Microsoft Edge (classic): 1 vulnerabilities: 1 critical
    • CVE 2020 17131 — Chakra Scripting Engine Memory Corruption Vulnerability
  • Microsoft Edge (Chromium)
    • see here (latest security patches from the Chromium project)

Windows Security Updates

Windows 7 SP1 and Windows Server 2008 R2

Updates and improvements:

  • Fixed a security vulnerability by preventing programs that runs as System from printing to FILE ports.
  • Security updates

Windows 8.1 and Windows Server 2012 R2

Updates and improvements:

  • Fixed an issue that prevented PDF24 Creator version 9.1.1 from opening .txt files. (Monthly Rollup only)
  • Fixed a security vulnerability by preventing programs that runs as System from printing to FILE ports.
  • Security updates

Windows 10 version 1809

Updates and improvements:

  • Fixed a security vulnerability by preventing programs that runs as System from printing to FILE ports.
  • Security updates

Windows 10 version 1903 and 1909

Updates and improvements:

  • Fixed a security vulnerability by preventing programs that runs as System from printing to FILE ports.
  • Security updates

Windows 10 version 2004 and 20H2

Updates and improvements:

  • Fixed a security vulnerability by preventing programs that runs as System from printing to FILE ports.
  • Security updates

Other security updates

KB4592468 — 2020-12 Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012 (KB4592468)

KB4592497 — 2020-12 Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012 (KB4592497)

KB4592498 — 2020-12 Security Monthly Quality Rollup for Windows Server 2008 (KB4592498)

KB4592504 — 2020-12 Security Only Quality Update for Windows Server 2008 (KB4592504)

KB4592464 — 2020-12 Cumulative Update for Windows 10 Version 1507 (KB4592464)

KB4593226 — 2020-12 Cumulative Update for Windows Server 2016 and Windows 10 Version 1607 (KB4593226)

KB4592473 — 2020-12 Cumulative Update for Windows 10 Version 1703 (KB4592473)

KB4592446 — 2020-12 Cumulative Update for Windows 10 Version 1803 (KB4592446)

Servicing Stack Updates:

2020-12 Servicing Stack Update for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB4592510)

2020-12 Servicing Stack Update for Windows Server, version 20H2, Windows 10 Version 20H2, Windows Server, version 2004, and Windows 10 Version 2004 (KB4593175)

Known Issues

Windows 7 SP1 and Windows Server 2008 R2

  • Updates will fail to install with the error ““Failure to configure Windows updates. Reverting Changes. Do not turn off your computer” if ESU is not supported or activated.
  • Certain operations may fail on cluster shared volumes. Workarounds available.

Windows 8.1 and Server 2012 R2

  • Certain operations may fail on cluster shared volumes. Workarounds available.

Windows 10 version 1809

  • Devices with “some” Asian language packs may throw the error “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”. Microsoft suggests to either try and uninstall the language packs and make sure that a recent version of Windows 10 is installed, or to reset the PC.

Windows 10 version 1903 and 1909

  • System and user certificates may be lost when updating a device from Windows 10 version 1809 or later, to a later version of Windows 10. Does not affect Windows Update devices or Windows Update for business devices. Workaround available.

Windows 10 version 2004 and 20H2

  • System and user certificates may be lost when updating a device from Windows 10 version 1809 or later, to a later version of Windows 10. Does not affect Windows Update devices or Windows Update for business devices. Workaround available.
  • The correct Furigana characters may not be displayed when using the Microsoft Japanese Input Method Editor. Microsoft is working on a resolution.

Security advisories and updates

ADV 200013 — Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver

ADV 990001 — Latest Servicing Stack Updates

Non-security related updates

Microsoft Office Updates

You find Office update information here.

How to download and install the December 2020 security updates

windows updates december 2020

Updates are already available via Windows Updates and other update management systems. Default Windows installations are configured to find and install updates automatically, but it is also possible to download updates manually to install them.

Tip: it is essential that you create a backup of the system before you install Windows updates as things may go wrong and backups help you restore the previous status quo.

You can check manually for updates in the following way:

  1. Open the Start Menu of the Windows operating system, type Windows Update and select the result.
  2. Select check for updates in the application that opens. Updates may be installed automatically when they are found or offered by Windows; this depends on the operating system and version that is used, and update settings.

Direct update downloads

Below are resource pages with direct download links, if you prefer to download the updates to install them manually.

Windows 7 and Server 2008 R2

  • KB4592471 — 2020-12 Security Monthly Quality Rollup for Windows 7
  • KB4592503 — 2020-12 Security Only Quality Update for Windows 7

Windows 8.1 and Windows Server 2012 R2

  • KB4592484 — 2020-12 Security Monthly Quality Rollup for Windows 8.1
  • KB4592495 — 2020-12 Security Only Quality Update for Windows 8.1

Windows 10 (version 1809)

  • KB4592440 — 2020-12 Cumulative Update for Windows 10 Version 1809

Windows 10 (version 1903)

  • KB4592449 — 2020-12 Cumulative Update for Windows 10 Version 1903

Windows 10 (version 1909)

  • KB4592449 — 2020-12 Cumulative Update for Windows 10 Version 1909

Windows 10 (version 2004)

  • KB4592438 — 2020-12 Cumulative Update for Windows 10 Version 2004

Windows 10 (version 20H2)

  • KB4592438 — 2020-12 Cumulative Update for Windows 10 Version 20H2

Additional resources

Summary
Microsoft Windows Security Updates December 2020 overview
Article Name
Microsoft Windows Security Updates December 2020 overview
Description
Microsoft released security updates and non-security updates for all supported versions of the company’s Windows operating system, client and server, as well as other company products such as Microsoft Office on the December 2020 Patch Day.
Author
Martin Brinkmann
Publisher
Ghacks Technology News
Logo
Ghacks Technology News
Advertisement

Related:

  • No Related Posts

Microsoft Windows Security Updates November 2020

Microsoft has released security updates for all support client and server versions of Windows as well as other company products such as Microsoft Office, Microsoft Edge, and Internet Explorer.

Our November 2020 Patch Day overview provides you with details on the released patches. It begins with an executive summary listing the most important bits of information; this is followed by the operating system distribution, details about cumulative updates for Windows, other released security updates, download links, and lots of links to Microsoft support pages.

Check out the October 2020 Security Updates overview here in case you missed it.

Microsoft Windows Security Updates November 2020

You can download the following Excel spreadsheet that includes information about the released security updates in November 2020. It is provided as an archive that you need to extract on the local system. A viewer such as Microsoft Excel or LibreOffice Cacl is needed to open the spreadsheet.

Click on the following link to download the spreadsheet to your system: Security Updates 2020-11-10-070727pm

Executive Summary

  • Microsoft released security updates for all supported client and server versions of Windows.
  • All server and client versions of Windows are affected by the same two critical vulnerabilities.
  • Security updates are also released for Microsoft Office, Internet Explorer, Microsoft Edge, Microsoft Exchange Server, Microsoft Dynamics, Microsoft Windows Codecs Library, Azure Sphere, Windows Defender, Microsoft Teams, Azure SDK, Azure DevOps and Visual Studio.
  • Products with known issues: SharePoint Server 2016 and 2019, Windows 10 versions 2004, 1903, 1809, Windows 7, Windows 8.1, Windows Server products and Microsoft Exchange Server

Operating System Distribution

  • Windows 7(extended support only): 20 vulnerabilities: 2 critical and 18 important
    • CVE 2020 17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE 2020 17051 — Windows Network File System Remote Code Execution Vulnerability
  • Windows 8.1: 33 vulnerabilities: 2 rated critical and 31 rated important
    • CVE 2020 17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE 2020 17051 — Windows Network File System Remote Code Execution Vulnerability
  • Windows 10 version 1809: 48 vulnerabilities: 2 critical and 45 important, 1 low
    • CVE 2020 17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE 2020 17051 — Windows Network File System Remote Code Execution Vulnerability
  • Windows 10 version 1903 and 1909: 53 vulnerabilities: 2 critical and 54 important, 1 low
    • CVE 2020 17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE 2020 17051 — Windows Network File System Remote Code Execution Vulnerability
  • Windows 10 version 2004 and 20H2: 52 vulnerabilities, 2 critical, 49 important, 1 low
    • CVE 2020 17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE 2020 17051 — Windows Network File System Remote Code Execution Vulnerability

Windows Server products

  • Windows Server 2008 R2 (extended support only): 20 vulnerabilities: 2 critical and 18 important
    • CVE 2020 17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE 2020 17051 — Windows Network File System Remote Code Execution Vulnerability
  • Windows Server 2012 R2: 34 vulnerabilities: 2 critical and 22 important.
    • CVE 2020 17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE 2020 17051 — Windows Network File System Remote Code Execution Vulnerability
  • Windows Server 2016: 40 vulnerabilities: 2 critical and 38 important.
    • CVE 2020 17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE 2020 17051 — Windows Network File System Remote Code Execution Vulnerability
  • Windows Server 2019: 46 vulnerabilities: 2 critical and 44 are important
    • CVE 2020 17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE 2020 17051 — Windows Network File System Remote Code Execution Vulnerability

Other Microsoft Products

  • Internet Explorer 11: 3 vulnerabilities: 3 critical
  • Microsoft Edge (classic): 4 vulnerabilities: 3 critical, 1 important
    • CVE 2020 17048 — Chakra Scripting Engine Memory Corruption Vulnerability
    • CVE 2020 17052 — Scripting Engine Memory Corruption Vulnerability
    • CVE 2020 17058 — Microsoft Browser Memory Corruption Vulnerability
  • Microsoft Edge (Chromium)
    • see here (latest security patches from the Chromium project)

Windows Security Updates

Windows 7 SP1 and Windows Server 2008 R2

Updates and improvements:

  • Corrects DST start date for Fiji Islands to December 20, 2020
  • Security updates

Windows 8.1 and Windows Server 2012 R2

Updates and improvements:

  • Corrects DST start date for Fiji Islands to December 20, 2020
  • Security updates
  • Administrators may enable “Save Target As” in Group Policy for Microsoft Edge IE Mode (Monthly Rollup only).
  • Fixes an issue with LDAP session authentication (Monthly Rollup only).

Windows 10 version 1809

Updates and improvements:

  • Corrects DST start date for Fiji Islands to December 20, 2020
  • Security updates

Windows 10 version 1903 and 1909

Updates and improvements:

  • Corrects DST start date for Fiji Islands to December 20, 2020
  • Fixed an issue with the package frame launcher.
  • Security updates

Windows 10 version 2004 and 20H2

Updates and improvements:

  • Corrects DST start date for Fiji Islands to December 20, 2020
  • Security updates

Other security updates

KB4586768 — 2020-11 Cumulative Security Update for Internet Explorer

KB4586807 — 2020-11 Security Monthly Quality Rollup for Windows Server 2008

KB4586817 — 2020-11 Security Only Quality Update for Windows Server 200

KB4586808 — 2020-11 Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012

KB4586834 — 2020-11 Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012

KB4586787 — 2020-11 Cumulative Update for Windows 10 Version 1507

KB4586782 — 2020-11 Cumulative Update for Windows 10 Version 1703

KB4586785 — 2020-11 Cumulative Update for Windows 10 Version 1803

KB4586830 — 2020-11 Cumulative Update for Windows Server 2016 and Windows 10 Version 1607

Known Issues

Windows 7 SP1 and Server 2008 R2

  • Updates will uninstall if the system is not subscribed to ESU (Extended Security Updates).
  • Certain rename operations may fail on Cluster Shared Volumes. Workarounds available.

Windows 8.1 and Server 2012 R2

  • Certain rename operations may fail on Cluster Shared Volumes. Workarounds available.

Windows 10 version 1809

  • Some Asian language packs may throw the error “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND”. Microsoft suggest to remove the language packs and reinstall them, update Windows to the latest version, or Reset the PC.

Windows 10 version 1903, 1909, 2004, 20H2

  • System and user certificates may be lost when updating from Windows 10 version 1809 or later to a newer version of Windows 10. This happens mainly when managed devices are updated using outdated bundles or media according to Microsoft. Devices that use Windows Update or Windows Update for Business are not impacted. Microsoft suggests to go back to the previous version of Windows to fix the issue.

Security advisories and updates

ADV 990001 — Latest Servicing Stack Updates

Non-security related updates

KB4497165 — 2020-09 Update for Windows Server, version 1909, Windows 10 Version 1909, Windows Server 2019 (1903), and Windows 10 Version 1903

KB4558130 — 2020-09 Update for Windows Server, version 2004 and Windows 10 Version 2004

KB4580419 — 2020-11 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows Server, version 20H2, Windows 10 Version 20H2, Windows Server, version 2004, and Windows 10 Version 2004

KB4580980 — 2020-11 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows Server, version 1909, Windows 10 Version 1909, Windows Server 2019 (1903), and Windows 10 Version 1903

KB4585207 — 2020-11 Cumulative Update for .NET Framework 4.8 for Windows Server 2016 and Windows 10 Version 1607

KB4585208 — 2020-11 Cumulative Update for .NET Framework 4.8 for Windows 10 Version 1703

KB4585210 — 2020-11 Cumulative Update for .NET Framework 4.8 for Windows 10 Version 1803 and Windows Server 2016

KB4586082 — 2020-11 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Windows Server 2019 and Windows 10 Version 1809

KB4589198 — 2020-11 Update for Windows 10 Version 1507

KB4589206 — 2020-11 Update for Windows 10 Version 1803

KB4589208 — 2020-11 Update for Windows Server 2019 and Windows 10 Version 1809

KB4589210 — 2020-11 Update for Windows Server 2016 and Windows 10 Version 1607

KB4589211 — 2020-11 Update for Windows Server, version 1909, Windows 10 Version 1909, Windows Server 2019 (1903), and Windows 10 Version 1903

KB4589212 — 2020-11 Update for Windows Server, version 20H2, Windows 10 Version 20H2, Windows Server, version 2004, and Windows 10 Version 2004

KB890830 — Windows Malicious Software Removal Tool

KB4585204 — 2020-11 Security and Quality Rollup for .NET Framework 4.6 for Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, and Windows Server 2008

KB4585205 — 2020-11 Security and Quality Rollup for .NET Framework 4.8 for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4585211 — 2020-11 Security and Quality Rollup for .NET Framework 4.8 for Windows Embedded 8 Standard and Windows Server 2012

KB4585212 — 2020-11 Security and Quality Rollup for .NET Framework 4.8 for Windows 8.1 and Windows Server 2012 R2

KB4585213 — 2020-11 Security and Quality Rollup for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows Embedded 8 Standard and Windows Server 2012

KB4585214 — 2020-11 Security and Quality Rollup for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 8.1 and Windows Server 2012 R2

KB4586083 — 2020-11 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4586084 — 2020-11 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Embedded 8 Standard and Windows Server 2012

KB4586085 — 2020-11 Security and Quality Rollup for .NET Framework 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 and Windows Server 2012 R2

KB4586086 — 2020-11 Security and Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 for Windows Server 2008

Microsoft Office Updates

You find Office update information here.

How to download and install the November 2020 security updates

microsoft windows november 2020 security updates

The November 2020 security patches are already available for all supported versions of Windows and other Microsoft products. Home users get these via Windows Updates or direct downloads, business customers and Enterprises get these via update management systems such as WSUS predominantly.

Updates are installed automatically by default on Home systems, but you can run a manual check for updates to download and install these earlier.

Note: we recommend that you create a backup of important data, better the entire system, before you install updates.

Do this to manually check for updates:

  1. Open the Start Menu of the Windows operating system, type Windows Update and select the result.
  2. Select check for updates in the application that opens. Updates may be installed automatically when they are found or offered by Windows; this depends on the operating system and version that is used, and update settings.

Direct update downloads

Below are resource pages with direct download links, if you prefer to download the updates to install them manually.

Windows 7 and Server 2008 R2

  • KB4586827 — 2020-11 Security Monthly Quality Rollup for Windows 7
  • KB4586805 — 2020-11 Security Only Quality Update for Windows 7

Windows 8.1 and Windows Server 2012 R2

  • KB4586845 — 2020-11 Security Monthly Quality Rollup for Windows 8.1
  • KB4586823 — 2020-11 Security Only Quality Update for Windows 8.1

Windows 10 (version 1809)

  • KB4586793 — 2020-11 Cumulative Update for Windows 10 Version 1809

Windows 10 (version 1903)

  • KB4586786 — 2020-11 Cumulative Update for Windows 10 Version 1903

Windows 10 (version 1909)

  • KB4586786 — 2020-11 Cumulative Update for Windows 10 Version 1909

Windows 10 (version 2004)

  • KB4586781 — 2020-11 Cumulative Update for Windows 10 Version 2004

Windows 10 (version 20H2)

  • KB4586781 — 2020-11 Cumulative Update for Windows 10 Version 20H2

Additional resources

Summary
Microsoft Windows Security Updates November 2020 overview
Article Name
Microsoft Windows Security Updates November 2020 overview
Description
Microsoft released security updates and non-security updates for all supported versions of the company’s Windows operating system, client and server, as well as other company products such as Microsoft Office on the November 2020 Patch Day.
Author
Martin Brinkmann
Publisher
Ghacks Technology News
Logo
Ghacks Technology News
Advertisement

Related:

  • No Related Posts

Windows 10 20H2 (Insider Preview Builds) – Citrix Known Issues

Microsoft releases regular builds of the next version of Windows 10 through their Insider Preview Program. Citrix does not support Insider Preview builds as stated on CTX224843 – Windows 10 Compatibility with Citrix XenDesktop.


This article is intended to capture known issues with Windows 10 20H2 that have been identified so far through Citrix internal testing and customer reports for the benefit of customers who are conducting early testing in preparation for when the Semi-Annual Channel release of 20H2 becomes available.


Note:

  • This is a live article and is updated as and when new information is available.
  • All the issues mentioned in this article have been noticed with 20H1 builds up to 20140

Known Issues

The following are the known issues:

Issue 1

Issue Description

Citrix User Profile Manager (UPM) may stop working after Windows 10 with VDA installed is upgraded to 20H2 OR it may break the native Windows applications like notepad, calculator etc when UPM is configured on fresh install of 20H2.

[TPV-2706]


Problem Cause

Changes in Windows 10 v2004 or later is causing this issue.

Solution

This issue is fixed in Citrix Virtual Apps and Desktops 7 2003 and later versions.

Issue 2

Issue Description

Printers part of Citrix Universal Print Server (UPS) are not mapped within ICA session of Windows 10 20H2 VDA.

Problem Cause

Changes in Windows 10 v2004 or later is causing the printer mapping failure.


Solution

There is no solution. Citrix is working with Microsoft to resolve this issue.

Issue 3

Issue Description

On Windows 10 20H2 end point with Receiver/Workspace App, when a network interruption is caused by disabling the Network Interface from Control Panel, Session Reliability feature fails to work.

[RFWIN-15116]

Problem Cause

Changes in Windows 10 v2004 or later is making the Session Reliability to fall back to Auto Client Reconnect when the network is disrupted.

Solution

This issue has been fixed in Citrix Workspace App.

  • Users on Current Release of Workspace App are advised to upgrade to version 2002 or its replacement that contains the fix.
  • Users on the LTSR version of Workspace App are advised to upgrade to version 1912 or its replacement that contains the fix.

Issue 4

Issue Description

On Windows 10 20H2 end point with Receiver/Workspace App, when a network interruption is caused using Firewall, Session Reliability feature fails to work.

[RFWIN-15263]

Problem Cause

Changes in Windows 10 v2004 or later is making the Session Reliability to fall back to Auto Client Reconnect as soon as the the network is disrupted.


Solution

There is no solution. Citrix is working with Microsoft to resolve this issue.


Issue 5

Issue Description

ICA launch of Citrix VDA installed on Windows 10 Virtual Desktop 20H2 fails.

[TPV-3025]

Problem Cause

Changes in Windows 10 v2004 or newer is causing this issue.


Solution

There is no solution. Citrix is working with Microsoft to resolve this issue.

Issue 6

Issue Description

Following upgrade to Windows 10 20H2, user personalization layer (UPL) services will no longer be able to start during logon. This prevents user layer disks from attaching or being created when users log into their desktops. Note, this issue does not impact App Layering User Layers, it only affects user personalization layer for Virtual Apps and Desktops

Problem Cause

During upgrade to Windows 10 v2004 or newer, OS is removing the UPL service key and service from the Winlogon chain.


Solution

There is no solution. Citrix is working with Microsoft to resolve this issue. A workaround for this issue is to uninstall and reinstall the VDA as this will re-register the UPL login services correctly.

Related:

Windows 10 20H1 (Insider Preview Builds) – Citrix Known Issues

Microsoft releases regular builds of the next version of Windows 10 through their Insider Preview Program. Citrix does not support Insider Preview builds as stated on CTX224843 – Windows 10 Compatibility with Citrix XenDesktop.

This article is intended to capture known issues with Windows 10 20H1 that have been identified so far through Citrix internal testing and customer reports for the benefit of customers who are conducting early testing in preparation for when the Semi-Annual Channel release of 20H1 becomes available.

Note:

  • This is a live article and is updated as and when new information is available.
  • All the issues mentioned in this article have been noticed with 20H1 builds up to 19041.208

Known Issues

The following are the known issues:

Issue 1

Issue Description

Citrix User Profile Manager (UPM) may stop working after Windows 10 with VDA installed is upgraded to 20H1 OR it may break the native Windows applications like notepad, calculator etc when UPM is configured on fresh install of 20H1.

[TPV-2706]

Problem Cause

Changes in 20H1 is causing this issue.

Solution

This issue is fixed in Citrix Virtual Apps and Desktops 7 2003.


Issue 2

Issue Description

Users are unable to uninstall Desktop Lock if Windows 10 was upgraded to 20H1 with Desktop Lock and Workspace App installed.

[TPV-744]

Problem Cause

During the upgrade,the key CtxBackupShell is getting removed under [HKLM -> SOFTWARE -> Microsoft -> Windows NT -> CurrentVersion -> Winlogon] . As a result, an error message “1: Read failed HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonCtxBackupShell=(32bit on 32bit)” is displayed.

Solution

This issue is resolved with 20H1 builds 18999 and newer.


Issue 3

Issue Description

Printers part of Universal Print Server are no longer mapped after Windows 10 is upgraded to Windows 10 20H1. This issue is not seen with fresh install of Windows 10 20H1.

[LCM-5677]

Solution

There is no solution. Support for custom print drivers have been deprecated by Microsoft.


Issue 4

Issue Description

Unable to print using client mapped printers if Universal Print Driver is used with a Windows 10 20H1 VDA.

[LCM-5691]

Solution

This issue is resolved with 20H1 builds 18990 and newer.


Issue 5

Issue Description

On Virtual Machine’s (hosted on vSphere) with VM version 14 and boot option EFI, a failure may be seen when you upgrade Windows 10 machine to 20H1 with an error “We can’t tell if your PC is ready to continue installing Windows 10. Try restating the setup”

[TPV-2703]

Solution

Installing the latest VMWare tools 11.0.0.x before attempting to upgrade to 20H1 resolves this issue.

Issue 6

Issue Description

When Windows 10 machine with Citrix Workspace Environment Management (WEM) Agent 1803 or newer is upgraded to 20H1, WEM fails to work. This issue is not seen with WEM versions up to 4.7

[TPV-1184]

Problem Cause

The ‘Norskale’ key under [HKLM -> System -> CurrentControlSet -> Control] is getting removed during the upgrade to 20H1.

Solution

This issue is resolved with builds 19018 and later.


Issue 7

Issue Description

When Windows 10 machine with VDA installed is upgraded to 20H1 build 19025, users may experience a failure with VDA registration.

[TPV-2772]

Solution

This issue is resolved with 20H1 builds 19030 and newer.

Issue 8

Issue Description

On Windows 10 20H1 end point with Receiver/Workspace App, when a network interruption is caused by disabling the Network Interface from Control Panel, Session Reliability feature fails to work.

[RFWIN-15116]

Problem Cause

Changes in Windows 10 20H1 Operating System is making the Session Reliability to fall back to Auto Client Reconnect when the network is disrupted.

Solution

This issue has been fixed in Citrix Workspace App.

  • Users on Current Release of Worspace App are advised to upgrade to version 2002 or its replacement that contains the fix.
  • Users on the LTSR version of Workspace App are advised to upgrade to version 1912 or its replacement that contains the fix.

Issue 9

Issue Description

On Windows 10 20H1 end point with Receiver/Workspace App, when a network interruption is caused using Firewall, Session Reliability feature fails to work.

[RFWIN-15263]

Problem Cause

Changes in Windows 10 20H1 Operating System is making the Session Reliability to fall back to Auto Client Reconnect as soon as the the network is disrupted.

Solution

There is no solution. Citrix is working with Microsoft to resolve this issue.

Issue 9

Issue Description

ICA launch of Citrix VDA installed on Windows 10 Virtual Desktop v20H1 fails.

[TPV-3025]

Problem Cause

Changes in Windows 10 20H1 Operating System is causing this issue.

Solution

There is no solution. Citrix is working with Microsoft to resolve this issue.

Issue 10

Issue Description

Following upgrade to Windows 10 v20H1, user personalization layer (UPL) services will no longer be able to start during logon. This prevents user layer disks from attaching or being created when users log into their desktops. Note, this issue does not impact App Layering User Layers, it only affects user personalization layer for Virtual Apps and Desktops

Problem Cause

During upgrade to Windows 10 20H1 Microsoft is removing the UPL service key and service from the Winlogon chain.

Solution

There is no solution. Citrix is working with Microsoft to resolve this issue. A workaround for this issue is to uninstall and reinstall the VDA as this will re-register the UPL login services correctly.

Related:

Microsoft releases Windows 10 builds 18363.815, 18362.815 with a ton of fixes

Patch Tuesday was only a week ago, but it’s now time for this month’s round of optional updates. Typically, Microsoft does this in several installments, offering updates to different versions at different times. But today, Windows 10 version 1909, 1903, 1809, 1803, and 1607 are all getting updates.

The reason that they’re all getting patched today is likely because this is going to be one of the last times to do it. Starting in May, Microsoft won’t be releasing optional cumulative updates anymore, only Patch Tuesday updates. This is to focus on stability for those working from home during the COVID-19 pandemic.

For those on Windows 10 versions 1909 and 1903, you’ll get KB4550945, bringing the build number to 18363.815 and 18362.815, respectively. You can manually download it here, and these are the highlights:

  • Updates an issue that prevents certain apps from opening after you upgrade from a previous version of Windows, and a Bad Image error message appears.
  • Updates in an issue that turns off notifications for devices that use a virtual private network (VPN) on a cellular network.
  • Updates an issue that prevents you from resuming a Microsoft Xbox game on a Windows device after upgrading from a previous version of Windows.
  • Updates an issue that causes a text box that contains multiple lines of text to stop responding in certain scenarios.
  • Updates an issue that generates unexpected notifications when you change the default application settings.
  • Updates an issue that causes Windows Update to stop responding when you check for updates.
  • Updates an issue that fails to print content that is outside of the margins of a document.

Here’s the full list of fixes:

  • Addresses an issue that prevents certain apps from opening after you upgrade from a previous version of Windows, and a Bad Image exception dialog box appears.
  • Addresses in an issue that turns off notifications for devices that use a virtual private network (VPN) on a cellular network.
  • Addresses an issue that prevents you from resuming a Microsoft Xbox game on a Windows device after upgrading from a previous version of Windows.
  • Addresses an issue that causes a box that contains multiple lines of text to stop responding in certain scenarios.
  • Addresses an issue that prevents the touch keyboard from appearing during sign in when the user is prompted for the password.
  • Addresses an issue that prevents the touch keyboard from opening in Universal Windows Platform (UWP) apps when USB devices are connected.
  • Addresses an issue that displays incorrect folder properties in File Explorer when the path is longer than MAX_PATH.
  • Addresses an issue that prevents the correct lock screen from appearing when all of the following are true:
    • The Group Policy Object (GPO) policy “Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsInteractive Logon: Do not require Ctrl+Alt+Del Computer” is disabled.
    • The GPO policy “Computer ConfigurationAdministrative TemplatesSystemLogonTurn off app notifications on the lock screen” is enabled.
    • The registry key HKLMSOFTWAREPoliciesMicrosoftWindowsSystemDisableLogonBackgroundImage is set to 1.
  • Addresses an issue that generates unexpected notifications related to changing the default application settings.
  • Addresses an issue that causes the sign in screen to be blurry.
  • Addresses an issue that causes Windows Update to stop responding when you check for updates.
  • Addresses an issue that prevents the Sign in options page from opening using the ms-settings:signinoptions-launchfingerprintenrollment Uniform Resource Identifier (URI).
  • Addresses an issue with Bluetooth group policy settings on Microsoft Surface Pro X devices.
  • Addresses an issue that causes a KERNEL_SECURITY_CHECK_FAILURE (139) stop error when Windows resumes from Sleep and turns on certain Bluetooth headsets.
  • Addresses a reliability issue in WDF01000.sys.
  • Addresses an issue that causes an error in logman.exe. The error is, “A user account is required in order to commit the current Data collector Set properties.”
  • Addresses an issue that prevents users from setting the REG_EXPAND_SZ keys in some automated scenarios.
  • Addresses an issue that causes a memory leak in the LsaIso.exe process when the server is under a heavy authentication load and Credential Guard is enabled.
  • Addresses an issue that causes the Trusted Platform Module (TPM) initialization to fail with system event error 14 and prevents Windows from accessing the TPM.
  • Addresses an issue that causes communication with the TPM to time out and fail.
  • Addresses an issue that prevents hash signing using the Microsoft Platform Crypto Provider for TPMs from working correctly. This issue might also affect networking software, such as VPN applications.
  • Addresses an issue that prevents applications running in an Azure Active Directory environment from receiving account change notifications. This occurs when using the Web Account Manager (WAM) and the WebAccountMonitor API.
  • Addresses an issue that causes systems to stop working with a 0x3B stop code when running a binary that is signed by a revoked certificate.
  • Addresses an issue with merging Windows Defender Application Control policies that sometimes generates a duplicate rule ID error and causes the Merge-CIPolicy PowerShell command to fail.
  • Addresses an issue that prevents a user’s PIN from being changed after connecting the device to Microsoft Workplace Join.
  • Addresses an issue that fails to print content that is outside of the margins of a document.
  • Addresses an issue that prevents Microsoft Internet Information Services (IIS) management tools, such as IIS Manager, from managing an ASP.NET application that has configured SameSite cookie settings in web.config.
  • Addresses an issue that causes Microsoft Edge to stop working if you attempt to use paste functionality on webpages when cut-and-paste functionality has been disabled using a policy and Windows Defender Application Guard is active.
  • Addresses an issue that causes the Clipboard service to unexpectedly stop working.

Windows 10 version 1809 just had its support extended, and those users will get KB4550969, bringing the build number to 17763.1192. You can manually download it here, and these are the highlights:

  • Updates an issue with pasting mixed content of images and text from Microsoft Word into Internet Explorer.
  • Updates an issue that causes a text box that contains multiple lines of text to stop responding in certain scenarios.
  • Updates an issue that fails to print content that is outside of the margins of a document.

Here’s the full list of fixes:

  • Addresses an issue that occurs when a third-party application loads hidden tabs into Internet Options.
  • Addresses an issue with pasting mixed content of images and text from Microsoft Word into Internet Explorer.
  • Addresses an issue that causes a box that contains multiple lines of text to stop responding in certain scenarios.
  • Addresses an issue that prevents the first key stroke from being recognized correctly in the DataGridView cell.
  • Addresses an issue that causes an application that uses msctf.dll to stop working, and the 0xc0000005 (Access violation) exception appears.
  • Addresses an issue that prevents the correct lock screen from appearing when all of the following are true:
    • The Group Policy Object (GPO) policy “Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsInteractive Logon: Do not require Ctrl+Alt+Del Computer” is disabled.
    • The GPO policy “Computer ConfigurationAdministrative TemplatesSystemLogonTurn off app notifications on the lock screen” is enabled.
    • The registry key HKLMSOFTWAREPoliciesMicrosoftWindowsSystemDisableLogonBackgroundImage is set to 1.
  • Addresses a reliability issue in WDF01000.sys.
  • Addresses an issue that causes a KERNEL_SECURITY_CHECK_FAILURE (139) stop error when Windows resumes from Sleep and turns on certain Bluetooth headsets.
  • Addresses an issue that causes the Event Viewer Microsoft Management Console (MMC) to stop working when the secondary monitor is above the primary monitor. An out of bounds exception appears.
  • Addresses an issue that causes an error in logman.exe. The error is, “A user account is required in order to commit the current Data collector Set properties.”
  • Addresses an issue that prevents users from setting the REG_EXPAND_SZ keys in some automated scenarios.
  • Addresses an issue that causes a memory leak in the LsaIso.exe process when the server is under a heavy authentication load and Credential Guard is enabled.
  • Addresses an issue that prevents hash signing using the Microsoft Platform Crypto Provider for TPMs from working correctly. This issue might also affect networking software, such as VPN applications.
  • Addresses an issue with merging Windows Defender Application Control policies that sometimes generates a duplicate rule ID error and causes the Merge-CIPolicy PowerShell command to fail.
  • Addresses an issue that prevents a user’s PIN from being changed after connecting the device to Microsoft Workplace Join.
  • Addresses an issue that prevents applications running in an Azure Active Directory environment from receiving account change notifications. This occurs when using the Web Account Manager (WAM) and the WebAccountMonitor API.
  • Addresses an issue that fails to print content that is outside of the margins of a document.
  • Addresses an issue that prevents Microsoft Internet Information Services (IIS) management tools, such as IIS Manager, from managing an ASP.NET application that has configured SameSite cookie settings in web.config.
  • Addresses an issue that causes high CPU usage on Active Directory (AD) domain controllers when migrating to Windows Server 2019. This increases latency in Microsoft Exchange operations, causes Managed Store contention, and severely impacts index creation in Active Directory and the Global Catalog’s performance.
  • Addresses an issue that logs incorrect Internet Protocol (IP) addresses in the audit logs because of missing or old data for active requests coming from “windowstransport/usernamemixed/certificatemixed” endpoints.
  • Addresses an issue that causes devices that are provisioned for Windows Hello for Business (WHfB) to fail. Registration occasionally fails, which leads to a delay in WHfB enrollment and, in some instances, creates Conflicting Objects (CNF) in the Active Directory “Registered Device” container.
  • Addresses an issue that might cause a deadlock in the Remote Desktop Gateway service.
  • Addresses an issue that might cause the Remote Desktop Gateway service to stop working.
  • Addresses an issue that causes systems to stop working with a 0x3B stop code when running a binary that is signed by a revoked certificate.
  • Addresses an issue that prevents the Notification State registries from being deleted for certain apps even after the user profile is deleted.
  • Addresses an issue that causes stop error 0x18 (REFERENCE_BY_POINTER) when Remote Desktop sessions redirect devices that are not input devices.

This one does have one known issue to be aware of:

Symptom Workaround
After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_ COMPONENT_NOT_FOUND.”
  1. Uninstall and reinstall any recently added language packs. For instructions, see Manage the input and display language settings in Windows 10.
  2. Select Check for Updates and install the April 2019 Cumulative Update. For instructions, see Update Windows 10.

Note If reinstalling the language pack does not mitigate the issue, reset your PC as follows:

  1. Go to the Settings app > Recovery.
  2. Select Get Started under the Reset this PC recovery option.
  3. Select Keep my Files.

Microsoft is working on a resolution and will provide an update in an upcoming release.


For those running Windows 10 version 1803, which is only supported for Enterprise and Education SKUs, you’ll get KB4550944, bringing the build number to 17134.1456. You can manually download it here, and there’s one highlight:

  • Updates an issue with pasting mixed content of images and text from Microsoft Word into Internet Explorer.

Here’s the full list of fixes:

  • Addresses an issue that occurs when a third-party application loads hidden tabs into Internet Options.
  • Addresses an issue with pasting mixed content of images and text from Microsoft Word into Internet Explorer.
  • Addresses an issue that prevents the first key stroke from being recognized correctly in the DataGridView cell.
  • Addresses an issue that causes an error in logman.exe. The error is, “A user account is required in order to commit the current Data collector Set properties.”
  • Addresses an issue that prevents users from setting the REG_EXPAND_SZ keys in some automated scenarios.
  • Addresses an issue that causes a memory leak in the LsaIso.exe process when the server is under a heavy authentication load and Credential Guard is enabled.
  • Addresses an issue with running klist.exe that causes lsass.exe to stop working and generates an access violation error (0xC0000005).
  • Addresses an issue with merging Windows Defender Application Control policies that sometimes generates a duplicate rule ID error and causes the Merge-CIPolicy PowerShell command to fail.
  • Addresses an issue that prevents applications running in an Azure Active Directory environment from receiving account change notifications. This occurs when using the Web Account Manager (WAM) and the WebAccountMonitor API.
  • Addresses a Task Manager CPU frequency display issue that locks to the base frequency on devices equipped with certain CPUs.
  • Addresses an issue that prevents Microsoft Internet Information Services (IIS) management tools, such as IIS Manager, from managing an ASP.NET application that has configured SameSite cookie settings in web.config.
  • Addresses an issue that occurs when you try to sign in to Windows during recovery mode. The error, “No administrator accounts are available on this machine”, appears.
  • Addresses an issue that prevents you from removing some local users from local built-in groups. For example, you cannot remove “Guest” from the “Guests” local group.
  • Addresses an issue that prevents certain apps from installing if they are published using a Group Policy Object.
  • Addresses an issue that causes Microsoft Edge to stop working if you attempt to use paste functionality on webpages when cut-and-paste functionality has been disabled using a policy and Windows Defender Application Guard is active.

Finally, Windows 10 version 1607 is still supported for LTSB and Windows Server 2016 customers, and they’ll get KB4550947, bringing the build number to 14393.3659. You can manually download it here, and it has the same one highlight:

  • Updates an issue with pasting mixed content of images and text from Microsoft Word into Internet Explorer.

Here’s the full list of fixes:

  • Addresses an issue with pasting mixed content of images and text from Microsoft Word into Internet Explorer.
  • Addresses an issue with Dynamic Data Exchange (DDE) that causes a memory leak when multiple clients connect to the same server.
  • Addresses an issue that causes new child windows to flicker and appear as white squares on server devices that are configured for stark visual contrast.
  • Addresses an issue that causes an error in logman.exe. The error is, “A user account is required in order to commit the current Data collector Set properties.”
  • Addresses an issue that causes a memory leak in the LsaIso.exe process when the server is under a heavy authentication load and Credential Guard is enabled.
  • Addresses an issue that might cause a delay of up to two minutes when signing in or unlocking a session on Hybrid Azure Active Directory-joined machines.
  • Addresses an issue with running klist.exe that causes lsass.exe to stop working and generates an access violation error (0xC0000005).
  • Addresses an issue with merging Windows Defender Application Control policies that sometimes generates a duplicate rule ID error and causes the Merge-CIPolicy PowerShell command to fail.
  • Addresses an issue that might prevent Dynamic Host Configuration Protocol (DHCP) servers from providing the right options to clients when a reservation exists.
  • Addresses an issue that prevents Microsoft Internet Information Services (IIS) management tools, such as IIS Manager, from managing an ASP.NET application that has configured SameSite cookie settings in web.config.
  • Addresses an issue that causes devices that are provisioned for Windows Hello for Business (WHfB) to fail. Registration occasionally fails, which leads to a delay in WHfB enrollment and, in some instances, creates Conflicting Objects (CNF) in the Active Directory “Registered Device” container.
  • Addresses an issue that occurs when you try to sign in to Windows during recovery mode. The error, “No administrator accounts are available on this machine”, appears.
  • Addresses an issue that prevents you from removing some local users from local built-in groups. For example, you cannot remove “Guest” from the “Guests” local group.
  • Addresses an issue that logs incorrect Internet Protocol (IP) addresses in the audit logs because of missing or old data for active requests coming from “windowstransport/usernamemixed/certificatemixed” endpoints.
  • Addresses an issue that might cause a deadlock in the Remote Desktop Gateway service.
  • Addresses an issue in Srv2.sys that might cause 0x18, 0xC2, and 0x19 errors.
  • Addresses an issue that prevents the Notification State registries from being deleted for certain apps even after the user profile is deleted.

This one also has one known issue:

Symptom Workaround
After installing KB4467684, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the group policy “Minimum Password Length” is configured with greater than 14 characters.

Set the domain default “Minimum Password Length” policy to less than or equal to 14 characters.

Microsoft is working on a resolution and will provide an update in an upcoming release.


As mentioned earlier, these updates are optional. That means that you can get it through Windows Update if you opt into it, or you can install it manually. If you choose to not take the update, these fixes will be bundled into next month’s Patch Tuesday updates.

Related:

Debugging Layer Integrity Problems in Citrix App Layering 4.x and later

In V4, when you’re ready to shutdown and finalize a layer, you run the Shutdown for Finalize icon on the desktop (As Administrator). It makes a call to uniservice.exe to get the current Layer Integrity state. Uniservice is tracking all the same things it always has for Layer Integrity: NGEN or MSCORLIB is still running, a reboot is pending, a domain operation is still pending, or a RunOnce script is still waiting.

Shutdown for Finalize is checking to see if anything is still pending that should happen in the layer rather than happen in the image later. If something is, it does not shut down, and instead puts up a statement about the pending issue. Fix the issue (for instance, reboot) and try again. It also writes this information into two log files:

C:Program FilesUnideskUniserviceLogLayerIntegrity.txt

C:Program FilesUnideskUniserviceLogUniBilcLogs_X.txt

You can’t know exactly which UniBilcLogs file it’s using, so look for the one with the latest timestamp. That will be for the current boot. Search for “Integrity”.

You might think you could bypass the Layer Integrity check by just shutting down the machine normally and finalizing that. But if you try, you will find the ELM will stop the task and return you to the Packaging Machine, because it knows that the Layer Integrity Checks either failed or never ran. You must successfully run that Shutdown for Finalize script to finalize a layer.

The registry key, noted at the end of this article, to bypass or ignore integrity problems still works, and you should be just as reluctant to use it as ever. But it’s still a valid way to give up and bypass it.

There are 7 Layer Integrity warnings you can see:

“a RunOnce script is outstanding – please check and reboot the Packaging Machine”

“a post-installation reboot is pending – please check and reboot the Packaging Machine”

“a Microsoft NGen operation is in progress in the background {0}”

“an MSI install operation is in progress – please check the Packaging Machine”

“a reboot is pending to update drivers on the boot disk – please check and reboot the Packaging Machine”

“a Microsoft NGen operation is needed”

“Software Center Client is configured to run, but the SMSCFG.INI is still present. See https://social.technet.microsoft.com/wiki/contents/articles/23923.implementing-sccm-in-a-xendesktop-vdi-environment.aspx”

“A RunOnce script is outstanding” is telling you that there is a key in either of these two locations:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunOnce

HKEY_LOCAL_MACHINESOFTWAREWow6432NodeMicrosoftWindowsCurrentVersionRunOnce

Windows normally deletes those keys on reboot, but we have seen circumstances (especially with our own script, envsetup.cmd) where that doesn’t happen. You can manually run the referenced script and delete the key, or just delete the key if the script file no longer exists.

“A post-installation reboot is pending” is looking at six different registry keys. Your first course of action should be to reboot, more than once(in some cases it has taken 3+ reboots), just to make sure that it isn’t a real reboot being requested by some software. It may also be helpful, if the problem is NetLogon, to restart the Unidesk Service for Message Management.

First we check for the existence of any of these three:

HKLMSystemCurrentControlSetControlSession ManagerPendingFileRenameOperations

HKLMSOFTWAREMicrosoftWindowsCurrentVersionComponent Based ServicingRebootPending

HKLMSOFTWAREMicrosoftWindowsCurrentVersionWindowsUpdateAuto UpdateRebootRequired

You can manually modify any of these to suit your needs, including just deleting them.

Then we look for changes in the NetLogon key (if the current value is now different from what it was at bootup), and to see if the computer name doesn’t match the active computer name. This is how we determine that a domain-join operation is still waiting for a reboot.

HKLMSYSTEMCURRENTCONTROLSETSERVICESNETLOGONStart

HKLMSYSTEMCURRENTCONTROLSETCONTROLCOMPUTERNAMEACTIVECOMPUTERNAME

HKLMSYSTEMCURRENTCONTROLSETCONTROLCOMPUTERNAMECOMPUTERNAME

Generally you cannot modify these. I’ve seen some software modify the NETLOGONStart key on every reboot, so maybe that’s happening. If, after cleaning out the top three, you still get the prompt on reboot, you will need to use the flag to ignore layer integrity checks.

“A Microsoft NGen operation is in progress in the background” is telling you that a foreground or background NGEN operation (where .Net assemblies are compiled into native images) is still in progress. Generally this is simply true: the ngen rebuild is still running. To watch it in the foreground, run “ngen update /force”. Or you can wait it out, and run “ngen queue status” periodically to see how it’s doing, but that will slow it down because the background process pauses every time you check its status in the foreground. Don’t reboot or you might cause it to have to start over.

It’s important to let NGEN finish. If you kill the process or reboot in the middle, you might wind up with partially written .Net assemblies that crash programs when they show up in an image. You should be patient. However, sometimes we have seen background MSCORSVW.EXE processes, clearly doing nothing, that just don’t finish even after hours. A reboot might help those.

We are looking for the following services in the running process: ngen.exe, ngentask.exe, mscorsvw.exe.

“An MSI install operation is in progress” is very specific: it is saying that a system mutex (mutual exclusion object) named precisely Global_MSIExecute exists. The MSI installer uses that to ensure that only one installer can run at a time. I don’t know of anything you can do about this manually, if you are certain that no MSI installations are happening.

(Note, there was in App Layering 4.2 a bug with upgrading an existing Windows 10 layer from 1611 to 1703 where this flag could be set and not cleared.)

“A reboot is pending to update drivers on the boot disk” is telling you that a service or driver that is set to start at system boot time (the START= value in the registry is 0) was modified or installed, and App Layering wants to make sure the modified driver can boot successfully. Normally you just need to reboot once, and the driver will work fine. We have on some occasions seen software (like Microsoft Defender) attempt to modify its driver file on every single boot, triggering this integrity check every time, so no number of reboots is sufficient to clear it.

“a Microsoft NGen operation is needed” is telling you that an application was installed on the packaging machine and that it scheduled items to be updated at a priority level of 3. That means that the ngen will run when idle and that it is simply waiting until there is no more activity. We are blocking because the ngen needs to create the binaries now instead of on every machine that the application will be deployed to in order to ensure that the application will run in the most optimal way. You should run an ngen eqi 3 in both the c:windowsmicrosoft.netframeworkv4.0.30319 directory and the c:windowsmicrosoft.netframework64v4.0.30319 dirctory to have the ngen complete the operations that are needed. You can also wait, as the ngen will typically pick up and run on its own after 15 minutes of idle time.

The values that is being examined are HKLMSOFTWAREMicrosoft.NETFrameworkv2.0.50727NGenServiceRootsWorkPending and HKLMSOFTWAREWOW6432NodeMicrosoft.NETFrameworkv2.0.50727NGenServiceRootsWorkPending. A value of 1 means that there are work items queued up to be processed.

“Software Center Client is configured to run, but the SMSCFG.INI is still present….” is telling you that we have seen that this machine has ccmexec.exe configured as a service and that it is not configured as disabled. Since we know that any layers created on a packaging machine need to be sealed properly in order to deploy correctly in a VDI environment, we are checking to make sure the SMSCFG.ini is not present. See the web page indicated to get an understanding of why the software center client needs to be sealed. We have provided the commands to run in a batch command file that you can use to seal the layer (run c:windowssetupscriptsSEALSCCMCLIENT.cmd for an administrator command window).

If you have a layer that simply won’t ever get to finalize, for whatever reason (like it always thinks it still has a reboot pending, or you don’t care about corrupted .NET assemblies and don’t want to wait for NGEN to finish), you can tell that single layer to ignore its layer integrity checks and allow you tin shutdown to finalize, using a registry key.

Run regedit.exe and create this key

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesUniservice:]

“BypassLayerCheck”=DWORD 1

The value doesn’t matter, all that matters is that the value exists. This will block all layer integrity checks and allow a layer to be finalized regardless as to how bad we think it might be.

Please do not use this key except as a last resort. We block you from finalizing in these 4 circumstances specifically because we believe allowing you to finalize will irreparably harm the layer and/or the image you publish with it. Always try to solve the problem within Windows first.

Related: