How to Configure SSL on XenDesktop Controllers to Secure XML Traffic

From XenDesktop Controller

IIS Installed on XenDesktop Controller

In this scenario, the XenDesktop controller has IIS installed and functioning to serve Web Interface or other web services. To complete this setup, you must request a Server Certificate and install it on IIS.

There are two ways to generate Server Certificates on IIS 7.x:

  • Create Certificate Request: This generates a CSR file to be submitted to a third party Certification Authority (CA) or to your internal Microsoft CA. For more information, refer to Microsoft TechNet article – Request an Internet Server Certificate (IIS 7)

  • Create Domain Certificate: This generates a CSR file and submits it to your domain registered Microsoft CA server. For more information, refer to the Microsoft TechNet article – Create a Domain Server Certificate on IIS 7.


After the Server Certificate is installed on IIS, set the bindings to enable HTTPS on IIS by completing the following procedure:

  1. Select the IIS site on which you want to enable HTTPS and select Bindings under Edit Site.


  2. Click Add, select Type as https, port number as 443, select the SSL Certificate that you installed and click OK.


  3. Open Registry Editor on the XenDesktop Controller and look for the following key name:

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\DesktopServer

    Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

  4. Verify that the XmlServicesSslPort registry key exists with the correct value for the SSL port. By default, it is set to 443.

  5. Change the XML service port.

    You can do this using PowerShell by running the following command:

    BrokerService -WiSslPort <port number>

    Note: If you decide to change the XML service port number on the XenDesktop Controller, also update the IIS port number under Bindings to match the new value.

IIS is not Installed on XenDesktop Controller

In this scenario, the XenDesktop Controller does not have IIS installed. As a result, there are a few ways to obtain a Server Certificate for the Controller:

  • Export an existing Server Certificate from another server in PFX format. When exporting the Server Certificate, be sure to export the private key as well.

  • You can use the Certreq utility from Microsoft to generate a Certificate Signing Request and submit it to a third party CA or your internal Microsoft CA server. For more information, refer to the Microsoft TechNet article – Certreq.exe Syntax.

    Note: Always import the PFX server certificate into the Local Computer certificate store of the XenDesktop Controller, not into My user account.

After the Server Certificate is installed on XenDesktop Controller, register the SSL certificate for HTTPS on the server. To accomplish this, Windows 2008 has a built-in utility called netsh that allows you to bind SSL certificates to a port configuration. For more information, refer to the Microsoft MSDN article – How to: Configure a Port with an SSL Certificate

The following is the command that you must use:

netsh http add sslcert ipport=0.0.0.0:<port Number> certhash=<hash number> appid={XenDesktop Broker Service GUID}

To obtain the certificate hash of a Server Certificate, open the Registry Editor, open the following key location and search for the Server Certificate that you want to use:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates

An alternative way to obtain this certificate hash is to open the Server Certificate and, under the Details tab, select Thumbprint.

Next, obtain the GUID of the XenDesktop Controller Citrix Broker Service:

  1. Open Registry Editor and select Find.

  2. Search for the words Broker Service. By default, the location is in HKEY_CLASSES_ROOT\Installer\Products.

Alternatively, run the following command in an elevated command prompt on the DDC to get the GUID (the IdentifyingNumber value):

    wmic product where "Name like 'Citrix Broker Service'" get Name,IdentifyingNumber

Now that you have the certificate hash and the Citrix Broker Service GUID, you can run the netsh command to bind the SSL certificate to port 443 and the Citrix Broker Service. The following example is based on the GUID and certificate hash values taken from the article's screenshots:

    C:\>netsh http add sslcert ipport=10.12.37.231:443 certhash=298B8AB50322A5A601A57D4976875191D85A2949 appid={13C9D851-5D94-7C44-4A2B-218F89A28DC7}

    Note: For the GUID, include the dashes (-). Otherwise, the command cannot run successfully.

A successful bind looks as displayed in the following screen shot:

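The lookup and binding steps above can be scripted so that the hash and GUID are never retyped by hand. The following PowerShell is an added example, not part of the original article; the function name, the default subject filter and the sample host name in the usage comment are assumptions, and it must run elevated on the Controller.

```powershell
# Added example, not from the original article. Run elevated on the Controller.
# Assumptions: function name, default subject filter and default ipport are illustrative.
function Set-BrokerSslBinding {
    param(
        [string]$SubjectLike = "*$env:COMPUTERNAME*",
        [string]$IpPort      = '0.0.0.0:443'
    )

    # Certificate hash: read it from the Local Computer "Personal" store instead of the registry.
    # Only accept a certificate that is inside its validity period and has its private key.
    $now  = Get-Date
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.Subject -like $SubjectLike -and $_.HasPrivateKey -and
            $_.NotBefore -le $now -and $_.NotAfter -gt $now
        } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        throw "No unexpired certificate with a private key matches '$SubjectLike' in Cert:\LocalMachine\My."
    }

    # If the certificate restricts its usage, it must allow Server Authentication.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        throw "Certificate $($cert.Thumbprint) does not allow Server Authentication."
    }

    # Broker Service GUID: the same WMI class that "wmic product" queries (the query is slow).
    $product = Get-WmiObject -Class Win32_Product -Filter "Name LIKE 'Citrix Broker Service'" |
        Select-Object -First 1
    if (-not $product) { throw 'Citrix Broker Service is not installed on this machine.' }
    # Normalising through [guid] guarantees the braces-and-dashes form that netsh expects.
    $appId = ([guid]$product.IdentifyingNumber).ToString('B').ToUpper()

    # Do not silently replace a binding that another service already owns.
    # netsh returns a non-zero exit code when no binding exists for the ipport.
    $existing = & netsh http show sslcert "ipport=$IpPort"
    if ($LASTEXITCODE -eq 0) {
        throw "An SSL binding already exists for $IpPort. Review it first:`n$($existing -join "`n")"
    }

    # Quote each argument so PowerShell does not parse the braces in appid as a script block.
    & netsh http add sslcert "ipport=$IpPort" "certhash=$($cert.Thumbprint)" "appid=$appId" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE." }

    # Return what was bound, plus the binding as netsh now reports it.
    New-Object PSObject -Property @{
        IpPort     = $IpPort
        Thumbprint = $cert.Thumbprint
        AppId      = $appId
        NotAfter   = $cert.NotAfter
        Binding    = (& netsh http show sslcert "ipport=$IpPort") -join "`n"
    }
}

# Usage (constructed host name):
# Set-BrokerSslBinding -SubjectLike '*ddc01.example.local*' -IpPort '0.0.0.0:443'
```

The returned NotAfter value is worth recording: the binding keeps pointing at the same thumbprint after the certificate expires, so renewal requires a new binding.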

From the Web Interface server

Configure the XenApp Web Site or XenApp Services Site to use HTTPS and 443 as Transport Type and XML Service port respectively under Server Farms.


Note: To have a successful SSL connection to the XenDesktop 5 Controller, ensure that Web Interface has installed the Trusted Root certificate (under Local Computer certificate store).
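To check the trust requirement in the note above before changing the farm settings, the handshake can be tested from the Web Interface server. The following PowerShell is an added example, not part of the original article; the function name and parameters are assumptions, and the Controller name should be passed exactly as it is entered under Server Farms.

```powershell
# Added example, not from the original article. Run on the Web Interface server.
# Assumptions: function name and parameters are illustrative.
function Test-XmlServiceTls {
    param(
        [Parameter(Mandatory = $true)][string]$Controller,
        [int]$Port = 443
    )

    $result = New-Object PSObject -Property @{
        Controller = $Controller; Port = $Port; Trusted = $false; Error = $null
        Subject = $null; DnsName = $null; Thumbprint = $null; NotAfter = $null; ChainStatus = @()
    }

    # Pass 1: default .NET validation, i.e. the name must match and the chain must end
    # in a root this server trusts. This gives the overall verdict.
    $tcp = New-Object System.Net.Sockets.TcpClient($Controller, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Controller)
        $result.Trusted = $true
    } catch {
        # Unwrap PowerShell's method-invocation wrapper to reach the real handshake error.
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        $result.Error = $inner.Message
    } finally {
        $tcp.Close()
    }

    # Pass 2 (diagnosis only): accept whatever certificate is presented so it can be
    # inspected. No application data is sent over this connection.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($Controller, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Controller)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Build the chain against the Local Computer stores, where the note says the
    # Trusted Root certificate must be installed. Revocation is skipped to match pass 1.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)

    $result.Subject     = $cert.Subject
    $result.DnsName     = $cert.GetNameInfo('DnsName', $false)
    $result.Thumbprint  = $cert.Thumbprint
    $result.NotAfter    = $cert.NotAfter
    $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $result
}

# Usage (constructed host name):
# Test-XmlServiceTls -Controller 'ddc01.example.local' -Port 443
```

A ChainStatus of UntrustedRoot or PartialChain means the issuing CA certificates are missing from the Local Computer store. An empty ChainStatus with Trusted still false points to a mismatch between the name under Server Farms and the names in the certificate.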


StoreFront propagation fails with “Access is denied” error / joining the server group fails

Attempting to join the secondary StoreFront server to the server group fails.

The following events are logged on the primary StoreFront server:

Event ID 2850, 2203

===

“An error occurred while executing the following command: ‘Remove-DSClusterMember’

The access was denied.”

===

Or

Attempting to propagate changes fails.

In Event Viewer on the StoreFront server, the following is logged:

Event 31, Citrix Configuration Replication service-


Error: “The remote session was disconnected because there was no terminal server license server available to provide a license”

Windows 2003 Terminal Servers do not recognize the Windows 2000 Licensing server and the following error occurs:

“The remote session was disconnected because there was no terminal server license server available to provide a license.”

The following event ids are logged:

Event ID 1004: No Terminal Server licenses available.

Event ID 1011: There are no Terminal Server licenses available.

Users cannot log on to a session using either ICA or RDP.

Background

Microsoft stated that Windows 2003 Server serves the Windows 2003 Terminal Server licensing. In the old licensing scheme, the licensing was on an Active Directory controller but in Windows 2003 this is no longer a requirement.

Refer to Q279561 Microsoft technote to install a Windows 2003 Server and point all Terminal Server users to the installed license.

Note: Windows XP and pre-release client operating systems require a 2003 TS license. Vista, Windows 7 and later require a license from a 2008 Terminal Server.


Legacy graphics mode with Windows 8, 8.1, 10, Server 2012, R2 & 2016

Legacy graphics is a host (computer) policy and should be treated as either always on or always off. Behavior differs between Workstation OS VDA and Server OS VDA. Use legacy mode only for the operating systems for which it was designed: Windows 7, Windows 2008 R2 and earlier (also called legacy OSs). Legacy graphics is highly optimised for legacy OSs and should be regarded as the first choice for those operating systems unless other factors are involved.

Legacy graphics mode is not tested or supported with modern operating systems: Windows Desktop OS: 8, 8.1, 10 or Windows Server 2012, 2012 R2 & Windows Server 2016.

Thinwire plus (aka: TW+ or compatibility mode) should be used instead and is the replacement for legacy mode.

The above doesn’t necessarily mean it will not work with modern operating systems. However, issues such as grey, frozen and black screens have been observed and reported.

Before calling your support representative please test the issue against Thinwire, the modern graphics delivery method.


Recommended Hotfixes for XenApp 7.x

The following Citrix and Microsoft hotfixes are found to resolve the most common issues with XenApp/XenDesktop 7.6, and XenApp/XenDesktop 7.5 running on a Windows Server 2008 R2 or a Windows Server 2012 R2 platform. These hotfixes focus on basic functionality and stability.

Note:

1. Fixes for Current Releases will likely be released in the next Current Release; therefore, it is less likely that an individual fix would be released for a Current Release version. You may be asked to upgrade to the next version of a Current Release that includes the requested fix and new functionality.

2. This article aims to describe the recommended hotfixes before Citrix LTSR (7.6.300) and Citrix CR (7.7~7.14). Please go to docs.citrix.com for more hotfixes regarding LTSR and CR.

Issue: Attempts to restart the Citrix Device Redirector Service from within a VDA or RDP session can cause the service to remain in an unresponsive state rather than actually restarting.

Available Software Updates:

ICAWS760WX64047 – For VDA Core Services 7.6 for Windows Desktop OS (64-bit) – English
ICAWS760WX86047 – For VDA Core Services 7.6 for Windows Desktop OS (32-bit) – English
ICATS760WX64053 – For VDA Core Services 7.6 for Windows Server OS (64-bit) – English

Issue:

  • The operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x20.
  • A deadlock on picadm.sys can cause published applications to become unresponsive.
  • The operating system experiences an error on picadm.sys and a blue screen appears with stop code 0x50.
  • The VDA might become unresponsive at the “Welcome” screen due to a deadlock on picadm.sys.
  • Remote Desktop (RDP) connections to the server fail.

Available Software Update:

ICATS760WX64048 – For VDA Core Services 7.6 for Windows Server OS (64-bit) – English

_______________________________________________________

Issue: Certain third-party published applications might fail to start on XenApp servers. As a result, the wfshell.exe process might close unexpectedly. When this error occurs, no indication that the session is starting or error messages appear on the user device.

Available Software Updates:

ICAWS760WX64042 – For VDA Core Services 7.6 for Windows Desktop OS (64-bit)-English
ICAWS760WX86042 – For VDA Core Services 7.6 for Windows Desktop OS (32-bit) – English
ICATS760WX64040 – For VDA Core Services 7.6 for Windows Server OS (64-bit) – English

_______________________________________________________

Issue: Citrix XenApp 7.6 and XenDesktop 7.6 VDA Core Services running on Windows Server 2008 R2 (Server OS) might become unresponsive at the “Welcome” screen. If this occurs, new Receiver and Remote Desktop (RDP) connections to the server fail.

Available Software Updates:

ICAWS760WX64026 – For VDA Core Services 7.6 for Windows Desktop OS (64-bit) – English
ICAWS760WX86026 – For VDA Core Services 7.6 for Windows Desktop OS (32-bit) – English
ICATS760WX64032 – For VDA Core Services 7.6 for Windows Server OS (64-bit) – English

_______________________________________________________

Issue: The Citrix Stack Control service quits unexpectedly if there is an invalid session key.

Available Software Update:

ICATS760WX64006 – For VDA Core Services 7.6 for Windows Server OS (64-bit) – English

XenApp 7.5/ 7.1

Issue:

  • The memory consumption of the Monitoring Service can grow steadily until the service stops responding to requests from Director, eventually rendering Director unresponsive as well.
  • If the resource name (display name) changes on the Delivery Controller, users who previously subscribed to the applications cannot start the applications.
  • If you create virtual machines (VM) with Desktop Studio that uses Machine Creation Services and the VMs are hosted on a VMware hypervisor, attempts to update VMs that are part of the machine catalog fail.

Available Software Updates:

Update 3 – For Citrix XenDesktop 7.1 Delivery Controller x64 – English
Update 3 – For Citrix XenDesktop 7.1 Delivery Controller x86 – English

_______________________________________________________

Issue:

  • VDAs can become stuck in the “initializing” state of the registration process. The issue occurs after the Citrix Desktop Service has been running for several days without being restarted.
  • When the function “CName” is enabled, VDA registration can take excessively long.

Available Software Updates:

BrokerAgent750WX64003 – For Broker Agent 7.1/7.5 for Windows OS (64-bit) – English
BrokerAgent750WX86003 – For Broker Agent 7.1/7.5 for Windows OS (32-bit) – English

_______________________________________________________

Issue: Installing hotfixes for XenApp 7.5, and XenDesktop 7.1 and 7.5 VDA Core Services for Windows Desktop and Server OS released before September 2014 causes the ICA Session performance monitor counter to be removed. This can have an adverse effect on the operation of tools and processes that rely on these counters.

Available Software Updates:

ICAWS750WX64011 – For VDA Core Services 7.1/7.5 for Windows Desktop OS (64-bit) – English
ICAWS750WX86011 – For VDA Core Services 7.1/7.5 for Windows Desktop OS (32-bit) – English
ICATS750WX64011 – For VDA Core Services 7.1/7.5 for Windows Server OS (64-bit) – English

_______________________________________________________

Issue: The Citrix Print Manager Service (CpSvc.exe) process might exit unexpectedly.

Available Software Updates:

ICAWS750WX64019 – For VDA Core Services 7.1/7.5 for Windows Desktop OS (64-bit) – English
ICAWS750WX86019 – For VDA Core Services 7.1/7.5 for Windows Desktop OS (32-bit) – English
ICATS750WX64019 – For VDA Core Services 7.1/7.5 for Windows Server OS (64-bit) – English

_______________________________________________________

Issue:

  • This fix addresses an intermittent high memory utilization issue of the Broker Service on the Controller.
  • This fix addresses a memory consumption issue of the Monitoring Service.

Available Software Updates:

Update 3 – For Citrix XenDesktop 7.1 Delivery Controller x64 – English
Update 3 – For Citrix XenDesktop 7.1 Delivery Controller x86 – English

Note:

Refer to the complete list of all the available hotfixes for:

XenApp 7.6: 64-bit, 32-bit

XenApp 7.5: 64-bit, 32-bit

Microsoft HotFixes (including links to Microsoft HotFix list)

Windows Server 2012 R2 contains most of the following hotfixes (exceptions noted inline). Microsoft has published the following KB article specific to Remote Desktop Services: Available Updates for Remote Desktop Services (Terminal Services) in Windows Server 2012 R2. For Microsoft Hotfixes applicable to the Windows Server 2008 R2 and the Windows 7 platforms, see the “Microsoft Hotfixes” section in the following article: CTX129229 – Recommended Hotfixes for XenApp 6.x on Windows Server 2008 R2.

Note: The descriptions of the Microsoft fixes listed in this article (CTX142357) might not match the descriptions in the Microsoft articles for the following Microsoft fixes. This is not an error. The issue description listed by Citrix in the following matrix was resolved by an earlier version of that file however it has been superseded by the article/fix currently listed.

KB Number Issue description
KB3033929
  • UPM driver load breaks if this KB is not applied.
KB3078676 – NEW
  • This article describes an issue in which event 1530 is logged, and user profile service (ProfSvc) leaks paged pool memory and handles in Windows 8.1, Windows RT 8.1, or Windows Server 2012 R2. This issue occurs if the ProfSvc service loads and then unloads a user profile. Additionally, the following event is logged in the Event viewer: Event ID 1530. Description: Windows detects your registry file is still in use by other applications or servers. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. No user action is required.
KB3127673 – NEW
  • The Stop error 0x000000C2 might be caused by an error handling issue in the win32k.sys file.
  • The Stop error 0x0000003B might be caused by a synchronization issue in the dxgkrnl.sys file.
  • The parameters in Stop error messages may vary, depending on the configuration of the computer.
  • Not all “Stop 0x000000C2” errors or “Stop 0x0000003B” errors are caused by one of these issues.
KB3055615 – NEW
  • A Windows Server 2012 R2 server becomes slow and unresponsive if update 2927901 is installed.
  • You have update 2927901 installed on a Windows Server 2012 R2 server.
  • You have users who frequently log in and log off the server through Remote Desktop.
KB3013769
  • Memory leak occurs when you create or delete CSV snapshots by using a VSS hardware provider
  • IIS crashes occasionally when a request is sent to a default document in Windows 8.1 or Windows Server 2012 R2
  • You receive Stop error 0xD1 in Windows Server 2012 R2 or Windows 8
  • Device does not exist error after you reinsert a USB COM port device
KB2978367
  • Remote Desktop session freezes when you run an application in the session in Windows 8.1 or Windows Server 2012 R2.
KB2967077
  • A network printer is deleted unexpectedly in Windows
KB2895698
  • Users who have the remote audio setting enabled cause the RD Session Host servers to freeze intermittently in Windows Server 2012 R2 or Windows Server 2008 R2 SP1
KB2896328
  • You are logged on with a temporary profile to a remote desktop session after an unexpected restart of Windows Server 2012
KB2852483
  • Memory leak occurs in the Dwm.exe process on a Remote Desktop computer that is running Windows 8 or Windows Server 2012
KB2995388
  • Memory leak occurs when you play mp4 files in Windows 8.1 or Windows Server 2012 R2
  • Computer freezes when you switch to another account in Windows 8.1 or Windows Server 2012 R2
  • An NTFS volume is flagged as dirty after each restart, and CHKDSK can find no issues
  • Print jobs are intermittently processed slowly through Windows 8.1-based or Windows Server 2012 R2-based printer servers
  • Network printers that use TCP/IP port cannot print after first document has printed in Windows


Microsoft Windows Security Updates December 2020

Today is the last Microsoft Patch Day of the year 2020. Microsoft released security updates and non-security updates for all supported client and server versions of the company’s Windows operating system, and updates for other company products such as Microsoft Office, Microsoft Edge, Internet Explorer, or the .NET Framework.

Our Patch Day overview provides you with detailed information on released patches, security issues, and related information. You can download an Excel spreadsheet of the released security updates, check out the operating system distribution, find links to all support pages, and the list of known issues here in this guide.

Check out the November 2020 Security Updates overview here in case you missed it.

Microsoft Windows Security Updates December 2020

Download the following Excel spreadsheet that contains the released security updates to your system. Note that Microsoft’s new platform is quite slow and that it may be possible that updates are missing. Let us know in the comments if you notice anything missing: Security Updates 2020 12 Microsoft Windows

Executive Summary

Operating System Distribution

  • Windows 7 (extended support only): 9 vulnerabilities: 0 critical and 9 important
  • Windows 8.1: 5 vulnerabilities: 0 rated critical and 5 rated important
  • Windows 10 version 1809: 19 vulnerabilities: 1 critical and 18 important
  • Windows 10 version 1903 and 1909: 18 vulnerabilities: 1 critical and 17 important
  • Windows 10 version 2004 and 20H2: 19 vulnerabilities, 1 critical, 18 important

Windows Server products

  • Windows Server 2008 R2 (extended support only): 9 vulnerabilities: 0 critical and 9 important
  • Windows Server 2012 R2: 6 vulnerabilities: 0 critical and 6 important.
  • Windows Server 2016: 16 vulnerabilities: 1 critical and 15 important.
  • Windows Server 2019: 20 vulnerabilities: 1 critical and 19 are important

Other Microsoft Products

  • Internet Explorer 11: 0 vulnerabilities
  • Microsoft Edge (classic): 1 vulnerability: 1 critical
    • CVE-2020-17131 — Chakra Scripting Engine Memory Corruption Vulnerability
  • Microsoft Edge (Chromium)
    • see here (latest security patches from the Chromium project)

Windows Security Updates

Windows 7 SP1 and Windows Server 2008 R2

Updates and improvements:

  • Fixed a security vulnerability by preventing programs that run as System from printing to FILE ports.
  • Security updates

Windows 8.1 and Windows Server 2012 R2

Updates and improvements:

  • Fixed an issue that prevented PDF24 Creator version 9.1.1 from opening .txt files. (Monthly Rollup only)
  • Fixed a security vulnerability by preventing programs that run as System from printing to FILE ports.
  • Security updates

Windows 10 version 1809

Updates and improvements:

  • Fixed a security vulnerability by preventing programs that run as System from printing to FILE ports.
  • Security updates

Windows 10 version 1903 and 1909

Updates and improvements:

  • Fixed a security vulnerability by preventing programs that run as System from printing to FILE ports.
  • Security updates

Windows 10 version 2004 and 20H2

Updates and improvements:

  • Fixed a security vulnerability by preventing programs that run as System from printing to FILE ports.
  • Security updates

Other security updates

KB4592468 — 2020-12 Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012 (KB4592468)

KB4592497 — 2020-12 Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012 (KB4592497)

KB4592498 — 2020-12 Security Monthly Quality Rollup for Windows Server 2008 (KB4592498)

KB4592504 — 2020-12 Security Only Quality Update for Windows Server 2008 (KB4592504)

KB4592464 — 2020-12 Cumulative Update for Windows 10 Version 1507 (KB4592464)

KB4593226 — 2020-12 Cumulative Update for Windows Server 2016 and Windows 10 Version 1607 (KB4593226)

KB4592473 — 2020-12 Cumulative Update for Windows 10 Version 1703 (KB4592473)

KB4592446 — 2020-12 Cumulative Update for Windows 10 Version 1803 (KB4592446)

Servicing Stack Updates:

2020-12 Servicing Stack Update for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB4592510)

2020-12 Servicing Stack Update for Windows Server, version 20H2, Windows 10 Version 20H2, Windows Server, version 2004, and Windows 10 Version 2004 (KB4593175)

Known Issues

Windows 7 SP1 and Windows Server 2008 R2

  • Updates will fail to install with the error “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer” if ESU is not supported or activated.
  • Certain operations may fail on cluster shared volumes. Workarounds available.

Windows 8.1 and Server 2012 R2

  • Certain operations may fail on cluster shared volumes. Workarounds available.

Windows 10 version 1809

  • Devices with “some” Asian language packs may throw the error “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”. Microsoft suggests to either try and uninstall the language packs and make sure that a recent version of Windows 10 is installed, or to reset the PC.

Windows 10 version 1903 and 1909

  • System and user certificates may be lost when updating a device from Windows 10 version 1809 or later, to a later version of Windows 10. Does not affect Windows Update devices or Windows Update for business devices. Workaround available.

Windows 10 version 2004 and 20H2

  • System and user certificates may be lost when updating a device from Windows 10 version 1809 or later, to a later version of Windows 10. Does not affect Windows Update devices or Windows Update for business devices. Workaround available.
  • The correct Furigana characters may not be displayed when using the Microsoft Japanese Input Method Editor. Microsoft is working on a resolution.

Security advisories and updates

ADV200013 — Microsoft Guidance for Addressing Spoofing Vulnerability in DNS Resolver

ADV990001 — Latest Servicing Stack Updates

Non-security related updates

Microsoft Office Updates

You find Office update information here.

How to download and install the December 2020 security updates


Updates are already available via Windows Updates and other update management systems. Default Windows installations are configured to find and install updates automatically, but it is also possible to download updates manually to install them.

Tip: it is essential that you create a backup of the system before you install Windows updates as things may go wrong and backups help you restore the previous status quo.

You can check manually for updates in the following way:

  1. Open the Start Menu of the Windows operating system, type Windows Update and select the result.
  2. Select check for updates in the application that opens. Updates may be installed automatically when they are found or offered by Windows; this depends on the operating system and version that is used, and update settings.

Direct update downloads

Below are resource pages with direct download links, if you prefer to download the updates to install them manually.

Windows 7 and Server 2008 R2

  • KB4592471 — 2020-12 Security Monthly Quality Rollup for Windows 7
  • KB4592503 — 2020-12 Security Only Quality Update for Windows 7

Windows 8.1 and Windows Server 2012 R2

  • KB4592484 — 2020-12 Security Monthly Quality Rollup for Windows 8.1
  • KB4592495 — 2020-12 Security Only Quality Update for Windows 8.1

Windows 10 (version 1809)

  • KB4592440 — 2020-12 Cumulative Update for Windows 10 Version 1809

Windows 10 (version 1903)

  • KB4592449 — 2020-12 Cumulative Update for Windows 10 Version 1903

Windows 10 (version 1909)

  • KB4592449 — 2020-12 Cumulative Update for Windows 10 Version 1909

Windows 10 (version 2004)

  • KB4592438 — 2020-12 Cumulative Update for Windows 10 Version 2004

Windows 10 (version 20H2)

  • KB4592438 — 2020-12 Cumulative Update for Windows 10 Version 20H2

Additional resources

Author: Martin Brinkmann
Publisher: Ghacks Technology News


Microsoft Windows Security Updates November 2020

Microsoft has released security updates for all supported client and server versions of Windows as well as other company products such as Microsoft Office, Microsoft Edge, and Internet Explorer.

Our November 2020 Patch Day overview provides you with details on the released patches. It begins with an executive summary listing the most important bits of information; this is followed by the operating system distribution, details about cumulative updates for Windows, other released security updates, download links, and lots of links to Microsoft support pages.

Check out the October 2020 Security Updates overview here in case you missed it.

Microsoft Windows Security Updates November 2020

You can download the following Excel spreadsheet that includes information about the released security updates in November 2020. It is provided as an archive that you need to extract on the local system. A viewer such as Microsoft Excel or LibreOffice Calc is needed to open the spreadsheet.

Click on the following link to download the spreadsheet to your system: Security Updates 2020-11-10-070727pm

Executive Summary

  • Microsoft released security updates for all supported client and server versions of Windows.
  • All server and client versions of Windows are affected by the same two critical vulnerabilities.
  • Security updates are also released for Microsoft Office, Internet Explorer, Microsoft Edge, Microsoft Exchange Server, Microsoft Dynamics, Microsoft Windows Codecs Library, Azure Sphere, Windows Defender, Microsoft Teams, Azure SDK, Azure DevOps and Visual Studio.
  • Products with known issues: SharePoint Server 2016 and 2019, Windows 10 versions 2004, 1903, 1809, Windows 7, Windows 8.1, Windows Server products and Microsoft Exchange Server

Operating System Distribution

  • Windows 7 (extended support only): 20 vulnerabilities: 2 critical and 18 important
    • CVE-2020-17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE-2020-17051 — Windows Network File System Remote Code Execution Vulnerability
  • Windows 8.1: 33 vulnerabilities: 2 rated critical and 31 rated important
    • CVE-2020-17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE-2020-17051 — Windows Network File System Remote Code Execution Vulnerability
  • Windows 10 version 1809: 48 vulnerabilities: 2 critical and 45 important, 1 low
    • CVE-2020-17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE-2020-17051 — Windows Network File System Remote Code Execution Vulnerability
  • Windows 10 version 1903 and 1909: 53 vulnerabilities: 2 critical and 54 important, 1 low
    • CVE-2020-17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE-2020-17051 — Windows Network File System Remote Code Execution Vulnerability
  • Windows 10 version 2004 and 20H2: 52 vulnerabilities, 2 critical, 49 important, 1 low
    • CVE-2020-17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE-2020-17051 — Windows Network File System Remote Code Execution Vulnerability

Windows Server products

  • Windows Server 2008 R2 (extended support only): 20 vulnerabilities: 2 critical and 18 important
    • CVE-2020-17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE-2020-17051 — Windows Network File System Remote Code Execution Vulnerability
  • Windows Server 2012 R2: 34 vulnerabilities: 2 critical and 22 important.
    • CVE-2020-17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE-2020-17051 — Windows Network File System Remote Code Execution Vulnerability
  • Windows Server 2016: 40 vulnerabilities: 2 critical and 38 important.
    • CVE-2020-17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE-2020-17051 — Windows Network File System Remote Code Execution Vulnerability
  • Windows Server 2019: 46 vulnerabilities: 2 critical and 44 are important
    • CVE-2020-17042 — Windows Print Spooler Remote Code Execution Vulnerability
    • CVE-2020-17051 — Windows Network File System Remote Code Execution Vulnerability

Other Microsoft Products

  • Internet Explorer 11: 3 vulnerabilities: 3 critical
  • Microsoft Edge (classic): 4 vulnerabilities: 3 critical, 1 important
    • CVE-2020-17048 — Chakra Scripting Engine Memory Corruption Vulnerability
    • CVE-2020-17052 — Scripting Engine Memory Corruption Vulnerability
    • CVE-2020-17058 — Microsoft Browser Memory Corruption Vulnerability
  • Microsoft Edge (Chromium)
    • see here (latest security patches from the Chromium project)

Windows Security Updates

Windows 7 SP1 and Windows Server 2008 R2

Updates and improvements:

  • Corrects DST start date for Fiji Islands to December 20, 2020
  • Security updates

Windows 8.1 and Windows Server 2012 R2

Updates and improvements:

  • Corrects DST start date for Fiji Islands to December 20, 2020
  • Security updates
  • Administrators may enable “Save Target As” in Group Policy for Microsoft Edge IE Mode (Monthly Rollup only).
  • Fixes an issue with LDAP session authentication (Monthly Rollup only).

Windows 10 version 1809

Updates and improvements:

  • Corrects DST start date for Fiji Islands to December 20, 2020
  • Security updates

Windows 10 version 1903 and 1909

Updates and improvements:

  • Corrects DST start date for Fiji Islands to December 20, 2020
  • Fixed an issue with the package frame launcher.
  • Security updates

Windows 10 version 2004 and 20H2

Updates and improvements:

  • Corrects DST start date for Fiji Islands to December 20, 2020
  • Security updates

Other security updates

KB4586768 — 2020-11 Cumulative Security Update for Internet Explorer

KB4586807 — 2020-11 Security Monthly Quality Rollup for Windows Server 2008

KB4586817 — 2020-11 Security Only Quality Update for Windows Server 200

KB4586808 — 2020-11 Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012

KB4586834 — 2020-11 Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012

KB4586787 — 2020-11 Cumulative Update for Windows 10 Version 1507

KB4586782 — 2020-11 Cumulative Update for Windows 10 Version 1703

KB4586785 — 2020-11 Cumulative Update for Windows 10 Version 1803

KB4586830 — 2020-11 Cumulative Update for Windows Server 2016 and Windows 10 Version 1607

Known Issues

Windows 7 SP1 and Server 2008 R2

  • Updates will uninstall if the system is not subscribed to ESU (Extended Security Updates).
  • Certain rename operations may fail on Cluster Shared Volumes. Workarounds available.

Windows 8.1 and Server 2012 R2

  • Certain rename operations may fail on Cluster Shared Volumes. Workarounds available.

Windows 10 version 1809

  • Some Asian language packs may throw the error “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND”. Microsoft suggests removing and reinstalling the language packs, updating Windows to the latest version, or resetting the PC.

Windows 10 version 1903, 1909, 2004, 20H2

  • System and user certificates may be lost when updating from Windows 10 version 1809 or later to a newer version of Windows 10. According to Microsoft, this happens mainly when managed devices are updated using outdated bundles or media. Devices that use Windows Update or Windows Update for Business are not impacted. Microsoft suggests going back to the previous version of Windows to fix the issue.

Security advisories and updates

ADV990001 — Latest Servicing Stack Updates

Non-security related updates

KB4497165 — 2020-09 Update for Windows Server, version 1909, Windows 10 Version 1909, Windows Server 2019 (1903), and Windows 10 Version 1903

KB4558130 — 2020-09 Update for Windows Server, version 2004 and Windows 10 Version 2004

KB4580419 — 2020-11 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows Server, version 20H2, Windows 10 Version 20H2, Windows Server, version 2004, and Windows 10 Version 2004

KB4580980 — 2020-11 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows Server, version 1909, Windows 10 Version 1909, Windows Server 2019 (1903), and Windows 10 Version 1903

KB4585207 — 2020-11 Cumulative Update for .NET Framework 4.8 for Windows Server 2016 and Windows 10 Version 1607

KB4585208 — 2020-11 Cumulative Update for .NET Framework 4.8 for Windows 10 Version 1703

KB4585210 — 2020-11 Cumulative Update for .NET Framework 4.8 for Windows 10 Version 1803 and Windows Server 2016

KB4586082 — 2020-11 Cumulative Update for .NET Framework 3.5, 4.7.2 and 4.8 for Windows Server 2019 and Windows 10 Version 1809

KB4589198 — 2020-11 Update for Windows 10 Version 1507

KB4589206 — 2020-11 Update for Windows 10 Version 1803

KB4589208 — 2020-11 Update for Windows Server 2019 and Windows 10 Version 1809

KB4589210 — 2020-11 Update for Windows Server 2016 and Windows 10 Version 1607

KB4589211 — 2020-11 Update for Windows Server, version 1909, Windows 10 Version 1909, Windows Server 2019 (1903), and Windows 10 Version 1903

KB4589212 — 2020-11 Update for Windows Server, version 20H2, Windows 10 Version 20H2, Windows Server, version 2004, and Windows 10 Version 2004

KB890830 — Windows Malicious Software Removal Tool

KB4585204 — 2020-11 Security and Quality Rollup for .NET Framework 4.6 for Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, and Windows Server 2008

KB4585205 — 2020-11 Security and Quality Rollup for .NET Framework 4.8 for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4585211 — 2020-11 Security and Quality Rollup for .NET Framework 4.8 for Windows Embedded 8 Standard and Windows Server 2012

KB4585212 — 2020-11 Security and Quality Rollup for .NET Framework 4.8 for Windows 8.1 and Windows Server 2012 R2

KB4585213 — 2020-11 Security and Quality Rollup for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows Embedded 8 Standard and Windows Server 2012

KB4585214 — 2020-11 Security and Quality Rollup for .NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 8.1 and Windows Server 2012 R2

KB4586083 — 2020-11 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2

KB4586084 — 2020-11 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows Embedded 8 Standard and Windows Server 2012

KB4586085 — 2020-11 Security and Quality Rollup for .NET Framework 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 and Windows Server 2012 R2

KB4586086 — 2020-11 Security and Quality Rollup for .NET Framework 2.0, 3.0, 4.5.2, 4.6 for Windows Server 2008

Microsoft Office Updates

You find Office update information here.

How to download and install the November 2020 security updates


The November 2020 security patches are already available for all supported versions of Windows and other Microsoft products. Home users get these via Windows Updates or direct downloads, business customers and Enterprises get these via update management systems such as WSUS predominantly.

Updates are installed automatically by default on Home systems, but you can run a manual check for updates to download and install these earlier.

Note: we recommend that you create a backup of important data, better the entire system, before you install updates.

Do this to manually check for updates:

  1. Open the Start Menu of the Windows operating system, type Windows Update and select the result.
  2. Select check for updates in the application that opens. Updates may be installed automatically when they are found or offered by Windows; this depends on the operating system and version that is used, and update settings.

Direct update downloads

Below are resource pages with direct download links, if you prefer to download the updates to install them manually.

Windows 7 and Server 2008 R2

  • KB4586827 — 2020-11 Security Monthly Quality Rollup for Windows 7
  • KB4586805 — 2020-11 Security Only Quality Update for Windows 7

Windows 8.1 and Windows Server 2012 R2

  • KB4586845 — 2020-11 Security Monthly Quality Rollup for Windows 8.1
  • KB4586823 — 2020-11 Security Only Quality Update for Windows 8.1

Windows 10 (version 1809)

  • KB4586793 — 2020-11 Cumulative Update for Windows 10 Version 1809

Windows 10 (version 1903)

  • KB4586786 — 2020-11 Cumulative Update for Windows 10 Version 1903

Windows 10 (version 1909)

  • KB4586786 — 2020-11 Cumulative Update for Windows 10 Version 1909

Windows 10 (version 2004)

  • KB4586781 — 2020-11 Cumulative Update for Windows 10 Version 2004

Windows 10 (version 20H2)

  • KB4586781 — 2020-11 Cumulative Update for Windows 10 Version 20H2

Additional resources

Summary
Microsoft Windows Security Updates November 2020 overview
Article Name
Microsoft Windows Security Updates November 2020 overview
Description
Microsoft released security updates and non-security updates for all supported versions of the company’s Windows operating system, client and server, as well as other company products such as Microsoft Office on the November 2020 Patch Day.
Author
Martin Brinkmann
Publisher
Ghacks Technology News

Error:”Operation Not Permitted” on NetScaler VPX on Hyper-V while modifying interface

In ns.log it was observed that other parameters are also set when the interface alias is changed from the GUI. The parameter that failed was the one that sets HA monitor to ON.

Logs:

——

ns.log.0:Sep 15 15:59:04 <local0.info> 127.0.0.2 09/15/2015:20:59:04 GMT NLR-A-NS01 0-PPE-0 : default GUI CMD_EXECUTED 139 0 : User nsroot – Remote_ip 10.1.1.6 – Command “set interface 0/1 -speed AUTO -duplex AUTO -flowControl OFF -autoneg ENABLED -haMonitor ON -mtu 1500 -tagall OFF -state ENABLED -lacpMode DISABLED -lagtype NODE -ifAlias MANAGEMENT -throughput 0 -linkRedundancy OFF -bandwidthHigh 0 -bandwidthNormal 0 -intftype “Hyper v” -ifnum 0/1 -lldpmode NONE -lrsetPriority 1024″ – Status “ERROR: Operation not permitted”

This is expected behaviour as per Issue Id: TSK0312538.

When VPX is installed on top of a hypervisor, its interfaces are registered based on what the hypervisor exposes.

Several parameters are passed back to VPX when it registers an interface, physical link state being one of them.

The drivers are written differently for each hypervisor. On Hyper-V, the physical link state information is not passed through the virtual interface, unlike XenServer, which does pass this information on.

As a result, VPX has no link state information on Hyper-V. It flags this, and when the HAMON set command is executed it rejects the command because the setting does not apply in this scenario.


XenApp/Xendesktop 7.X Exception “Cannot Connect To Database Server” Of Type “Citrix.Fma.Sdk.Dal.DALConnectionFailedException”. Ensure that the database is correctly configured and accessible.

  • Collect Wireshark logs from Delivery Controller and SQL server to check if the issue is due to intermittent network issues.
  • Collect PSSDIAG logs from SQL Database Server to check if there are any SQL Performance issue.
  • As a workaround you can increase the Connection Pool size of Monitor Service.

1. Take a backup of the Delivery Controller and the database server.

2. On the Delivery Controller, launch PowerShell as an administrator.

3. Run asnp citrix*

4. Run Get-MonitorDataStore and copy the ConnectionString value.

5. Run the following PowerShell cmdlets to null the Monitor DB connection:

Set-MonitorDBConnection -DataStore Monitor -DBConnection $null

Set-MonitorDBConnection -DBConnection $null

6. Run the following PowerShell cmdlets to reset the ConnectionString value with the Max Pool Size parameter added and set to 200.

Example:

Set-MonitorDBConnection -DataStore Monitor -DBConnection "Server=SQL;Initial Catalog=xxxxx;Integrated Security=True;Max Pool Size=200"

Set-MonitorDBConnection -DBConnection "Server=SQL;Initial Catalog=xxxxx;Integrated Security=True;Max Pool Size=200"

7. Adjust the string value to match the ConnectionString output from step 4, then restart the Citrix Monitor service.
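Steps 3 to 7 as one script, added here as an example and not taken from the Citrix article. It assumes Get-MonitorDataStore returns rows whose DataStore is Site and Monitor, and that the service display name starts with "Citrix Monitor"; Add-MaxPoolSize is a hypothetical helper.

```powershell
# Added example. Run elevated on the Delivery Controller after the backups in step 1.
Add-PSSnapin Citrix*                                  # step 3 ("asnp citrix*")

function Add-MaxPoolSize {
    # Hypothetical helper: returns the string with Max Pool Size set to $Size,
    # replacing an existing value rather than appending a duplicate keyword.
    param([string]$ConnectionString, [int]$Size = 200)
    $pattern = '(?i)Max Pool Size\s*=\s*\d+'
    if ($ConnectionString -match $pattern) {
        return $ConnectionString -replace $pattern, "Max Pool Size=$Size"
    }
    return $ConnectionString.TrimEnd(';', ' ') + ";Max Pool Size=$Size"
}

# Step 4: read the current strings BEFORE nulling anything, and keep a copy for rollback.
$stores = Get-MonitorDataStore
$stores | Select-Object DataStore, ConnectionString |
    Export-Csv "$env:TEMP\MonitorDataStore-before.csv" -NoTypeInformation

# Assumption: the two rows are named 'Site' and 'Monitor'. They can point at
# different databases, so each keeps its own Initial Catalog.
$siteCs = ($stores | Where-Object { $_.DataStore -eq 'Site' }).ConnectionString
$monCs  = ($stores | Where-Object { $_.DataStore -eq 'Monitor' }).ConnectionString
if (-not $siteCs -or -not $monCs) {
    throw 'Could not read both connection strings; nothing was changed.'
}

# Step 5: null the connections, in the order given in the article.
Set-MonitorDBConnection -DataStore Monitor -DBConnection $null
Set-MonitorDBConnection -DBConnection $null

# Step 6: set them again with Max Pool Size=200 added.
Set-MonitorDBConnection -DataStore Monitor -DBConnection (Add-MaxPoolSize $monCs)
Set-MonitorDBConnection -DBConnection (Add-MaxPoolSize $siteCs)

# Step 7: restart the Citrix Monitor service (matched by display name, an assumption)
# and show the resulting strings for comparison with the saved copy.
Get-Service -DisplayName 'Citrix Monitor*' | Restart-Service
Get-MonitorDataStore | Select-Object DataStore, ConnectionString
```

The guard before step 5 matters: once the connections are nulled, the original strings can no longer be read back from Get-MonitorDataStore, so the script stops before changing anything if either one is empty.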


XenApp Server Is Not Listening On Port 1494 Preventing Connections

There are two solutions.

Solution 1

Complete the following steps to resolve the issue:

Caution! Refer to the Disclaimer at the end of this article before using Registry Editor.

  1. Run Regedit.

  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.

  3. Create a key named WDICA.

  4. Manually add the following values:

    ErrorControl: REG_DWORD : 0

    Start: REG_DWORD : 0x3

    Type: REG_DWORD : 0x1

  5. Reboot the server.

  6. After the reboot, a subkey named Enum will be created with the following values:

    0 : REG_SZ : Root\LEGACY_WDICA\0000

    Count : REG_DWORD : 0x1

    NextInstance : REG_DWORD : 0x1

  7. Make a Custom ICA Connection to the server IP address. The connection should now connect successfully.

Complete the following steps if the preceding resolution does not resolve the issue:

  1. Check if HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WDICA and its subkeys exist.

  2. Add permissions to the key in order to save and restore the key from a working server. When this key is manually deleted and the server is rebooted, the key should regenerate automatically.

  3. If the key does not automatically regenerate, restore a copy of this key from a known good server or manually create the entries. When replacing this key with a copy of the key from another server, navigate to the following location:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WDICA\0000\Control

  4. Delete the data of the following value located within the key referenced in step 1 and reboot the server:

    "DeviceReference"=dword:8188fd10

  5. Data should repopulate after the reboot.

Note: The cause for the disappearance or corruption of these registry keys is currently unknown. Reboot the XenApp server after making the preceding registry changes.
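A read-only check for Solution 1, added here as an example and not part of the Citrix article: it compares the WDICA service values with those listed in step 4, looks for the Enum subkey from step 6, and tests whether anything is listening on TCP 1494. Test-WdicaKey and Test-TcpListener are hypothetical helper names.

```powershell
# Added example. Reads the registry and the TCP listener table; changes nothing.
$svcKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WDICA'
$expected = @{ ErrorControl = 0; Start = 3; Type = 1 }   # values from step 4
$icaPort  = 1494

function Test-WdicaKey {
    # Returns $true only if the key exists and every expected value matches.
    param([string]$Path, [hashtable]$Expected)
    if (-not (Test-Path $Path)) {
        Write-Warning "$Path is missing (steps 3 and 4 not applied)."
        return $false
    }
    $ok    = $true
    $props = Get-ItemProperty -Path $Path
    foreach ($name in $Expected.Keys) {
        $actual = $props.$name
        if ($null -eq $actual) {
            Write-Warning "$name is missing."
            $ok = $false
        } elseif ($actual -ne $Expected[$name]) {
            Write-Warning "$name is $actual, expected $($Expected[$name])."
            $ok = $false
        }
    }
    return $ok
}

function Test-TcpListener {
    # Uses the .NET listener table so it also works where Get-NetTCPConnection is absent.
    param([int]$Port)
    $ipProps   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $listeners = $ipProps.GetActiveTcpListeners()
    return [bool]($listeners | Where-Object { $_.Port -eq $Port })
}

# Summary object: all three should be True once the fix has taken effect.
New-Object PSObject -Property @{
    ServiceValuesOk = Test-WdicaKey -Path $svcKey -Expected $expected
    EnumSubkeyFound = Test-Path "$svcKey\Enum"          # created after the reboot in step 6
    Port1494Listens = Test-TcpListener -Port $icaPort
}
```

If ServiceValuesOk and EnumSubkeyFound are True but Port1494Listens is False after a reboot, the follow-up steps on the Enum\Root\LEGACY_WDICA key are the next thing to check.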

Solution 2

On Windows 2008, removing and re-adding the ica-tcp port creates problems because of a Microsoft change. If the port is not listening, repair the XenApp installation to restore the ica-tcp port, as follows:

Add/Remove programs > Change > repair > XenApp 6.5.
