We're now two weeks deep into 2021, and since it's the second Tuesday of January, that means it's also time for the first Patch Tuesday of the year. Microsoft is rolling out cumulative updates for all supported versions of Windows, and that includes Windows 8.1 and Windows 7, assuming you're paying for extended security updates for the latter.
As usual, there are two sets of updates for the operating systems, one monthly rollup and one security-only update. The former rolls out to most users automatically, while the latter has to be downloaded manually. For Windows 8.1, this month's rollup is KB4598285 and it can be downloaded manually here. Here's what's new in this release:
- Addresses a security bypass vulnerability that exists in the way the Printer Remote Procedure Call (RPC) binding handles authentication for the remote Winspool interface. For more information, see KB4599464.
- Addresses a security vulnerability issue with HTTPS-based intranet servers. After you install this update, HTTPS-based intranet servers cannot leverage a user proxy to detect updates by default. Scans that use these servers will fail if the clients do not have a configured system proxy.
If you must leverage a user proxy, you must configure the behavior by using the Windows Update policy Allow user proxy to be used as a fallback if detection using system proxy fails. To make sure that the highest levels of security, additionally leverage Windows Server Update Services (WSUS) Transport Layer Security (TLS) certificate pinning on all devices. For more information, see Changes to scans, improved security for Windows devices.
Note This change does not affect customers who use HTTP WSUS servers.- Security updates to Windows App Platform and Frameworks, Windows Graphics, Windows Media, Windows Fundamentals, Windows Cryptography, and Windows Virtualization.
The update includes a single known issue that we're familiar with by now:
Symptom | Workaround |
---|---|
Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the operation on a CSV owner node from a process that doesn’t have administrator privilege. |
Do one of the following:
Microsoft is working on a resolution and will provide an update in an upcoming release. |
As for the security-only update, it's KB4598275, and you can download it manually here. It only includes the following changes:
- Security updates to Windows App Platform and Frameworks, Windows Graphics, Windows Media, Windows Fundamentals, Windows Cryptography, and Windows Virtualization.
It has the same known issue as the monthly rollup.
Turning over to Windows 7, again, you'll need to be paying for extended security updates for your organization to get these updates. It's also possible that the cost of these updates is doubling soon, since it's been one year since support was ended for the OS. Either way, if you're paying for them, the monthly rollup update is KB4598279 and you can download it manually here. It includes the following changes:
- Addresses a security bypass vulnerability that exists in the way the Printer Remote Procedure Call (RPC) binding handles authentication for the remote Winspool interface. For more information, see KB4599464.
- Addresses a security vulnerability issue with HTTPS-based intranet servers. After you install this update, HTTPS-based intranet servers cannot leverage a user proxy to detect updates by default. Scans that use these servers will fail if the clients do not have a configured system proxy.
If you must leverage a user proxy, you must configure the behavior by using the Windows Update policy Allow user proxy to be used as a fallback if detection using system proxy fails. To make sure that the highest levels of security, additionally leverage Windows Server Update Services (WSUS) Transport Layer Security (TLS) certificate pinning on all devices. For more information, see Changes to scans, improved security for Windows devices.
Note This change does not affect customers who use HTTP WSUS servers.- Security updates to Windows App Platform and Frameworks, Windows Graphics, Windows Media, Windows Fundamentals, Windows Cryptography, Windows Virtualization, and Windows Hybrid Storage Services.
The only known issue is the same as for the Windows 8.1 updates above. Finally, the security-only update is KB4598289, and you can download it manually here. You'll only be getting the security updates mentioned in the last bullet point above, and the known issue is also the same as for the rest of the updates.
As mentioned above, the monthly rollup updates are usually installed automatically, but you may prefer downloading and installing them manually. With the security-only updates, you have no choice but to do it manually.