Patch Tuesday: Here's what's new for Windows 7 and Windows 8.1

Today is Patch Tuesday, and while that means that all supported versions of Windows 10 get updates, older versions of Windows get patches as well. The includes Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2.

If you're on Windows 7 SP1 or Windows Server 2008 R2 SP1, you'll get KB4493472 as the monthly rollup. You can manually download it here, and it contains the following fixes:

  • Provides protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) for VIA-based computers. These protections are enabled by default for the Windows Client, but disabled by default for Windows Server. For Windows Client (IT Pro) guidance, follow the instructions in KB4073119. For Windows Server guidance, follow the instructions in KB4072698. Use these guidance documents to enable or disable these mitigations for VIA-based computers.

  • Addresses an issue that causes the error "0x3B_c0000005_win32k!vSetPointer" when the kernel mode driver, win32k.sys, accesses an invalid memory location.

  • Addresses an issue in which netdom.exe fails to run, and the error, “The command failed to complete successfully” appears.

  • Addresses an issue that may prevent Custom URI Schemes for Application Protocol handlers from starting the corresponding application for local intranet and trusted sites on Internet Explorer.

  • Addresses an issue that may cause authentication issues for Internet Explorer 11 and other applications that use WININET.DLL. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons.

  • Security updates to Windows Kernel, Windows Server, Graphics Component, Windows Input and Composition, Windows Datacenter Networking, Windows MSXML, and the Microsoft JET Database Engine.

There's also one known issue to be aware of:

Symptom Workaround
After installing this update, some customers report that authentication fails for services that require unconstrained delegation after the Kerberos ticket expires (the default is 10 hours). For example, the SQL server service fails.

To mitigate this issue, use one of the following options:

Option 1: Purge the Kerberos tickets on the application server. After the Kerberos ticket expires, the issue will occur again, and you must purge the tickets again.

Option 2: If purging does not mitigate the issue, restart the application; for example, restart the Internet Information Services (IIS) app pool associated with the SQL server.

Option 3: Use constrained delegation.

Microsoft is working on a resolution and will provide an update in an upcoming release.


There's also a security-only update, KB4493448, which has the same known issue. You can manually download it here, and it contains the following fixes:

  • Provides protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) for VIA-based computers. These protections are enabled by default for the Windows Client, but disabled by default for Windows Server. For Windows Client (IT Pro) guidance, follow the instructions in KB4073119. For Windows Server guidance, follow the instructions in KB4072698. Use these guidance documents to enable or disable these mitigations for VIA-based computers.

  • Addresses an issue in which netdom.exe fails to run, and the error, “The command failed to complete successfully” appears.

  • Addresses an issue that may cause authentication issues for Internet Explorer 11 and other applications that use WININET.DLL. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons.

  • Security updates to Windows Kernel, Windows Server, Graphics Component, Windows Input and Composition, Windows Datacenter Networking, Windows MSXML, and the Microsoft JET Database Engine.

For Windows 8.1 and Windows Server 2012 R2, you'll get KB4493446 as the monthly rollup. You can manually download it here and it contains the following fixes:

  • Provides protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) for VIA-based computers. These protections are enabled by default for the Windows Client, but disabled by default for Windows Server. For Windows Client (IT Pro) guidance, follow the instructions in KB4073119. For Windows Server guidance, follow the instructions in KB4072698. Use these guidance documents to enable or disable these mitigations for VIA-based computers.

  • Addresses an issue that may cause applications that use MSXML6 to stop responding if an exception was thrown during node operations.

  • Addresses an issue that causes the Group Policy editor to stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 Internet settings.

  • Addresses an issue with Custom URI Schemes for Application Protocol handlers, which may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

  • Addresses an issue that may cause authentication issues for Internet Explorer 11 and other applications that use WININET.DLL. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons.

  • Security updates to Windows Storage and Filesystems, Windows Server, Microsoft Graphics Component, Windows Input and Composition, Windows Datacenter Networking, Windows Kernel, Windows MSXML, Windows SQL components, and the Microsoft JET Database Engine.

This update also has one known issue:

Symptom Workaround
After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:
Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:

Use the Windows Deployment Services UI.

  1. Open Windows Deployment Services from Windows Administrative Tools.
  2. Expand Servers and right-click a WDS server.
  3. Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:
Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\ Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

Microsoft is working on a resolution and will provide an update in an upcoming release.


The security-only update, KB4493467, has the same known issue. You can manually download it here, and it contains the following fixes:

  • Provides protections against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) for VIA-based computers. These protections are enabled by default for the Windows Client, but disabled by default for Windows Server. For Windows Client (IT Pro) guidance, follow the instructions in KB4073119. For Windows Server guidance, follow the instructions in KB4072698. Use these guidance documents to enable or disable these mitigations for VIA-based computers.

  • Addresses an issue that may cause applications that use MSXML6 to stop responding if an exception was thrown during node operations.

  • Addresses an issue that causes the Group Policy editor to stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 Internet settings.

  • Addresses an issue that may cause authentication issues for Internet Explorer 11 and other applications that use WININET.DLL. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons.

  • Security updates to Windows Storage and Filesystems, Windows Server, Microsoft Graphics Component, Windows Input and Composition, Windows Datacenter Networking, Windows Kernel, Windows MSXML, Windows SQL components, and the Microsoft JET Database Engine.

Finally, those on Windows Server 2012 will get KB4493451 as the monthly rollup. You can manually download it here, and it contains the following fixes:

  • Addresses an issue that causes the error "0x3B_c0000005_win32k!vSetPointer" when the kernel mode driver, win32k.sys, accesses an invalid memory location.

  • Addresses an issue that may cause applications that use MSXML6 to stop responding if an exception was thrown during node operations.

  • Addresses an issue that causes the Group Policy editor to stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 Internet settings.

  • Addresses an issue that may cause authentication issues for Internet Explorer 10 and other applications that use WININET.DLL. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons.

  • Addresses an issue that may prevent Custom URI Schemes for Application Protocol handlers from starting the corresponding application for local intranet and trusted sites on Internet Explorer.

  • Security updates to Windows Storage and Filesystems, Windows Server, Microsoft Graphics Component, Windows Input and Composition, Windows Datacenter Networking, Windows Kernel, Windows MSXML, and the Microsoft JET Database Engine.

The security-only update is KB4493450. You can manually download it here, and it contains the following fixes:

  • Addresses an issue that may cause applications that use MSXML6 to stop responding if an exception was thrown during node operations.

  • Addresses an issue that causes the Group Policy editor to stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 Internet settings.

  • Addresses an issue that may cause authentication issues for Internet Explorer 10 and other applications that use WININET.DLL. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons.

  • Security updates to Windows Storage and Filesystems, Windows Server, Microsoft Graphics Component, Windows Input and Composition, Windows Datacenter Networking, Windows Kernel, Windows MSXML, and the Microsoft JET Database Engine.

Both of the Windows Server 2012 updates contain the same known issue as the Windows 8.1 updates.

Report a problem with article
1492116269_macbook-pro-2016-touch-bar-logo
Next Article

Apple will no longer charge you $99 for transferring files to your new Mac

1519844247_qualcommsnapdragon
Previous Article

Qualcomm unveils new mid-tier chipsets, the 730, 730G and 665

6 Comments - Add comment

Advertisement