Recent Known Issue Summary

  • General discussion

  • Hi Everyone,

    The following is a summary of recent known issues for your reference.

    Known issue





    SHA-2 requirements for Win7 / W2K8 R2 (1B.) WU holds on Win7 / W2K8 R2 if Symantec AV installed

    Required: Updates for legacy Windows versions will require that SHA-2 code signing support be installed. The support released in March (KB4474419 and KB4490628) will be required in order to continue to receive updates on these versions of Windows.

    Legacy Windows updates signatures changed from dual signed (SHA-1/SHA-2) to SHA-2 only at this time.

    Microsoft has temporarily placed a compatibility hold on devices from receiving this update if an affected Symantec Antivirus is installed, until a solution is available.

    Guidance for Symantec customers can be found in the Symantec support article.




    IA-64 boot failures in "8b"

    IA64 devices fail to boot unless August 13th release of SHA2 update KB 4474419 fully installed 1st on IA Win7, W2K8 R2 + W2K8 devices


    This issue should affect a small number of devices but there is an issue where installing 2019 "8B" (August 13th, 2019) updates and 2019 "8C" (August 20th, 2019) and later updates on devices running IA64 based versions of the following operating systems will cause the machine to not boot.

    This issue has been resolved in the latest version of KB4474419 (released on or after Aug 13, 2019). Please verify that it is installed before installing this update.




    Bluetooth hardening

    This is an issue where an attacker can use a hardware device to interfere with, then downgrade, the encryption level that is negotiated between a Bluetooth controller and a paired or connected device.

    Exploit risks include listening in on BT conversations or recording / interjecting keystrokes on BT keyboards.

    The negotiation process in question occurs at the hardware level, completely independent of Windows.

    The 2019 8B fix (August 13th, 2019) allows the OS to intervene for customers that believe they are vulnerable and want to protect user/corporate data.




    Test LDAP signing / sealing now!

    A set of unsafe default configurations for LDAP channel binding and LDAP signing exist on Active Directory Domain Controllers that let clients communicate with them without enforcing LDAP channel binding and LDAP signing.

    This can open Active Directory domain controllers to elevation of privilege vulnerabilities. This advisory addresses the issue by recommending a new set of safe default configurations for LDAP channel binding and LDAP signing on Active Directory Domain Controllers that supersedes the original unsafe configuration.


    Microsoft recommends enabling LDAP channel binding and LDAP signing on Active Directory Domain Controllers as described in the following articles: LDAP channel binding and LDAP signing.




    Kerberos authentication failures

    As announced in March 2019 in KB 4494025, Windows Updates released July 9th, 2019 intentionally disabled unconstrained delegation on the inbound/account domain side of forest and external trusts. Specifically, after installing May and July 2019 updates, the TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION (0x200h / 512 decimal) flag is ignored.


    KB 4490425: Updates to TGT delegation across incoming trusts in Windows Server.




    3rd party driver exploit

    40+ third party drivers have been identified with vulnerabilities.

    No in-box drivers were implicated. Seven of the drivers are distributed on WU. The majority of drivers are installed directly by hardware OEMs or are distributed by IHV web sites.

    Several IHVs have already updated their drivers. Microsoft remains in contact to track updates and intent for the remaining drivers.

    Best Regards

    Friday, August 16, 2019 10:51 AM
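
An added example, not part of the original post, for the Kerberos item above: it decodes the `trustAttributes` value of trust objects and classifies each trust against the delegation change, so trusts whose behaviour changed can be checked first when authentication failures appear. Only the 0x200 flag is named in the post. The other flag values come from the MS-ADTS `trustAttributes` definition, the assumption that 0x800 re-enables delegation also comes from MS-ADTS, and the trust names and values are constructed sample data.

```python
# Added example (not from the original post). Sample trusts are constructed.
# Flag values follow the MS-ADTS trustAttributes definition; only 0x200 is
# named in the post, and the role of 0x800 is an assumption taken from MS-ADTS.
TRUST_FLAGS = {
    0x001: "NON_TRANSITIVE",
    0x002: "UPLEVEL_ONLY",
    0x004: "QUARANTINED_DOMAIN",
    0x008: "FOREST_TRANSITIVE",
    0x010: "CROSS_ORGANIZATION",
    0x020: "WITHIN_FOREST",
    0x040: "TREAT_AS_EXTERNAL",
    0x080: "USES_RC4_ENCRYPTION",
    0x200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x400: "PIM_TRUST",
    0x800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}
NO_TGT, ENABLE_TGT, WITHIN_FOREST = 0x200, 0x800, 0x020


def decode(attrs):
    """Return the names of the flags set in a trustAttributes value."""
    names = [name for bit, name in sorted(TRUST_FLAGS.items()) if attrs & bit]
    unknown = attrs & ~sum(TRUST_FLAGS)  # bits with no known meaning
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def assess(attrs):
    """Classify a trust against the delegation change described in the post."""
    if attrs & WITHIN_FOREST:
        return "out-of-scope"  # the post covers forest and external trusts only
    if attrs & ENABLE_TGT:
        return "enabled"       # delegation explicitly re-enabled: review it
    if attrs & NO_TGT:
        return "unchanged"     # blocked before the updates, still blocked
    return "changed"           # allowed before, blocked now: may break auth


# Constructed sample data: trust name -> trustAttributes value.
SAMPLE_TRUSTS = {"partner.example": 0x008, "legacy.example": 0x204,
                 "research.example": 0x808, "child.corp.example": 0x020}


def audit(trusts):
    return {name: (assess(a), decode(a)) for name, a in trusts.items()}


if __name__ == "__main__":
    for name, (status, flags) in audit(SAMPLE_TRUSTS).items():
        print(f"{name:20} {status:13} {', '.join(flags)}")
```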