Microsoft has released the cumulative updates KB4038801 for Windows Server 2016. This is the second cumulative update in the month of September. This update has been released on 28th September 2017. The first cumulative update was KB4038782.
A few days back, Microsoft has released cumulative updates KB4038801 for Windows 10 version 1607, which didn’t have any update for Microsoft Server, that’s why a separate update has been released for Windows Server 2016.
The key changes made in this update are with Managed Service Account, RemoteApp display, the certificate associated with the CA management console, LSASS, and a few others.
Let’s go through the changes made in KB4038801 (Windows Server 2016) and then you may have the downloaded link for this update at the end of the article.
Changelog of Cumulative Update KB4038801
The issue is addressed where a computer loses access to its domain each time a Managed Service Account (MSA) automatically renews its password. This fix eliminates the need to restart the OS or the NETLOGON service once NETLOGON Event 3210 is logged with 0xc000022. It has been fixed.
This update fixes the RemoteApp display issues that occur when you minimize and restore a RemoteApp to full-screen mode.
The issue has been fixed with delays when accessing Office documents from a remote network drive. Files open, but file access and file saves are affected. Access delays increase dramatically with increased file size.
The issues with user logon delays was occurring. Delays occur when the Group Policy Preference client-side extensions send BroadcastSystemMessages and processes that have registered, top-level windows fail to respond. This s=is resolved now.
An issue has been fixed where the Get-AuthenticodeSignaturecmdlet does not list TimeStamperCertificate even though the file is time stamped.
The issue that may occur when you inspect a corrupted VHDX file on a Hyper-V host; the error is “Multiple Bugcheck BAD_POOL_CALLER (c2) 0000000000000007; Attempt to free pool which was already freed". However, when Special Pool is enabled, the error is “0xCC PAGE_FAULT_IN_FREED_SPECIAL_POOL". You may won’t experience this any more.
An issue has fixed with Remote Desktop’s idle timeout warning doesn’t appear after the idle time elapsed.
An issue where revoking a certificate associated with a disabled user account in the CA management console fails. The error is “The user name or password is incorrect. 0x8007052e (WIN32: 1326 ERROR_LOGON_FAILURE)". This has been resolved.
An issue causes the Multi-Factor Authentication to not work correctly with mobile devices that use custom culture definitions, fixed now.
In previous update, the cluster node stops working when using async replication on very high-speed disks. This has been removed.
An issue was addressed where ksecdd.sys causes LSASS to leak kernel memory in paged pool. This most commonly affects servers that host an HTTPS service and handle a heavy load of TLS handshakes from clients.
In LSASS, the excessive memory usage was there, when it evaluates an LDAP filter over a large record set on domain controllers. This issue has removed.
LSASS was consuming large amounts of memory on 2012 R2 domain controllers during a security descriptor propagation operation. This issue occurs when a security descriptor change is made on a root object that has many descendants. Additionally, Applies To is set to “This object and all descendant objects.”, but it is fixed now.
An issue has been fixed where console and RDP logons permanently stop responding at “Applying user profile settings" because of a deadlock between DPAPI/LSASS and RDR. Once the deadlock occurs, new logons fail until the logon computer is restarted.
Addressed issue where performing TPM-related operations using PowerShell commands on a virtual machine causes the TPM support to fail. For example, performing a Get-TPM operation produces the following error: “get-tpm : An internal error was detected. (Exception from HRESULT: 0x80290107). At line:1 char:1”.
Added support for OIDC logout using federated LDPs. This will allow kiosk scenarios where multiple users may be serially logged into a single device that has federation with an LDP.
Addressed issue with WinHello where CEP- and CES-based certificates don’t work with gMSA accounts.
RPC reliability has improved when sending large data blobs.
An issue has been resolved which occurred while using a smart card to log on to a Remote Desktop Server sometimes causes the server to stop responding.
The issue had faced where “Hibernate Once/Resume Many ” (HORM) could not be enabled on Windows Server 2016 IoT with Unified Write Filter. But after updating the KB4038801 update, you will not face this error.
An issue has been fixed where deleting an object that has many links in Active Directory causes replication to stop with Event 1084, error 8409: “A database error has occurred”.
Windows Server 2016 domain controllers (DC) may log audit events with ID 4625 and 4776. The DCs use Microsoft Windows Security information that has truncated user names and domain names for logons that come from client applications that use wldap32.dll. This issue is fixed.
An issue has addressed access violation in LSASS that occurs during the startup of the domain controller role conditions. A race condition causes the violation when account management calls occur while the database is refreshing internal metadata. A password reset or change is one of the management calls that may trigger this problem.
The Windows Server Essentials Storage Service stops working if a tiered virtual disk is created on a storage pool that has HDD and SSD. But this is fixed now.
Addressed issue where attempting to extend a Clustered Shared Volume (the source disk) beyond 2 TB using Disk Management in the Storage Replica feature of Windows Server 2016 Datacenter Edition fails. The error is “There is not enough space available on the disk to complete this operation". The same problem may occur when using the Resize-Partition PowerShell cmdlet. In this case, the error is “Not enough available capacity".
The issue where the Windows Internal Database (WID) on Windows Server 2016 AD FS servers fails to synchronize some settings because of a foreign key constraint. These settings include the ApplicationGroupId columns from IdentityServerPolicy.Scopes and IdentityServerPolicy.Clients tables. The synchronization failure can cause different claim, claim provider, and application experiences between primary and secondary AD FS servers. Also, if you move the WID primary role to a secondary node, you cannot manage application groups using the AD FS management user interface. This issue has been fixed.
KB4038801 Direct Download Links
This link is from the official website of Microsoft.