Table of contents
×

Release Date:

4/11/2017

Version:

OS Build 14393.1066 and 14393.1083

Improvements and fixes

This security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

  • Addressed issue that was preventing the Camera application from saving a captured image when "Show recently opened items in Jump Lists on Start or the taskbar" settings is enabled.

  • Improved the Host Network Service (HNS) to support an overlay network driver for use on Windows Server 2016 to connect containers across hosts using Docker Engine in Swarm Mode.

  • Addressed issue that was not allowing users to access online help content when clicking the help icon in various Windows applications, such as File Explorer.

  • Addressed issue where displays turn off unexpectedly even when Turn off display and Screen saver are disabled in the power profile.

  • Addressed an issue where CredentialGuard-enabled computers joined to Active Directory domains submit two bad logon attempts each time a bad password is provided during a Kerberos-based logon. Logons to Active Directory domains with arbitrarily low account lockout thresholds may be subject to unexpected account lockouts. For example, 2 logons with a bad password could result in an account being locked out if the account lockout threshold is set to 3 or 4.

  • Addressed issue that increases CPU usage when IP forwarding or weak host is enabled.

  • Addressed issue where some of the VPN drivers do not get migrated when upgrading the OS to Windows 10, version 1607.

  • Addressed issue that causes virtual machines to fail during high I/O scenarios where the user may log in multiple times.

  • Addressed issue that was causing connections (after the 1st connection request) from a Remote Desktop Client to a Remote Desktop session to fail after upgrading from Windows 10, version 1511, to Windows 10, version 1607.

  • Addressed issue that was causing the Command prompt to be not displayed properly through the serial console on headless systems.

  • Addressed issue that was causing MDM enrollment failtures on devices using Kerberos authentication.

  • Addressed issue with rendering when a webpage contains a DIV element that has the contenteditable attribute.

  • Addressed issue that causes text to disappear when you resize an Internet Explorer window when the encoding is Hebrew and any text ends with an underscore character.

  • Addressed issue that was causing headless machines to not go into S3 sleep mode sometimes.

  • Enabled warning message in Group Policy Management Console (GPMC) to alert administrators of a design change that may prevent the processing of a User Group after installing security update MS16-072 (KB3163622).

  • Addressed an issue that was causing Windows Explorer to perform an endless, rapid refresh of a network drive that is mapped to a share, preventing users from performing tasks such as rename object.

  • Addressed a memory leak in Internet Explorer when hosting a page that contains nested framesets, which load cross-domain content.

  • Addressed an issue that was causing the print spooler service to hang instead of showing a timeout error when a connection between a bluetooth printer and the machine is lost during printing.

  • Addressed an issue that was preventing installation of a new printer driver that uses v3 printer drivers.

  • Improved the reliability of Load Balancing/Failover (LBFO) whenever there is a resource rebalance, a device failure, or a surprise removal of a device.

  • Addressed additional issues with updated time zone information, Internet Explorer, and Microsoft Edge.

  • Security updates to Scripting Engine, libjpeg image-processing library, Hyper-V, Win32k, Adobe Type Manager Font Driver, Internet Explorer, Microsoft Edge, Graphics component, Active Directory Federation Services, .NET Framework, Active Directory, Lightweight Directory Access Protocol, Windows Kernel model drivers and Windows OLE.

If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.

Known issues in this update

This security update introduced an issue in which, if an iSCSI target becomes unavailable, attempts to reconnect will cause a leak. Initiating a new connection to an available target will work as expected. Microsoft is researching this problem and will post more information in this article when the information becomes available. For more information about this issue, see the following section.

 

Windows Server 2012 R2 and Server 2016 computers that experience disconnections to iSCSI attached targets may show many different symptoms. These include, but are not limited to:

  • The operating system stops responding

  • You receive Stop errors (Bugcheck errors) 0x80, 0x111, 0x1C8, 0xE2, 0x161, 0x00, 0xF4, 0xEF, 0xEA, 0x101, 0x133, or 0xDEADDEAD.

  • User log on failures occur together with a "No Logon Servers Available" error.

  • Application and service failures occur because of ephemeral port exhaustion.

  • An unusually high number of ephemeral ports are being used by the System process.

  • An unusually high number of threads are being used by the System process.

Cause

This issue is caused by a locking issue on Windows Server 2012 R2 and Windows Server 2016 RS1 computers, causing connectivity issues to the iSCSI targets. The issue can occur after installing any of the following updates:

Windows Server 2012 R2

Release date

KB

Article title

May 16, 2017

KB 4015553

April 18, 2017—KB4015553 (Preview of Monthly Rollup)

May 9, 2017

KB 4019215

May 9, 2017—KB4019215 (Monthly Rollup)

May 9, 2017

KB 4019213

May 9, 2017—KB4019213 (Security-only update)

April 18, 2017

KB 4015553

April 18, 2017—KB4015553 (Preview of Monthly Rollup)

April 11, 2017

KB 4015550

April 11, 2017—KB4015550 (Monthly Rollup)

April 11, 2017

KB 4015547

April 11, 2017—KB4015547 (Security-only update)

March 21, 2017

KB 4012219

March 2017 Preview of Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2

Windows Server 2016 RTM (RS1) 

Release date

KB

Article title

May 16, 2017

KB 4023680

May 26, 2017—KB4023680 (OS Build 14393.1230)

May 9, 2017

KB 4019472

May 9, 2017—KB4019472 (OS Build 14393.1198)

April 11, 2017

KB 4015217

April 11, 2017—KB4015217 (OS Build 14393.1066 and 14393.1083)


Verification

  • Verify the version of the following MSISCSI driver on the system:

    c:\windows\system32\drivers\msiscsi.sys

    The version that will expose this behavior is 6.3.9600.18624 for Windows Server 2012 R2 and version 10.0.14393.1066 for Windows Server 2016.

  • The following events are logged in the System log:

    Event source

    ID

    Text

    iScsiPrt

    34

    A connection to the target was lost, but the Initiator successfully reconnected to the target. Dump data contains the target name.

    iScsiPrt

    39

    The Initiator sent a task management command to reset the target. The target name is given in the dump data.

    iScsiPrt

    9

    Target did not respond in time for a SCSI request. The CDB is given in the dump data.

  • Review the number of threads that are running under the System process, and compare this to a known working baseline.

  • Review the number of handles that are currently opened by the System process, and compare this to a known working baseline.

  • Review the number of ephemeral ports that are being used by the System process.

  • From an administrative Powershell, run the following command:

    Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Sort Count

    Or, from an administrative CMD prompt, run the following NETSTAT command together with the "Q" switch. This shows "bound" ports that are no longer connected:

    NETSTAT –ANOQ

    Focus on ports that are owned by the SYSTEM process.

    For the three previous points, anything more than 12,000 should be considered suspect. If iSCSI targets are present in the computer, there is high probability that the issue will occur.

Resolution

If the event logs indicate that many reconnections are occurring, work with your iSCSI and network fabric vendor to help diagnose and correct the reason for the failure to maintain connections to iSCSI targets. Make sure that iSCSI targets can be accessed over the current network fabric. Install updated fixes when they become available. This article will be updated with the specific KB article number of the fix to install when it becomes available.

Note We do not recommend that you uninstall any of the March, April, May, or June security rollups. Doing so will expose the computers to known security exploits and other bugs that are mitigated by monthly updates. We recommend that you first work with iSCSI target and network vendors to resolve the connectivity issues that are triggering target reconnects.

How to get this update

This update will be downloaded and installed automatically from Windows Update. To get the stand-alone package for this update, go to the Microsoft Update Catalog website. After this update is installed, the build number will be either 14393.1066 (for all Windows 10 devices except HoloLens) or 14393.1083 (for HoloLens).

  • Update replacement information
    This update replaces the previously released update KB4016635.

  • File information
    For a list of the files that are provided in this update, download the file information for cumulative update 4015217. If you're installing a Windows 10 update for the first time, the package size for the X86 version is 572 MB and the package size for the x64 version is 1,094 MB.

Need more help?

Expand your skills
Explore Training
Get new features first
Join Microsoft Insiders

Was this information helpful?

What affected your experience?

Thank you for your feedback!

×