June 13, 2017—KB4022715 (OS Build 14393.1358)

Improvements and fixes

This security update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:

• Addressed issue where, after installing KB3164035, users cannot print enhanced metafiles (EMF) or documents containing bitmaps rendered out of bounds using the BitMapSection(DIBSection) function.
• Addressed issue where users may fail to access the Internet using a non-Microsoft proxy device after enabling Credential guard. The failure happens when NTLMv2 is used and the server does not send target information (TargetNameFields is 0) inside the NTLM CHALLENGE MESSAGE.
• Addressed issue where some Windows clients with Windows Information Protection (WIP) enabled cannot access their secured documents, such as protected documents or mail files. This may occur when the client connects to the enterprise network both directly and remotely (such as with a VPN connection).
• Addressed issue where Internet Explorer crashes when the Microsoft Active Accessibility application is running in the background.
• Addressed issue where adding a <select> element to the body of a JavaScript application crashes the application when users click the select box.
• Addressed an issue where certutil.exe could no longer generate an EPF file when attempting to recover a key for a version 1 style certificate.
• Addressed an issue where the network interface description name of a network adapter is not updated in Hyper-V after a device driver update. Management of a NIC Team or vSwitch within Hyper-V Administrator or System Center Virtual Machine Manager may be affected.
• Addressed issue where the Privacy Separator feature of a Wireless Access Point does not block communication between wireless devices on local subnets.
• Addressed issue that was causing devices to crash when hot plugging USB 3.0 Network Adapters
• Addressed an issue where users on Windows 7 SP1 clients connecting to a Windows Server 2016 based domain controller cannot run applications such as Internet Explorer for a period of approximately 10 minutes after logging on. This issue occurs after upgrading the enterprise domain controllers to Windows Server 2016.
• Addressed an issue where Cluster health service fails to report fault event to MAS HM component.
• Addressed an issue that was not allowing users to customize the Application list in their Start menu using the Remove All Programs list from the Start menu setting.
• Updated iDNA table to support resolving latest Unicode emoji characters from Punycode.
• Addressed issue where after installing KB4019472, the end-user-defined characters (EUDCs) is not displayed.
• Addressed additional issues with updated time zone information, storage file system, Windows Update logs, USB, Start menu and taskbar and Windows Shell.
• Security updates to Microsoft Uniscribe, Windows kernel, Windows kernel-mode drivers, Microsoft Graphics Component, Internet Explorer, Windows Shell, Microsoft Windows PDF, Device Guard and Microsoft Edge. For more information about the security vulnerabilities resolved, please refer to the Security Update Guide.

Known issues in this update

Symptom	Workaround
When you print a specific iframe or frame in a web page, the print output may be blank, or text is printed that resembles the following:

404 – Not Found

(A frame is a part of a web page or browser window that displays content independent of its container. A frame can load content independently.)This problem has also been observed in both Internet Explorer 11, and in applications that host the IE Web Browser Control. | There is currently no workaround for this issue. However, if you print the entire web page, it will print correctly. Microsoft is working on a resolution and will provide an update in an upcoming release.
After a SET Virtual Switch is deployed via SCVMM and the system is rebooted, the newly deployed Virtual Switch loses the underlying Physical Adapters in the SET. This affects all QLogic BCM578 series–, 45000 series–, and 41000 series–based products.
| The issue has been addressed in the QLogic Virtual Bus Driver (VBD) driver. For more information, see this QLogic knowledge base article or QLogic support.
If an iSCSI target becomes unavailable, attempts to reconnect will cause a leak. Initiating a new connection to an available target will work as expected.| Microsoft is working on a resolution and will provide an update in an upcoming release.

For more information about the iSCSI issue, see the following section.

__

More information about the iSCSI issue

Windows Server 2012 R2 and Server 2016 computers that experience disconnections to iSCSI attached targets may show many different symptoms. These include, but are not limited to:

• The operating system stops responding
• You receive Stop errors (Bugcheck errors) 0x80, 0x111, 0x1C8, 0xE2, 0x161, 0x00, 0xF4, 0xEF, 0xEA, 0x101, 0x133, or 0xDEADDEAD.
• User log on failures occur together with a “No Logon Servers Available” error.
• Application and service failures occur because of ephemeral port exhaustion.
• An unusually high number of ephemeral ports are being used by the System process.
• An unusually high number of threads are being used by the System process.
  Cause

This issue is caused by a locking issue on Windows Server 2012 R2 and Windows Server 2016 RS1 computers, causing connectivity issues to the iSCSI targets. The issue can occur after installing any of the following updates:Windows Server 2012 R2Release date	KB	Article title
May 16, 2017	KB 4015553	April 18, 2017—KB4015553 (Preview of Monthly Rollup)
May 9, 2017	KB 4019215	May 9, 2017—KB4019215 (Monthly Rollup)
May 9, 2017	KB 4019213	May 9, 2017—KB4019213 (Security-only update)
April 18, 2017	KB 4015553	April 18, 2017—KB4015553 (Preview of Monthly Rollup)
April 11, 2017	KB 4015550	April 11, 2017—KB4015550 (Monthly Rollup)
April 11, 2017	KB 4015547	April 11, 2017—KB4015547 (Security-only update)
March 21, 2017	KB 4012219	March 2017 Preview of Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2
**Windows Server 2016 RTM (RS1)**Release date	KB	Article title
—	—	—
May 16, 2017	KB 4023680	May 26, 2017—KB4023680 (OS Build 14393.1230)
May 9, 2017	KB 4019472	May 9, 2017—KB4019472 (OS Build 14393.1198)
April 11, 2017	KB 4015217	April 11, 2017—KB4015217 (OS Build 14393.1066 and 14393.1083)

Verification

• Verify the version of the following MSISCSI driver on the system:

c:\windows\system32\drivers\msiscsi.sys

The version that will expose this behavior is 6.3.9600.18624 for Windows Server 2012 R2 and version 10.0.14393.1066 for Windows Server 2016.

* The following events are logged in the System log:Event source	ID	Text
iScsiPrt	34	A connection to the target was lost, but the Initiator successfully reconnected to the target. Dump data contains the target name.
iScsiPrt	39	The Initiator sent a task management command to reset the target. The target name is given in the dump data.
iScsiPrt	9	Target did not respond in time for a SCSI request. The CDB is given in the dump data.

• Review the number of threads that are running under the System process, and compare this to a known working baseline.
• Review the number of handles that are currently opened by the System process, and compare this to a known working baseline.
• Review the number of ephemeral ports that are being used by the System process.
• From an administrative Powershell, run the following command:

Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Sort Count

Or, from an administrative CMD prompt, run the following NETSTAT command together with the “Q” switch. This shows “bound” ports that are no longer connected:

NETSTAT –ANOQ

Focus on ports that are owned by the SYSTEM process.

For the three previous points, anything more than 12,000 should be considered suspect. If iSCSI targets are present in the computer, there is high probability that the issue will occur.
Resolution

If the event logs indicate that many reconnections are occurring, work with your iSCSI and network fabric vendor to help diagnose and correct the reason for the failure to maintain connections to iSCSI targets. Make sure that iSCSI targets can be accessed over the current network fabric. Install updated fixes when they become available. This article will be updated with the specific KB article number of the fix to install when it becomes available.

Note We do not recommend that you uninstall any of the March, April, May, or June security rollups. Doing so will expose the computers to known security exploits and other bugs that are mitigated by monthly updates. We recommend that you first work with iSCSI target and network vendors to resolve the connectivity issues that are triggering target reconnects.

How to get this updateThis update will be downloaded and installed automatically from Windows Update. To get the stand-alone package for this update, go to the Microsoft Update Catalog website.

• File information
  For a list of the files that are provided in this update, download the file information for cumulative update KB4022715.