July 9, 2024—KB5040438 (OS Build 25398.1009)

For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows Server, version 23H2, see its update history page.

Improvements

This security update includes quality improvements. Below is a summary of the key issues that this update addresses when you install this KB. If there are new features, it lists them as well. The bold text within the brackets indicates the item or area of the change we are documenting.

• [Absent apps and features] Some apps and features are absent after you upgrade to Windows 11.
• [BCryptSignHash** API (known issue)]** Because of this issue, the API returns “STATUS_INVALID_PARAMETER.” This occurs when callers use NULL padding input parameters for RSA signatures. This issue is more likely to occur when Customer-Managed Key (CMK) are in use, like on an Azure Synapse dedicated SQL pool.
• **[Input Method Editor (IME)]**The candidate list fails to show or shows in the wrong position.
• [Windows Presentation Foundation (WPF)] A malformed Human Interface Device (HID) descriptor causes WPF to stop responding.
• [Handwriting panels and touch keyboards] They do not appear when you use the tablet pen.
• [HKLM\Software\Microsoft\Windows\DWM ForceDisableModeChangeAnimation (REG_DWORD)] This is a new registry key. When you set its value to 1 (or a non-zero number), it turns off the display mode change animation. If the value is 0 or the key does not exist, the animation is set to on.
• [Remote Desktop MultiPoint Server] A race condition causes the service to stop responding.
• [Windows Local Administrator Password Solution (LAPS)] Its Post Authentication Actions (PAA) do not occur at the end of the grace period. Instead, they occur at restart.
• [Remote Authentication Dial-In User Service (RADIUS) protocol] This issue is related to MD5 collisions. For more information, see KB5040268.
• **[BitLocker]**This update adds PCR 4 to PCR 7 and 11 for the default Secure Boot validation profile. See CVE-2024-38058 for more information.
  For more information about security vulnerabilities, please refer to the Security Update Guide and the July 2024 Security Updates.

Windows Server, version 23H2 servicing stack update (KB5040560) - 25398.1000

This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) ensure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.

Known issues in this update

How to get this update

Before you install this updateMicrosoft now combines the latest servicing stack update (SSU) for your operating system with the latest cumulative update (LCU). For general information about SSUs, see Servicing stack updates and Servicing Stack Updates (SSU): Frequently Asked Questions.Install this updateTo install this update, use one of the following Windows and Microsoft release channels.

Windows UpdateBusinessCatalogServer Update Services

If you want to remove the LCUTo remove the LCU after installing the combined SSU and LCU package, use the DISM/Remove-Package command line option with the LCU package name as the argument. You can find the package name by using this command:DISM /online /get-packages.Running Windows Update Standalone Installer (wusa.exe) with the**/uninstall **switch on the combined package will not work because the combined package contains the SSU. You cannot remove the SSU from the system after installation.

File InformationFor a list of the files that are provided in this update, download the file information for cumulative update 5040438.For a list of the files that are provided in the servicing stack update, download the file information for the SSU (KB5040560) - version 25398.1000.