KB4512486 Security Only Quality Update for Windows 7 - Aug. 13

[Brink]

August 13, 2019 - KB4512486 (Security-only update)

Applies to: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1


Improvements and fixes

This security update includes quality improvements. Key changes include:

• Security updates to Windows App Platform and Frameworks, Windows Wireless Networking, Windows Storage and Filesystems, Windows Virtualization, Windows Datacenter Networking, the Microsoft JET Database Engine, Windows Input and Composition, Windows MSXML, and Windows Server.

For more information about the resolved security vulnerabilities, please refer to the Security Update Guide.

Known issues in this update



[UPDATED 8/16] - KB4517297 Non-security Update for Windows 7 - August 16



How to get this update

Before installing this update

Microsoft strongly recommends you install the latest servicing stack update (SSU) for your operating system before installing the latest Rollup. SSUs improve the reliability of the update process to mitigate potential issues while installing the Rollup and applying Microsoft security fixes.

If you are using Windows Update, the latest SSU (KB4490628) will be offered to you automatically. To get the standalone package for the latest SSU, search for it in the Microsoft Update Catalog.

Prerequisite: The SHA-2 update (KB4474419) must be installed before installing this update. For more information on SHA-2 updates, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

Install this update

Windows Update and Microsoft Update - See the other options below.

Microsoft Update Catalog - To get the standalone package for this update, go to the Microsoft Update Catalog.

Windows Server Update Services (WSUS) - This update will automatically synchronize with WSUS if you configure Products and Classifications as follows:
Product: Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1
Classification: Security Updates[/TD]

File information

For a list of the files that are provided in this update, download the file information for update 4512486.

Source: https://support.microsoft.com/en-us/help/4512486

See also:

• CVE-2019-1181 | Remote Desktop Services Remote Code Execution Vulnerability
• CVE-2019-1182 | Remote Desktop Services Remote Code Execution Vulnerability

Direct download links for KB4512486 MSU file from Microsoft Update Catalog:

:ar: Download KB4512486 MSU for Windows 7 32-bit (x86) - 25.2 MB

:ar: Download KB4512486 MSU for Windows 7 64-bit (x64) - 42.2 MB

 

[xips]

I have 2 x64 systems fail with:

Installation Failure: Windows failed to install the following update with error 0x80092004: Security Update for Windows (KB4512486).

Another x86 system updated fine.


Update: It appears I didn't have the Servicing Stack KB4490628 installed on the x64 systems. Don't know how that happened but I'm sure it wasn't offered to me automatically. I had to discover it missing, locate and install. Once SSU installed kb4512486 updates fine.

 

[daliokas]

Warning!!!

looks like updates KB4512486 AND KB4512506 kills Windows 7 with nvme SSD drives. two out of ~100 pc's won't boot with these updates installed, and only these two has nvme SSD as boot drives.
tried to remove both and install separately - it's enough one of these patches to kill Windows 7 machine.

 

[LevelBest]

As well as the three updates listed here, I've also got:

"KB4503548

The Microsoft .NET Framework 4.8 is a highlycompatible, in-place update for all the previous versions of .NET Framework4.X.."

But is is also unchecked.

Has anyone else got this update - and why would it be unchecked?

 

[NoN]

As well as the three updates listed here, I've also got:

"KB4503548

The Microsoft .NET Framework 4.8 is a highlycompatible, in-place update for all the previous versions of .NET Framework4.X.."

But is is also unchecked.

Has anyone else got this update - and why would it be unchecked?

I got it too unchecked and i installed it afterward, thought i already had it on my PC as stand-alone package a while ago. Version number of the package didn't changed after this tuesday patch.


It might be unchecked because it is not a security/cumulative patch, but an entire install of the .Net Framework.

 

[BlueGuy]

looks like updates KB4512486 AND KB4512506 kills Windows 7 with nvme SSD drives. two out of ~100 pc's won't boot with these updates installed, and only these two has nvme SSD as boot drives.
tried to remove both and install separately - it's enough one of these patches to kill Windows 7 machine.

WHAT???@! what?@! what? Are you serious? I don't know what nvme means, so, pray tell me, I'm still running all my machines with old SLC [single] layer SSD boot drives, of 30-60 GiB in size. So I probably avoided this. Crystal Disk says my SSD boot drive on this machine still has 91% life left.
All x86, if that matters.

I had installed the security only and these without reboot problems, though was anxious at the length of time it took to create a restore point and to come back to life after the reboot.

 

[Brink]

If you’re running Windows 7 Service Pack 1 or Windows Server 2008 RS2 Service Pack 1 and having problems installing the August Windows security updates, SHA-2 support may be missing. Check our dashboard for more information:

Windows 10 message center - Windows Release Information | Microsoft Docs

Tweet

— Twitter API (@user) View on Twitter

 

[Brink]

UPDATE 8/14:

"Known issues" updated. See first post for more details.

 

[Brds7t7]

As well as the three updates listed here, I've also got:

"KB4503548

The Microsoft .NET Framework 4.8 is a highlycompatible, in-place update for all the previous versions of .NET Framework4.X.."

But is is also unchecked.

Has anyone else got this update - and why would it be unchecked?

Was yours in the optional section or important section? Mine was in optional, those updates never come checked, only updates in the important section come checked.

 

[Paul Black]

Hi Brds7t7,

Was yours in the optional section or important section? Mine was in optional, those updates never come checked, only updates in the important section come checked.

Good point!

 

[LevelBest]

Was yours in the optional section or important section?.

It was in the important section, but unchecked. Does that make a difference?

 

[Brds7t7]

Strange, I don't think I've ever had a .NET Framework version update (except for the .NET Security rollups/updates) appear in the Important section.

Is your Windows update set to "Give me recommended updates the same way I receive important"? If so, that might explain why it appeared in the important section. It would still come unchecked though.

 

[LevelBest]

Is your Windows update set to "Give me recommended updates the same way I receive important"? If so, that might explain why it appeared in the important section. It would still come unchecked though.

Yes, that is checked.

 

[Brink]

Update: KB4517297 Non-security Update for Windows 7 - August 16

 

[Brds7t7]

Yes, that is checked.

That's the reason then. The .NET version updates are actually classed as recommended and not important. If you uncheck that option it will move to the optional section. I always have that unchecked to keep a lot of unnecessary updates out of the important section.

The .NET Framework version updates will never come checked, unless it's flagged as an important update.

 

[Per Hansson]

looks like updates KB4512486 AND KB4512506 kills Windows 7 with nvme SSD drives. two out of ~100 pc's won't boot with these updates installed, and only these two has nvme SSD as boot drives.
tried to remove both and install separately - it's enough one of these patches to kill Windows 7 machine.

I have one machine too that got BSOD 0x0000007B INACCESSIBLE_BOOT_DEVICE after installing KB4512506, it uses a Samsung 960 EVO NVMe SSD.

I tried to use the latest Samsung NVMe driver instead of the Microsoft one bundled in KB2990941 but it did not help.

The fix described in KB2839011 for uninstalling a patch from the WinPE environment did work fine, as did restoring a previous recovery point.

What is strange is I have another workstation with a Samsung SM961 NVMe SSD that I held off to update until today when I could do a full backup but it went through without any issues!

 

[lehnerus2000]

Perhaps MS is trying to trick people into switching to W10 again?

 

[Brds7t7]

Surprised that hasn't been mentioned in the known issues? Although, killing someone's ability to actually boot into their PC probably isn't on MS list of priorities!
I haven't installed the last 2 Security updates (except for the SHA-2 update). I decided to cut off the security updates 6 months early and save myself further hassle. Haven't got the patience anymore to be fixing MS shi* updates.

MS bork-ups know no bounds these days! And they want everyone to upgrade to Windows 10?? I'd rather :banghead: tbh!

 

[lehnerus2000]

And they want everyone to upgrade to Windows 10?? I'd rather :banghead: tbh!

I updated my Linux Mint to 19.2 a couple of weeks ago.
It's quite nice.

I still haven't got around to installing VMware Player, so that I can run my W10 Pro 1703 VM again.
I probably won't bother.

 

[Per Hansson]

looks like updates KB4512486 AND KB4512506 kills Windows 7 with nvme SSD drives. two out of ~100 pc's won't boot with these updates installed, and only these two has nvme SSD as boot drives.
tried to remove both and install separately - it's enough one of these patches to kill Windows 7 machine.

I have one machine too that got BSOD 0x0000007B INACCESSIBLE_BOOT_DEVICE after installing KB4512506, it uses a Samsung 960 EVO NVMe SSD.

I tried to use the latest Samsung NVMe driver instead of the Microsoft one bundled in KB2990941 but it did not help.

The fix described in KB2839011 for uninstalling a patch from the WinPE environment did work fine, as did restoring a previous recovery point.

What is strange is I have another workstation with a Samsung SM961 NVMe SSD that I held off to update until today when I could do a full backup but it went through without any issues!

I have realized the problem is not with NVMe SSD drives, it is with UEFI boot mode, which is a requirement for NVMe but can be used with any other drive as well.
Now I know why the second machine accepted the patch without issues: it had the "Win7 post SP1 rollup" patch KB3125574 applied.
Contained in this rollup is the recommended update KB3133977 for Bitlocker.
That patch is what works as a workaround for the problem: if you have it installed the system can then accept this months patch Tuesday patches: KB4512486 or KB4512506.
Microsoft has updated the patch notes for the latter with that info too, however they have done nothing to stop PC's being bricked by the update still: as KB3133977 is still only listed as a recommended update!