Microsoft has released a new cumulative update for Windows 10 version 1909. Patch Tuesday was just last week, and today's update is what's called a C/D update. It's completely optional, and the changes here will be rolled into the next Patch Tuesday in July. Those updates will be mandatory, so you can just wait for them if you prefer. Windows 10 versions 21H1, 20H2, and 2004 will also get an optional update later this month.

For now, if you're running Windows 10 version 1909, you're going to get the KB5003698 update, which bumps the build number up to 18363.1645. You can download it manually here or through Windows Update, where it will show up as an optional update. Here are the highlights in this release:

  • Updates an issue that prevents certain screen reader apps from running.
  • Updates an issue that causes a loss of audio when you connect a second external monitor.
  • Updates an issue that might cause a VPN to fail. The error message is, "There are no more files".
  • Updates an issue that causes blurry text on the news and interests button on the Windows taskbar for some screen resolutions.
  • Updates an issue with Search box graphics on the Windows taskbar that occurs if you right-click the taskbar and turn off News and interests. This graphics issue is especially visible when using dark mode

Many of those are issues that could easily happen to anyone, so it's good to see them addressed. There are many more fixes in this release, however. Here's the full list, which is nothing short of huge:

  • Addresses an issue that prevents sorting from working properly when using multiple versions of National Language Support (NLS) sorting.
  • Addresses a performance issue in the MultiByteToWideChar() function that occurs when it is used in a non-English locale.
  • Addresses an issue that fails to properly manage touch input related memory before a user session ends.
  • Addresses an issue that results in outdated group membership listings. This issue occurs because the Group Policy service (GPSVC) makes infrequent updates to the Windows Management Instrumentation (WMI) session. As a result, this slows the propagation of changes the Active Directory (AD) administrator makes to user or group membership.
  • Addresses an issue that causes Windows to stop working when it uses AppLocker to validate a file that has multiple signatures. The error is 0x3B.
  • Addresses an issue with the Set-RuleOption PowerShell command that fails to provide the option for the Windows Defender Application Control (WDAC) policy to treat files signed with an expired certificate as unsigned.
  • Addresses an issue that might cause BitLocker to go into recovery mode after updating the Trusted Platform Module (TPM) firmware. This occurs when the "Interactive logon: Machine account lockout Threshold" policy is set and there were incorrect password attempts.
  • Addresses an issue that prevents certain screen reader apps from running when Hypervisor-protected code integrity (HVCI) is enabled.
  • Addresses an issue that causes Windows to generate many AppLocker or SmartLocker success events.
  • Improves the accuracy and efficiency of sensitive data analysis in the Microsoft 365 Endpoint data loss prevention (DLP) Classification Engine.
  • Addresses an issue with the Internet Key Exchange (IKE) VPN service on remote access server (RAS) servers. Periodically, users cannot connect a VPN to the server over the IKE protocol. This issue might start several hours or days after restarting the server or restarting the IKEEXT service. Some users can connect while many others cannot connect because the service is in DoS Protection mode, which limits incoming connection attempts.
  • Addresses an issue that might cause a VPN to fail after renewing a user auto-enrolled certificate. The error message is, "There are no more files".
  • Adds new glyphs to the InkFree.ttf font family for European languages.
  • Addresses an issue that causes a loss of audio when you connect a second external monitor.
  • Addresses a metadata encoding issue that causes Free Lossless Audio Codec (FLAC) music files to become unplayable if you change their title, artist, or other metadata. For more information, see FLAC encoded music file is corrupted when metadata is edited in Windows Explorer.
  • Adds support for the .hif file extension for High Efficiency Image File (HEIF) images.
  • Addresses an issue that causes Remote Desktop sessions to stop responding while the User Datagram Protocol (UDP) is enabled.
  • Adds support for the USBTest and MeasurementClass.
  • Addresses an issue in Adamsync.exe that affects the syncing of large Active Directory subtrees.
  • Addresses an error that occurs when the Lightweight Directory Access Protocol (LDAP) bind cache is full, and the LDAP client library receives a referral.
  • Addresses a redirector stop error that is caused by a race condition that occurs when the system deletes binding objects when connections close.
  • Addresses an issue that might cause a stop error when you run SmbConnectStress for a prolonged duration.
  • Addresses an issue that prevents users from setting or querying disk quotas on the C drive.
  • Addresses an issue that causes blurry text on the news and interests button on the Windows taskbar for some display configurations.
  • Addresses an issue with Search box graphics on the Windows taskbar that occurs if you use the taskbar’s context menu to turn off News and interests. This graphics issue is especially visible when using dark mode.

The good news is there's only one known issue in this release. Here's what you need to look out for before updating:

Symptom

Workaround

System and user certificates might be lost when updating a device from Windows 10, version 1809 or later to a later version of Windows 10. Devices will only be impacted if they have already installed any Latest cumulative update (LCU) released September 16, 2020 or later and then proceed to update to a later version of Windows 10 from media or an installation source which does not have an LCU released October 13, 2020 or later integrated. This primarily happens when managed devices are updated using outdated bundles or media through an update management tool such as Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager. This might also happen when using outdated physical media or ISO images that do not have the latest updates integrated.Note: Devices using Windows Update for Business or that connect directly to Windows Update are not impacted. Any device connecting to Windows Update should always receive the latest versions of the feature update, including the latest LCU, without any extra steps.

If you have already encountered this issue on your device, you can mitigate it within the uninstall window by going back to your previous version of Windows using the instructions here. The uninstall window might be 10 or 30 days depending on the configuration of your environment and the version you’re updating to. You will then need to update to the later version of Windows 10 after the issue is resolved in your environment. Note Within the uninstall window, you can increase the number of days you have to go back to your previous version of Windows 10 by using the DISM command /Set-OSUninstallWindow. You must make this change before the default uninstall window has lapsed. For more information, see DISM operating system uninstall command-line options.We are working on a resolution and will provide updated bundles and refreshed media in the coming weeks.

As we mentioned at the top, there's also an optional cumulative update available for Windows 10 version 1809. This version is only supported in the Long-Term Servicing Channel, meaning it will get support for ten years after its original release. That update is KB5003703, and it bumps the build number up to 17763.2028. You can download it manually here.