Virtual Administrator’s January 2024 Patch Recommendations


This month Microsoft released patches for 48 vulnerabilities with 2 rated “Critical” in severity.


Deferring KB5034440/KB5034441 for Windows 10/11 and KB5034439 for Windows Server 2022. All other patches will be approved in our patch policy.


In the latest update from Microsoft, we are presented with a notably light batch of patches, encompassing 48 vulnerabilities, of which only 2 are classified as “Critical”. This month’s patch release stands out for its absence of zero-day threats, and none of these vulnerabilities are currently being exploited in the wild or have been publicly disclosed, indicating a relatively stable security landscape.

The critical vulnerabilities addressed this month include CVE-2024-20674 and CVE-2024-20700. CVE-2024-20674 is a security bypass vulnerability in Windows Kerberos, posing a risk of “man-in-the-middle” attacks. Meanwhile, CVE-2024-20700, a remote code execution bug in Windows Hyper-V hypervisor, necessitates network access for exploitation, somewhat mitigating its threat level.

Important patches to note are CVE-2024-0056, affecting System.Data.SqlClient and Microsoft.Data.SqlClient, and CVE-2024-21318, targeting Microsoft SharePoint Server. A new SSU (Servicing Stack Update) for Windows Server 2012/2012R2 is also part of this release.

This month, we’re deferring KB5034440/KB5034441 for Windows 10/11 and KB5034439 for Windows Server 2022, due to numerous reports of installation failures. These updates address CVE-2024-20666, a BitLocker Security Feature Bypass Vulnerability, with a medium CVSS score of 6.6. It’s important to note that this vulnerability requires physical access to the targeted machine, posing less of a threat for those not utilizing BitLocker encryption. For BitLocker users, the issue primarily involves an insufficiently sized recovery partition for the update. Microsoft has provided guidance and a PowerShell script for resizing partitions as a workaround.

For further information, you can refer to:


Disclosed: None

Exploited: None


Security Update Guide


Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:1/9/2024)

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

NOTE: The Windows 10 Security Stack Updates are included in the monthly Cumulative Updates.


ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing (Published:8/13/2018 | Last Updated:1/9/2024)

Reason for revision: With the release of the January 9, 2024 security updates, the auditing changes added in August 2023 are now available on Windows Server 2019. You do not need to install MSIs or create policies as mentioned in Step 3 of Recommended Actions.


Known Issues

Minor problems with Copilot on Windows 10 and a color font format issue on Windows 11. Significant problems with WinRE update (See Deferring KB5034440/KB5034441 above)


Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.


A good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.

Windows release health


Windows Recovery Environment servicing failed (KB5034441/KB5034440/KB5034439)

Affected platforms: Windows 10/11/Server 2022

Symptom: Some computers might not have a recovery partition that is large enough to complete this update. Because of this, the update for WinRE might fail.

Workaround: Resize your partition to install the WinRE update.


Copilot in Windows (in preview) is not currently supported (KB5034122)

Affected platforms: Windows 10, version 21H2/22H2

Symptom: Copilot in Windows (in preview) is not currently supported when your taskbar is located vertically on the right or left of your screen.

Workaround: To access Copilot in Windows, make sure your taskbar is positioned horizontally on the top or bottom of your screen.

Status:  We are working on a resolution and will provide an update in an upcoming release.


Color font format for COLRv1 does not render properly (KB5034123)

Affected platforms: Windows 11, version 22H2/23H2

Symptom: The color font format for COLRv1 does not render properly. This format enables Windows to display emoji with a 3D-like appearance.

Status:  We are working on a resolution and will provide an update in an upcoming release.


Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Links are with the KB number only.


Security and Quality Rollup

  • KB5034169 – Windows Server 2008 R2 (ESU)
  • KB5034171 – Windows Server 2012 R2 (ESU)
  • KB5034184 – Windows Server 2012 (ESU)
  • KB5034173 – Windows Server 2008 (ESU)


Security Only Update

  • KB5034167 – Windows Server 2008 R2 (ESU)
  • None – Windows Server 2012 R2 (ESU)
  • None – Windows Server 2012 (ESU)
  • KB5034176 – Windows Server 2008 (ESU)


Cumulative Updates

Windows 10

  • KB5034134 – Original release version 1507 (OS Build 10240)
  • KB5034119 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5034127 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5034122 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5034122 – Version 22H2 “November 2022 Update” (OS Build 19045)
  • (Versions 1511,1703,1709,1803,1903,1909,2004,20H2,21H1 are no longer under support)


Windows 11

  • KB5034121 – 21H2 (OS Build 22000) Original release
  • KB5034123 – 22H2 (OS Build 22621)
  • KB5034123 – 23H2 (OS Build 22631)


Windows Server

  • KB5034119 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5034127 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5034129 – Server 2022 (OS Build 20348)


January 2024 updates for Microsoft Office


Notable CVEs


CVE-2024-0056 | Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability (Cumulative Update/Monthly Rollup for .NET Framework)

The attacker must inject themselves into the logical network path between the target and the resource requested by the victim to read or modify network communications. This is called a machine-in-the-middle (MITM) attack.  An attacker who successfully exploited this vulnerability could carry out a machine-in-the-middle (MITM) attack and could decrypt and read or modify TLS traffic between the client and server. There is no impact to the availability of the attacked machine (A:N).


CVE-2024-20674 | Windows Kerberos Security Feature Bypass Vulnerability  (Cumulative Update/Monthly Rollup)

The authentication feature could be bypassed as this vulnerability allows impersonation.  An authenticated attacker could exploit this vulnerability by establishing a machine-in-the-middle (MITM) attack or other local network spoofing technique, then sending a malicious Kerberos message to the client victim machine to spoof itself as the Kerberos authentication server.


CVE-2024-20677 | Microsoft Office Remote Code Execution Vulnerability

A security vulnerability exists in FBX that could lead to remote code execution. To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac. Versions of Office that had this feature enabled will no longer have access to it. This includes Office 2019, Office 2021, Office LTSC for Mac 2021, and Microsoft 365.


CVE-2024-20698 | Windows Kernel Elevation of Privilege Vulnerability   (Cumulative Update)

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.


CVE-2024-20700 | Windows Hyper-V Remote Code Execution Vulnerability   (Cumulative Update)

Successful exploitation of this vulnerability requires an attacker to win a race condition.  Successful exploitation of this vulnerability requires that an attacker will need to first gain access to the restricted network before running an attack.


CVE-2024-21318 | Microsoft SharePoint Server Remote Code Execution Vulnerability (KB5002539,KB5002540,KB5002541)

An authenticated attacker with Site Owner permission can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server.  In a network-based attack, an authenticated attacker, as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server.