Release Date:
December 13, 2022
Notes:Â
-
This article was revised on May 19, 2023, to update alternative workaround registry keys.
-
This article was revised on February 17, 2023, to update resolution.
-
This article was revised on January 31, 2023, to add a resolution.
-
This article was revised on January 9, 2023, to expand the symptom and add FAQ section.
-
This article was revised on December 15, 2022, to add an additional workaround.
Summary
This article provides help to mitigate an issue when after installing the December 13, 2022, or February 14, 2023, security updates or January 19th, 2023 updates for .NET Framework and .NET, users may experience issues with how WPF-based applications render XPS documents.
Symptom
XPS documents which utilize structural or semantic elements like table structure, storyboards, or hyperlinks may not display correctly in WPF-based readers. Additionally, some inline images may not display correctly, or Null reference exceptions might happen when XPS documents are loaded into WPF-based readers.
Workaround
Microsoft identified a compatibility workaround for this issue and made a PowerShell script to resolve this.
To install the compatibility workaround, follow the steps below.
-
Download the PowerShell script
-
Open a PowerShell prompt as an administrator
-
Within the prompt, navigate to the directory where the script was downloaded
-
Run the command within the prompt: .\kb5022083-compat.ps1 -Install
If the command succeeds, it will print "Installation completed." to the console window. If the command fails, it will display the reason for failure. To remove the compatibility workaround, follow the same steps as above, but replace step (4) above with: .\kb5022083-compat.ps1 -Uninstall
Once the compatibility workaround is installed, WPF-based applications which display XPS documents should continue working as they did before the December 13, 2022, security updates.
Alternate Workaround
If the first workaround does not resolve the issue you can use a registry entry to disable the enhanced security behavior. This should only be done if you know for certain that all XPS documents your system processes are trustable, for example they are generated by your system, rather than uploaded to your system, and they cannot be changed by anyone. Do not turn off the functionality if you accept XPS documents from the internet, emails from external entities or other untrustable sources.
To disable the enhanced security behavior run this command from an elevated command prompt:
- reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes" /v "DisableDec2022Patch" /t REG_SZ /d "*" /reg:64
- reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes" /v "DisableDec2022Patch" /t REG_SZ /d "*" /reg:64
Alternatively, you can use Group Policy to create a REG_SZ entry with a key name of HKLM\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes, a value name of DisableDec2022Patch, and a value of *
To remove either of these workarounds and return the enhanced security behavior run these command(s) from an elevated command prompt(s):Â
- reg delete "HKLM\SOFTWARE\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes" /reg:64 /f
- reg delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Windows Presentation Foundation\XPSAllowedTypes" /reg:64 /f
This disables the enhanced functionality machine wide and should only be used when you can fully trust all XPS input into your systems.
Resolution
This issue was addressed in out-of-band updates released January 31, 2023, for Windows 10, version 1607 and Windows Server 2016 versions and newer operating systems and out-of-band updates released February 17, 2023 for earlier Windows and Windows Server versions. To get the standalone package for these out-of-band updates, search for the KB number in the Microsoft Update Catalog. You can manually import these updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. For WSUS instructions, see WSUS and the Catalog Site. For Configuration Manger instructions, see Import updates from the Microsoft Update Catalog.
If you used any workaround or mitigations for this issue, they are no longer needed, and we recommend you remove them. To remove workaround review the workaround or alternative workaround which was applied for instructions.
|
Product Version |
Update |
|
|---|---|---|
|
Windows 11, version 22H2 |
||
|
.NET Framework 4.8.1 |
||
|
Windows 11, version 21H2 |
||
|
.NET Framework 4.8 |
||
|
.NET Framework 4.8.1 |
||
|
Windows Server 2022 |
||
|
.NET Framework 4.8 |
||
|
.NET Framework 4.8.1 |
||
|
Azure Stack HCI, version 22H2 |
||
|
.NET Framework 4.8 |
||
|
Azure Stack HCI, version 21H2 |
||
|
.NET Framework 4.8 |
||
|
Windows 10 Version 22H2 |
||
|
.NET Framework 4.8 |
||
|
.NET Framework 4.8.1 |
||
|
Windows 10 Version 21H2 |
||
|
.NET Framework 4.8 |
||
|
.NET Framework 4.8.1 |
||
|
Windows 10 Version 20H2 |
||
|
.NET Framework 4.8 |
||
|
.NET Framework 4.8.1 |
||
|
Windows 10 1809 (October 2018 Update) and Windows Server 2019 |
||
|
.NET Framework 4.7.2 |
||
|
.NET Framework 4.8 |
||
|
Windows 10 1607 (Anniversary Update) and Windows Server 2016 |
||
|
.NET Framework 4.7.2 |
||
|
.NET Framework 4.8 |
||
|
Windows Embedded 8.1 and Windows Server 2012 R2 |
||
|
.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2 |
||
|
.NET Framework 4.8 |
||
|
Windows Embedded 8 and Windows Server 2012 |
||
|
.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2 |
||
|
.NET Framework 4.8 |
||
|
Windows Embedded 7 Standard and Windows Server 2008 R2 SP1 |
||
|
.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2 |
||
|
.NET Framework 4.8 |
||
|
Windows Server 2008 SP2 |
||
|
.NET Framework 4.6.2 |
Affected updates
The following .NET versions are affected:
-
.NET Framework 2.0, 3.0, 3.5, 3.5.1, when the December 13, 2022, security update is installed.
-
.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2, when the December 13, 2022, security update is installed.
-
.NET Framework 4.8, when the December 13, 2022, security update is installed.
-
.NET Framework 4.8.1, when the December 13, 2022, security update is installed.
-
.NET Core 3.1, with the Windows Desktop runtime version 3.1.32.
-
.NET 6, with the Windows Desktop runtime version 6.0.12 or later.
-
.NET 7, with the Windows Desktop runtime version 7.0.1 or later.
The Windows XPS Viewer application provided within the Windows operating system is not affected by this issue.
Frequently Asked Questions (FAQs)
When was this regression introduced?
This regression was introduced in the December 13, 2022, cumulative security updates for .NET and .NET Framework.
If an administrator installs the PowerShell script provided in this article, will it leave the machine vulnerable?
No. The PowerShell script only addresses compatibility. It does not disable the December 13, 2022, security update or otherwise reduce its efficacy.
If an administrator utilizes the registry-based alternative workaround, will it leave the machine vulnerable?
Yes. The alternative workaround listed above disables the WPF portion of the December 13, 2022, security fix. If an administrator utilizes the alternative workaround, they should direct their users not to open XPS documents from untrusted sources on those workstations.
This guidance applies only to WPF-based applications which load XPS documents. Users can continue to use Windows's built-in XPS viewer application to view untrusted XPS documents safely, even on machines which utilize the alternative registry-based workaround.
What is Microsoft doing to address the compatibility issue?
This issue was addressed for some versions of .NET Framework in out-of-band updates released January 31, 2023. For versions of .NET Framework which are not addressed Microsoft is actively investigating an additional update which restores compatibility while also resolving the underlying security issue.
Information about protection and security
-
Protect yourself online: Windows Security support
-
Learn how we guard against cyber threats: Microsoft Security
