Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • New Win10 beta Fast Ring build 17134

    Posted on April 16th, 2018 at 17:38 woody

    It’s out and I’m downloading it now.

    I must say it was very kind of Microsoft to wait until I got my taxes done!

    UPDATE: For those of you who were waiting anxiously…

    I’m still pulling for “Win10 Terry Myerson Swansong version 1803.”

    Can hardly wait for the April, 2020 version – the one that hits right after Win7 bites the dust. According to current naming conventions, that’ll be Win10 2003.

  • The unholy mess that has emerged from Win10 WSUS Dual Scan

    Posted on April 16th, 2018 at 07:42 woody

    Those of you who just go about your business with Windows don’t need to worry. But the folks who are in charge of Windows Update servers should be conversant with the, uh, nuances of a feature called Dual Scan.

    Dual Scan first came to my attention back in July last year when Win10 1607 machines with “Defer feature updates” set were suddenly getting pushed onto 1703. As I said back then:

    one of the warnings I found surprising goes like this: If you have “Defer feature updates” checked on your machines, that setting triggers a dual-scan mode, where those machines will look for updates both through WSUS and directly through Windows Update — even if they are behind WSUS.

    which, to me, was a bit of dirty pool. Dirty almost-undocumented pool.

    Last Friday, we got a whole bunch of documentation in a Technet article called Windows 10 Updates and Store GPO behavior with DualScan disabled and SCCM SUP/WSUS managed. If you think that’s a mouthful, take a look at the chart that clarifies what’s up with the GPOs surrounding updates on machines that are attached to an update server.

    Do you think they could make this a bit more complicated?

    Just asking for a friend….

  • Patch lady – Scanners and SMBv1

    Posted on April 16th, 2018 at 01:35 Susan Bradley

    So if your older scanner suddenly doesn’t work, consider this: In 1709, if you did an in-place upgrade, you retain SMBv1 in your networking configuration. However, because this is deemed very unsafe (and it is a risk to keep it enabled), Microsoft does a check to see if you are still using it. “In-place upgrades and Insider flights of Windows 10 Home and Windows 10 Professional do not automatically remove SMB1 initially. If the SMBv1 client or server is not used for 15 days in total (excluding the time during which the computer is off), they each automatically uninstall themselves.”

    So 15 days after SMBv1 on the client is not used, the system will send a DISM command to disable SMBv1.

    If suddenly your clients (if you are a consultant), or you (if it’s your computer) won’t scan to computer or scan to share, and you are using an older multifunction device, go into your Windows 10 1709 and see if you can spot this in your event log in the Setup section:

    Event 8

    Initiating changes to turn off update SMB1Protocol-Client of package SMB1-Package. Client id: DISM Package Manager Provider.

    If so, see if your printer/scanner manufacturer has a firmware update to support SMBv2 or SMBv3. If not, you may need to either purchase a new device, or decide to lower your defenses. Remember, SMBv1 is often used in attacks to gain more rights and more toe-holds into a system and thus distribute ransomware.

    Bottom line: if suddenly you can’t scan to a folder, check to see if that device only supports SMBv1 and then decide if you want to risk enabling it.
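The check described in the post above, scripted as an added example (not part of the original post): it reads the current state of the SMBv1 optional features and searches the Setup log for the Event 8 record the post quotes. The function name `Get-Smb1RemovalReport` is hypothetical, and the message filter assumes the event text matches the wording quoted in the post.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the Windows 10 1709 machine that scans no longer reach.

function Get-Smb1RemovalReport {
    # Current state of each SMBv1 optional feature (Enabled, Disabled, ...).
    $names = 'SMB1Protocol', 'SMB1Protocol-Client', 'SMB1Protocol-Server'
    $features = foreach ($name in $names) {
        Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue |
            Select-Object FeatureName, State
    }

    # Setup log, Event ID 8, limited to records that mention an SMB1Protocol
    # feature being turned off (wording taken from the post's quoted event).
    # SilentlyContinue covers the "no events were found" case.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Setup'; Id = 8 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'turn off update SMB1Protocol' } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        Features      = @($features)
        RemovalEvents = @($events)
        AutoRemoved   = (@($events).Count -gt 0)
    }
}

$report = Get-Smb1RemovalReport

"SMBv1 feature state:"
$report.Features | Format-Table -AutoSize

if ($report.AutoRemoved) {
    "SMBv1 removal was recorded in the Setup log:"
    $report.RemovalEvents | Format-List TimeCreated, Message
} else {
    "No Event 8 entry for SMB1Protocol found in the Setup log."
}
```

If the report shows a removal event dated shortly before scanning stopped, the device is most likely SMBv1-only; check for a firmware update that adds SMBv2 or SMBv3 before deciding anything else.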

  • Patch Lady – Business view of updates

    Posted on April 16th, 2018 at 01:26 Susan Bradley

    While Woody has yet to declare the all clear, I’m listing the updates and giving the “business report” for consultants, admins or anyone who has to handle updates for key machines.  I’ve updated my Master patch list with the known issues I’m tracking at this time.

    The big issue was the Windows 7 loss of static IP addresses after the install of March and April updates on some machines.  Microsoft re-packaged and released the April 10 update of 4093118 to include the networking fix on Thursday April 12th.  If you installed the prior version and had no issues, you do not need to install this revised version.

    As noted in the notes on the master patch list, the side effects that are still being tracked for Windows 7/Server 2008 R2 fortunately appear to not be as bad as first thought. The memory leak is limited to server situations where symbolic links are used. If you rolled back the Spectre/Meltdown updates and felt your machine was peppier, remember that these updates will have a performance impact on older systems.

    We still have no ETA for the next feature update at this time.

    I have determined that whether you use WSUS or WU, the 1709 Servicing stack updates install silently and before the main Windows 10 cumulative update installs. I say silently because I can see evidence that they are being installed when I use dism commands to list the updates, but they are not listed in the settings when I go to view my update history. If you manually install updates by going to the Windows catalog and downloading updates, make sure you install 4099989 first. If you install updates via Microsoft Update or WSUS, this update will be installed as part of the updating process; you do not need to install this.

    I’ve seen comments that more and more consultants are taking the drastic steps of turning off Windows Update and in fact scripting a task to turn off the update services each day. I wince when I see these comments and urge consultants and those concerned about update quality to push off updates for a week but not to turn off the updating process completely. Remember, for Windows 10 you can push off updates easily in Windows Pro by going to the advanced section in updates and deferring quality updates. Pushing them off for 7 days means that you can make sure there are no major issues. In my personal opinion it strikes the right balance between the risk of not updating and the risk of update side effects.