Woody Leonhard's no-bull news, tips and help for Windows, Office and more…
  • Ho-hum. Win10 version 1809 = Redstone 5 = Windows 10 October 2018 Update

    Posted on August 31st, 2018 at 16:30 by woody

    No, it won’t appear on 10 October.

    Anybody’s guess when it’ll actually start rolling out. Version 1803 = Windows 10 April 2018 Update didn’t hit the fan until the last day of April.

    With this update, we’ll be bringing new features and enhancements to the nearly 700 million devices running Windows 10 that help people make the most of their time. We’ll share more details about the update over the coming weeks.

    Looks like the Win10 “devices” needle is stuck at 700 million. It’s been that way for six months.

    Yes, there are a couple of worthwhile features in 1809. Let’s see what appears in the final version before we get all misty-eyed over them.

    Gregg Keizer has details.

  • “Fourth Tuesday” patches finally arrive

    Posted on August 30th, 2018 at 21:20 by woody

    Microsoft just released the “D Week” patches that we’ve been expecting since Tuesday.

    The short list:

    Win10 1803 KB 4346783

    Addresses an issue that causes computer certificate enrollment or renewal to fail with an “Access denied” error after installing the April 2018 update.

    Launching Microsoft Edge using the New Application Guard Window may fail;

    Win10 1709 KB 4343893

    Win10 1703 KB 4343889

    Win 8.1 KB 4343891 Preview of Monthly Rollup

    Win 7 KB 4343894 Preview of Monthly Rollup

    There is an issue with Windows and third-party software related to a missing file (oem<number>.inf). Because of this issue, after you apply this update, the network interface controller will stop working.

    For details (and a bit of kvetching), see Computerworld Woody on Windows.

  • Everything about Windows 10 privacy

    Posted on August 30th, 2018 at 08:00 by woody

    I mean ev-er-y-thing.

    Martin Brinkmann, of ghacks.net fame, has published the ultimate reference to Windows 10 privacy settings, on a site called Privacyamp.com.

    If you have a question about a Win10 privacy setting, that’s your reference of first resort.

  • Mind boggled: The Meltdown/Spectre microcode patches

    Posted on August 30th, 2018 at 07:11 by woody

    I just read a tweetstorm from @Karl_F1_Fan to @Crysta that has my head swimming. Here’s what he says:

    Hi Crysta,

    Your quotes to Microsoft articles are right but things have developed over time. First they asked to set the bitmask for Meltdown and Spectre 2 to

    FeatureSettingsOverride 1
    FeatureSettingsOverrideMask 3

    for Intel clients and servers + the QualityCompat flag

    The qualitycompatflag was removed with a patch in March for both clients and servers. Then Microsoft advised the same registry mask for Intel but for AMD it was

    FeatureSettingsOverride 64
    FeatureSettingsOverrideMask 3

    (I won’t handle disable flags here for easiness.)

    With the appearance of Spectre NG the flags changed again for both AMD and Intel to

    FeatureSettingsOverride 8
    FeatureSettingsOverrideMask 3

    which Microsoft is falsely or incompletely advising now in the L1TF article. If a user is setting 1/3 it will DISABLE protection CVE-2018-3639 [speculative store bypass] also it will disable AMD protections.

    Meltdown, Spectre 2 / 3, 3a / 4 / L1TF need microcode updates or the separate updates deployed for Windows 10 in August 2018 + 2018-08 CUs. In addition Microsoft chose that only servers need the registry keys to enable protection. I would advise all customers to apply them.

    The current situation is unbearable for average sys admins and there is too much confusion.

    IMHO Microsoft should roll out all microcode updates for any OS and enable protection by default without any registry keys it is much easier to understand how to disable it.

    The current situation is that only @Dell really cares to bring out BIOS updates for ANY systems back to 2009 whilst other OEMs don’t give a ****.. no matter if we are talking about enterprise or home.

    @ASUS there are no microcodes for all systems, as Intel provided. @HP is not updating their site accordingly so the theme sites indicate updates are missing or pending, while being partially available on the product site. We better don’t talk about lack of support from @Acer Lenovo or Medion etc. Without Win10 we would have no protection at all

    Based on a variety of 70 client pcs and servers of various OEMs / vendors only 18 received all BIOS microcode updates. 6 had too old Intel / AMD CPUs, more than 21 are only patches because Microsoft rolled out (optional) Microcode Updates. Others unprotected due to old Windows Client / Server version.

    How’s that for the very definition of falling into the briar patch?

    UPDATE: I just followed a link from @teroalhonen to a discussion on Anandtech of the new Intel processors and how they fare with Meltdown and Spectre. Clearly, whoever put together this slide didn’t have a clue.

    I sympathize. If Anandtech can’t get it right, what chance do we mortals have? Whotta mess.

    ANOTHER UPDATE: ‘Softie Jorge Lopez (@J0RGEL0P3Z) posted a few hours ago:

     

  • Tuesday’s officially over, and still no updates

    Posted on August 29th, 2018 at 04:29 by woody

    Our usual 4th Tuesday (“D Week”) updates didn’t arrive.

    Given the manifest problems, especially with the Intel microcode patches dated “2018-07”, you have to wonder if there are more problems in Windows paradise.

    Like many of you, I’m waiting with bated breath. I was hoping to give the all-clear for installing patches this month.

    Ah well. Sit tight. We’ll get the dump sooner or later.

  • Patch Lady – what’s up with the Microcode updates?

    Posted on August 28th, 2018 at 09:09 by Susan Bradley

    Yesterday we were seeing potential issues with the microcode updates, and they were expired off of WSUS servers last night…

    https://www.reddit.com/r/sysadmin/comments/9apooi/kb4100347_rendering_systems_unbootable/?st=jlckzbjr&sh=94b0f954

    https://www.reddit.com/r/Windows10/comments/995k2s/got_the_kb4100347_update_july_cumulative_update/e4m9ffn

    https://www.bleepingcomputer.com/news/microsoft/windows-10-kb4100347-intel-cpu-update-causing-boot-issues-and-pushed-to-amd-users/

    Unsure what’s up, but Microsoft appears to be pulling these updates back.

    I think there are/were metadata detection issues, and they were offered up and installed on machines they shouldn’t have been installed on.

    UPDATE: Günter Born has a compelling history posted on his Born City site.

  • Details on the Task Scheduler ALPC zero-day

    Posted on August 28th, 2018 at 07:59 by woody

    Kevin Beaumont (@GossiTheDog) just published an excellent overview of the newly touted ALPC zero-day in Task Scheduler. Complete with working exploit code.

    The flaw is that the Task Scheduler API function SchRpcSetSecurity fails to check permissions. So anybody — even a guest — can call it and set file permissions on anything locally.

    It’s a privilege escalation bug, allowing an offending program to leapfrog itself from running in user mode to take over the machine.

    Catalin Cimpanu on Bleeping Computer posted the initial revelation from @SandboxEscaper, who posted original exploit code on GitHub, then deleted their Twitter account.

    Nothing to worry about yet, but expect to see a fix for all versions of Windows before too long.

  • How to upgrade from Win10 Pro 1703 to 1709 — and not 1803

    Posted on August 28th, 2018 at 07:37 by woody

    There are some interesting discussions in the forum, kicked off by CyGuy, about the precise nature of the “feature update deferral” setting in Win10’s Updates Advanced Options.

    If you’re on 1703 (my production machines are all on 1703) and you want to move to 1803, it’s easy – just set the feature update deferral to 0 days, and run through Windows Update once. As long as you do that before 1809 is released, you’ll end up on 1803.

    But zero2dash has conducted some experiments with VMs that make me wonder if it’s possible to move from 1703 to 1709 by setting the “feature update deferral” to a number larger than 48 but less than 221 (give or take a day or two, as time marches on).

    Can any of you confirm?

    I have a copy of 1709 stuck on a USB stick and can upgrade from 1703 to 1709 that way, if worse comes to worst. But it’d be a whole lot easier to just set “feature update deferral” to 200 days and let Windows have its way.