Newsletter Archives

• Patch Lady – the tea leaves say a Feature update is coming

  Posted on March 28, 2018 at 01:09 CDT by Susan Bradley • Comment in the Forums

  I’m an Earl Grey tea drinker, and lately the tea leaves … and well every tech site on the planet … is starting to give me vibes that the release of the Spring feature update for Windows 10 is right around the corner.  Now if you aren’t keen like me to update on day one, nor do you exactly want a feature update right before the United States Tax deadline of April 17th possibly impacting your Quickbooks or Turbo Tax, here’s some advice to push off that feature update to a point in time that you want it.

  Now keep in mind that at some point in time I will strongly recommend that you upgrade to it…but just NOT on the first day, or week or even month it’s released.  There are new features in controlling telemetry, as well as more security goodness, but I’m just a cautious patcher and don’t install things on the day they come out.

  The first step to push off this update is to evaluate if you are on the Home version or the Pro version. If you are on the Home version, unfortunately I’m going to urge you to click start, settings, system, scroll down to About, and check your version.  If Home, go grab your credit card as I’ll urge you to upgrade to Pro.  You can easily do this in the “About” section by clicking on the Change product key or upgrade your edition.  You should be able to click there and upgrade to pro.

  Once you’ve done that you can then click on start, settings, update and security and then click on advanced.  Choose to be on the Current branch for business (if you are on an older Windows 10) or if you are on 1709 the wording will say Semi-Annual Channel.  Then choose to push off feature updates to 365 days.

  

  I know what you are thinking.. “But Susan, we did this and they installed a feature update the last time I deferred it, so this setting didn’t work”.  I’m going to give Microsoft one last time to get this right.  This setting is *supposed* to work, and quite honestly should work, and believe me, I will be watching like a hawk to make sure they don’t have any mess ups this time.  For some people, breaking the trust of patching is making them do extreme things like changing permissions on folders to ensure this update doesn’t get installed.  Note that you can also set this deferral via group policy and registry if you need that in a network setting.

  If you are stuck on Home, one trick Woody wrote about before that you can still do that we did before was to trick your Ethernet connection to think it was “metered”.  I’ll also keep an eye on Andre’s post about which computers are compatible with Windows 10 and those that might have issues.  I’ll be watching the forums to see if there are any trending issues.

  And last, but certainly not least, I’d recommend that if you want 1709 and you haven’t upgraded to it at this time, take the time to download the iso and hang on to it.

  If I see we need more draconian measures to push off the Spring update I’ll let you know but right now, I’m at “push off” level 1, ready to give the settings inside the operating system the chance to get it right this time.

  I will however start blogging about some of the new features I am excited about.  More about that in upcoming blog posts.

  Windows Patches/Security Patch Lady Posts

• Patch Lady – KB4088875 more questions

  Posted on March 27, 2018 at 15:23 CDT by Susan Bradley • Comment in the Forums

  The following update has had a revision: KB4088875  But in doing so I’m scratching my head a bit more.

  Remember our original side effects relate to networking issues and loss of a static IP upon reboot:

  A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused.	Microsoft is working on a resolution and will provide an update in an upcoming release.
  Static IP address settings are lost after you apply this update.	Microsoft is working on a resolution and will provide an update in an upcoming release.

   

  On the page on KB4088875  a script is now linked and the following wording has been added:

  Prerequisites

  ---

  Follow these steps before you apply this update to a physical computer or a virtual machine:

  1. Back up the following registry key and subkey:

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI

  2. Copy the following VBScript (VBS) code, paste it into Notepad, save the file with a “.vbs” extension, and then run the .vbs file.Note The script also includes binary version checks around PCI.SYS file.

  (note the KB has the script in detail)

  Okay so here are my questions:

  1.  Is this needed for all deployments or only where a static IP has been used?  As I’ve seen the loss of networking side effect more where a static IP was assigned to the network adapter.
  2. Can an admin run this script before the install of the update?  (based on admins testing this it appears the answer is yes)
  3. In a consumer setting, where we only go to Windows update, do we need this? (I don’t think so but it would be nice to know for sure)
  4. If we’ve already installed the update, should we run this script? (again, I don’t think so but it would be nice to know for sure)

  Right now I only have questions, not answers but here’s my mode of attack:

  1. If it’s a workstation where I have physical access and can easily fix any networking stack issue I’ve installed the update as is and honestly have had no issues.  I am mostly deploying this in settings where my router is handing out the DHCP and I’ve seen no issues.
  2. If it’s a server, I’m deploying this based on how comfortable I am with alternative ways to reach that server and deal with patching issues.  If I can walk over to the server, I’ve gone ahead and patched.  If I’m remote to the server, it depends on if there is a remote network management tool like an iLO or Drac (HP or Dell) and/or how responsive the support team is in the datacenter.

  The side effect of losing networking still feels like there is some other trigger at play in non VMware shops.  I’ve seen people report the issue mostly where a static IP has been assigned.

  One concern as Woody has already pointed out, next month’s preview of non security updates already has the same side effect.

  So bottom line, determine your zeal for updating, throw a bit of salt over a shoulder, squint your eyes real tight, and keep your fingers crossed while you update.  Hey, wouldn’t hurt would it?

  Windows Patches/Security KB 4088875, Patch Lady Posts

• Friday night patch dump: KB 4088881, a flawed Win7 Monthly Rollup preview and KB 4089187, an IE fix

  Posted on March 26, 2018 at 07:30 CDT by woody • Comment in the Forums

  UPDATE: See Computerworld Woody on Windows.

  Microsoft continues its any-day-of-the-month patching policy with a highly anticipated preview of the April Win7 Monthly Rollup and a rushed patch for IE on Win7 that resolves a bug introduced two weeks ago

  When Microsoft released its gang of patches last Thursday, one patch was remarkably absent: We didn’t get a preview of next month’s Win7 Monthly Rollup. Win8.1, Server 2012 and Server 2012R2 all got previews, but not Win7 (or Server 2008R2).

  I hypothesized at the time that Microsoft didn’t release a new Win7 April Monthly Rollup preview because they were still trying to fix the bugs they introduced in this month’s Monthly Rollup for Windows 7 and Server 2008 R2, KB 4088875, and  the download-and-manually-install Security-only patch for March, KB 4088878.

  Microsoft now acknowledges all of these bugs in March’s Win7 Patch Tuesday release:

  • After you install this update, SMB servers may leak memory.
  • A Stop error occurs if this update is applied to a 32-Bit (x86) machine with the Physical Address Extension (PAE) mode disabled.
  • A Stop error occurs on computers that don’t support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).
  • A new Ethernet virtual Network Interface Card (vNIC) that has default settings may replace the previously existing vNIC, causing network issues after you apply this update. Any custom settings on the previous vNIC persist in the registry but are unused.
  • IP address settings are lost after you apply this update.

  All of those bugs are new in March, except the memory leak, which first appeared in January.

  With the new, delayed preview of April’s Win7 Monthly Rollup, you might expect that at least some of those bugs would be fixed. Not so. They’re all still around, per the official write-up.

  Microsoft is working on a resolution and will provide an update in an upcoming release.

  Sooner or later.

  In addition to the Friday night Monthly Rollup preview that doesn’t fix the major bugs, Microsoft rolled out a patch for a bug introduced in IE by its Patch Tuesday patch. Another patch of a patch. The article for the original Patch Tuesday patch, KB 4089187, has been modified to state:

  After you install this update, security settings in some organizations that are running Windows 7 SP1 or Windows Server 2008 R2 may prevent Internet Explorer 11 from starting because of an invalid SHA1 certificate.

  To resolve this issue, use one of the following methods:

  •    Whitelist the SHA1 certificate to allow Internet Explorer 11 to start.
  •    Install Cumulative update for Internet Explorer: March 23, 2018.

  If you’re a bit rusty on manually whitelisting an SHA1 certificate, you can run the patch released on Friday night, KB 4089187. Note that this is only for IE 11 running on Windows 7 (and Server 2008R2).

  I think of it as Mother Microsoft’s way of telling you that you really shouldn’t be using IE. Excuse my snark.

  Of course, you’ve been following along here and know that we’re still at MS-DEFCON 2, which means you didn’t install the original buggy patches, anyway. Right?

  By the by… for those of you who are manually installing the cumulative updates for Win10 1703 or 1607, there’s now an explicit warning in the associated KB article:

  Important When installing both the SSU (KB4088825) and the LCU updates from the Microsoft Update Catalog, install the SSU before installing the LCU.

  Which is an obtuse way of saying that, if you’re going to install the Cumulative Update manually, you better get the Servicing Stack Update installed first.

  MrBrian speculates that the root problem is the race condition on installation that Susan Bradley talked about last week.

  The Servicing Stack updates for 1703 and 1607 were part of the Thursday blast.

  Thx, @MrBrian, @gborn

  Windows Patches/Security KB 4088881, KB 4089187, March 2018 Black Tuesday

• Is Win10 1803 ready for prime time? Edge doesn’t think so

  Posted on March 25, 2018 at 07:48 CDT by woody • Comment in the Forums

  I just saw this tweet from Zac Bowden:

  Alright, so the world's most annoying bug has popped up on Edge in build 17128. Clicking on addresses in the drop down menu no longer does anything. It's, well, infuriating. I use Edge as my daily browser lol. @kylealden pic.twitter.com/vkVzQ7A7s7

  — Zac Bowden (@zacbowden) March 25, 2018

  Sure enough, on all of my 1803 test machines, in Edge, if you click the drop-down URL box and choose a different URL, absolutely nothing happens.

  Caveat emptor.

  Windows Patches/Security Win10 1803

• More Windows patches — and warnings about the Win10 1709 update KB 4089848

  Posted on March 23, 2018 at 08:24 CDT by woody • Comment in the Forums

  In yet another out-of-out-of-band flurry, on Thursday Microsoft released new cumulative updates for all Win10 versions, a couple of Servicing Stack updates, two previews of Monthly rollups… and absolutely nothing that fixes the flaws in this month’s botched Win7 patch.

  And the Windows Update bypassing routine blamed for the forced push from Win10 1703 to 1709? It’s baaaaaaaaaack.

  Computerworld Woody on Windows.

  UPDATE: @PKCano found a patch for Win10 1709 that “This update makes improvements to ease the upgrade experience to Windows 10 Version 1709.”

  Go figger. KB 4094276. It’s listed on the KBNew page, but the link there (which was provided by Microsoft) doesn’t work.

  Windows Patches/Security KB 4023057, KB 4089848

• Surprise! A new version of the Windows Update block-buster KB 4023057

  Posted on March 23, 2018 at 07:42 CDT by woody • Comment in the Forums

  While scanning through the KBNew list, I bumped into an old f(r)iend, KB 4023057. Looks like it was re-issued on March 22 — along with about half a gazillion patches for Windows.

  KB 4023057, if you don’t recall, is the patch that’s credited with busting through sites that have Windows Update blocked. There’s a discussion here, with this description from abbodi86:

  it evolved from just fixing registry to restore tasks and fix drivers DB, and compatibilty for UAC management..

  the main purpose or function did not change: re-allow blocked or disabled WU

  Of course, Microsoft’s official description is the usual “Nothing to see here, folks” drivel:

  This update includes reliability improvements that affect the update service components in Windows 10 Versions 1507, 1511, 1607, and 1703.

  This update includes files and resources that address issues that affect the update processes in Windows 10. These improvements ensure that quality updates are installed seamlessly on your device and help to improve the reliability and security of devices running Windows 10.  When Windows update is available for your device, devices that do not have enough disk…

  Only certain builds of Windows 10 Versions 1507, 1511, 1607, and 1703 require this update. Devices that are running those builds will automatically get the update downloaded and installed through Windows Update.

  This update is also offered directly to Windows Update Client for some devices that have not installed the most recent updates. This update is not offered from the Microsoft Update Catalog.

  I just wish Microsoft could speak plainly. In this case, some Win10 users (not sure which ones) are getting a patch that (apparently?) breaks their wuauserv settings. I assume that its entire reason for existence is to push more people onto the next version of Win10.

  Does anybody out there have any better info?

  Windows Patches/Security KB 4023057

• OUt-of out-of band patches for Win10 1709, 1703 and 1607

  Posted on March 22, 2018 at 15:18 CDT by woody • Comment in the Forums

  Just a heads-up. We’ll have more later.

  KB 4089848 brings 1709 up to Build 16299.334 – seems to have fixed the problem with the January Delta update

  KB 4088891 brings 1703 up to build 15063.994

  KB 4088889 brings 1607 up to build 14393.2155 – this one’s a bit surprising because 1607 is due to go off life support in a couple of weeks.

  Also, a Servicing Stack update for 1703, KB 4088825, and a Servicing Stack update for 1607, KB 4089510.

  Two previews of Monthly rollups, KB 4088882 for Win 8.1 and Server 2012 R2, and KB 4088883 for Server 2012.

  Martin Brinkmann has some notes on his ghacks.net site.

  I’ve updated the list of revised KB articles, KBNew.

  Windows Patches/Security KB 4088889, KB 4088891, KB 4089848

• Patch Lady – a reminder that 1607 drops out of support

  Posted on March 21, 2018 at 14:49 CDT by Susan Bradley • Comment in the Forums

  For those that are still running Windows 10 (including one HP envy tablet with a 32 gig flash drive that I’m still fighting to get it up to anything beyond what it was shipped with[*]), be aware that in April the 1607 release of Windows 10 drops out of support unless you are running Education or Enterprise version.

  Thus if you are still on 1607 please be aware that you will not get security updates after that date.

  If you’ve not be able to install past 1607 you might try this trick of determining what the blocker is.  To do so you need to download the ISO, extract it out, and then run setup as noted in this post to determine what the blocking is.

  Basically you run this script:  SETUP.EXE /Auto Upgrade /Quiet /NoReboot /DynamicUpdate Disable /Compat ScanOnly

  Or better yet do it like this:  SETUP.EXE /Auto Upgrade /Quiet /NoReboot  /Compat ScanOnly

  and leave it the bit about grabbing the latest dynamic update so we can see what the issue is.

  Post in the forums and let’s see if we can get everyone past 1607 and up to a serviced platform.

  [*]  I’m getting a usbC adapter to hang off a Western digital external hard drive as that did the trick for my Asus with the 32 gig flash drive.  An external flash drive didn’t cut it, nor did a Micro SD card.

  Windows Patches/Security Patch Lady Posts

• Windows 10 Enterprise: Does setting telemetry to zero disable cumulative updates?

  Posted on March 20, 2018 at 06:17 CDT by woody • Comment in the Forums

  A very interesting post this morning from Günter Born. In a nutshell:

  • If you’re running Win10 Enterprise
  • And you aren’t connected to an update server
  • And you set the level of telemetry to “Security data only” (HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection\AllowTelemetry set to 0)

  You don’t get any cumulative updates.

  Sounds like a bug to me. Can anyone out there confirm?

  UPDATE: @teroalhonen pointed me to the Microsoft documentation for the AllowTelemetry setting:

  Security level

  The Security level gathers only the diagnostic data info that is required to keep Windows devices, Windows Server, and guests protected with the latest security updates. This level is only available on Windows Server 2016, Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, and Windows IoT Core editions.

  Note

  If your organization relies on Windows Update for updates, you shouldn’t use the Security level. Because no Windows Update information is gathered at this level, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of our updates.

  Windows Server Update Services (WSUS) and System Center Configuration Manager functionality is not affected at this level, nor is diagnostic data data about Windows Server features or System Center gathered.

  Sure enough — it’s not a bug, it’s a feature!

  Windows Patches/Security Cumulative Updates, telemetry, Win10 Enterprise

• We’re still at MS-DEFCON 2

  Posted on March 20, 2018 at 06:03 CDT by woody • Comment in the Forums

  If you’re worried about all of the patches, manual installation sequences, and other mind-boggling things, don’t be.

  We’re still at MS-DEFCON 2 — don’t patch unless you have an overwhelming need to install a specific patch.

  The MS-DEFCON system is designed for folks who don’t want to sweat the details. If you aren’t particularly interested in sorting through the offal, wait for the MS-DEFCON number to change.

  Each time I raise the MS-DEFCON level, I have detailed instructions on what you need to do to keep your ship afloat. Unlike Susan (see below), I recommend that you defer “quality updates” (read “cumulative updates”) for the full 35 days, then set the spinner down to 0 when you’re ready to install a specific cumulative update. I also recommend that you set Win7 and 8.1 to “check but don’t download.” I include full instructions for both of those settings in every month’s Computerworld “go ahead” article.

  For now, unless you need to sort through the patching details, just hold tight.

  Windows Patches/Security March 2018 Black Tuesday

• Patch Lady – some comments about the master listing

  Posted on March 20, 2018 at 01:23 CDT by Susan Bradley • Comment in the Forums

  So let me explain a bit about my patch chart this month and some of the optional items.

  First off let’s draw a line in the sand between Windows 10 and Windows 7, as they are two different patching beasts.

  Next let’s draw a line in the sand between Office 2010 and Office 2013, 2016 and the upcoming office.

  Let’s take Windows 10 first.  You can control it’s updates and not have it control you as long as you understand one basic concept:  You must have Pro version in order to give you the ability to easily hook into the Windows update for business patching policies to defer updates.  I am NOT a fan of deferring updates forever.  I do recommend that you try not to be part of the beta testing team of updates and unfortunately, and too often, if you install updates on the day they are released, often you end up as part of the unofficial beta testing team.

  With the pro version of windows 10 you can put in place an option to defer updates for at least a week.  That is the normal time that we see issues shake out after Patch Tuesday. To do this on Pro, click on start, settings, update and security, advanced and then put your settings as follows:

  

   

  Note:  You can also pause updates for up to 35 days if you hear of major issues.

  

  For Windows 7, the recommendation I give is to set updates to “download but do not install”.  This stages them ready to go but does not install them until you are ready to.

  I honestly would think carefully about why you want the security only updates. Not every non security update is a telemetry one.  Often there are fixes in the non security updates that fix issues introduced by the security ones.  Not every optional patch is a bad thing.

  Now let’s talk about Office updating.  Office has “old way” and “new way”.  Old way means that you get offered up individual updates for Office if your version supports that.  This “old way” is default for Office 2010 and for those that purchase Office 2016 via volume license.  If you have purchased Office via Office 365 you are on the “new way” called click to run.  Click to run does its updating automatically and in the background.  It starts to trickle out during the second week of the month. 

  For those on the “old way”, you often decide to install only the security updates and not the non security updates.  But doing so, means that you got nailed this month by a dependency.  The security update for Word depended on the non security update to properly let the application open up files.  If you failed to install the earlier non security update from the week before, you saw the side effect.  If you installed it, you didn’t see the side effect.

  Because Click to Run installs both security and non security updates at the same time, you get both at the same time, thus ensuring that you won’t see the issue that nailed all of us folks who want to only get the security updates. 

  For click to run installs I’ve noticed that many of the side effects come if you are on the “monthly” release and not the semi-annual channel.  As you can see in the master Office issue listing located here, there’s a known issue for the monthly click to run that’s been addressed:

  Outlook known issues in the March 2018 updates

  Meeting location updates are not reflected in recipient calendar [FIXED]

  Last updated: March 14, 2018

  ISSUE

  After updating to Version 1803 (Build 9126.2072), you may find that when you open an existing meeting in the calendar and send an update with updated location, the recipient still sees the old location. If you review the item in the Sent Items folder it shows the old location and was not updated.

  Note: This issue only affects Semi-Annual Channel (Targeted) and Monthly Channel (Targeted) versions using builds 9126.2072 and higher.

  STATUS: FIXED

  This issue is fixed by a change in the service. Restarting Outlook should fix the issue but you may have to restart Outlook up to three times to pick up the change.

  Information for this issue is also provided in this article: Meeting location updates are not reflected in recipient calendar in Outlook 2016.

   

   

  There is a way to opt out of the monthly channel and move to the semi-annual.  I’ll post on that tomorrow, just know that click to run has a monthly update cycle, a semi-annual targeted and then a semi-annual channel.  It’s a little bit confusing, I know, but all of this is about offering up feature releases.

  For my specific March master patch listing, I listed several Windows 10 updates as “optional” just because of the unusual release of updates in March.  We had several out of band fixes to Windows 10 1709 and 1703 due to various issues including fixes for inaccessible boot device and loss of usb devices.  If you didn’t happen to catch those extra updates that were released for 1709 there was no harm, no foul as they didn’t include any new security updates, and if you waited until the normal March second week releases, you’d get the same code plus the new security fixes for the month.

  One other thought to ponder, I know many here install updates manually from the catalog, but there is risk in manually patching and not letting Microsoft update or Windows update do it’s thing.   Take for example the Windows 10 servicing stack update of KB4090914 that has a warning that you should install it in a certain order:

  When installing both the servicing stack update and the latest cumulative update from the Microsoft Update Catalog, install the servicing stack update before you install the cumulative update.

  When you manually install updates you may end up with patches in an order that Microsoft didn’t intend.  So if you manually install updates make sure you read the KB articles for any patch dependencies and order directions in the information.  I’ll also recommend that anyone on the Windows 7 platform every now and then do a manual scan for updates just to see what is offered to you.  Remember that often you will get Office updates offered up for platforms you don’t think you have only because when you do inplace upgrades, there is often dlls and files left over from the prior version.  Also if you install new business software, it often installs older C+ runtimes and .net files that need updates.  So often you’ll think you are up to date… and you aren’t.  Stay tuned there is even a way to do this manual scan in Windows 10 by using PowerShell. 

  Windows Patches/Security Patch Lady Posts

• Updates to Patch Lady’s Master Patch List

  Posted on March 19, 2018 at 03:27 CDT by woody • Comment in the Forums

  For those of you who haven’t been noodling around the site…

  Susan Bradley, Patch Lady, has added a massive number of patches to this month’s Master Patch List.

  The Master Patch List is a comprehensive list of every Windows and Office patch that Microsoft has made available each month, along with tips and warnings about each patch.

  For those of you who follow my MS-DEFCON system, the list of all those patches comes as quite a jolt. Don’t worry, you can continue to follow MS-DEFCON and wait until the coast is relatively clear.

  But for those of you who have to (or want to) consider each patch individually, the Master Patch List is the only resource I know that shows you what’s really happening.

  Windows Patches/Security Master Patch List
• « Older Entries

  Newer Entries »