Newsletter Archives

  • July’s Patch Tuesday is here

    For those of you in business, Microsoft decided that today – of all days – was the day to announce that “Microsoft rebrands Azure Active Directory to Microsoft Entra ID”. Azure AD is the cloud version of Microsoft Active Directory, which is what I’m probably going to call it for the rest of my life and not “Entra ID”.

    Meanwhile, back in the real world of day-to-day workstations of Windows and Apple, those rapid release patches of yesterday have been pulled due to a bug in Safari (showcasing that testing is hard for everyone).

    On the Windows platform, I want you to be in deferral mode as we watch for the testing results.  I’ll add more details as the patches come out.

    Highlights for Windows 11, version 22H2:
    • Expands the roll out of notification badging for Microsoft accounts on the Start menu (aka annoy you to not use a local account)
    • Improves the sharing of a local file in File Explorer with Microsoft Outlook contacts
    • Adds live captions for several languages

    If you kept Edge as default and Chrome would launch app controls, this update should fix that. If you kept Chrome as default you probably didn’t notice it.

    Dustin Childs’ Zero Day blog.

    Ghacks link

    Remember Windows 10 22H2 is only receiving security updates now so it’s the stable/boring version of Windows.

    If you are a WSUS patcher, detection looks to be borked – as in it’s not seeing your machines as needing updates. Microsoft will have to fix the detection.

  • Master Patch List as of June 13, 2023

    I’ve updated the Master Patch list for the May releases.

    Remember to always review the known issues we are tracking on the Master Patch List. I will keep the latest info there.

    So far trending issues are:

    Consumers:

    Chrome may have some issues after the June updates – triggered by Malwarebytes – see their KB

    Business side effects:

    Users of Windows Hello may get an extra OOBE prompt.

    Manual registry keys have to be deployed to be fully patched. Testing the impact and will report back. I do not see this as a concern for consumers just potentially targeted businesses.

    Enforcement by Default comes with the June updates regarding CVE-2022-38023 (KB5021130: How to manage the Netlogon protocol changes related to CVE-2022-38023 – Microsoft Support).

    I am recommending at this time that you install Apple updates, I’m not recommending Windows updates at this time. I’ll have more details in the newsletter on Monday.

    • Windows 11 22H2: Not recommended
    • Windows 11 21H2: If you have a Windows 11 PC, recommended
    • Windows 10 22H2: Recommended
    • Windows 10 21H2: Drops out of support this month
    • Apple Ventura – Recommended for newer hardware – as always check with the applications you rely on if they recommend this release.

    As always, thank you all for supporting the cause! Remember a donation will give you access and if you donate $50 or more you’ll get a special code to enable text messages sent to your phone each time the Master Patch List gets updated and when I change the MS-DEFCON level.

  • Ready for June updates?

    Remember this is the final month that Windows 10 22H1 will receive updates. This is the final time that version will receive a security update. So for Windows 10 I want you to be on 22H2.

    But for Windows 11, unless you’ve recently purchased a Windows 11 machine and are already ON Windows 11 22H2 I still recommend staying on 21H2.

    Remember you can use the SAME tools to control updates on Windows 11 as you can on 10. So InControl works to keep that 11 on 21H2. The www.blockapatch.com tools all work.

    So now, buckle our seatbelts, here comes June updates!

    (As you can tell I STILL cannot name the dang versions worth a darn)

    Random thoughts and notes for the upcoming newsletter:

    There is a vulnerability that in order to fully enable the fix you have to enable a registry key that is different on each OS – see here. Say what?

    Side effects being seen: If you use Windows Hello for authentication – you’ll get a Windows Hello “pop” after the installation of the patch. Ignore it – appears to be a bug.

  • Master Patch List as of May 9, 2023

    I’ve updated the Master Patch list for the May releases.

    Remember to always review the known issues we are tracking on the Master Patch List. I will keep the latest info there.

    So far trending issues are:

    Business patchers – In order to fully patch systems for potential UEFI/Secure Boot there are a series of manual steps. I am NOT convinced that this is needed for anyone other than targeted nation state organizations. I’ll have exact instructions and a video should you want more information.

    I am recommending at this time that you install Apple updates, I’m not recommending Windows updates at this time. I’ll have more details in the newsletter on Monday.

    • Windows 11 22H2: Not recommended
    • Windows 11 21H2: If you have a Windows 11 PC, recommended
    • Windows 10 22H2: Recommended
    • Windows 10 21H2: Recommended (if a vendor won’t support 22H2)
    • Apple Ventura – Recommended for newer hardware – as always check with the applications you rely on if they recommend this release.

  • It’s May updating time!

    It’s that time of the month that I’ll urge you to pause your updates on your Windows platforms, but review any pending updates on your Apple platforms.  Recently Apple’s “Rapid response” patches weren’t quite as “rapid” as we would all like.  In fact on my iPhone iOS 16.4.1 is still pending even though I have auto updates enabled.

    I’ll be discussing what SHOULD have occurred in Sunday’s newsletter.  In the meantime, let’s keep an eye out for this month’s Windows releases:

    49 vulnerabilities if the count here is correct

    Windows 11 22H2 has a new toggle button

    • New! This update adds a new toggle control on the Settings > Windows Update page. When you turn it on, we will prioritize your device to get the latest non-security updates and enhancements when they are available for your device. For managed devices, the toggle is disabled by default. For more information, see Get Windows updates as soon as they’re available for your device.

    The update also fixes issues in the newly released Windows Local Administrator Password Solution on both Windows 11 22H2 and 21H2 as well as Windows 10:

    • This update addresses a race condition in Windows Local Administrator Password Solution (LAPS). The Local Security Authority Subsystem Service (LSASS) might stop responding. This occurs when the system processes multiple local account operations at the same time. The access violation error code is 0xc0000005.

    Remember if you aren’t on Windows 10 22H2 at this time, I’ll want you to move to 22H2 as June 13, 2023 is the last time Windows 10 Home and Pro 21H2 get updates. Windows 10 Enterprise and Education, Windows 10 IoT Enterprise, and Windows 10 Enterprise multi-session will still be serviced (apologies, had that backwards). 20H2 is now fully out of support.

    Ugh.  There is a secure boot vulnerability that is being “fixed” with code in the May updates, but not fully implemented.  Because you need PHYSICAL access or administrative rights to install code, this is yet another of those updates that will need to be “risk” rated for additional action.  I’ll go into this more in the newsletter.

  • Master Patch List April 11, 2023

    I’ve updated the Master Patch list for the April releases.

    Remember to always review the known issues we are tracking on the Master Patch List. I will keep the latest info there.

    So far trending issues are:

    Business patchers – weird Google Chrome issue after installing KB5025221 if your group policy is used to set Chrome as default

    Also I’ll update the list for the SQL updates but I wanted to get the other updates out for you

    I am recommending at this time that you install Apple updates, I’m not recommending Windows updates at this time. I’ll have more details in the newsletter on Monday.

    • Windows 11 22H2: Not recommended
    • Windows 11 21H2: If you have a Windows 11 PC, recommended
    • Windows 10 22H2: Recommended
    • Windows 10 21H2: Recommended (if a vendor won’t support 22H2)
    • Apple Ventura – Recommended for newer hardware – as always check with the applications you rely on if they recommend this release.

  • The patching showers of April

    Apple did their patching showers yesterday – another zero day fix

    📱 iOS and iPadOS 15.7.5 – 2 bugs fixed
    💻 macOS Monterey 12.6.5 – 1 bug fixed
    💻 macOS Big Sur 11.7.6 – 1 bug fixed

    Now it’s Microsoft’s turn….

    97 vulnerabilities, 7 critical, 1 exploited

    Also out today… The AD team at Microsoft is proud to announce that with today’s Patch Tuesday updates, our new Windows Local Admin Password Solution (aka Windows LAPS) is available in all in-market builds of Windows – Win10 & Win11 clients and Server 2019 & 2022 SKUs!

    As usual, time to sit back, watch the testing occur and see what shakes out this month.

    Note that Windows 10 21H2 drops out of support in June unless you have edu or enterprise – so check what version of Windows 10 you are on. There are no big changes for Windows 10 so I honestly don’t anticipate seeing any side effects. As always I will keep you up to date on the Master patch listing.

    This is interesting… there is only a security release for Publisher this month.

    No non security Office updates were released either. A VERY light Office release this month.

  • Are you checking your backup tonight?

    As Alex pointed out …. today is World Backup day.

    Just a reminder, issues like ransomware can be thwarted by having a backup. Specifically, something that the bad guys can’t touch. So rotate out those hard drives. Have a cloud backup with versioning that is protected from access. Make sure you are protected.

    Now while this is a marketing session that demands you sign up and register – I still enjoy Jessica Payne and her talks on how we can do better against ransomware. From the recent Microsoft Secure session.

  • Master Patch list as of March 15, 2023

    I’ve updated the Master Patch list for the March releases.

    Remember to always review the known issues we are tracking on the Master Patch List. I will keep the latest info there. Right now the big trending issue is the issue where Windows 10 22H2 doesn’t seemingly reboot if you manually check for updates. If you use Start11, StartAllBack, and ExplorerPatcher, make sure you update to the latest on Windows 11.

    I am recommending at this time that you install Apple updates, I’m not recommending Windows updates at this time. I’ll have more details in the newsletter on Monday.

    • Windows 11 22H2: Not recommended
    • Windows 11 21H2: If you have a Windows 11 PC, recommended
    • Windows 10 22H2: Recommended
    • Windows 10 21H2: Recommended (if a vendor won’t support 22H2)
    • Apple Ventura – Recommended for newer hardware – as always check with the applications you rely on if they recommend this release.

  • March madness here we come

    Ready or not – here come the March updates. Remember by this time you need to have a backup and defer updates (unless you are one of the souls who like to be the beta testers for the rest of us).

    Interesting items of note: Outlook vulnerability used in TARGETED only attacks and impacting NTLM (translation – businesses with Exchange servers, not consumers/home users). If you have Click-to-Run Office this will be auto updated.

    There is also a ‘SmartScreen’ vulnerability where Edge can be tricked into thinking something isn’t from the web and not scan it. This will be auto updated when Edge updates. When we finally update Windows, SmartScreen as a whole will be updated. But again, we don’t blindly download things, do we?

    Both are more business only – not consumer/home targeted so I’m not changing my “hold off and wait to patch” stance in any way.

    Remember Windows 11 22H2 gets “moments” releases – I’ll be reporting if my registry key works on Windows 11 Home computers.

    More links as they come live…..

    Also business impact:

    This update implements phase three of Distributed Component Object Model (DCOM) hardening. See KB5004442. After you install this update, you cannot turn off the changes using the registry key.

    This update addresses an issue that affects a computer account and Active Directory. When you reuse an existing computer account to join an Active Directory domain, joining fails. This occurs on devices that have installed Windows updates dated October 11, 2022 or later. The error message is, “Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: ‘An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.’” For more information, see KB5020276.

    Dustin Childs’ zero day blog

  • Master patch list as of February 14, 2023

    I’ve updated the Master Patch list for the February releases. While this month doesn’t have the vulnerability count that many gauge a big month by, it has .NET security releases which – on some platforms – add additional patch offerings.

    Remember to always review the known issues we are tracking on the Master Patch List. I will keep the latest info there. Right now the big trending issue is Server 2022 and VMware.

    I am recommending at this time that you install Apple updates, I’m not recommending Windows updates at this time. I’ll have more details in the newsletter on Monday.

    • Windows 11 22H2: Not recommended
    • Windows 11 21H2: If you have a Windows 11 PC, recommended
    • Windows 10 22H2: Recommended
    • Windows 10 21H2: Recommended (if a vendor won’t support 22H2)
    • Apple Ventura – Recommended for newer hardware – as always check with the applications you rely on if they recommend this release.

  • Here comes February’s valentines of patches

    Here we go again with a bundle of updates.

    Remember our mantra – to pause, ponder, wait and in general see what the side effects are first.

    Windows servers are still getting Internet Explorer updates!  So IE is not quite dead.  Yet.

    Remember Windows 7 is officially out of support so if you are still using it, please do not use it to surf, browse, etc. Ensure that you are using it in isolation away from the Internet. 0Patch is an option for those of you.

    Remember as well that the “disable IE” is only on Windows 10 and comes through an Edge update  NOT an Internet Explorer update.

    Links for discussion on this month’s updates:

    Dustin Childs’ blog

    Ghacks

    Incidents.org

    Trending issues: Seeing reports of Server 2022 booting issues (see https://kb.vmware.com/s/article/90947): “Also having this issue on 2 Win 2022 servers after applying KB5022842. Disabling Secure Boot on the VM “fixed” it for now. ESXi 7.0.3, 20842708”

    I can personally report that the removal of Internet Explorer in Edge is breaking remote deposit with the Bank of America website.  It doesn’t recognize the scanner driver on Edge, it does on Chrome.

    For those of you that are IT admins be aware of:

    Updates released February 14, 2023 or later might not be offered from some Windows Server Update Services (WSUS) servers to Windows 11, version 22H2. The updates will download to the WSUS server but might not propagate further to client devices. Affected WSUS servers are only those running Windows Server 2022 which have been upgraded from Windows Server 2016 or Windows Server 2019. This issue is caused by the accidental removal of required Unified Update Platform (UUP) MIME types during the upgrade to Windows Server 2022 from a previous version of Windows Server. This issue might affect security updates or feature updates for Windows 11, version 22H2. Microsoft Configuration Manager is not affected by this issue.

    To mitigate this issue, please see Adding file types for Unified Update Platform on premises.

    We are working on a resolution and will provide an update in an upcoming release.