• December Security-Only patch breaks Active Directory Admin Center console when editing object’s properties

    #15866

    This from commenter Paul: Did the security only update (KB3205394) break anyone else’s applications? In an enterprise environment, it broke AD Admin C
    [See the full post at: December Security-Only patch breaks Active Directory Admin Center console when editing object’s properties]

    • #15867

      I’m surprised that an enterprise environment would apply updates without testing them first…

    • #15868

      jmwoods raises a question for me. I run WinX Pro on a wired computer so I have no real option, beyond policy editing, to control what happens to my box. My question is whether — and how — I could run a VM clone of my current machine to test these things before I let them loose.

    • #15869

      I know of obscure problems starting with November updates, Monthly or Security-only, not fixed in December. I believe that they are related to Internet Explorer 11 JavaScript behaviour when running in Document Mode 8 or 9. This functionality was broken by patches in the past and fixed after a few months. JS in Document Mode 10 or Edge Mode (nothing to do with the Edge browser) is fine and I think it is one of the QA issues with Windows Update, too frequently happening in recent times.
      The issue is so obscure that I cannot find any references to it on the Internet and it certainly does not affect most of the users here who either don’t use any of the IE11 Enterprise Compatibility Mode and more likely rarely use IE11 at all.

    • #15870

      Are previous security only updates installed?

    • #15871
    • #15872

      Image the machine and run it in Hyper-V or better in VMWare workstation if this is what you want.

    • #15873

      I couldn’t connect to AD Users and Computers console. As soon as KB3205394 was uninstalled I was able to connect again. It also affected me accessing SCCM Admin console.

    • #15874

      Thanks for the confirmation!

      Anybody have links to more details?

    • #15875

      Not sure if you saw Woody, but there are a couple new Intel Drivers again. https://i.imgur.com/edyyluQ.png

    • #15876

      @abbodi86
      Is this for me or for the OP?
      I have all patches installed, including KB3125774, less the forced LDR.

    • #15877

      I suppose some of the minor Enterprise related issues, unless major and widely reported, remain under-reported for a few reasons:
      – Many enterprises do not patch regularly, unless there are compliance requirements and even then many managers sign off waivers invoking operational reasons (waste of time for little or no benefit, disruptions like the current one). There are mitigation methods in place in most of these cases provided by the ISP, antivirus provider or internal active monitoring, so things are not as bad as they would otherwise appear.
      – Some administrators do not wish to provide details in public about their own environment for business related reasons and in particular because in such situations it may imply that their own enterprise systems are not secure until the issue is resolved, making them easy targets (like saying on Facebook that you are away from home for 2 weeks and provide the address too).

      In the second situation, many of those issues, if detected, are reported to Microsoft Support.
      Or in the modern times, Microsoft get the data themselves – this is the declared purpose of telemetry.

    • #15878

      It would be interesting to re-apply that update, and then use WUSA (assuming we’re not talking about Windows 10) to uninstall the individual KB’s inside each MS that was included…

      https://support.microsoft.com/en-us/kb/3205394

      WUSA individual KB uninstall…

      wusa /uninstall /kb:nnnnnnn /quiet /norestart

      Powershell and DISM individual KB uninstall (Windows 10)…

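      # List installed packages and keep only the "Package_for" identity lines
      $SearchUpdates = dism /online /get-packages | findstr "Package_for"

      # Strip the label, then keep the package name(s) matching the KB number
      $updates = $SearchUpdates.replace("Package Identity : ", "") | findstr "KBXXXXXXX"

      #$updates

      # Remove each matching package (more than one line may match)
      foreach ($update in $updates) { DISM.exe /Online /Remove-Package /PackageName:$update /quiet /norestart }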

    • #15879

      Does it work that way?
      Can you uninstall individual packages from a rollup?

    • #15880

      They just keep comin’…

      Yep, we’ve had several additional reports. I sure wish I knew what was up with those. ch100 has already asked if anybody knows whether they solve the earlier Bluetooth problems with the KB 3172605 patch – the key July speed-up patch.

      http://www.infoworld.com/article/3136677/microsoft-windows/how-to-speed-up-windows-7-update-scans-forever.html

    • #15881

      It may also mean that those somehow newer drivers can facilitate a better upgrade experience from lower versions of Windows to Windows 10 by having dual compatibility. Just speculation, I don’t know about anything documented in that sense.

    • #15882

      It will work…as long as the KB numbers in each Security Bulletin for version and bitness are different.

      Otherwise, if the KB numbers are the same, it will not work… the entire rollup will be removed.

      The new Security Guide gives a pretty good view of the KB numbering by version and bitness, as well as other info…

      https://portal.msrc.microsoft.com/en-us/security-guidance

    • #15883

      Hello Woody,

      For my Win 7 Pro x64 laptop with an Intel Centrino Wireless-N 2230 adapter, the protocol outlined on this Intel support page restored my Bluetooth to operational: https://www-ssl.intel.com/content/www/us/en/support/network-and-i-o/wireless-networking/000022410.html (dated 2016.12.09); it pertains to the Intel® Wireless 8260/7265/3165/7260/3160 and Intel® Centrino® 6235/2230 families.

      With warmest regards and every best wish for the New Year,

      AJ

    • #15884

      Set up a test environment, installed the 2 new Intel driver updates, and ran DISM to get the list of all drivers for the online OS…

      dism /online /get-drivers /all /format:table > "%userprofile%\Desktop\drivers.txt"

      The output will be created in the file “drivers.txt” on your desktop.

      The Intel driver INF files affected…by date –

      3/13/16 –

      iccwdt.inf – version 11.0.0.1010

      8/19/2016 –

      haswellsystem.inf – version 10.1.2.80
      lynxpointsystem.inf – version 10.1.2.80

      10/3/2016 –

      haswellsystem.inf – version 10.1.1.38
      lynxpointsystem.inf – version 10.1.1.38

      (appears to be a rollback)

    • #15885

      Could have something to do with this big list of bugs for 4th Gen Haswell chipsets…

      http://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/4th-gen-core-family-desktop-specification-update.pdf

      See the Errata section.

    • #15886

      Wouldn’t this be something similar to what I said before about the microcode being updated in the operating system instead of where it is its natural place, in the BIOS if the CPU cannot be replaced which would be ideal.

    • #15887

      @jmwoods: Don’t assume that just because someone’s asking the question means they haven’t tested.

      Even when we test, if I see behavior, one of my steps is to ask if others are seeing the same behavior outside of my organization. I want to know if it’s something related to my environment, find commonalities if others are experiencing it, etc.

      One of the things I constantly strive to avoid in IT is the beatdown IT folks often give their sisteren/bretheren when a question gets asked, as if we “didn’t do something”. Questions, asked intelligently, are productive, and if we don’t treat them as such, pretty soon, people stop asking questions that might give answers beneficial to all of us.

    • #15888

      Well put. (“sisteren”? 🙂 )

    • #15889

      Those individual KBs are articles only; the update itself is installed as one and uninstalled as one.

      As a matter of fact, those are security bulletins; they don’t necessarily represent specific KB updates.

    • #15890

      OP of course 🙂

      maybe other security-only updates affect each other

    • #15891

      Security bulletins include the KB’s associated with the version and bitness they apply to.

      Different than the security guide format.

    • #15892

      I don’t see any evidence of a “beatdown”…

      The OP omitted the fact that it was found during testing, less than a month after the updates were released.

      The phrase “In an enterprise environment, it broke AD Admin Center console when trying to edit any object’s properties, and it also broke SCCM consoles.” seemed to (me) indicate it was rolled out.

      I think he’ll get over it.

    • #15893

      Three Vista patches gave me trouble this month (KB3196348, 3205638, and – I think – 3204724.) They patch Uniscribe and the Graphics Component. No idea if 7/8.1 are affected. The first symptom is the sound driver fails to load. From past experience this means only logging into admin. account is possible. Upon doing so I get the “classic taskbar” and the error message “failed to connect to System Event Notification Service service.” I found a simple reboot fixed my problem, though it took about 5 minutes for the machine to do so after I clicked restart.

    • #15894

      @ jmwood ……. The link u provided …
      https://support.microsoft.com/en-us/kb/3205394
      …. for the December 2016 Security Only Patch Rollup only links to M$ Security Bulletin info for the various security updates found inside the Rollup. Eg the security update for IE, KB3204059, cannot be found at M$ Update Catalog = cannot be manually installed by itself.
      ……. I doubt very much u could uninstall KB3204059. Did u test yr solution or fix.?

    • #15895

      Run…

      dism /online /get-packages | findstr "KBnnnnnnn"

      replacing “nnnnnnn” with the KB number.

      If it’s found, it can be removed.

      Rollups, as far as I have seen, are using the same KB number for each Security Bulletin that applies to the version and bitness of the OS it was issued for.
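
The check described in the post above, as an added PowerShell example that is not part of the thread: it parses `dism /online /get-packages` output into objects and reports whether a KB number is listed as its own package. The sample output, its version strings and the function names are constructed for illustration.

```powershell
# Constructed sample of `dism /online /get-packages` output (not taken from the thread).
$sample = @'
Packages listing:

Package Identity : Package_for_KB3205394~31bf3856ad364e35~amd64~~6.1.1.0
State : Installed
Release Type : Security Update
Install Time : 12/14/2016 9:12 PM

Package Identity : Package_for_KB3172605~31bf3856ad364e35~amd64~~6.1.1.2
State : Installed
Release Type : Update
Install Time : 9/21/2016 7:40 PM

The operation completed successfully.
'@ -split "`r?`n"

function ConvertFrom-DismPackageList {
    # Hypothetical helper: turns "Key : Value" lines into one object per package.
    # A "Package Identity" line starts a new record; header lines are ignored.
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
            $key, $value = $Matches[1], $Matches[2]
            if ($key -eq 'Package Identity') {
                if ($null -ne $current) { [pscustomobject]$current }
                $current = [ordered]@{ Identity = $value }
            } elseif ($null -ne $current) {
                $current[($key -replace '\s', '')] = $value   # e.g. ReleaseType, InstallTime
            }
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

function Find-KbPackage {
    # Match the exact KB number between "_for_" and "~" so KB320539 does not match KB3205394.
    param([string[]]$Lines, [string]$Kb)
    ConvertFrom-DismPackageList $Lines | Where-Object { $_.Identity -match "_for_$Kb~" }
}

# On a live system, pass the output of: dism /online /get-packages
$hit = Find-KbPackage -Lines $sample -Kb 'KB3205394'
if ($hit) { $hit | Format-List }
else { 'No package with that KB number is listed, so DISM /Remove-Package has nothing to target.' }
```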

    • #15896

      Woody,

      In her Patch Watch column for Windows Secrets last night, Susan Bradley issued the recommendation to install the December security roll-ups for Windows 7 & 8.1:

      "December’s rollup updates for Win7 and Win8.1 appear to be problem free. It’s time to ensure our Windows setups are as secure as possible. Use the links below to get rollup details.

      – What to do: Install rollups KB 3205401 for Win8.1 and KB 3207752 for Win7 as soon as possible.”

      (Although she was specifically referring to “Group A,” can one infer that she is also including “Group B”?)

      For .NET, she concludes,

      "I know of no other issues with the December .NET rollups. Install KB 3210137 or KB 3210138 — or any of the other .NET updates in MS16-155; then check installed apps that rely on SQL Server, ensuring that they function properly." (The "other issues" she refers to concern SQL Server installations, for which she cites a MS work-around contained in KB3214106, namely to disable the Shared Memory setting under Protocols for SQLEXPRESS.)

      Do you feel that she’s jumping the gun?

    • #15897

      Not at all. In fact, I was waiting for Susan’s final verdict before posting today’s change to the MS-DEFCON level.

      I don’t always agree with Susan, but she’s always, always factually correct. Which is more than I can say for myself!

    • #15898

      Thank you, Woody!

      I’ll now install & test on my rigs before assaulting any others.

      Again, every best wish to you & yours for a happy, healthy & safe New Year! 🙂

      AJ

    • #15899

      ?

    • #15900

      @AJ North
      "Although she was specifically referring to “Group A,” can one infer that she is also including “Group B”?"

      The short answer is NO!

    • #15901

      That’s good to know. Thanks for the tip.

    • #15902

      Hi ch100, just wondering if you (or other experienced VM-ers reading this) have any thoughts you’d care to share on use of VirtualBox? (…for users on “non-corporate PCs” looking for a possible alternative to Hyper-V(requires Pro or higher) or VMware($$))

      Thanks and Happy New Year to all!!

    • #15903

      @Anony>mouse
      Happy New Year!

      I think VirtualBox is a useful and free alternative to VMWare which is the gold standard by far but also Hyper-V.
      However I don’t have much experience with it so I cannot give you or anyone else much information about how to use it effectively.
      Check Oracle’s site and read through the documentation and try to use it.
      https://www.virtualbox.org/
      One thing to note though. Pro is not for Corporate users and it is a mistake to use Pro in larger businesses which qualify for the Enterprise version. Pro is suitable for Small Businesses and for most home users in fact.
      I also believe that most Home Edition users do not have enough RAM to run virtual machines in addition to the main physical computer.

    • #15904

      Hey all,

      Sorry I’ve been absent from this thread-

      To clarify a few things:

      We immediately test updates on a small handful of IT users in our environment to see if anything stands out like a sore thumb. Our patching schedule after that slowly rolls out to a slightly larger group of 500, then a few different groups consisting of a thousand or PCs each.

      This is why we found the issue so soon after patch Tuesday. Now that that’s cleared up, some can rest easy knowing we’re testing 😉

      I’ve posted this in the email distribution which is why I haven’t revisited here until now, but I’ve seen a few people replying with similar issues. Yes, it breaks the ADAC console and yes, it prevents you from connecting to your sccm mgmt console. Removing the update resolves it (after a reboot, if I recall)

      Re-applying the update will once again break these applications. Our windows 10 machines are fully patched, so I’m not certain it’s due to a missing dependency or anything like that. Our windows 7 machines that I was able to check were also patched and up to date.

      I have not heard of any other affected applications in our environment, which is healthcare (which means only roughly 7 billion different applications…) but our users tend to not report the things we care about such as this. But you better believe they’ll speak up if they can’t check up on the Chicago cubs website 😉

      I’m debating opening a ticket with our premier MS rep to see if they can assist, but haven’t had a spare minute lately to do so. If anything big changes I’ll make my way back here to update.

    • #15905

      Please do keep us posted!

    • #15906

      So, has M$ done anything about this hiccup?

      I have not installed the KB3205386 update on my Win10 Pro 1511 machine and do not intend to ‘until further notice’ . . .
      Thanks!

    • #15907

      They’re “aware of it.” But I have yet to get any real fix or answer out of the ticket I opened with them. Just going through the motions right now until it gets escalated most likely…

    • #15908

      Update: MS has some workarounds for Windows 7, not so much for W10 yet (that they’ve shared with me):

      1. Change the desktop color depth to 16 bit
      2. Maximize the management console window
      3. Disable the “enable desktop composition” performance option
      4. Apply the Windows Basic theme

      I was able to verify #1 works for Windows 7, but not the other so far. These options don’t apply to Windows 10.

    • #15909

      Desktop color depth to 16-bit instead of 32-bit is usable, but has limitations.
      All the other recommendations are common sense and should be done by default regardless of the current workarounds.
      However Microsoft engineers should fix the patch, as those features like Aero/Desktop Composition are built-in and they have to work regardless of what I and others consider common sense settings.

    • #15910

      A fix is in the works and scheduled to be released in February. Probably patch Tuesday would be my guess.
