Ready or not – here comes the March updates. Remember by this time you need to have a backup and defer updates (unless you are one of the souls who li
[See the full post at: March madness here we come]
Susan Bradley Patch Lady/Prudent patcher
![]() |
Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems. |
SIGN IN | Not a member? | REGISTER | PLUS MEMBERSHIP |
Home » Forums » Newsletter and Homepage topics » March madness here we come
Ready or not – here comes the March updates. Remember by this time you need to have a backup and defer updates (unless you are one of the souls who li
[See the full post at: March madness here we come]
Susan Bradley Patch Lady/Prudent patcher
Guinea Pig Update (great moments in guinea pig history)
Version and build after update: Win11Pro 22H2.22621.1413
WuMgr downloaded and installed:
Installed without error and the system rebooted without error.
The click to run do (even though they have yet to release their release notes) and keep in mind that the vulnerability does not exist if Outlook is connecting to online email or Exchange online. So it’s Outlook connecting to an Exchange server (on premises)
Susan Bradley Patch Lady/Prudent patcher
kb5023696 CU W10 Pro x86 and x64 installed on both systems.
OBSERVATION: Post installation upon restart, the indicator seemed to pause for a while at 41% on both devices and eventually continue as normal.
Event viewer ok
SFC verifyonly ok
DISM scanhealth ok
O&O Shutup 10++ no changes (on both devices)
Preliminary checks show no issues…yet? 😛
No re-introduction of ChrEdge either, happy days!
Persistance is paying off, so far..so good
Win8.1 test project (2012 R2 patching) ongoing..
EDIT: ..now complete for this month without issue, although I’m holding off the Win Server 2012 R2 SSU kb50237990 for now. (February SSU kb50229922 is suffice)
@ECWS
My preference is to use the verifyonly switch so I can manually check the created .cbs file and see where the issue arises from, should there be one or more. I like to know, not just fix and forget YMMV
I’ve found Event Viewer a good source to find any issues regarding patch installation and what is affected. I usually have resmon (resource monitor) running during patch installation to keep an eye on things, purely out of geeky interest.
I do a complete system disk clean-up followed by a DISM winsxs redundancy cleanup after a week or so after patching, assuming all is ok to ensure a leaner OS without the excess baggage. Then I’ll do a manual SSD trim once per month.
Three out of four weeks per month running a tight ship can’t be bad over four different MSFT systems 😉
Thanks – very helpful information. I have (in the past) run SFC /Scannow then trying to figure out what it fixed – this is a better option.
What is the command for the DISM redundancy cleanup?
Also – you prefer a manual SSD trim vs waiting on automatic?
What is the command for the DISM redundancy cleanup?
rather than trying to remember, I use this 26kb portable utility for DISM commands
simple interface with commands within, works in Win8.1 onwards..
https://www.paehl.de/?GUI_for_DISM
Enjoy 😉
What is the command for the DISM redundancy cleanup?
dism /online /cleanup-image /startcomponentcleanup /resetbase
What is the command for the DISM redundancy cleanup?
dism /online /cleanup-image /startcomponentcleanup /resetbase
I’ve never seen the “/resetbase” argument in this command. What does it do when included in comparison to when it is not included?
Without it: superseded components (in WinSxS folder) are delta compressed
With it: superseded components are removed, and updated components become the new base + updates become permanent
resetbase is disabled in Windows 10/11 by default
Without it: superseded components (in WinSxS folder) are delta compressed
With it: superseded components are removed, and updated components become the new base + updates become permanent
And what would govern your decision, one way or the other?
In other words, why would you choose the command without the argument? or with the argument? Are there any problems down the road in losing the superseded components? Or any advantage to having the superseded components delta compressed?
@WCHS –
By delta compressing the superseded components, they still remain on the computer, albeit taking up a LOT less space, and potentially available for re installation by removing the update that superseded them, I would think (don’t know for sure because I’ve never had to try and “revive” a superseded update).
By removing the superseded components, they are no longer on the computer and no longer available for re installation, thereby making the newer components the new baseline installation and irremovable.
In other words, if you use the /resetbase argument, you’ll be forever linked to the latest update(s) you’ve installed and forever unable to go back to a prior installation successfully, because the items that would normally allow you to do that by being on your computer (but very compressed) won’t be there. From what I’ve read in this thread, IMHO the /resetbase argument should only be used if you’re absotively posolutely sure you’re NEVER going to need to go back to a prior version of windows 10, say back to last month’s patch level or earlier.
Clear things up for you a bit?
Absotively and posolutely were a deliberate use of those altered words in order to add emphasis.
From Windows 10 v1809 onwards, resetbase breaks installation of future cumulative updates.
Doesn’t do that for me on Win10 Pro.
I’ve been using that exact command approx every 6 month’s since Win10 1909 to clean out the old “superseded” updates right before installing the new monthly cumulative update.
When it’s done, I reboot and then install the new update and have never had an update fail to install after using it!
Did you enable “change” registry setting DisableResetbase?
Nope, just checked and it’s still set to 1 (i.e. disabled.)
However, I’ve never had that command generate any sort of error when I’ve used it and the size of the component store is always smaller (by ~6 — 8GB or so) after I run it so it’s obviously doing something.
From Windows 10 v1809 onwards, resetbase breaks installation of future cumulative updates.
At Clean Up the WinSxS Folder, it says:
All existing update packages can’t be uninstalled after this command is completed, but this won’t block the uninstallation of future update packages.
“This command” refers to
Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase
From Windows 10 v1809 onwards, resetbase breaks installation of future cumulative updates.
At Clean Up the WinSxS Folder, it says:
All existing update packages can’t be uninstalled after this command is completed, but this won’t block the uninstallation of future update packages.
“This command” refers to
Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase
So no contradiction there then.
From Windows 10 v1809 onwards, resetbase breaks installation of future cumulative updates.
So no contradiction there then.
So, what does “breaks installation of future cumulative updates” mean? To me it means “you can not install future cumulative updates.”
From Windows 10 v1809 onwards, resetbase breaks installation of future cumulative updates.
So no contradiction there then.
So, what does “breaks installation of future cumulative updates” mean? To me it means “you can not install future cumulative updates.”
Your quote from the documentation about UNinstallation after /ResetBase doesn’t refer only to 1809+.
There is
they should mention that “ResetBase” is disabled in Windows 10/11 by default and has no effect
why do you think they disabled it?
because:
a) it breaks installation of future cumulative updates on Windows 10 1809 and later
b) it breaks “Reset this PC” feature on all Windows 10/11
why do you think they disabled it (i.e., /ResetBase)?
because:
a) it breaks installation of future cumulative updates on Windows 10 1809 and later
But, Alejr at #2546589 says that post v 1803 he has been using /ResetBase and he’s been able to subsequently install new updates and has never had them fail.
Is he just plain lucky?? I’m confused.
Nevermind … I think I get it now … even though the command has the “/ResetBase” argument, it doesn’t work because it’s disabled, and because it’s disabled and doesn’t work, the command is really absent the “/ResetBase” argument, and so subsequent new updates WILL install. Right?
resetbase is disabled in Windows 10/11 by default
Does that mean the /resetbase option “has no effect”, as it doesn’t produce any error and is documented at https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/clean-up-the-winsxs-folder?view=windows-11#:~:text=Use%20the%20/ResetBase%20switch%20with%20the%20/StartComponentCleanup%20parameter (and everywhere else that I can find).
Disabled “by default” must mean it can be enabled, right?
It has the same effect without that switch + it additionally makes installed updates permanent.
Yes, DisableResetbase registry (see above) can be changed to restore old behavior.
—
In Windows 10 v1903 and later, Cumulative Updates are service-pack alike each one directly replace inbox system packages and components meaning, when you run /StartComponentCleanup command or Update Cleanup from Disk Cleanup, it automatically remove inbox superseded components /ResetBase switch is not really needed for that.
It has the same effect without that switch + it additionally makes installed updates permanent.
If /ResetBase does that by default, it’s not really disabled is it?
Yes, DisableResetbase registry (see above) can be changed to restore old behavior.
What’s the difference between new and old behaviour?
Oh, hang on. Now you’ve said /ResetBase has no effect by default. That’s what I was trying to clarify before:
abbodi86 wrote:
resetbase is disabled in Windows 10/11 by defaultDoes that mean the /resetbase option “has no effect”, as it doesn’t produce any error and is documented…
Noticed you have a Dell Latitude that is still running well. Good to hear since I have several E6540s. Checking into what I would get in case I needed to replace it. I was advised that a 5540 would be an improvement over what I have. Are you familiar with the Latitudes and what the various series number mean (For example model numbers range from the 5000s to the 9000s). Would need a numeric keypad. Thanks.
After doing a Check for Updates and installing on Windows 10 22H2 the update package (2023-03 (KB5023696) seems to install and then returns to regular screen not requesting a restart ?? Tried Checking for updates again after the updates installed and then it came back to a Restart now button and screen and Tray ICON for pending restart. Did this on 2 different machines.
Also experienced the same behavior within update Windows 10 22H2…it downloaded the MRT tool, was installing that, then began to download the KB5023696 update…got to about 50% or so and the interface switched back to the check for updates button. I let it go for awhile, then clicked check for updates, as it was checking for updates, the “Restart” button appeared.
It appears the update went fine, I’ve just never experienced the update interface going back to check for updates, even though it was updating.
Thank you guys for letting us know you experienced this also. Askwoody is the only place I could find others seeing this behavior. The restart and everything else went fine, but odd update behavior I haven’t seen before while doing a cumulative update.
FYI
This weird behavior is also reported in Reddit/r/Windows10 – Cumulative Updates: March 14th, 2023 :
Quotes:
The Windows Update is acting weird today. It starts to install the update and suddenly displays the You’re up to date screen while the installation is still in progress. It already happend on three different computers.
If you close the settings and then reopen it, it’ll show what’s still in progress
Yes. The same happened to me.
HTH.
Clicking on check for updates also ‘helps’, after a bit of waiting the update process is shown again. It all feels quite shabby to me. Besides, after updating the print server crashed after logging in. Not much new here though, guess the world according to Microsoft is a printerless one. Oh well, last machines here slowly phasing out, already largely replaced by Mac’s en Linux systems.
I’ve seen this new behavior with the Windows Update interface on multiple Win10 21H2 machines. Downloading KB5023696, then pending install, then it appears that nothing is happening, then finally a pending restart, with restart notification. It’s a little unnerving. Since I don’t have time to sit there and watch every test machine as it goes through its paces I thought I was missing something… Good to know others have seen this new behavior.
Like, I saw WU was going to install the update, what happened to the install phase status?
I suspect that this could be their fix to the glitch we’ve seen with premature restart notifications when there is a .NET update also. The .NET update would finish first, and before the normal OS Q&S update would finish, a restart notification was triggered…. If you did restart at that time, it would trash the normal OS Q&S update, requiring you still apply it after the restart. Correct but inefficient. Not sure I like this new method though.
Basic research is what I am doing when I don't know what I am doing - Werner Von Braun
Hardened Windows user successfully installed:
KB5023706 Cumulative Update for Windows 11 Version 22H2 for x64-based Systems
KB890830 Windows Malicious Software Removal Tool x64 – v5.111
Now running Windows 11 Pro Version 22H2 (OS Build 22621.1413)
No hiccups.
My NAS got the push after Active Hours.
KB890830 Windows Malicious Software Removal Tool x64 – v5.111
Installed 3/14/23
KB5023696 Cumulative Update for Windows 10 Version 22H2 for x64-based Systems
Installed 3/16/23
Now running Windows 10 Pro Version 22H2 (OS Build 19045.2728)
On https://www.askwoody.com/wp-content/uploads/2023/03/2023-03-14-March.htm it says:
Version 22H2 5023706 3/14/2023 Defer Install IF you have 22H2 Cumulative update Note I recommend holding off and not installing the feature release
I am confused by the Install IF … followed by the Note. Which is it? Does mean do not install if on 21H2? If so, would that not be clearer? I am on 22H2. The reports of success are encouraging, but…
Hanging fire… advice appreciated.
[Moderator note:] please don’t “copy/paste” info from another web page as that will cause problems with how your reply appears (the unacceptable HTML code in your post was modified.)
Are you aware that MSRT has a telemetry ‘heartbeat’ sent to MSFT/ affiliate?
I killed MSRT off many years ago. As Win8.1 is now officially ‘out of support’ you may wish to consider the options to keep or block it..
To block it via the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
“DontOfferThroughWUAU”=dword:00000001
“DontReportInfectionInformation”=dword:00000001
I never really understood the significance of the telemetry “heartbeat” talked about here on AskWoody. I read people here saying they don’t really know what the “heartbeat” telemetry does or sends.
The Malicious Software Removal Tool, I thought, was necessary and a good thing. It is “an anti-virus tool that scans the computer for specific widespread malware and tries to eliminate the infection” isn’t it? So, in the past, I decided to go ahead with it.
I haven’t installed this months yet. I installed it last month when it appeared unexpectedly and another AskWoody’s member indicated they installed it with no problems. Now you got me reconsidering. Also, I try not to change the registry at all since it has been said, here, not to unless you know exactly what you’re doing and know how to back out if necessary.
Anyways,thanks for your response.
Magniber ransomware actors used a variant of Microsoft SmartScreen bypass
Financially motivated threat actors used an unpatched security bypass to deliver ransomware without any security warnings
(Patched with March updates)
Google’s Threat Analysis Group (TAG) recently discovered usage of an unpatched security bypass in Microsoft’s SmartScreen security feature, which financially motivated actors are using to deliver the Magniber ransomware without any security warnings. The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file contains a Mark-of-the-Web (MotW), which indicates a potentially malicious file has been downloaded from the internet.
TAG reported its findings to Microsoft on February 15, 2023. The security bypass was patched today as CVE-2023-24880 in Microsoft’s Patch Tuesday release.
TAG has observed over 100,000 downloads of the malicious MSI files since January 2023, with over 80% to users in Europe — a notable divergence from Magniber’s typical targeting, which usually focuses on South Korea and Taiwan. Google Safe Browsing displayed user warnings for over 90% of these downloads…
Now running Windows 11 Pro 22621.1413
2023-03 Cumulative Update for Windows 11 Version 22H2 for x64-based Systems (KB5023706)
2023-03 .NET 7.0.4 Update for x64 Client (KB5024672)
Windows Malicious Software Removal Tool x64 – v5.111 (KB890830)
All installed without incident.
--Joe
When I used WuMgr to hide this Patch Tuesday updates, it only found the Malicious Software Removal Tool and not the 2023-03 Cumulative Update, so I hid the MSRT and closed WuMgr, then re-ran WuMgr and it found the 2023-03 CU on the second time. I hid it also, now waiting for Patch Lady advice to install these March 2023 updates. Thank you early patchers for volunteering to be our community “Beta Testers” – your input, good or bad is appreciated. Hopefully no one has this picture experience…
Microsoft Mitigates Outlook Elevation of Privilege Vulnerability
Summary
Microsoft Threat Intelligence discovered limited, targeted abuse of a vulnerability in Microsoft Outlook for Windows that allows for new technology LAN manager (NTLM) credential theft. Microsoft has released CVE-2023-23397 to address the critical elevation of privilege (EoP) vulnerability affecting Microsoft Outlook for Windows. We strongly recommend all customers update Microsoft Outlook for Windows to remain secure.Impacted Products
All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected….
CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required.
The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication…
After doing a Check for Updates and installing on Windows 10 22H2 the update package (2023-03 (KB5023696) seems to install and then returns to regular screen not requesting a restart ?? Tried Checking for updates again after the updates installed and then it came back to a Restart now button and screen and Tray ICON for pending restart. Did this on 2 different machines.
Doesn’t happen when using WUmgr.
Installed on Windows 10 Pro 22H2.
Installation went smoothly.
No problems.
CU (2023-03 (KB5023696) installs “twice“. First ‘Servicing Stack’ and then Security updates.
* Strange : checking ‘uninstall updates’ I see KB5022502 installed :
February 14, 2023-KB5022502 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10, version 20H2, Windows 10 Version 21H2 and Windows 10 Version 22H2
which didn’t appear in WUmgr list of updates.
Hi Susan:
After doing a Check for Updates and installing on Windows 10 22H2 the update package (2023-03 (KB5023696) seems to install and then returns to regular screen not requesting a restart ??…
Windows Update successfully installed the following March 2023 Patch Tuesday updates on my Win 10 Pro v22H2 laptop and I haven’t noticed any negative effects so far:
The was no Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 for Win 10 Version 22H2 this month so I didn’t encounter the early “Restart Now” glitch that I’ve reported for some past Patch Tuesday updates (see my 24-Feb-2023 post # 2536955 in Here Comes February’s Valentines of Patches for one example).
I also didn’t see the late “Restart Now” glitch reported in this thread by arbrich and a few other Win 10 users, although I did notice that the entire download and installation process was a bit slow this month – the GUI appeared to get stuck for about 10 min at “Downloading – 100%” before the “Install Now” button was displayed even though Task Manager showed there was ongoing CPU and disk activity for the Windows Update service host. However, I just left it alone and eventually saw the prompt to “Restart Now“ (see attached image) about 25 min after the initial check for updates started.
The release notes <here> for KB5023696 indicate a Win 10 Servicing Stack Update (SSU) v19045.2664 was delivered this month (the previous SSU v19045.2300 was delivered in Dec 2022), but I have no idea if that’s why my Patch Tuesday updates took so long to run to completion this month.
———–
Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.2728 * Firefox v111.0.0 * Microsoft Defender v4.18.2301.6-1.1.20100.6 * Malwarebytes Premium v4.5.24.248-1.0.1944 * Macrium Reflect Free v8.0.7279
Windows monthly updates explained<
Did you enable “change” registry setting DisableResetbase?
Nope, just checked and it’s still set to 1 (i.e. disabled.)
However, I’ve never had that command generate any sort of error when I’ve used it and the size of the component store is always smaller (by ~6 — 8GB or so) after I run it so it’s obviously doing something.
Like I said, in that case, running /StartComponentCleanup with or without /ResetBase will have the same outcome.
For Windows 10 version 1903 and later, it will remove the superseded components nevertheless.
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Welcome to our unique respite from the madness.
It's easy to post questions about Windows 11, Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.
S | M | T | W | T | F | S |
---|---|---|---|---|---|---|
1 | 2 | |||||
3 | 4 | 5 | 6 | 7 | 8 | 9 |
10 | 11 | 12 | 13 | 14 | 15 | 16 |
17 | 18 | 19 | 20 | 21 | 22 | 23 |
24 | 25 | 26 | 27 | 28 | 29 | 30 |
31 |
Want to Advertise in the free newsletter? How about a gift subscription in honor of a birthday? Send an email to sb@askwoody.com to ask how.
Mastodon profile for DefConPatch
Mastodon profile for AskWoody
Home • About • FAQ • Posts & Privacy • Forums • My Account
Register • Free Newsletter • Plus Membership • Gift Certificates • MS-DEFCON Alerts
Copyright ©2004-2023 by AskWoody Tech LLC. All Rights Reserved.