Master Patch List as of November 8, 2022

Topic

New Reply

#PatchTuesday I’ve updated the Master Patch List for Tuesday’s releases. It’s too soon at this time for consumers to be making recommendations, I’m st
[See the full post at: Master Patch List as of November 8, 2022]

Susan Bradley Patch Lady

1 user thanked author for this post.

abbodi86

Reply | Quote

Replies

NONE of the November updates are seen by Windows Updates on my computer. It says I am up to date when I am not.

Microsoft has made changes in downloads from the Catalog (popups, etc look different). Hmmm…very strange. I found in Downloaded Programs on my D drive that KB5019959 downloaded SIX TIMES but gave NO indication of this odd behavior on my screen rather I had to go to This PC, D drive, and find them all there! Even more strange is KB 5020623 which appears to have been downloaded 25 times but no indication of that on my screen on MS Catalog site. Downloads of KB5020623 show as a new download of it EVERY MINUTE until 25 downloads of it completed!

It’s late and I need some sleep but word of warning….if you are on Windows 10 wait if Windows Updates doesn’t offer these…don’t do what I did and fetch them from MS catalog!

Reply | Quote

I tested November patches on my Windows Server 2022 which functions only as a WSUS server. I noticed that “Last Status Report” was not updating. Sure enough, there was a error in the Application log, Event ID 12002, “The Reporting Web Service is not working.”

I found that I could correct the error by going into IIS and restarting the application pool,  WsusPool. However, the problem would return on reboot. Removing the .Net update did not change the behavior. However, when I removed the November cumulative update, the problem was resolved. I have no idea what is causing this, but I have not seen other reports of this.

Reply | Quote

if you have this policy
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\
Network security: Configure encryption types allowed for Kerberos
Set to: AES 128, AES 256, Future encryption types

Hold off from patching your Domain Controllers!!

We broke our 2 test environments. All member servers are having kerberos authentication issues.
If you also have RC4 set in the policy, or don’t have this policy set at all you should be fine.
See 2nd part of Updates for Windows (Nov. 2022): Changes in Netlogon and Kerberos protocol – causing issues | Born’s Tech and Windows World (borncity.com), as of paragraph ‘Stop: Issues with gMSA and KDC’.

Reply | Quote

https://dirteam.com/sander/2022/11/09/knowledgebase-you-experience-errors-with-event-id-42-and-source-kdcsvc-on-domain-controllers/

Susan Bradley Patch Lady

Reply | Quote

hi,
The link doesn’t exactly describe the problem I’m facing. We were already blocking DES & RC4. Only AES128/128/future types were explicitly enabled in that policy.

I had a call with MS support this morning. They know about this problem and are working on a fix in a future update. Something with a conflict in library versions…
For now I can revert the changes to the kerberos encryption type by adding a registry value on the DCs and restart their kdc service:

reg add HKLM\System\currentcontrolset\services\kdc /t REG_DWORD /v ApplyDefaultDomainPolicy /d 0 /f
net stop kdc && net start kdc

After that I can patch them again. I indeed don’t see the KDC errors reappearing on the DCs, nor do the member server fail to apply GPOs.

In my 2nd test environment I left everything patched, but reverted policy setting ‘Network security: Configure encryption types allowed for Kerberos‘ back to undefined, deleted the corresponding registry key on the member servers and reboot (twice, cause the GPO is cached).
That also gets things going again.

Reply | Quote

https://dirteam.com/sander/2022/11/08/spend-some-time-on-properly-configuring-and-monitoring-your-domain-controllers-this-patch-tuesday/

Susan Bradley Patch Lady

Reply | Quote

“Version 1809/Server 2019” .NET list needs small correction
5020627 is for 3.5 and 4.7.2
5020615 is for 3.5 and 4.8

5018210 is unrelated

Reply | Quote

For Windows 10 – Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1, it appears that there are different parent KB numbers, depending on whether it’s for 21H1 or 22H2 and maybe for 20H2. The parent number is what WU delivers and what is recorded in Settings|Update & security|View update history.

I am 21H2. The parent KB number that WU delivered is KB5020687. The MS Catalog says that the KB5020801 in the Master Patch List is the parent KB number for 21H1.

But, it also appears what whatever the parent number, either KB5020613 (for 3.5 and 4.8) or KB5020623 (for 3.5 and 4.8.1) will be installed and listed in Control Panel|Programs|Programs and features|Installed Updates.

Reply | Quote

.NET Framework November 2022 Security and Quality Rollup Updates – .NET Blog (microsoft.com)

Totally spazzed out and missed that.  But yes as you indicated the parent is not the same but the installed is the same.

Susan Bradley Patch Lady

Reply | Quote

My experience with .NET Framework is this:

What is listed in Windows Update is the KB number for the .NET CU. It is a Rollup, a Bundle. This KB number shows in “Update History”

The Bundle (CU) contains individual updates for each version (or combination of versions) that may be installed on a computer. Each of these individual updates have KB numbers different from the Bundle.

What gets installed on the computer, and what shows in “Installed Updates,” is only the individual update(s) for the version(s) installed on the computer. So the Bundle KB number is not shown in Installed Updates.

Here are screenshots for 2022-11 on Win10. The CUs have different KB numbers for Win10 v.22H2 and v.21H2, but the individual updates contained in the CUs are the same
v.22H2 CU KB5020694 contains KB5020613 for .NET 3.5/4.8 and KB5020623 for .NET 3.5/4.8.1
v.21H2 CU KB502067 contains KB5020613 for .NET 3.5/4.8 and KB5020623 for .NET 3.5/4.8.1

2 users thanked author for this post.

Cijan, Mark

Reply | Quote

FYI

From Neowin :

1) Microsoft confirms domain sign-in, printing, and other issues in latest Windows updates

“Microsoft has updated its official Windows Health Dashboard documentation with new details about freshly detected bugs in Windows 10 and 11.”

2)Microsoft confirms problems with Direct Access on Windows 11 and 10

“Here is another confirmed bug in recent updates for Windows 10 and 11: besides all sorts of problems caused by authentication bugs, users might experience issues using the Direct Access feature after temporarily losing network connectivity or transitioning between Wi-Fi networks or access points.”

HTH.

1 user thanked author for this post.

b

Reply | Quote

Both only affect businesses:

1) “… It is worth noting that the bug does not appear on home devices that are not part of an on-premises domain.”

2) “… Regular home users with active VPN connections and apps for remote access are unaffected.”

Windows 11 Pro version 22H2 build 22621.1483 + Microsoft 365 + Edge

Reply | Quote

Direct access is only business/domain related.  None of the items Neowin pointed to are consumer/home impacts.

Susan Bradley Patch Lady

Reply | Quote

FWIW, most of  the Windows 8.1 updates for November installed correctly, albeit slowly.  The slowness could be due to aging hardware.  I did not install the cumulative update, nor the MSRT, as it is in my opinion, useless.  I think that Microsoft wants to know if I have pirated their software.  In the 9 years that I have used it, it has only deleted 2 files, and did not tell me what they were. I certainly did not pirate their software, at least knowingly.

All updates were made from the Windows Update Catalog, except the .NET update, which came from WU.  The Catalog has changed since September, and is not as easy to use.

BTW, what are “BB Codes”.  I assume that it does not refer to BBEdit, which I used a long time ago on a Mac  (OS7 and 8).

Mark

 

 

1 user thanked author for this post.

DrBonzo

Reply | Quote

Mark wrote:

BTW, what are “BB Codes”. I assume that it does not refer to BBEdit, which I used a long time ago on a Mac (OS7 and 8).

bbCode allows you to post special formats in the WordPress editor. Here is a list of bbCodes commands that work in AskWoody:
https://www.askwoody.com/forums/topic/forum-alphabetical-order-bbcode-list/

Carpe Diem {with backup and coffee}
offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
online▸ Win11Pro 22H2.22621.1413 x64 i5-9400 RAM16GB HDD Firefox112.0b3 MicrosoftDefender

Reply | Quote

I am not seeing the most current recommendation for moving from Win 10 21H2 to 22H2. Last I saw was a wait, and so I have. Will update 21H2 today to the recommened, but what about 22H2? And where should I monitor for changes in that advice?

 

Thanks.

Reply | Quote

This recommendation was made in yesterday’s Newsletter. Can’t get more recent than that.

Once again, I urge you to use InControl to keep yourself on the feature-release versions I recommend below:

• Windows 11 22H2: Not recommended

• Windows 11 21H2: If you have a Windows 11 PC, recommended

• Windows 10 22H2: Not recommended

• Windows 10 21H2: Recommended

Reply | Quote

Sorry, did not see it. Did look 🙂 I do stay on the feture releases as recommended. Which IS why I asked if that had changed.

Reply | Quote

You know, PK, just searched newsletters and STILL did not find that. Found lots of Apple. Defcon 3, but nothing as you have shown. Link? And wondering why I just did not see it more obviously.

Reply | Quote

Sorry, my bad. It was the last article in the Nov14th Newsletter.
But I think it was mentioned again in the DEFCON alert this morning (?).

Reply | Quote