Microsoft says they made a mistake with that Autopilot sorta-security patch rollout

Topic

New Reply

Thanks, Julia. PaulSey… Microsoft Employee | Forum Owner Replied on October 25, 2019 A Windows Autopilot update, which was targeted as part of the o
[See the full post at: Microsoft says they made a mistake with that Autopilot sorta-security patch rollout]

1 user thanked author for this post.

abbodi86

Reply | Quote

Replies

They could have gone retro and used an dolled-up animation of “Clippy” to deliver the old SNL line from Gilda Radner’s Emily Littella character saying “Never mind”….  At least that would have shown a degree of apologetic recognition with a bit of humor, but the approach actually taken had none, and no class whatsoever.

Reply | Quote

Windows Auto Pilot eh? I think some one at Redmond’s update central Dept. must be on Auto Pilot or another glitch in the much vaunted AI technology.

@Woody postulated some time back that during the summer vacations in Redmond the Patch flow may, to say the least, be somewhat erratic. Are they all still on Vacation? 😉

Reply | Quote

[Alex5723]

No action is required on your part.

Does it mean that Microsoft will uninstall KB 4523786 automatically from home users/not on domain, PCs ?

• This reply was modified 3 years, 5 months ago by Alex5723.

Reply | Quote

It doesn’t appear that way.

Every indication I have seen is that the patch doesn’t break anything, even on Home systems, so they aren’t going to clean it up.

Presumably it’ll be included in some future cumulative update.

Reply | Quote

woody wrote:

I have seen is that the patch doesn’t break anything

Not breaking anything doesn’t mean it doesn’t use resources or phone home…

1 user thanked author for this post.

KevinG3

Reply | Quote

[warrenrumak]

The only resources this update will use is a bit of disk space — a few hundred kb, to be exact.  It doesn’t “install” Autopilot.

Windows Autopilot is only for initial configuration of a computer when it is first used.  It is a replacement for Sysprep.

The short, short version is that when you’re a large company buying lots of computers from Dell, Lenovo or whoever, it can save you a bunch of setup time.  If you’re an IT admin, it’s pretty straightforward.

1. You configure Autopilot in Azure — what AD domain to join, what software to install, and other security policies.
2. You arrange with Lenovo to ship you machines that are preconfigured with Autopilot.
3. Lenovo provides a list of device Ids to you, which you register with the Autopilot service on Azure.
4. Lenovo can ship the machines directly to your users; you don’t need to have your IT staff intercept them, delete the preinstalled Windows, and install your own image.
5. When the user starts the machine for the first time, it downloads any available updates to Autopilot (i.e. this cumulative update), reboots, then everything gets configured.  Domain join, applications, settings, mobile device management, security, etc.  All the user has to do is type their name/password.

That’s it.  Now you’ve got a regular domain-joined machine like you’ve been doing with Active Directory for the last 20 years.  And with MDM configured, you can wipe/reload a machine remotely in the event of theft or whatever.

Maybe you can see how none of this would work on Windows 10 Home.  There’s just too many missing pieces in the Home version of the OS.

 

 

• This reply was modified 3 years, 5 months ago by warrenrumak.

5 users thanked author for this post.

KevinG3, abbodi86, Woody Leonhard, BillBecker, b

Reply | Quote

It actually update inbox Autopilot components, which exist even in Home editions

Reply | Quote

Sure — but only in the sense that all the components of Pro are included with every install of Home, but aren’t actually installed unless you upgrade to Pro.

Also worth noting that when you install cumulative updates to Windows 10, it’s applying the security fixes to all components, whether they are currently installed or not.

 

Reply | Quote

I’m aware of that 🙂

but in thise case, the files (which kb4523786 updates) are really part of Home edition, not just staged to Pro edition

Reply | Quote

[jhvance]

Upon booting this morning, Glasswire identified an app named “yourphone.exe” as making some inbound/outbound interaction briefly — this appears as a Microsoft product in a hidden folder (C:\Program Files\WindowsApps).  There are a large number of other applets within the hidden folder which appear to be MS-derived; the folder’s owner is “TrustedInstaller”, and so may be legitimate.  Still doesn’t give me much comfort…

• This reply was modified 3 years, 4 months ago by jhvance.

Reply | Quote

Sure. It’s behaving normally and correctly.

All UWP applications are installed in the WindowsApps directory.  It’s owned by TrustedInstaller, not Administrators, in order to avoid tampering by other applications — in pretty much the same way that the Windows directory is designed to be tamper-proof.

We went through 20 years of Windows applications being able to stomp all over eachother without your knowledge or consent.  Part of the design of UWP’s security model is to stop that.

 

2 users thanked author for this post.

KevinG3, jhvance

Reply | Quote

Hi Warren,

Having been one of the first to notice and post about this, and then having researched what, exactly, it’s supposed to do, I found your explanations above to be a good bit clearer than the brief MS versions of said same (short of reading a novel, which was their other choice).
While many of us find it hard to believe that MS isn’t also  tossing in a work around to better hide some new form of data collection, I always find comfort that someone out here seems to have a reasonable handle on the latest mystery and is willing to share what they know
Thanks again, much appreciated

Reply | Quote