ISSUE 19.47.1 • 2022-11-22
By Susan Bradley
November updates lead to side effects
My usual advice regarding updates with known side effects is to wait
[See the full post at: MS-DEFCON 3: Issues with domains]
Susan Bradley Patch Lady/Prudent patcher
Susan –
So from your alert does this mean you recommend installing Windows 10 22H2 for Home/Consumers? I’m currently on Windows 10 22H1.
I wish you would have stuck with your previous simple and clear warning/instruction:
Thanks
Custom Build - Intel i5 9400 5 Core CPU & ASUS TUF Z390 Plus Motherboard
Edition Windows 10 Home
Version 22H2
OS build 19045.3086
I put the current recommendations at the top of the master patch list so there’s no misunderstanding. Does that help?
Because I know some around here have moved to Win 10 22H2, that’s merely a comment that it’s a minor update and not as disruptive as Windows 11 22H2.
Susan Bradley Patch Lady/Prudent patcher
@PKCano – I was quoting the 11/14 newsletter in my original post – but Susan’s 11/21 seems to have changed recommendations and is now quite cryptic – unlike the 11/14 newsletter which was straight to the point.
Custom Build - Intel i5 9400 5 Core CPU & ASUS TUF Z390 Plus Motherboard
Edition Windows 10 Home
Version 22H2
OS build 19045.3086
I’m unclear as to when to apply the
DISM /Online /Set-OSUninstallWindow /Value:60
command. Should it be done before updating to Win11, or after the update but before the default 10-day uninstall window expires? On my current Win10 22H2 system, I do get the Error 1138 when I attempt to apply it.
I believe Susan’s recommendations have NOT changed.
OK as a home/consumer user – Windows 10 22H2 Not recommended.
But are Windows 10 22H1 updates recommended?
Like I said Susan’s newsletter this week is quite cryptic.
Custom Build - Intel i5 9400 5 Core CPU & ASUS TUF Z390 Plus Motherboard
Edition Windows 10 Home
Version 22H2
OS build 19045.3086
I give guidance to both consumers and businesses.
Businesses – and especially those that patch Domain controllers HAVE to install an out of band manual patch in order to ensure they don’t see side effects.
Consumers – I’m not seeing major issues. I try to put the summarized recap on the master patch list page in case I’m a bit more cryptic than I mean to be.
Susan Bradley Patch Lady/Prudent patcher
We have not patched our Domain Controller, but nearly all client computers in our org have this “start menu/win. components bug” after the latest Windows Updates. Is it related to the DC Kerberos issue somehow? https://learn.microsoft.com/en-us/answers/questions/1081681/after-the-last-update-every-component-of-windows-s.html
BleepingComputer is reporting possible issues with the OOB update related to LSASS memory leaks causing freezing and crashes, unless Microsoft makes another cumulative update fixing that. I’m thinking about bypassing this month’s update + OOB update.
Here is the link: https://www.bleepingcomputer.com/news/microsoft/new-windows-server-updates-cause-domain-controller-freezes-restarts/
The Windows 10, version 22H2 feature update is entering its final rollout phase and is now designated for broad deployment. As part of the broad deployment phase, Microsoft is offering this update to an expanded set of eligible devices running Windows 10, version 20H2 and later versions.
Business patcher here. I installed November updates Monday night. No issues reported. Just deployed a script to check these two events in the System log:
Microsoft-Windows-Kerberos-Key-Distribution-Center – 14 – Error
Kdcsvc – 42 – Error
No reports coming back. In fact, on one DC that I checked, Kdcsvc isn’t even registered as an Event Source. I wondered if they meant KdsSvc.
What I’m unclear on, even if there were issues, would installing the applicable out-of-band updates fix the issues, or do I have to go through all the steps and scripts in those two DirTeam articles to mitigate manually?
[Insert another gripe about frequent OOB updates and long mitigation articles. How is one supposed to manage a few small servers in this break-now-fix-later environment? Synology? Azure?]
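A check along the lines of the one described in the post above, as an added example (not the poster's script): it looks in the System log of one or more Domain Controllers for the two provider/event ID pairs named there. The function name, parameter names and the November 8, 2022 default start date are assumptions chosen for illustration, and the account running it is assumed to have rights to read the remote event logs.

```powershell
# Added example; function and parameter names are hypothetical.
function Get-KdcPatchSideEffectEvent {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Assumed default: the November 8, 2022 update release date.
        [datetime]$Since = [datetime]'2022-11-08'
    )

    # Provider name / event ID pairs exactly as listed in the post.
    $targets = @(
        @{ Provider = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'; Id = 14 },
        @{ Provider = 'Kdcsvc'; Id = 42 }
    )
    # Round-trip ("o") format yields the UTC timestamp form used in event XPath queries.
    $sinceUtc = $Since.ToUniversalTime().ToString('o')

    foreach ($computer in $ComputerName) {
        foreach ($t in $targets) {
            # The XPath filter matches the provider name recorded in each event,
            # so the query does not depend on the provider being registered as
            # an event source on the host (the Kdcsvc case raised in the post).
            $xpath = "*[System[Provider[@Name='$($t.Provider)'] and (EventID=$($t.Id)) " +
                     "and TimeCreated[@SystemTime>='$sinceUtc']]]"
            try {
                Get-WinEvent -ComputerName $computer -LogName System `
                             -FilterXPath $xpath -ErrorAction Stop |
                    Select-Object @{ n = 'Computer'; e = { $computer } },
                                  TimeCreated, ProviderName, Id, LevelDisplayName, Message
            }
            catch {
                # "No matching events" is the healthy result; report anything else
                # (host unreachable, access denied) so silence is not misread.
                if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                    Write-Warning "$computer / $($t.Provider): $($_.Exception.Message)"
                }
            }
        }
    }
}

Get-KdcPatchSideEffectEvent | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

An empty result with no warnings means neither event was logged since the start date; a warning means the host could not be queried, which is different from "no reports coming back".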
Another Business Patcher here. Have a 2012R2 Domain Controller I need to patch.
If I have NOT installed the November updates yet, have they fixed the updates that are being offered, so that I can just install now and not worry about the additional manual update? Or do they not fix the broken updates that are offered, and we just need to do both?
Thanks for any feedback.
2012 R2 – you have to install the November update AND the out of band patch.
On each Domain Controller running Microsoft Windows 2012 R2, perform these steps:
Install the November 8, 2022 Monthly Rollup update for Windows Server 2012 R2 (KB5020023) or install the November 8, 2022 Security-only update for Windows Server 2012 R2 (KB5020010). Restart the Domain Controller.
Download the 36 MB weighing Out-of-band update for Windows Server 2012 R2: November 17, 2022 (KB5021653) manually from the Microsoft Update Catalog. Install it and restart the Domain Controller afterward.
Susan Bradley Patch Lady/Prudent patcher
For what it’s worth I’ve been running Windows 10 22H2 on my powerful development workstation for weeks now and I haven’t had many problems with it. It’s been surprisingly stable and glitch-free, and I’ve been pushing it hard doing business management, code development, engineering builds, product testing, etc. and also benchmarking a lot (heating the CPU way up) to see which performance tweaks are most effective.
-Noel
In a (multi-OS) homeuser capacity, I’ve also noticed stability/performance is as good as 21H2 with W10 22H2 since upgrading a day after general release and that’s for both 32bit and 64bit Pro editions.
With 2 updates remaining after this update of Win 8.1 🙁
November patches installed with no problems to report on Win 8.1. 🙂
Installation Successful: Windows successfully installed the following update: 2022-11 Security and Quality Rollup for .NET Framework 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 for x64 (KB5020690)
Installation Successful: Windows successfully installed the following update: 2022-11 Security Monthly Quality Rollup for Windows 8.1 for x64-based Systems (KB5020023)
Win 10 ver. 22H2 x64
“Patch reliability is unclear, but widespread attacks make patching prudent”
I guess I may have missed it, but what widespread attacks are home users with Windows 10 version 21H2 seeing?
It’s a bit earlier than usual in the monthly cycle to be running the updates, meaning that it could cause a problem next month when the 35 days pause expires earlier than usual. I appreciate that no major issues have been tracked for such users this month, but what widespread attacks if any are we talking about for such users?
I’m wondering whether the split between business and home users, and Windows 8.1/10 and 11, not to mention different versions, are making a single DefCon rating problematic these days.
It’s near the end of the month. With the Thanksgiving holidays the extra days gives you time to install updates.
As far as active attacks:
Windows scripting attacks: CVE-2022-41128, Windows Scripting Languages Remote Code Execution Vulnerability, used in browser-based attacks.
Windows mark of the web: CVE-2022-41091, Windows Mark of the Web Security Feature Bypass Vulnerability, fixes an issue where an attacker can make a ‘mark of the web’ download not let you know it’s from the web.
Print spooler: CVE-2022-41073, Windows Print Spooler Elevation of Privilege Vulnerability, also seen in active attacks.
CVE-2022-41125, Windows CNG Key Isolation Service Elevation of Privilege Vulnerability. This final one is more network-y based.
Honestly by this time of the month, especially with holidays, Black Friday shopping, I want your systems to be patched up. I don’t find the single DefCon problematic. It’s batten down the hatches time.
Susan Bradley Patch Lady/Prudent patcher