MS-DEFCON 3: Issues with domains

Topic

New Reply

ISSUE 19.47.1 • 2022-11-22 By Susan Bradley November updates lead to side effects My usual advice regarding updates with known side effects is to wait
[See the full post at: MS-DEFCON 3: Issues with domains]

Susan Bradley Patch Lady

6 users thanked author for this post.

SueW, oldfry, lmacri, geekdom, Alex5723, abbodi86

Reply | Quote

Replies

Susan –

So from your alert does this mean you recommend installing Windows 10 22H2 for Home/Consumers? I’m currently on Windows 10 22H1.

I wish you would have stuck with your previous simple and clear warning/instruction:

• Windows 11 22H2: Not recommended
• Windows 11 21H2: If you have a Windows 11 PC, recommended
• Windows 10 22H2: Not recommended
• Windows 10 21H2: Recommended

Thanks

Custom Build - Intel i5 9400 5 Core CPU & ASUS TUF Z390 Plus Motherboard
Edition Windows 10 Home
Version 22H2 (OS build 19045.2251)

Reply | Quote

Same recommendations as in yesterday’s Newsletter.

Reply | Quote

Master Patch List @ AskWoody

I put the current recommendations at the top of the master patch list so there’s no misunderstanding.  Does that help?

Because I know some around here have moved to Win 10 22H2 that’s merely a comment that it’s a minor update and not as disruptive as Window 11 22H2.

 

Susan Bradley Patch Lady

Reply | Quote

@PKCano – Yesterday’s newsletter was about Apple iOS and the MS-Defcon was 2 not 3.

Custom Build - Intel i5 9400 5 Core CPU & ASUS TUF Z390 Plus Motherboard
Edition Windows 10 Home
Version 22H2 (OS build 19045.2251)

Reply | Quote

Yeah, my bad. It was the Nov 14th Newsletter. Did it get mentioned in this morning’s DEFCON alert?

Reply | Quote

I, also, am unclear.  Ok to install win10 22H2?    or wait till defcon number gets to 4 or 5?

1 user thanked author for this post.

blueboy714

Reply | Quote

I believe Susan’s recommendations have NOT changed.

1 user thanked author for this post.

Susan Bradley

Reply | Quote

@PKCano – I was quoting the 11/14 newsletter in my original post – but Susan’s 11/21 seems to have changed recommendations and is now quite cryptic – unlike the 11/14 newsletter which was straight to the point.

Custom Build - Intel i5 9400 5 Core CPU & ASUS TUF Z390 Plus Motherboard
Edition Windows 10 Home
Version 22H2 (OS build 19045.2251)

Reply | Quote

Until Susan makes a clear statement that any 22H2 is OK, stay with 21H2.

Reply | Quote

I’m unclear as to when to apply the

DISM /Online /Set-OSUninstallWindow /Value:60

command. Should it be done before updating to Win11, or after the update but before the default 10-day uninstall window expires? On my current Win10 22H2 system, I do get the Error 1138 when I attempt to apply it.

Reply | Quote

I would do it before and then check it again if you move to 11.

Susan Bradley Patch Lady

1 user thanked author for this post.

rbailin

Reply | Quote

PKCano wrote:

I believe Susan’s recommendations have NOT changed.

OK as a home/consumer user – Windows 10 22H2 Not recommended.

But are Windows 10 22H1 updates recommended?

Like I said Susan’s newsletter this week is quite cryptic.

Custom Build - Intel i5 9400 5 Core CPU & ASUS TUF Z390 Plus Motherboard
Edition Windows 10 Home
Version 22H2 (OS build 19045.2251)

Reply | Quote

I give guidance to both consumers and businesses.

Businesses – and especially those that patch Domain controllers HAVE to install an out of band manual patch in order to ensure they don’t see side effects.

Consumers – I’m not seeing major issues.  I try to put the summarized recap on the master patch list page in case I’m a bit more cryptic than I mean to be.

Susan Bradley Patch Lady

2 users thanked author for this post.

MrToad28, blueboy714

Reply | Quote

We have not patched our Domain Controller, but nearly all client computers in our org have this “start menu/win. components bug” after the latest Windows Updates. Is it related to the DC Kerberos issue somehow? https://learn.microsoft.com/en-us/answers/questions/1081681/after-the-last-update-every-component-of-windows-s.html

Reply | Quote

There was no Windows 10 22H1 release.

Reply | Quote

We’re skipping the November updates for our server and workstations and will wait for December updates.

Reply | Quote

BleepingComputer is reporting possible issues with the OOB update related to LSASS memory leaks causing freezing and crashes, unless Microsoft makes another cumulative update fixing that. I’m thinking about bypassing this month’s update + OOB update.

Here is the link: https://www.bleepingcomputer.com/news/microsoft/new-windows-server-updates-cause-domain-controller-freezes-restarts/

Reply | Quote

4 hours to download all November non-Preview updates with three reboots. Now on Windows Home 10 22H2 OS build 19045.2251 with no problems. Thanks, Susan!

Reply | Quote

The Windows 10, version 22H2 feature update is entering its final rollout phase and is now designated for broad deployment. As part of the broad deployment phase, Microsoft is offering this update to an expanded set of eligible devices running Windows 10, version 20H2 and later versions.

Reply | Quote

Business patcher here. I installed November updates Monday night. No issues reported. Just deployed a script to check these two events in the System log:

Microsoft-Windows-Kerberos-Key-Distribution-Center – 14 – Error
Kdcsvc – 42 – Error

No reports coming back. In fact, on one DC that I checked, Kdcsvc isn’t even registered as an Event Source. I wondered if they meant KdsSvc.

What I’m unclear on, even if there were issues, would installing the applicable out-of-band updates fix the issues, or do I have to go through all the steps and scripts in those two DirTeam articles to mitigate manually?

[Insert another gripe about frequent OOB updates and long mitigation articles. How is one supposed to manage a few small servers in this break-now-fix-later environment? Synology? Azure?]

 

Reply | Quote

If you have reset your Kerberos password on a regular basis you may be going “what issues?’   I would recommend reviewing the resources here, here and here.

Susan Bradley Patch Lady

Reply | Quote

Windows 10 Pro. 21H2 , Home user. Installed  November update no issues.

Reply | Quote

Another Business Patcher here. Have a 2012R2 Domain Controller I need to patch.

If I have NOT installed the November updates yet have they fixed the updates that are being offered and I can I just install now and not worry about the additional manual update or do they not fix the broken updates that are offered and we just need to do both ??

Thanks for any feedback.

 

 

Reply | Quote

2012 R2 – you have to install the November update AND the out of band patch.

On each Domain Controller running Microsoft Windows 2012 R2, perform these steps:

Install the November 8, 2022 Monthly Rollup update for Windows Server 2012 R2 (KB5020023) or install the November 8, 2022 Security-only update for Windows Server 2012 R2 (KB5020010). Restart the Domain Controller.

Download the 36 MB weighing Out-of-band update for Windows Server 2012 R2: November 17, 2022 (KB5021653) manually from the Microsoft Update Catalog. Install it and restart the Domain Controller afterward.

See – HOWTO: Install the most recent Updates on your Domain Controllers – The things that are better left unspoken (dirteam.com)

 

Susan Bradley Patch Lady

1 user thanked author for this post.

arbrich

Reply | Quote

For what it’s worth I’ve been running Windows 10 22H2 on my powerful development workstation for weeks now and I haven’t had many problems with it. It’s been surprisingly stable and glitch-free, and I’ve been pushing it hard doing business management, code development, engineering builds, product testing, etc. and also benchmarking a lot (heating the CPU way up) to see which performance tweaks are most effective.

-Noel

2 users thanked author for this post.

Cybertooth, Microfix

Reply | Quote

In a (multi-OS) homeuser capacity, I’ve also noticed stablity/performance is as good as 21H2 with W10 22H2 since upgrading a day after general release and that’s for both 32bit and 64bit Pro editions.

Keep IT Lean, Clean and Mean!

1 user thanked author for this post.

MrToad28

Reply | Quote

With 2 updates remaining after this update of Win 8.1 🙁

November patches installed with no problems to report on Win 8.1. 🙂

Installation Successful: Windows successfully installed the following update: 2022-11 Security and Quality Rollup for .NET Framework 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 for x64 (KB5020690)

Installation Successful: Windows successfully installed the following update: 2022-11 Security Monthly Quality Rollup for Windows 8.1 for x64-based Systems (KB5020023)

Win 10 ver. 22H2 x64

1 user thanked author for this post.

DrBonzo

Reply | Quote

Same results here on an 8.1 pro.

1 user thanked author for this post.

JD

Reply | Quote

Thanks!

Reply | Quote

“Patch reliability is unclear, but widespread attacks make patching prudent”

I guess I may have missed it, but what widespread attacks are home users with Windows 10 version 21H2 seeing?

It’s a bit earlier than usual in the monthly cycle to be running the updates, meaning that it could cause a problem next month when the 35 days pause expires earlier than usual.  I appreciate that no major issues have been tracked for such users this month, but what widespread attacks if any are we talking about for such users?

I’m wondering whether the split between business and home users, and Windows 8.1/10 and 11, not to mention different versions, are making a single DefCon rating problematic these days.

1 user thanked author for this post.

Cybertooth

Reply | Quote

It’s near the end of the month.   With the Thanksgiving holidays the extra days gives you time to install updates.

As far as active attacks:

Windows scripting attacks – CVE-2022-41128 – Security Update Guide – Microsoft – Windows Scripting Languages Remote Code Execution Vulnerability used in browser based attacks

Windows mark of the web – CVE-2022-41091 – Security Update Guide – Microsoft – Windows Mark of the Web Security Feature Bypass Vulnerability fixes an issue where an attacker can make a ‘mark of the web’ download not let you know it’s from the web

Print spooler CVE-2022-41073 – Security Update Guide – Microsoft – Windows Print Spooler Elevation of Privilege Vulnerability also seen in active attacks

CVE-2022-41125 – Security Update Guide – Microsoft – Windows CNG Key Isolation Service Elevation of Privilege Vulnerability This final one is more network-y based.

Honestly by this time of the month, especially with holidays, black friday shopping, I want your systems to be patched up.  I don’t find the single DefCon problematic. It’s batten down the hatches time.

Susan Bradley Patch Lady

2 users thanked author for this post.

geekdom, Seff

Reply | Quote