MS-DEFCON 3: Should you patch? It depends.

Topic

New Reply

ISSUE 20.43.1 • 2023-10-24 By Susan Bradley The October updates have been either mildly annoying or downright hostile. Stop the presses: I’m urging ca
[See the full post at: MS-DEFCON 3: Should you patch? It depends.]

Susan Bradley Patch Lady/Prudent patcher

14 users thanked author for this post.

jburk07, Noel Carboni, WCHS, deuce120, Kathy Stevens, CADesertRat, rebop2020, abbodi86, J9438, DLivesInTexas, LHiggins, lmacri, Coldheart9020, Alex5723

Reply | Quote

Replies

Some of us received three updates, each of which triggered a reboot.

Multiple reboots never happen when using WUmgr.
WUmgr downloads and installs all updates and ask for reboot.

Reply | Quote

There’s no indication as to what operating system/s are affected by multiple boots post patching. I only experienced one reboot on four different W10 Pro devices this month using WUMgr and the native WU..

Win8.1/R2 Hybrid lives on..

Reply | Quote

Same here – one reboot. I am using Windows Update, not WUMgr.
But I wait till all updates have completed downloading/installing and request restart, before I do restart.

Reply | Quote

Exactly. Consider this condition, where the Cumulative update is installing and Reboot is requested. One hand doesn’t know what the other hand is doing and it puts up the reboot prompt prematurely.

[in a whiny voice] Coordinating things is so harrrrrrd.

-Noel

Reply | Quote

Hi Susan:

Regarding the comment about certain HP models in your MS-DEFCON alert:

Got an HP?

If you’ve been installing updates since July on certain HP computers and have been able to boot each month,review this month HP’s list of impacted models. Without a needed BIOS update, you may brick the computers and need a replacement system board….

Did you mean “… have not been able to boot..”?

Reply | Quote

I read it to mean (added text in bold)

If you’ve been installing updates since July on certain HP computers and have been able to boot each month up to now, review this month HP’s list of impacted models. Without a needed BIOS update, installing another Windows Cumulative update you may brick the computers and need a replacement system board….

Reply | Quote

With reference to Susan’s comment

“three updates, each of which triggered a reboot.”

Last month my download dropped down to a crawl of a few KB’s every few minutes. In desperation I did a restart and downloading took off to MBs’ every few minutes.

Same thing today’s update. This time I did not waste an hour and went ahead and did a restart after the download dropped to a crawl. After the restart almost a GB downloaded in a few minutes.

SO, apparently now there is actually a need for multiple reboots between the individual updates. Will this also be for the future? Who knows?

Reply | Quote

For me: Only one intermediate reboot (after .Net 6),and one at the end.

Otherwise uneventful.

Dell Inspiron 7580 i7 16GB Win 10 pro 22H2 (19045.3570), Microsoft 365 Version 2310 (16924.20088) Location: UK

Reply | Quote

Updated with no problems, one restart.

2023-10 Cumulative Update for Windows 11 Version 22H2 for x64-based Systems (KB5031354)

2023-10 Cumulative Update for .NET Framework 3.5 and 4.8.1 for Windows 11, version 22H2 for x64 (KB5031323)

Windows Malicious Software Removal Tool x64 – v5.118 (KB890830)

 

 

Edition Windows 11 Pro
Version 23H2
Installed on ‎10/‎19/‎2022
OS build 22631.2715

Reply | Quote

Two questions:

1. You are recommending to install 356 to Win 10 22H2 even though it may n ot install?
2. Does Gibson In COntrol just put a GUI to my blocking updates in Group Policy or does it do something else?

Thanks.

Reply | Quote

InControl only controls Product/Feature Updates (22H1 -> 22H2). It does not control monthly Cumulative Updates. InControl puts entries in the Registry that control the changes (like ProductVersion = Windows 10 orWindows 11 and TargetReleaseVersion = 22H1 or 22H2).

It does not control monthly Build changes (like 19045.3448 -> 19045.3570 or 22621.2283 -> 22621.2428)

Reply | Quote

Thanks. But not my question.

I CONTROL VERSIONS in GP now. Is this just a GUI for that feature or something in addition or else?

Reply | Quote

It is a GUI that does the same thing as the GP ProductVersion and TRV. But I think it may add some additional settings. I do not use it. Please refer to the GRC website for more information.

Reply | Quote

I did check GRC which was unclear. But what I don’t understand, PK is why take the time to reply when you do not know or have first hand expereince? Perhaps someone else would. But I emailed Steve to be sure. Could save three or 4 keystrokes when I need it if that is all it does.

 

 

Reply | Quote

My comment was informed. 6 settings.Try reading this (if you really want to know:

https://www.grc.com/Incontrol/details.htm

1 user thanked author for this post.

WCHS

Reply | Quote

That is helpful. Thanks. When I looked at GRC I only saw this description which I felt incomplete: https://www.grc.com/incontrol.htm

 

 

Reply | Quote

How does a “known-issue rollback” work?

Reply | Quote

See https://techcommunity.microsoft.com/t5/windows-it-pro-blog/known-issue-rollback-helping-you-keep-windows-devices-protected/ba-p/2176831

Reply | Quote

Hi @b:
About the “Known-issue rollback” link:

I read the information at the link. For me, KB5031356 is hidden in WUSHOWHIDE right now. As I understand the information in the link, when this CU is unhidden, it will be downloaded from the cloud. The downloaded CU will have the fix in it.

There’s something at Windows 10, version 22H2 update history — October 10, 2023—KB5031356 in the “Known Issues” section about a 48-hour wait. When I looked at this on Oct 12, it said that the device can’t be sleeping during this wait.

If my device was sleeping during the 48-hour wait,
a) should I do the Dism /online /cleanup-image /RestoreHealth? If so, do I issue this command before I unhide the CU? or after I unhide it? {In GP, I have Local Computer Policy | Computer Configuration | Administrative Templates | Windows Components | Windows Update > Configure Automatic Updates Enabled (2=notify for download and auto install) }.
b) should I do a Restart before I unhide it? or after I unhide it?

Reply | Quote

@WCHS

All good questions – me too.   What have you done regarding the October Updates?

My KB501148 .NET 4.8.1  update also disappeared from wushowhide.

Interesting though I have KB5031224 .Net October Cumulative Update in wushowhide, but I also still have KB5030180 .NET Cumulative Update from September that I never installed in wushowhide.  I would think the September CU would have disappeared being replaced by the October CU?  Doesn’t October CU include everything to-date?

Do I need to install both or just October CU?

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

Windows Update correctly detects the .NET Framework updates your computer needs.

Install whatever updates it offers you.

Reply | Quote

Tex265 wrote:

Do I need to install both or just October CU?

Follow PKCano’s advice above.

You might want to look at @Imacri ‘s post, most notably the screenshots from WU history and Uninstall an update. I suspect that KB5030180 will install KB5030649, its 4.8.1 child. If so, you will see KB5030649 in Installed updates, and not KB5030841, its 4.8 child.

Reply | Quote

@WCHS and @PKCano

Thanks, your answers address the .NET Framework items.

What  about the KB5031356 KIR questions?

WCHS wrote:

If my device was sleeping during the 48-hour wait

 

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

Reply | Quote

WCHS wrote:

I suspect that KB5030180 will install KB5030649,

Installed the September .NET.   Windows Update History shows KB5030180 installed.  Control Panel uninstall show KB5029923 as installed.

What about the KIR questions in #2596844 ?

Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)

1 user thanked author for this post.

WCHS

Reply | Quote

Hi @Tex265,
Did you install the October KB5031224? If so, what does Windows Update History show? And what does Control Panel Uninstall Updates show?

Reply | Quote

1 reboot here. win11, Home menu in settings has changed to show various ‘blocks’ containing stuff like cloud storage (which is convenient),  Bluetooth devices, personalize your device (why when there is already an option on the left hand menu), nagging about adding a phone number (used to show as a badge on the start menu), and nagging about Microsoft 365 (don’t even use as this computer is a gaming computer.)

Other than the above, no other noticeable changes. And no I rarely if ever use Edge, so Copilot probably got added too.

Reply | Quote

Really good timing Susan!

I manage several Hyper-V clusters with “many” guest VM’s running Server 2019/22 and this coming weekend is our scheduled cluster-aware patching date. We also use Veeam . . .

Looks like I might pause them until the MSFT and Veeam get their act together regarding the Oct ’23 CU for Server 2019 and 2022.

Thank you!

~ Group "Weekend" ~

Reply | Quote

WCHS wrote:

How does a “known-issue rollback” work?

How Known Issue Rollback works for the end user
When Microsoft decides to rollback a bug fix in an update because of a known issue, we make a configuration change in the cloud. Devices connected to Windows Update or Windows Update for Business are notified of this change and it takes effect with the next reboot.

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/known-issue-rollback-helping-you-keep-windows-devices-protected/ba-p/2176831

Reply | Quote

I have wondered about this for a while:

Every month before updating I run a system Image using Windows Backup & Restore (Windows 7).  At the end it always ask if I want to make a system repair disc.  Is there any reason to make a new sys repair disc every month?  How often should I make one?

Reply | Quote

Foothills Dave wrote:

Is there any reason to make a new sys repair disc every month?

No.  You should test your current repair disk(s) to make sure they will boot your computer.

Foothills Dave wrote:

How often should I make one?

If your repair disk(s) are valid, creating more is not necessary.

Win 10 home - 22H2
Attitude is a choice...Choose wisely

1 user thanked author for this post.

Foothills Dave

Reply | Quote

In the process of installing updates on a number of HP Windows 10 workstations and laptops.

So far, no intermediate reboot.

However, we had to disable the new ‘Search Highlights’ feature.

Reply | Quote

As happened with the September updates, The October updates (Susan gave a conditional go-ahead), My desktop icon text again has shadow font and once again I have tried all the ways that I can find through a google search. The “Visual Effects Performance Options” for drop shadows is unchecked, the registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced DWORD ListviewShadow is set to zero. I looked in group policy editor on the desktop, desktop and there is no longer a switch to disable the shadows.

My solution again was to roll back the updates which resolved the font shadows issue.

I did not receive any helpful suggestions to the last post so I am hoping someone can offer a true solution.

I am out of update pauses (will happen November 1st).

I am positioning myself to do a full rebuild of my “C” drive but would prefer not to do that.

Again, any suggestions?

Reply | Quote

The “Visual Effects Performance Options” for drop shadows is unchecked

In addition, uncheck the “Smooth edges of screen fonts,” which is two items above drop shadows. This smooth edges setting is actually the one that does the trick for this issue. It doesn’t seem like the drop shadows setting actually makes a difference.

I did notice that despite eliminating the shadow, the icon text font quality is still poor. I also saw this on Edge tab text. Uninstalling the last CU fixes this issue. Many other with this problem have uninstalled the CU and are waiting for MS to hopefully address it in a future update.

1 user thanked author for this post.

b

Reply | Quote

The “Use drop shadows …” off setting having no effect after the last couple of Windows 11 updates has been reported by many and submitted to the Feedback Hub:

Disable Desktop Icon Text shadows

How to stop Windows 11 from putting drop shadow on desktop icon label?

Icon drop shadow after Windows Update

Unable to remove shadows on desktop icon text

On a previous occasion (Windows 10), it was claimed that switching a high contrast theme on (at Settings, Accessibility, Contrast themes in Windows 11) and then off again as a workaround could eliminate it.

Reply | Quote

I also encountered this problem with the drop shadow on the icon captions.

The only other option is to roll back the update.  Otherwise you will have to restore the backup. (or live with the drop shadow).  Maybe Microsoft will restore the option in the next update – who really knows?

Mark

 

 

Reply | Quote

Just finished updating my PC running Windows 11 Pro 22H2. Patches installed using WUMgr, the system required only one reboot after the patches finished installing. In particular, the following were installed:

– KB5031354 – 2023-10 Cumulative update for Win11 22H2
– KB5031323 – 2023-10 Cumulative .NET Framework update for Win11 22H2
– KB890830 – MSRT update

The system is now at build no. 22621.2428 and everything seems to be working correctly. No apparent changes to my Start menu and no trace of Copilot (but I’m in the EU so Copilot might have not shown up for that reason).

On the other hand, I just realized that when I access the Settings window a new “Home” section (with annoying nagging to use a Microsoft Account) is shown by default rather then the “System” section. No idea if this is a change introduced with the October updates or something from earlier updates that I entirely missed. Looks pretty much useless btw: in addition to the (unnecessary) MS Account nag thing, this Home section offers access to screen customization settings, Bluetooth device settings and links to access some “Suggested settings”, i.e. stuff we can readily access from other tabs of the Settings window.

Reply | Quote

[Berserker79]

Now updated also my PC running Windows 10 Home 22H2. Patches installed using WUMgr, the system required only one reboot after the patches finished installing. In particular, the following were installed:

– KB5031356 – 2023-10 Cumulative update for Win10 22H2
– KB5032874 – .NET 6.0.24 Security Update (dated 24/10/2023)
– KB890830 – MSRT update

The system is now at build no. 19045.3570 and everything seems to be working correctly. I did have the search icon reset to a search box, but the system prompted me to confirm whether I wanted to keep that change or cancel and pressing “Cancel” brought back the search icon which was my setting.

• This reply was modified 1 month, 1 week ago by Berserker79. Reason: Corrected the KB numbers

Reply | Quote

Looks like Microsoft put out an out-of-band Security Update for ,NET 6 & 7

Latest Security Updates are ,NET 6.0.24 & .NET 7.0.13

https://github.com/dotnet/core/blob/main/release-notes/6.0/6.0.24/6.0.24.md?WT.mc_id=dotnet-35129-website

Might want to snag these before regular November Updates,

1 user thanked author for this post.

WCHS

Reply | Quote

“we failed to put the september updates in there”

Lovely.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

And the .Net blog at https://devblogs.microsoft.com/dotnet/ still shows an October 10 date

If you open the item and are observant you might notice this –

“10/24/2023: this post was revised to update the October 10, 2023 security releases. Today’s .NET 7.0.13 and .NET 6.0.24 releases contain the security fixes from our previous September release that were missing in the October release.”

Why they didn’t make the fix a currently dated, new item escapes me.

Reply | Quote

I noticed this evening that .NET 6.0.23 is gone from my WUSHOWHIDE and .NET 6.0.24 was in the WU queue, after which I hid it.

I wonder whether all of the dust has now settled with this October patch cycle!!

Reply | Quote

.NET 6.0.24 security patch

.NET 7.0.13 security patch

Reply | Quote

Home user, just a few weeks behind the latest version of Win10 Pro this morning. I needed two reboots and just under 20 minutes to get up-to-date today at 6:30pm Eastern, which is a bit annoying but not out-of-norm, for either MS or Apple in monthly updates, in my experience. I’d rather it be done right than done fast.

Then again, yes, Susan, M$ did re-introduce for me its Search window in the taskbar with this update, which I don’t want and have killed time and again. I do “love” it when a big corporation puts its own needs ahead of what its paying customers want.

Reply | Quote

Hmm. Again these multiple reboots are happening. I wonder, are people pushing the restart now button before the updates have finished installing again? Is your machine set to reboot automatically?

1 user thanked author for this post.

creem

Reply | Quote

Jim, every month my Windows 10 machine gets two or three Cumulative Updates which, due to their size, download and install at different speeds. Which means, more often than not, I’ll get more than one reboot message as each update completes, all of which I ignore, because the other updates are still downloading and installing. It isn’t until everything has been downloaded and installed that I finally hit the reboot button. Multiple downloads; one reboot.

Reply | Quote

Same here

Don't take yourself so seriously, no one else does 🙂
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

Reply | Quote

Same here. As long as I dont push that button until everything is finished I only get one reboot.

Reply | Quote

No issues with this month’s patches on Win 10 or 11.  Single reboots.  Only negative thing I saw was Microsoft’s anti-consumer decision to re-enable the taskbar search box on Win 10.

Reply | Quote

Did two laptops so far, one 11th gen Intel & one 12th gen. Win 11 pro 22H2.

Each initiated an intermediate reboot right after the black screen with spinner reached

“You’re almost there…30%”

As always, I was careful to let every component finish completely before giving it permission to restart. No problems noted on either post install.

Reply | Quote

Looong update for 356 tonight. A little more than 30 minutes from click update to desktop after install. Only one reboot. All seems fine. But slow. Seemed to stay on 22% and then 74% for long times.

Reply | Quote

In the September Master Patch List we we told to defer Office 2016 Patch Number 5002457 9/12/2023 but there is no mention of it in the current patch list. So is it okay to install it now or not?

Reply | Quote

Forgot to put this in the notes:

Ensure you install both KB5002498 and KB5002457.  That should get you to where you don’t see the error message.

Susan Bradley Patch Lady/Prudent patcher

2 users thanked author for this post.

Mike D, oldfry

Reply | Quote

Just a quick question – the list of HP laptops and computers  affected by the need for a BIOS update is the final list? I have an HP Envy laptop – not on the list, so it isn’t affected?  I’ve installed each monthly update as it came along – no issues with booting.

I really don’t want to mess around with a BIOS update if it isn’t needed, and just wanted to check to be sure that HP hasn’t added any models to that list.

Thanks!!

Reply | Quote

LHiggins

Have you installed HP Support Assistant on your HP Envy laptop?

If so, you can click on Updates and HP will advise you if you need a BIOS update.

We use this approach on all of our workstations and laptops.

1 user thanked author for this post.

LHiggins

Reply | Quote

Hi Kathy and thanks for this reminder! I do have the HP Support Assistant, but rarely have used it, so it was a good reminder for me! I did check and there are no updates showing, so I guess I am good to go with the October patches.

Thanks for the help and great suggestion!

LH

1 user thanked author for this post.

Kathy Stevens

Reply | Quote

This evening, 3 Desktop Win10 Pro 22H2 PC – Macrium backup – WUMGR Updates (Individual KB with restart as requested for each) – no issues.  NOTE for below – all these machines I always go back to WU and see what the screen pops as and it says you are Up to Date.

One DELL Inspiron 15 Win11 Pro 22H2 AMD – second Month with major issues.

Last Month – Added InControl – Had Target Feature set in Group Policy – Macrium backup – WUMGR Updates including 22H2 Feature Update (Individual KB with restart as requested) – check WU and “Up to date”.  Wanted to use CleanMgr to clean up leftover Feature Update remnants.  CleanMgr appeared to work properly.  Done, ready to Shut Down – system will not shutdown, stuck in restart loop.  Checked all power settings, researched online fixes (Some Dell owners with same issue after Updates).  Never could resolve, thought maybe too aggressive with Cleanmgr, MACRIUM restore to 21H2 and redid Feature Update and Sep Updates.  System cleared and restart loop cleared.

Tonight – Macrium Backup – WUMGR individual with restarts – ready shutdown, back to restart loop – checked WU and all October Updates shown as not installed.

This is work/school laptop so needed immediate fix, brought home and decided to let WU install what it wanted. WU did not indicate any “already installed” but the page cleared after restart but still in restart loop.  Opened WU one more time and no updates listed, still restart loop.  Tried one more Start Menu Shutdown and then one power button hold and system finally cleared.

I think for this machine next month I’m going to just let WU run after hiding any KB marked in the Master Patch list in time for WU daily to register the hides before letting it update and see if it completes w/o the restart loop.

 

Reply | Quote

In windows 10 and 11, if there are problematic patches can the user prevent the installation of patches until the next period by selecting ‘Resume updates’ and then quickly pausing updates for up to 5 weeks?

Reply | Quote

How to cheat pause

https://www.askwoody.com/forums/topic/is-there-a-way-to-cheat-pause-update/

Reply | Quote

Will the ‘resume then pause method’ I described work?

Some AI’s are confirming it will.

I’m eager to dig through the posts in that 3 year old link to find a solution that may not work today because of changes.

Thanks.

Reply | Quote

It still works.

1 user thanked author for this post.

MrToad28

Reply | Quote

In order skip the problematic Oct. updates, I implemented the RESUME UPDATES – PAUSE TO MAX TIME strategy on 3 Win10 Pro & 1 Win11 pro and it worked without a hitch. I did restore points  beforehand. In update settings I resumed updates, the pause button then shows available, hit pause several times and that’s it: Updates delayed till 12/9 by which time I hope Microsoft has fixed the issues.

Reply | Quote

Just updated. As always for me, 1 reboot. Everything seems normal, patching took a little while this time but nothing to unusual.

Reply | Quote

I am Win 10/Pro 22H2 on two PCs
Downloaded and installed these October Tuesday patches, one by one: — no problems so far::
1) KB5031356 CU from downloading to ‘Restart Now’ took 30 minutes. 2 cycles of 30% to 100% on the blue screen.
2) KB5031244 .NET Framework 3.5, 4.8, and 4.8.1 – from downloading to ‘Restart Now’ took 1 minute- one cycle on the blue screen
3) KB5022974 .NET 6.0.24 from downloading to ‘Restart Now’ took 1 minute- one cycle on the blue screen.
4) MSRT version 5.118-downloading and install was instantaneous – no Restart

sfc /verifyonly no integrity errors.

Now at Build 10.0.19045.3570 and SSU 19045.3562

Reply | Quote