• MS-DEFCON 4: A mixed bag for May


    • This topic has 55 replies, 24 voices, and was last updated 3 weeks ago by anonymous.
    #2448670

    ISSUE 19.21.1 • 2022-05-24 By Susan Bradley Good news! Most consumer and home users should be just fine after installing this month’s updates. I’m not
    [See the full post at: MS-DEFCON 4: A mixed bag for May]

    Susan Bradley Patch Lady

    9 users thanked author for this post.
    • #2448695

      This was the weirdest update ever on this four years, five months old Windows 10 Pro computer 21H2. When I saw Defcon 4 here about an hour ago, I immediately tried to do a cumulative update for this computer (from the last cumulative update for April to this current May one).

      I use Winaero Tweaker for many years now on various versions of Windows. So, I unchecked the box in it that, when checked, stops willy-nilly Windows updates and then I rebooted and was offered KB4023057. I got it installed, rebooted and to my consternation Windows Updates said I was up to date! No, I have the APRIL cumulative update not May so what the….???

      I had to go to the Microsoft Catalog website and search for the May cumulative update and then download and install it manually. I don’t mind doing that at all but what has me puzzled and a bit concerned is that Windows Update was insisting that this computer was UP TO DATE when it had ONLY the April cumulative update installed…not the May one! Has Microsoft fiddled with Windows Update and checking for new updates from a Windows 10 computer in the last month? Or is my computer getting wacky because of its age? I have always bought a new desktop in the past when a computer reached four years of age. I didn’t this time and it is almost 4 and one-half years old now. Plus, I have never needed in the past to wait a day or more with the box in Winaero Tweaker blank for stopping Windows Updates. In the past, all I needed to do was remove that checkmark and reboot and Windows Updates would IMMEDIATELY begin downloading any available updates like a cumulative update (I never update drivers through WU).

      When I removed the checkmark in Winaero Tweaker so that WU was free to offer/download available updates this time all it offered was KB4023057. Windows Updates seemed oblivious to the fact that I did NOT have the May Windows 10 Cumulative Update and did not offer it. Weird. Plus, WU claimed I was up to date when obviously I was not!

    • #2448673

      so if i understand correctly after updating my win 10 21h1 on my home PC version 19043.1706 is the latest build?

      many thanks in advance.

    • #2448692

      That was interesting. Windows decided not to reenable dotnet after update.

      Windows 11 21H2

      Binisoft Firewall Control was running with no problems before update.

      After update. WFC refused to start. Error 0xc0000135. It also refused to run the installation file.

      The cure was to

      1. open the run box
      2. enter optionalfeatures
      3. check .net options and click OK.

       

      Sigh! Update  fiddled with WFC firewall settings. I’ll need to run through the process of checking all the ‘experience’ things remain off.

    • #2448712

      I’ll leave updates as usual for a few more days, I like to let others take the initial plunge when the DefCon changes so I can see how they fare!

      On the subject Susan mentions of “dribble” mode, the one new thing I’ve noticed is that a couple of days ago I saw a new round icon on the taskbar which turned out to be a reference to “Your location is currently in use”. I disabled it under the Win10 privacy settings and haven’t seen it since, nor have I experienced any issues from having disabled it. Is that one of the new things being “dribbled” onto our machines? I can’t think of any other reason why it would have appeared all of a sudden.

    • #2448744

      I had posted a few months ago about problems with Windows Update where WU would download and install the first update and wait for a restart before installing other updates. Today I installed the May updates to my Windows 10 Professional 64-bit 21H2 system. WU downloaded and installed the .NET update (which this month was not a preview), and then finished and installed the monthly MRT update. When WU told me that the Win 10 cum upd had been downloaded 100%, I noticed that the Task Manager Internet graph was still showing constant 4Mb download. I waited 15-20 minutes until the download activity stopped, and then WU installed the downloaded Win 10 update. So, as I had seen previously in Win 7, Windows Update erroneously tells me that an update is 100% downloaded, when the update is still being downloaded. If I wait until the download stops, then the update gets installed, even when the first installed update is waiting for a reboot. My system has been up for about 1/2 hour, so I have not had time to experience any problems.

      • #2448757

        With Win10, the SSU is bundled with the CU and you don’t see it.
        I suspect what you are seeing in WU is the SSU downloading and installing first (that’s the first 100% you see) then the CU installs taking longer (the second 100%).
        After the CU installs is when you need to restart, not the first time you see 100%.

        1 user thanked author for this post.
    • #2448764

      For a long time now I’ve been following Susan’s advice to defer installment of KB4023057. In the latest May Update sheet ( 5/24/2022) it now says to install this update.

      What changed?

      Thanks,

      Marc

      2 users thanked author for this post.
      • #2448771

        Ooops I got cut and paste happy.  I’ll fix, that should be defer.

        Susan Bradley Patch Lady

        1 user thanked author for this post.
        • #2448777

          Thanks, thought I’d check first!

        • #2449954

          Thanks for the work you always do on your patching recommendations. I rely upon your advice. I appreciate the updates to defer (rather than install) KB5005463 and KB4023057.

          I usually go straight to the links to the monthly recommendation listings. For instance, MAY UPDATES … May 24, 2022 … Consumers and Businesses …  Those links need to be updated with your latest version to defer those two patches.

          Thanks for helping us manage Windows patching.

          Win 10 Pro 64-bit 21H2, Office 2019.
          Win 7 Pro 64-bit, Office 2010.
          Nethermost of the technically literate.

        • #2449973

          I did update it?

          Susan Bradley Patch Lady

        • #2450864

          Links were updated at the top of the Master Patch List article https://www.askwoody.com/patch-list-master/ but not down where MAY UPDATES are listed. Specifically, May 24, 2022 … Consumers and Businesses … links to the original patch list files for May 24, 2022:

          For example https://www.askwoody.com/wp-content/uploads/2022/05/2022-05-24-May.xlsx

          I’m suggesting that these should be the same as you updated at the top of the Master Patch List.

          For example https://www.askwoody.com/wp-content/uploads/2022/05/2022-05-24-May-1-1.xlsx

          Maybe just copy a single line from the top?

          Win 10 Pro 64-bit 21H2, Office 2019.
          Win 7 Pro 64-bit, Office 2010.
          Nethermost of the technically literate.

    • #2448789

      Win 10 Pro 21H2. Quick query: Master Patch list reco’s installing quite a list under ‘.NET core/NET 5.0’ . I have never been offered these. Do I need to install any of those, if so how? (I have ‘get updates for other Microsoft..’ turned off.) I do have KB5013642 .Net framework for 3.5 & 4.8 in winshowhide.

    • #2448794

      I have never been offered these

      If you don’t use software that needs .net 5 or 6 you won’t be offered updates.

      1 user thanked author for this post.
      Deo
    • #2448793

      Hello Susan,

      Domain Controllers
      Certificate Authorities
      Small Companies

      Small businesses who use AD do not typically have the money to have a real/virtual server (+license) for AD server and Certificate Authority server, and perhaps, as recommended by all Microsoft literature, a 2nd Domain Controller server.

      Back in the ‘SBS’ server days, the Certificate Authority (CA) was also on the DC itself.
      If any techs migrated to a newer MS Server flavor, they might have also migrated the Certificate Authority to that newer server.  I know I have encountered some.

      If the AD is NOT PAIRED with a CA, and there is no CA in the domain, do the May updates have any gotchas? Customers in this situation will not be updating any SID into any OID, as there are no OID without CA. (And an alphabet soup to you too 😉)

      • #2448797

        I’m not seeing issues reported in SBSized firms – i.e. one domain controller, workstations joined to the domain.  It’s only in the larger networks that I’m seeing this cert side effect.

        Susan Bradley Patch Lady

        1 user thanked author for this post.
    • #2448804

      For a long time now I’ve been following Susan’s advice to defer installment of KB4023057. In the latest May Update sheet ( 5/24/2022) it now says to install this update.

      What changed?

      Thanks,

      Marc

      I see that KB5005463 is also listed as “install” instead of “defer”. I have studiously avoided installing KB4023057 and KB5005463 for a long time. Are both “copy and paste” errors?

      Win10 Pro x64 21H2, Win10 Home 21H2, Linux Mint + a cat with 'tortitude'.

      1 user thanked author for this post.
      • #2448808

        Refresh and try it again?  Both should be skipped or uninstalled.

        Susan Bradley Patch Lady

        1 user thanked author for this post.
    • #2448816

      How do I report an issue with the May 2022 Security Update to Microsoft?

      • #2448819

        Honestly not easily if you aren’t an enterprise customer.  They tell us to go into the windows feedback app on your Windows device, look for similar issues and upvote.  You can open a support case ($425 if the issue is due to a security patch the fee will be refunded) but the last time I opened a support case, it was a lesson in futility.

        What’s the exact issue and I can see if it’s being discussed and thus on Microsoft’s radar?

        Susan Bradley Patch Lady

        1 user thanked author for this post.
    • #2448927

      Thanks for the link to the blog on Domain-Join Computers.  I’ve been meaning to do this for some time now.

      Casey

      • #2449068

        Doing what, install a DC?
        This is not a trivial task and it may not be wise to mess with a working system.

        cheers, Paul

    • #2449163

      winver 19043.1706 and no issues with updates. Thank you Susan for the master patch list guidance.

      Win10 Pro version 21H2

    • #2449176

      Glad to see Defcon 4.  Today I am working on a Dell Inspiron that is running Windows 20H2.  I used the InControl.exe program from Steve Gibson to set the Target Release Version to 21H2.

      Windows Update is offering me the following, all marked pending download

      1. Feature update to Windows 10, version 21H2, no version number
      2. MSRT KB890830 twice – version 5.101 AND version 5.98
      3. 2022-05 CU for .NET for 20H2 KB5013624
      4. 2022-04 Update for Win 10 version 20H2 KB 5005463
      5. 2022-04 Update for Win 10 version 20H2 KB 4023057

      I have WUMgr 1.1b by David Xanatos installed.  So, I wonder if I should use WUMgr to install ONLY the Feature update to version 21H2, and then see if the same updates are offered after that.

      Any advice is much appreciated.

      Depending upon results, I might  go through a similar process tomorrow on an old but still running Thinkpad T61,

       

      • #2449177

        Use WUMgr to hide KB 5005463 and KB 4023057. They are MS Health check and Susan doesn’t recommend them.

        Install the Feature Update, MSRT, and NET.

        2 users thanked author for this post.
        • #2449747

          Thank you very much PK.

          I did exactly as you suggested, and after a reboot the Inspiron has been updated
          from 20H2 Build 19042.1110
          to     21H2 Build 19044.1706

          without any apparent errors or problems.

          Interestingly, I am now offered the updates that are shown below:

          Screenshot-2022-05-29-205301

          It seems strange to update drivers offered by Microsoft instead of coming straight from the hardware manufacturer, especially those that are a year or more old. So I will ignore those. The Dell Inspiron laptop comes with a preinstalled application called “Dell Update” that has updated a few things in the past, and it currently says (May 2022) that everything is up to date.

          Finally, I will re-hide the other two (KB5005463 and KB4023057) which you mentioned before, even though that second one is considered “critical” by Microsoft.

           

        • #2449814

          Block drivers updates in Windows updates.
          Hide in WUmgr.

          1 user thanked author for this post.
    • #2449219

      I have downloaded WUMgr, but have no clue how to use it. Is anyone kind enough to point me in the right direction?

    • #2449274

      Some Windows 7 Machines lost their activation after the May-Patchday.

      What is going on?

       

      • #2449341

        what editions of Windows 7 are these machines running, mr anonymous?
        Win7 Home Premium, Professional or Ultimate

    • #2449412

      May patches installed with no problems to report on Win 8.1. 🙂

      Installation Successful: Windows successfully installed the following update: 2022-05 Security and Quality Rollup for .NET Framework 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 for x64 (KB5013872)

      Installation Successful: Windows successfully installed the following update: 2022-05 Security Monthly Quality Rollup for Windows 8.1 for x64-based Systems (KB5014011)

      Installation Successful: Windows successfully installed the following update: 2022-05 Servicing Stack Update for Windows 8.1 for x64-based Systems (KB5014025)

      Group "A"- Win 8.1 x64
      Win 10 ver. 21H2 x64

      1 user thanked author for this post.
      • #2449522

        Thanks from another Windows 8.1 user!

      • #2449565

        Updated an 8.1 machine last night. Same 3 updates as JD and same result – no problems.

    • #2449834

      “You do not need the out of band update, so skip it.”

      not so fast

      updates KB5011831 and KB5013942 for Win10 seem to crash clipsvc for some users reported on reddit, lenovo forum & elsewhere:

      https://www.reddit.com/r/sysadmin/comments/uipvj3/kb5011831_crashing_clipsvc_ms_store_affected/

      https://forums.lenovo.com/t5/Gaming-Laptops/My-Windows-getting-weird-and-windows-store-app-cant-be-opened/m-p/5146984

      https://answers.microsoft.com/en-us/windows/forum/all/the-client-license-service-clipsvc-service/fcc0d96c-880e-4633-8996-5c87743a4f92

      so for these Win10 users having these specific problems, go with the out-of-band updates instead

    • #2450542

      new preview updates for Win10 20H2, 21H1 & 21H2 released THU June 2:

      KB5014023 update build 1904x.1741:
      https://support.microsoft.com/help/5014023

      KB5013887 .NET 3.5 & 4.8 update:
      https://support.microsoft.com/help/5013887

      1 user thanked author for this post.
    • #2450745

      It was indicated that update KB5014032 (servicing stack update) was not necessary since it is included in the Cumulative update.

      After I updated (without seeing a KB5014032 listed using wushowhide) I saw that a servicing stack update was installed, though it is designated as 10.0.19041.1704.

      I do not know how to (if applicable) “convert” to a KB number!

      I use Win 10, 21H2.

      A little help requested.

      Thanks,
      Gunny

    • #2450778

      10.0.19041.1704

      This is a Windows version number. Run “winver” to see what version you have.

      Can you post more details / screenshot of the installed SSU?

      cheers, Paul

      1 user thanked author for this post.
    • #2450933

      Susan is currently recommending folks to be on Win 10 21H2.  But what if you have a Win 10 system that apparently won’t upgrade to it?  One of my systems is a Lenovo Legion Y520 laptop, currently running Win 10 Pro 21H1.  It has all the latest Lenovo driver updates, and is current with all available Windows updates — except for KB4023057 and KB5005463, both of which I deliberately keep hidden.  But this system never gets offered an upgrade to 21H2.  Does anyone have an idea why Windows Update is telling me this system is “up-to-date” with no other updates available for it?  Should I be concerned that maybe (for some strange reason) this system isn’t compatible with 21H2?

      • #2450955

        Did you previously use Susan’s script to set the Target Release Version (TRV) to 21H1?
        Did you use wushowhide or WUMgr to hide the 21H2 update?
        If the answer to either of these is “Yes”, that is the reason you are not being offered 21H1.

        See this Knowledge Base article to set the TRV to 21H2.

        https://www.askwoody.com/forums/topic/6000003-registry-keys-and-group-policy-settings-to-select-specific-feature-rele/

        1 user thanked author for this post.
      • #2450962

        why Windows Update is telling me this system is “up-to-date”

        That’s because 21H1 doesn’t actually reach EoS until 2022-12-13.

        You can “force” the update by going to Microsoft’s Download Windows 10 page and clicking the  Update now button.

        The upgrade from 21H1 to 21H2 only takes ~15 mins to complete because all it really does is enable some “already existing” features included in 21H1.

        2 users thanked author for this post.
    • #2450934

      Should I be concerned that maybe (for some strange reason) this system isn’t compatible with 21H2?

      There are no known blocks for 21H2.
      Set ‘target Release’ to Windows 10 21H2, you can use InControl, and check that there are no deferrals.
      Let Microsoft handle the upgrade.

      1 user thanked author for this post.
      • #2451080

        Alex, thanks for the suggestion about using InControl.  Up until now, I hadn’t even been using that.  But just for kicks I tried running it on this problem system.  It said that the system had 2 of the 6 registry keys set, which got me to go check which of those keys had been set.  What I found was that TargetReleaseVersion was set to 1 (which was OK); but for some unknown reason the TargetReleaseVersionInfo was set to “1909“.

        What’s strange about that is that (a) I don’t recall ever making that change; and (b) I don’t understand how the system ever got updated previously to 21H1.  In any event, I used InControl to set the TargetReleaseVersionInfo to 21H2; and Windows Update was then more than happy to offer the update.  So the system is now on 21H2; and all’s well.  Thanks again for the advice to check things with InControl.

        1 user thanked author for this post.
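
Added example, not part of the thread and not InControl's own code: a PowerShell check for the situation in the post above, where a forgotten TargetReleaseVersionInfo value holds a machine on an old feature release. It reads the Windows Update policy values and compares the pin with the installed release; the function names and status labels are made up for this example, and the sample call at the end uses values constructed from the post.

```powershell
# Policy values that pin the feature release, and the key that records the installed one.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$versionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Hypothetical helper: map a release label to a sortable number.
# "21H1" -> 2103, "21H2" -> 2109; four-digit labels such as "1909" or "2004" stay as they are.
function ConvertTo-ReleaseOrdinal {
    param([string]$Release)
    if ($Release -match '^(\d{2})H([12])$') {
        $half = if ($Matches[2] -eq '1') { 3 } else { 9 }
        return ([int]$Matches[1] * 100 + $half)
    }
    if ($Release -match '^\d{4}$') { return [int]$Release }
    return $null
}

# Hypothetical helper: classify the pin relative to the installed release.
function Get-PinStatus {
    param([string]$Installed, [int]$PinEnabled, [string]$PinTarget)
    if ($PinEnabled -ne 1 -or -not $PinTarget) { return 'NoPin' }
    $have = ConvertTo-ReleaseOrdinal $Installed
    $want = ConvertTo-ReleaseOrdinal $PinTarget
    if ($null -eq $have -or $null -eq $want) { return 'Unparsed' }
    if ($want -lt $have) { return 'StalePin' }        # pin names an older release than the one installed
    if ($want -eq $have) { return 'HeldAtCurrent' }   # deliberate hold on the installed release
    return 'UpgradePending'                           # pin names a newer release
}

# Installed release: DisplayVersion on 20H2 and later, ReleaseId on older builds.
$cv        = Get-ItemProperty -Path $versionKey
$installed = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

# The policy key is absent on machines that were never pinned.
$pol    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$status = Get-PinStatus -Installed $installed `
                        -PinEnabled ([int]$pol.TargetReleaseVersion) `
                        -PinTarget  ([string]$pol.TargetReleaseVersionInfo)

[pscustomobject]@{
    Installed                = $installed
    TargetReleaseVersion     = $pol.TargetReleaseVersion
    TargetReleaseVersionInfo = $pol.TargetReleaseVersionInfo
    ProductVersion           = $pol.ProductVersion
    Status                   = $status
}

# Constructed input matching the post: 21H1 installed, pin left at 1909.
Get-PinStatus -Installed '21H1' -PinEnabled 1 -PinTarget '1909'
```

A stale or at-current pin explains an "up to date" report with no feature update offered; the script only reads the registry and changes nothing.
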
    • #2451130

      I don’t understand how the system ever got updated previously to 21H1.

      Microsoft is pushing new upgrades to EOL versions disregarding any Target release settings.
      21H1 isn’t EOL yet so no pushing of new upgrades.

      • #2451139

        You have evidence of MS doing this?

        cheers, Paul

        • #2451158

          EOL has always overridden TRV:

          Select the target feature update version … When you use this policy, specify the version that you want your devices to use. If you don’t update this before the device reaches end of service, the device will automatically be updated once it is 60 days past end of service for its edition.

          I want to stay on a specific version

          Windows 11 Pro version 22H2 build 22621.105 (group ASAP) + Microsoft 365

          2 users thanked author for this post.
        • #2451162

          This has been documented in AKB2000016 since its inception, with a link to the MS documentation included.

          Screen-Shot-2022-06-06-at-5.40.09-AM

          1 user thanked author for this post.
    • #2451149

      You have evidence of MS doing this?

      cheers, Paul

      There are many such cases here on the forum.

    • #2451500

      “…First, update your Certificate Authorities servers. The patch adds a new OID to the templates used for authentication. The OID is then populated by the AD object SID, which further identifies the specific device in the certificate. Once Certificate authorities are updated and the OID is present in the certificates offered to the computers (be sure to test this), you can revoke older certificates without the OID and issue new certificates through auto-enrollment. Then you can patch your domain controllers, and authentication will work — because the domain controllers will now understand the new identifier…”

      – Updated DC’s and servers running certificate services. How do I test the “…OID is present in the certificates…” and revoke older certs? …..also do I need to ‘reapply’ the patch to the DC’s?
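
Added example, not from the quoted newsletter text or from Microsoft: one way to check, on a domain-joined computer, whether the certificates it holds carry the new extension. It assumes the OID in question is 1.3.6.1.4.1.311.25.2, the value Microsoft documents for the SID security extension (the thread itself does not state it); the function name is hypothetical.

```powershell
# Assumption: OID of the SID security extension added by the May 2022 CA update (not given in the thread).
$SidExtensionOid = '1.3.6.1.4.1.311.25.2'
# Standard extended-key-usage OID for client authentication.
$ClientAuthEku   = '1.3.6.1.5.5.7.3.2'

# Hypothetical helper: list certificates in a store and note which ones carry the SID extension.
function Get-CertSidExtensionReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Every extension OID present in this certificate.
        $oids = @($cert.Extensions | ForEach-Object { $_.Oid.Value })

        # EKU OIDs, if the certificate has an EKU extension at all.
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekuOids = @($eku | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })

        [pscustomobject]@{
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotBefore       = $cert.NotBefore
            NotAfter        = $cert.NotAfter
            ClientAuth      = $ekuOids -contains $ClientAuthEku
            HasSidExtension = $oids -contains $SidExtensionOid
            Thumbprint      = $cert.Thumbprint
        }
    }
}

$report = Get-CertSidExtensionReport

# Overview, oldest certificates without the extension first.
$report | Sort-Object HasSidExtension, NotBefore |
    Format-Table Subject, NotBefore, NotAfter, ClientAuth, HasSidExtension -AutoSize

# Client-authentication certificates issued without the extension:
# these are the ones to re-issue through auto-enrollment before the old ones are revoked.
$report | Where-Object { $_.ClientAuth -and -not $_.HasSidExtension } |
    Select-Object Subject, Issuer, NotBefore, Thumbprint
```

Run it on a computer after it has re-enrolled against the updated CA; a certificate with a NotBefore date later than the CA update that still shows HasSidExtension as False points at a template or CA that has not picked up the change.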

    • #2451550

      Do the out-of-band server updates for both 2016 and 2012r2 mean I will have to re-boot the server machines twice? Once for the updates and then another time for the out-of-band updates?

      • #2451553

        For 2016 you can just install the out of band and reboot once.  For 2012r2 if you haven’t installed the first update, you can install it -and- the out of band at the same time and reboot once.

        Susan Bradley Patch Lady

        1 user thanked author for this post.
        Zad