MS-DEFCON 4: A very complicated patching month

Topic

New Reply

ISSUE 19.04.1 • 2022-01-25 By Susan Bradley Thanks, Microsoft, for a very messy January. This month will be somewhat convoluted for patching, due to t
[See the full post at: MS-DEFCON 4: A very complicated patching month]

Susan Bradley Patch Lady/Prudent patcher

17 users thanked author for this post.

Sennva, lmacri, jburk07, ChrisAVWood, Casey S, Ayjaydee, DrBonzo, LH, Fred, Carl, oldfry, Save_Us_from_MS, Mele20, raBUSTiO, abbodi86, MHCLV941, Alex5723

Reply | Quote

Replies

Does Defcon=4 for January include the out-of-band updates ?

1 user thanked author for this post.

Microfix

Reply | Quote

Perhaps a small quibble, but “If you run consumer-class VPN software, the side effects mentioned later in this alert do not impact you” seems overly simplified. The VPN issues hit the native IPSEC, IKEv2 and L2TP VPN clients in both Windows 10 and Windows 11. There is nothing, so far as I know, that restricts these clients to business VPNs.

BTW, what IS “consumer-class VPN software”?

Reply | Quote

Anything that is used for hiding your IP rather than connecting you to a server/domain for your business.  So it’s like Express VPN/Nord VPN etc etc. I have not seen side effects in consumer VPN software.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

MHCLV941

Reply | Quote

I use CISCO AnyConnect to vpn into work from my home laptop. Does this make me a Business level or just a home/consumer user? I do have AVG VPN to protect my home laptop.

Thanks

 

Chris

 

Reply | Quote

Both.

Reply | Quote

So I should go with 5010793 then
<h1 id=”page-header” class=”x-hidden-focus”></h1>

Reply | Quote

I installed 5010793 and so far both my Home VPN AVG and the one for work are working as expected. I see Microsoft have already added a preview for Win 10 21H2 builds.

Reply | Quote

I just installed the January cumulative update for my Windows 10 Pro computer after reading here that the DEFCON level is at 4 now. So far, no problems.

Update: Ugh. Three black screens while surfing all in the past few minutes of installing the January cumulative update. On older version of Fx (60.9ESR) so maybe a later version of Fx would be fine. I have later versions…I am just attached to this particular version. No problems before this update with this old version.

1 user thanked author for this post.

jburk07

Reply | Quote

Small correction: KB5010798 is for W7/WS 2008R2.  I think it should have said KB5010794.  Thanks for you great work on patching though!

Reply | Quote

Would it be better to skip updateing Servers all together this month and what are the ramifications as far as patching is concerned for Feb. will the current updates just drop off if they are already downloaded and in que and will the new ones (hopefully fixed in Feb) will include all of January’s fixes without the side effects? What do you reccomend as safest approach?

 

Reply | Quote

On the Windows server 2016 and later, grab the out of band.  On the older platforms install both the main January update and the out of band.  I don’t like to skip a month completely unless I have a very good reason to. We have fixes this month.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Think the KB’s and links for 2012 R2 might be wrong (i.e. 2008 R2).
Think they were meant to be:
KB5009624 (Monthly Rollup)  – or –  KB5009595 (Security-only update)
+ KB5010794: Out-of-band update for Windows 8.1 and Windows Server 2012 R2: January 17, 2022

2 users thanked author for this post.

Ayjaydee, blackbox

Reply | Quote

Are there any major security issues one would face we bypassed the January updates and waited for the February updates (assuming the February updates include the appropriate server and VPN fixes)?

Reply | Quote

There’s always security issues if you bypass. Remember the http protocol bug?

Microsoft Patch Tuesday by Morphus Labs (patchtuesdaydashboard.com)

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

I run Windows 10. When I ran this months update it messed up my 3 monitors. It changed where each one was supposed to be, the order. I went back to an earlier version using an Acronis disc image. Then I delayed the patch for as long as possible.

Any idea how to avoid this.

Reply | Quote

Normal security updates won’t trigger this, are you sure you didn’t get a video card update as well?  You can unplug/replug and drag around the monitors anytime you want.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

well, actually that won’t work because not only are the monitors out of order, but the content is not on the correct monitors, either.

it would take several hours to fix – very agravating

 

Reply | Quote

Confused.. In your email that you sent out

“Now comes the fly in the ointment. In order to properly patch Server 2012 R2, you must install both the original patch released in January (choose either KB5009610 monthly rollup or the KB5009621 security-only update) and then install the out-of-band update KB5010798. This ensures that you reboot only after the installation of the out-of-band update, not after the initial install of the monthly rollup or the security-only patch. On these older platforms, you choose monthly rollup or security-only; they are not cumulative updates, as the Windows 10/11 patches are.”

When I look at the KB number listed  it shows that these belong to patching Server 2008 R2 and not Server 2012 R2.  Please take a look and advise.  Thanks.

 

1 user thanked author for this post.

blackbox

Reply | Quote

Yes, I’m confused by this as well. I’m hesitant to install an update on a 2012R2 server where 2021R2 isn’t listed in the applies to section. Maybe this is right, but I don’t know what I may be missing.

Reply | Quote

Could it be these two instead for 2012 R2:

KB5009624 for the monthly quality rollup

and

KB5009595 for the security only rollup?

Reply | Quote

My sincere apologies. I’ll fix.  I meant KB5010794

https://support.microsoft.com/en-us/topic/kb5010794-out-of-band-update-for-windows-8-1-and-windows-server-2012-r2-january-17-2022-a92500fb-f227-400e-b70e-f7dd50386fd3

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

So do I need to install KB5009695 or KB5009624 before installing KB5010794 for Server 2012 R2?  Or do I need to install the single KB5010794?  Thanks again.

Reply | Quote

When running Windows Update on my Server 2012 R2 machine, KB5009624 is an Important update and KB5010794 is an Optional Update.  My understanding is that I should select both and install them at the same time so that the “issues” in the former can be mitigated right away by the latter.

Reply | Quote

Both the main as well as the optional on the 2012R2 platform.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Dumb question.  So this only applies only to the following servers

• Addresses a known issue that might cause IP Security (IPSEC) connections that contain a vendor ID to fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP Security Internet Key Exchange (IPSEC IKE) might also be affected.
• Addresses a known issue that might cause Windows Servers to restart unexpectedly after the January 11, 2022, update on domain controllers (DCs) is installed.
• Addresses an issue that prevents Active Directory (AD) attributes from being written properly during a Lightweight Directory Access Protocol (LDAP) modify operation when you make multiple attribute changes.
• Addresses an issue that might prevent removable media formatted using the Resilient File System (ReFS) from mounting, or might cause the removable media to mount in the RAW file format. This issue occurs after installing the January 11, 2022 Windows update.

My domain controllers are all 2012 R2, so I install the update then install the OOB.  All other 2012 R2 servers I only need to install the main update correct?  I’m not affected by the VPN or ReFS.

Reply | Quote

The 2012 R2 were impacted by virtual server bug as well as the restart issue.  I’m installing the out of band update on all servers.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Does the same apply for 2208 R2 servers.  Are you installing the OOB on all 2008 R2 servers as well?

Reply | Quote

I can’t afford ESUs on servers 🙂  yes you want the OOB on any server this month https://support.microsoft.com/en-us/topic/kb5010798-out-of-band-update-for-windows-7-sp1-and-server-2008-r2-sp1-january-17-2022-5b976915-5de5-4197-9b45-35c19050f656

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

sabel9579

Reply | Quote

Well, the new year is not off to a very auspicious start. Hopefully, not an indicator of what to expect going forward.

I’m looking at a 2012 R2 server right now — thanks for the heads up Sue.

I went ahead and patched Win 10 Pro 21H1 and 21H2 desktops with minor issues related to software that intermittently started crashing during the boot process after installing the cumulative updates. Updating the errant software seems to have resolved this. My networked printers are still working which is a big plus.

Reply | Quote

Carl wrote:

Well, the new year is not off to a very auspicious start. Hopefully, not an indicator of what to expect going forward.

Don’t hold any hope as every monthly update in 2021 hasn’t been better.

Reply | Quote

You are recommending installing both the troublesome patch (5009543) AND the out-of-band (KB5010793). If the latter contains everything in the former PLUS the fix, why install the former at all?

Thanks!!

Reply | Quote

Only for 2012 R2 and prior server platforms do you need to install both.  For Windows 10/11 you pick one or the other.  If you think/know you will be impacted by the vpn bug pick the out of band.  If you don’t use vpn pick the normal January update.

Susan Bradley Patch Lady/Prudent patcher

2 users thanked author for this post.

Ayjaydee, MHCLV941

Reply | Quote

Maybe I missed this somewhere, so if I did, I apologize in advance.  But I couldn’t find anywhere addressing the .NET monthly updates and the Security Exchange update.  Are both of those ok to install?  For Exchange, I’m specifically referring to Security update for Exchange 2016 CU22, KB5008631…Thanks.

Reply | Quote

Susan Bradley wrote:

Anything that is used for hiding your IP rather than connecting you to a server/domain for your business.  So it’s like Express VPN/Nord VPN etc etc. I have not seen side effects in consumer VPN software.

I wonder if that’s because the consumer VPNs are SSL-based rather than because they are not end-to-end. I don’t have any experience with consumer VPNs but do have an SSL-based client that I and my clients use for remote access to their offices. This was not impacted by this bug.

Reply | Quote

Carl wrote:

My networked printers are still working which is a big plus.

Yes, indeed!!!!

Reply | Quote

stormbirdd wrote:

You are recommending installing both the troublesome patch (5009543) AND the out-of-band (KB5010793). If the latter contains everything in the former PLUS the fix, why install the former at all?

Are you sure of your assumption? I doubt Microsoft would continue offering an update with major problems and another update with all the good stuff and minus the bugs as an optional update.

Reply | Quote

According to the documentation the OOB patch only resolves the problems associated with the main rollup.  Without the main rollup you dont get the security updates..  Unless I’m misunderstanding

Reply | Quote

I am not sure of my assumption :D, but I see that the OOB update has about 61K files and the original around 60K. If this was a fix for a specific problem in the original, and required the original, why have 1000 more files than the original baked in?

Microsoft also does not list 5009543 as a prerequisite.

***

I am trying to avoid sending out the old, broken KB to 5500 machines and then having to patch it and THEN hope every single one of those machines gets the update and applies it in the correct order. If I can just get the corrected CU in the first place, that would save quite a lot of bother for us.

Merci!

Reply | Quote

sabel9579 wrote:

According to the documentation the OOB patch only resolves the problems associated with the main rollup.  Without the main rollup you dont get the security updates..  Unless I’m misunderstanding

It is not helpful that Microsoft named both updates the same, except for the KB number.

2022-01 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5009543)
2022-01 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5010793)

1 user thanked author for this post.

Cybertooth

Reply | Quote

I am not sure of my assumption :D, but I see that the OOB update has about 61K files and the original around 60K. If this was a fix for a specific problem in the original, and required the original, why have 1000 more files than the original baked in?

Microsoft also does not list 5009543 as a prerequisite.

Beats the heck out of me, too! That said, everything about this “fix” is presented is very odd. Even the way it shows up in the list of updates if the original update has not already been installed is odd.

I am trying to avoid sending out the old, broken KB to 5500 machines and then having to patch it and THEN hope every single one of those machines gets the update and applies it in the correct order. If I can just get the corrected CU in the first place, that would save quite a lot of bother for us.

If I were still doing that sort of thing, I would feel the same way. I think I would be inclined to skip both updates and see what the February Cumulative Update looks like.

Reply | Quote

Beware that the January updates can break ReFS formatted mirrored Storage Spaces on external USB3 drives on Windows 10 21H2 64 bit. The Storage Space will show as unformatted, and Windows will ask if you want to format it(!). The only solution is to roll back the update, and the drive will work normally again.

Reply | Quote

Concerning KB5009624 for W8.1 and Server 2012R2: am I correct in concluding that the out-of-band patch, KB5010794 does not need to be installed when dealing with a non-server standalone PC. It seems the Hyper V issue of VMs not starting only pertain to VMs installed on servers with UEFI enabled. Therefore, it seems if KB5009624 is installed on a PC, then one may ignore KB5010794. Anyone disagree with this conclusion?

Reply | Quote

January 2022 Windows non-security preview “C” release available all supported versions of Windows

LCU
KB5009616 / 17763
KB5009596 / 1904x
KB5009608 / 20348
KB5008353 / 22000

.NET CU
KB5009468 / 17763
KB5009467 / 1904x
KB5009470 / 20348
KB5009469 / 22000

1 user thanked author for this post.

doriel

Reply | Quote

thanks abbodi.

gonna manually download these patches from MS Catalog & install them later

Reply | Quote

Another Out-of-band-out-of-band, but not available yet
January 25, 2022—KB5010690 (OS Build 22000.467) Out-of-band

Reply | Quote

anonymous wrote:

Addresses a known issue that might cause IP Security (IPSEC) connections that contain a vendor ID to fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP Security Internet Key Exchange (IPSEC IKE) might also be affected.

This applies to PCs as well.

Reply | Quote

Matthew wrote:

When running Windows Update on my Server 2012 R2 machine, KB5009624 is an Important update and KB5010794 is an Optional Update.  My understanding is that I should select both and install them at the same time so that the “issues” in the former can be mitigated right away by the latter.

With respect to

Windows 10

(and probably Windows 11), installing both updates at once does fix not the VPN problem. And, if/when you run Windows Update after restarting, the “optional” update is there again and does need to be installed to fix the VPN problem.

Reply | Quote

ChrisAVWood wrote:

I installed 5010793 and so far both my Home VPN AVG and the one for work are working as expected. I see Microsoft have already added a preview for Win 10 21H2 builds.

IF they are SSL-based, they were not impacted by the patch problems. Also, not ALL IPSEC-based are impacted, either. Something about vendor name on the VPN host configuration, I think but don’t remember the details.

Reply | Quote

My question: Is it necessary to install KB5010798 on Windows 7?

I mean, MS says it resolves an Active Directory issue and restarts on
Windows Servers. So, excuse my ignorance, but how any of that applies to Windows 7?

Reply | Quote

Is your W7 PC connected to a domain (with servers)? If not, you don’t need that patch.

cheers, Paul

Reply | Quote

Susan Bradley wrote:

Only for 2012 R2 and prior server platforms do you need to install both.  For Windows 10/11 you pick one or the other.  If you think/know you will be impacted by the vpn bug pick the out of band.  If you don’t use vpn pick the normal January update.

Without any patch management tools, aka plain standalone Windows 10/11 Pro, how does one reject the original patch and pick the out-of-band patch?

That was simple in Windows 7 but so far as I know, the capability disappeared from Windows 10.

Reply | Quote

You can use WUSHOWHIDE.diagcab tool to hide pending updates, that you dont want to install.

Download the the tool from majorgeeks, for example. There is instructional video on the page, so you will know how to do that. Its quite simple.

Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

PRUSA i3 MK3S+

Reply | Quote

What about the Server 2016 Core edition? Does it take KB5010790 as well?

Reply | Quote

KB5009596 Cumulative Update Preview for Windows 10 Version 21H2 for x64-based Systems

on the B side of my dual boot.

No hiccups.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

Computer Specs

Reply | Quote

Same here. No problems with this update.

--Joe

Reply | Quote

2022-01 Cumulative Update for Windows 11 for x64-based Systems (KB5008353) installed on Windows 11 Pro machine.

No problems.

--Joe

1 user thanked author for this post.

hyppolyte

Reply | Quote

doriel wrote:

WUSHOWHIDE.diagcab

Thank you but it’s not really helpful because it does not permanently deselect an update. Its only advantage over the built-in (and visible!) 7-35 day suspension is that one can delay one update rather than suspending all updates.

With Windows 7, one could permanently hide an update and it would not reappear unless one took steps to unhide it.

Reply | Quote

For Server 2012 R2, we’re skipping January updates.  Too much risk if the patch fails to install after the cumulative update, which I’ve read has happened.  Not interested in dealing with a boot looped server. We can wait two weeks or so for February updates.  Not a big deal.

Reply | Quote

January patches installed with no problems to report on Win 8.1. 🙂

Installation Successful: Windows successfully installed the following update: 2022-01 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 for x64 (KB5009721)

Installation Successful: Windows successfully installed the following update: 2022-01 Security Monthly Quality Rollup for Windows 8.1 for x64-based Systems (KB5009624)

Win 10 ver. 22H2 x64

2 users thanked author for this post.

Microfix, DrBonzo

Reply | Quote

Thank you. I selected all the boxes on the Important and Optional sides, then clicked on Install. Hopefully letting Windows choose the correct installation. I ended up with the .Net, SMQR and the MSRT successfully installed on my Dell Win8.1 x64 machine. I’m guessing Windows chose not to install the optional, but I don’t really know.

Reply | Quote

Check the Update History in Windows Update. KB5010794 is the out of band optional update and should be near the top of the list and should say either “successful” or “failed” under installation.

Reply | Quote

My apologies in advance for any unintended violations of forum protocol or display of ignorance. I generally try to stay in my comfort zone, use default automatic Windows Update, and post online questions about once every 15 years or so, but I’m having a problem trying to fix this problem and don’t want to get in any deeper than I already am.

I lost my reliable VPN connection from my personal computer (Windows 10 Home 20H2) to my work network after the previous update, and (following recommendations on other sites) paused automatic updates and uninstalled the offending update (wusa /uninstall /kb:5009543). Easy. That fixed the VPN access problem, but I wasn’t comfortable with not having the latest security updates, so after reading Susan’s column, I went to Windows Update to look for the optional update (KB5010793), but the “optional update” link did not appear.

I turned on automatic updates to see if the option would be displayed and it started installing the Feature Update to Windows 10, version 20H2; 2021-11 Update for Windows 10 Version 21H2 (KB4023057); and Feature update to Windows 10, version 21H2 (I may have put a checkmark next to one of them; it’s a bit of a blur at this point, but I’m reconstructing the sequence from what’s displayed in my Update History). After restarting, a test of trying to establish the VPN connection failed. The attempt reported the same error message as a couple of weeks ago (which I had then been able to fix at the time with the earlier uninstall). After another restart, same VPN error message. I didn’t retry the earlier uninstall command this time, for fear today’s update may have made changed the playing field.

At this point, I don’t know how to go forward and I don’t know how to go back. Unfortunately, I need access to my work VPN rather urgently, so I’m hoping someone here can help me.

Thanks in advance.

Reply | Quote

January 17, 2022—KB5010793 (OS Builds 19042.1469, 19043.1469, and 19044.1469) Out-of-band (microsoft.com)

Install that (you can download it from the catalog site) and see if it fixes you up?

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

WSPKP

Reply | Quote

https://www.youtube.com/watch?v=LB_iSTBlA08

Follow that example on how to use the catalog site

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

WSPKP

Reply | Quote

It worked! (My earlier reply may have gotten lost.)

Thanks very much, Susan.

Reply | Quote

Susan,

On Jan. 25 as you suggested I installed the out of band update for Win 21H2. I believe the KB number ended in 73. Installing the out of band update removed the original Jan. Cumulative update from windows update. Now I see another optional update KB5009596. I do not see this one listed on the master patch update list. Do we install this or leave it for now?

Reply | Quote

We have patched around 5 Server 2019 hosts (Hyper-V, DCs, Standalone) with 2012R2 and 2019 VMs as well as 2012 R2 Hyper-V hosts without any issue yesterday (around 12 physical servers and around 90 VMs).

We just added the 2012 R2 and 2019 optional patches to WSUS and installed the cumulative patches as well as the optional patches (the 2019 optional patch seems to be cumulative, i.e. replaces the official cumulative patch).

We had no issues.

Reply | Quote

Hello all. I use wushowhide to hide updates offered each month until DEFCON is 3 or higher.

Used unhide on KB5008876 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 21H2 for x64 and KB5009543 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems on 1/26/2022.

KB5008876 installed no problems.

KB5009543 was not offered by WU on 1/26 or today 1/27. Made sure it no longer appeared in hidden list of wushowhide. Does not appear in hide list either. Is it safe to assume Microsoft has withdrawn KB5009543 from WU due to issues?

Reply | Quote

it’s still available to download via the MS Catalog:
https://www.catalog.update.microsoft.com/Search.aspx?q=KB5009543

Win8.1/R2 Hybrid lives on..

1 user thanked author for this post.

italiangm

Reply | Quote

Indeed, but I suspect that version contains the same problems as the version that (I assume) has been withdrawn from WU.

Reply | Quote

9543 has been replaced by the following: 5010793 and 5009596. You can see this by clicking on the link @microfix gave and the clicking on the KB number on the left. An Update Details window will come up. Look at the package details tab and you’ll see what I just said.

2 users thanked author for this post.

italiangm, Microfix

Reply | Quote

I have a few 2016 servers.  In the support Susan said to just install the OOB updates.  The issue is that I set my servers to automatically download updates and let me choose when to install.  If I install the OOB for 2016 server then what happens to the previous “normal” updates that were downloaded?  Do I just hide them forever or will they be taken down when February updates come in?

Thanks again for the support Askwoody.

Reply | Quote

The previous patches will be superceded and not replace the installed code.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

What’s the best way to go about installing the 2012R2 updates on the DCs?  Are you installing both old and new updates at the same time (loaded in WSUS) or installing the old update first, then the new update, then rebooting?

And thank you to everyone for all of the info so far, it has helped ease a lot of the confusion!

Reply | Quote

Yes, you don’t reboot until the second patch is installed.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Hi Susan.

 

I manage two sites and one site fell victim to the DC boot loop issue on both DCs (server 2012r2) . Ended up manually unistalling kb5009624 and kb5009595 on both affected DCs.

In your opinion for the 4 DCs across both my sites can I allow wsus to patch all January updates and then manually install oob update kb5010794?

 

i.e will the servers  allow me to patch with kb5010794 before it needs to reboot to complete the main january patches?

 

Reply | Quote

Once the OOB patches have been applied to servers and rebooted (and OOB patches for Windows 10, for that matter), can we continue & install all other updates that Windows Update (on servers) or WSUS (for workstations) recommends?
Thanks!

Reply | Quote

Just reporting that January updates have apparently installed smoothly on my two Windows 10 systems using WUMgr. More in detail:

1) Windows 10 Home 20H2
– KB5009543, 2022-01 Cumulative update
– KB5008876, 2022-01 Cumulative .NET Framework update
– KB890830, MSRT v5.97 update
– KB5002128, KB6002064, KB5002119, KB4462205, KB5002124, various Office 2013 security updates

2) Windows 10 Pro 21H1
– KB5009543, 2022-01 Cumulative update
– KB5008876, 2022-01 Cumulative .NET Framework update
– KB890830, MSRT v5.97 update

On both machines I installed the “regular” .NET Framework CU (dated January 11) and hid the “preview” (dated January 25).

1 user thanked author for this post.

jburk07

Reply | Quote

Updates so far without incident:

Win10 Pro on ARM Insider
KB5008880, 2022-01 Cumulative .NET Framework update
KB5008353, 2022-01 Cumulative Preview update,  Build 22000.469

Win10 Pro v21H1 (x3)
KB5009543, 2022-01 Cumulative update, Build 19044.1466
KB5008876, 2022-01 Cumulative .NET Framework update

Win8.1 Pro (x2)
KB5009624 SMQR
KB5010794 OOB Update for Win8.1
KB5009721 SMQR for .NET Framework

Update 1/30/2022 also without incident :
One more Win10 Pro (same as above)
One more Win8.1 Pro (same as above)

One Win7 Ultimate and one Wi10 Home Premium using W7ESUI and dotNetFx4_ESU_Installer_r
KB5009610 SQMR
KB5010798 1/17/22 OOB
KB5008885 .NET 4.8

4 users thanked author for this post.

jburk07, Microfix, DrBonzo, abbodi86

Reply | Quote

Last night on a Win 8.1 pro I installed the .NET update (KB5009721) followed immediately with a restart, then the SMQR (KB5009624) followed immediately with a restart. I did not install the OOB update (KB5010794) because none of the “solved issues” in the KB support article applied to me (no VMs etc.). Everything seems fine. Do I need to install the OOB patch. It’s a stand alone laptop, no network, no VPN, just a standard computer.

1 user thanked author for this post.

Microfix

Reply | Quote

Win8.1 Pro x64 (x3)
KB5009624 SMQR CU
KB5010794 OOB Update for Win8.1
(on one device only and still on that system, not needed but fully updated)
KB5009721 SMQR dotNET
no issues with ANY of the installations or target OSes.

Win7 Pro ESUb all good since patch release day.

Win8.1/R2 Hybrid lives on..

1 user thanked author for this post.

DrBonzo

Reply | Quote

So I am correct in assuming the OOB really is not needed if my 8.1 machine is not a server, not running a VM, not networked, etc.? It’s offered through Windows update as optional and I’m assuming it will make it’s way into next months Rollup anyway.

Reply | Quote

You are completely correct…if you’re not having the problems described then you don’t need it now, and it will indeed be rolled up into next month’s patch anyway.

R/

Bob99

2 users thanked author for this post.

jburk07, DrBonzo

Reply | Quote

Susan Bradley wrote:

Yes, you don’t reboot until the second patch is installed.

You had mentioned doing this earlier in this thread (or perhaps a related one), so I tried with Windows 10 Pro 21H2 – NOT 2012R2. After the restart, Windows Update presented the second update again.

Win10 does not have the failed restart problem 2012R2 does, but installing the two updates at the same time does not really save any time. which is what I was hoping.

Reply | Quote

For Windows 10 you only need the second update.  Remember with Windows 10 all updates are cumulative, thus you only need to install the later update and no other.  2012 R2 is the other patch model where the “fix” update was not cumulative and you had to install both.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

After imaging with Reflect and then using abbodi86’s Standalone Script:

KB5008282 = SO
KB5010798 = OoB Update for Win 7
KB5008867 = S&QR for .NET Framework 3.5.1
KB5008859 = S&QR for .NET Framework 4.7

Windows Update = KB890830 MSRT (v5.97)

So far, so good . . .

Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'

Reply | Quote

Susan Bradley wrote:

For Windows 10 you only need the second update.  Remember with Windows 10 all updates are cumulative, thus you only need to install the later update and no other.  2012 R2 is the other patch model where the “fix” update was not cumulative and you had to install both.

Understood, but baring external trickery, there is no way to bypass the busted update. There ought to be, as there was from Win2K through Win7 (didn’t spend enough time with 8/8.1 to know!).

Reply | Quote

Installed KB5009543 on February 11, 2022.

Tested CISCO AnyConnect and SonicWall NetExtender VPNs with no problems found.

Reply | Quote