• MS-DEFCON 4: A very complicated patching month

    Home » Forums » Newsletter and Homepage topics » MS-DEFCON 4: A very complicated patching month

    Author
    Topic
    #2420968

    ISSUE 19.04.1 • 2022-01-25 By Susan Bradley Thanks, Microsoft, for a very messy January. This month will be somewhat convoluted for patching, due to t
    [See the full post at: MS-DEFCON 4: A very complicated patching month]

    Susan Bradley Patch Lady

    Viewing 44 reply threads
    Author
    Replies
    • #2420976

      Does Defcon=4 for January include the out-of-band updates ?

      1 user thanked author for this post.
    • #2420984

      Perhaps a small quibble, but “If you run consumer-class VPN software, the side effects mentioned later in this alert do not impact you” seems overly simplified. The VPN issues hit the native IPSEC, IKEv2 and L2TP VPN clients in both Windows 10 and Windows 11. There is nothing, so far as I know, that restricts these clients to business VPNs.

      BTW, what IS “consumer-class VPN software”?

      • #2421028

        Anything that is used for hiding your IP rather than connecting you to a server/domain for your business.  So it’s like Express VPN/Nord VPN etc etc. I have not seen side effects in consumer VPN software.

        Susan Bradley Patch Lady

        1 user thanked author for this post.
        • #2421161

          I use CISCO AnyConnect to vpn into work from my home laptop. Does this make me a Business level or just a home/consumer user? I do have AVG VPN to protect my home laptop.

          Thanks

           

          Chris

           

        • #2421176

          Both.

          Windows 10 Pro version 21H2 build 19044.1682 + Microsoft 365 (group ASAP)

        • #2421184

          So I should go with 5010793 then
          <h1 id=”page-header” class=”x-hidden-focus”></h1>

        • #2421198

          I installed 5010793 and so far both my Home VPN AVG and the one for work are working as expected. I see Microsoft have already added a preview for Win 10 21H2 builds.

    • #2420991

      I just installed the January cumulative update for my Windows 10 Pro computer after reading here that the DEFCON level is at 4 now. So far, no problems.

      Update: Ugh. Three black screens while surfing all in the past few minutes of installing the January cumulative update. On older version of Fx (60.9ESR) so maybe a later version of Fx would be fine. I have later versions…I am just attached to this particular version. No problems before this update with this old version.

      1 user thanked author for this post.
    • #2420988

      Small correction: KB5010798 is for W7/WS 2008R2.  I think it should have said KB5010794.  Thanks for you great work on patching though!

    • #2421008

      Would it be better to skip updateing Servers all together this month and what are the ramifications as far as patching is concerned for Feb. will the current updates just drop off if they are already downloaded and in que and will the new ones (hopefully fixed in Feb) will include all of January’s fixes without the side effects? What do you reccomend as safest approach?

       

      • #2421027

        On the Windows server 2016 and later, grab the out of band.  On the older platforms install both the main January update and the out of band.  I don’t like to skip a month completely unless I have a very good reason to. We have fixes this month.

        Susan Bradley Patch Lady

    • #2420993

      Think the KB’s and links for 2012 R2 might be wrong (i.e. 2008 R2).
      Think they were meant to be:
      KB5009624 (Monthly Rollup)  – or –  KB5009595 (Security-only update)
      + KB5010794: Out-of-band update for Windows 8.1 and Windows Server 2012 R2: January 17, 2022

      2 users thanked author for this post.
    • #2421010

      Are there any major security issues one would face we bypassed the January updates and waited for the February updates (assuming the February updates include the appropriate server and VPN fixes)?

    • #2421012

      I run Windows 10. When I ran this months update it messed up my 3 monitors. It changed where each one was supposed to be, the order. I went back to an earlier version using an Acronis disc image. Then I delayed the patch for as long as possible.

      Any idea how to avoid this.

      • #2421025

        Normal security updates won’t trigger this, are you sure you didn’t get a video card update as well?  You can unplug/replug and drag around the monitors anytime you want.

        Susan Bradley Patch Lady

        • #2421037

          well, actually that won’t work because not only are the monitors out of order, but the content is not on the correct monitors, either.

          it would take several hours to fix – very agravating

           

    • #2421043

      Confused.. In your email that you sent out

      Now comes the fly in the ointment. In order to properly patch Server 2012 R2, you must install both the original patch released in January (choose either KB5009610 monthly rollup or the KB5009621 security-only update) and then install the out-of-band update KB5010798. This ensures that you reboot only after the installation of the out-of-band update, not after the initial install of the monthly rollup or the security-only patch. On these older platforms, you choose monthly rollup or security-only; they are not cumulative updates, as the Windows 10/11 patches are.”

      When I look at the KB number listed  it shows that these belong to patching Server 2008 R2 and not Server 2012 R2.  Please take a look and advise.  Thanks.

       

      1 user thanked author for this post.
    • #2421062

      Dumb question.  So this only applies only to the following servers

      • Addresses a known issue that might cause IP Security (IPSEC) connections that contain a vendor ID to fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP Security Internet Key Exchange (IPSEC IKE) might also be affected.
      • Addresses a known issue that might cause Windows Servers to restart unexpectedly after the January 11, 2022, update on domain controllers (DCs) is installed.
      • Addresses an issue that prevents Active Directory (AD) attributes from being written properly during a Lightweight Directory Access Protocol (LDAP) modify operation when you make multiple attribute changes.
      • Addresses an issue that might prevent removable media formatted using the Resilient File System (ReFS) from mounting, or might cause the removable media to mount in the RAW file format. This issue occurs after installing the January 11, 2022 Windows update.

      My domain controllers are all 2012 R2, so I install the update then install the OOB.  All other 2012 R2 servers I only need to install the main update correct?  I’m not affected by the VPN or ReFS.

    • #2421101

      Well, the new year is not off to a very auspicious start. Hopefully, not an indicator of what to expect going forward.

      I’m looking at a 2012 R2 server right now — thanks for the heads up Sue.

      I went ahead and patched Win 10 Pro 21H1 and 21H2 desktops with minor issues related to software that intermittently started crashing during the boot process after installing the cumulative updates. Updating the errant software seems to have resolved this. My networked printers are still working which is a big plus.

    • #2421103

      Well, the new year is not off to a very auspicious start. Hopefully, not an indicator of what to expect going forward.

      Don’t hold any hope as every monthly update in 2021 hasn’t been better.

    • #2421109

      You are recommending installing both the troublesome patch (5009543) AND the out-of-band (KB5010793). If the latter contains everything in the former PLUS the fix, why install the former at all?

      Thanks!!

      • #2421221

        Only for 2012 R2 and prior server platforms do you need to install both.  For Windows 10/11 you pick one or the other.  If you think/know you will be impacted by the vpn bug pick the out of band.  If you don’t use vpn pick the normal January update.

        Susan Bradley Patch Lady

        2 users thanked author for this post.
    • #2421055

      Maybe I missed this somewhere, so if I did, I apologize in advance.  But I couldn’t find anywhere addressing the .NET monthly updates and the Security Exchange update.  Are both of those ok to install?  For Exchange, I’m specifically referring to Security update for Exchange 2016 CU22, KB5008631…Thanks.

    • #2421126

      Anything that is used for hiding your IP rather than connecting you to a server/domain for your business.  So it’s like Express VPN/Nord VPN etc etc. I have not seen side effects in consumer VPN software.

      I wonder if that’s because the consumer VPNs are SSL-based rather than because they are not end-to-end. I don’t have any experience with consumer VPNs but do have an SSL-based client that I and my clients use for remote access to their offices. This was not impacted by this bug.

    • #2421129

      My networked printers are still working which is a big plus.

      Yes, indeed!!!!

    • #2421130

      You are recommending installing both the troublesome patch (5009543) AND the out-of-band (KB5010793). If the latter contains everything in the former PLUS the fix, why install the former at all?

      Are you sure of your assumption? I doubt Microsoft would continue offering an update with major problems and another update with all the good stuff and minus the bugs as an optional update.

      • #2421131

        According to the documentation the OOB patch only resolves the problems associated with the main rollup.  Without the main rollup you dont get the security updates..  Unless I’m misunderstanding

      • #2421138

        I am not sure of my assumption :D, but I see that the OOB update has about 61K files and the original around 60K. If this was a fix for a specific problem in the original, and required the original, why have 1000 more files than the original baked in?

        Microsoft also does not list 5009543 as a prerequisite.

        ***

        I am trying to avoid sending out the old, broken KB to 5500 machines and then having to patch it and THEN hope every single one of those machines gets the update and applies it in the correct order. If I can just get the corrected CU in the first place, that would save quite a lot of bother for us.

        Merci!

    • #2421134

      According to the documentation the OOB patch only resolves the problems associated with the main rollup.  Without the main rollup you dont get the security updates..  Unless I’m misunderstanding

      It is not helpful that Microsoft named both updates the same, except for the KB number.

      2022-01 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5009543)
      2022-01 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems (KB5010793)

      1 user thanked author for this post.
    • #2421145

      I am not sure of my assumption :D, but I see that the OOB update has about 61K files and the original around 60K. If this was a fix for a specific problem in the original, and required the original, why have 1000 more files than the original baked in?

      Microsoft also does not list 5009543 as a prerequisite.

      Beats the heck out of me, too! That said, everything about this “fix” is presented is very odd. Even the way it shows up in the list of updates if the original update has not already been installed is odd.

      I am trying to avoid sending out the old, broken KB to 5500 machines and then having to patch it and THEN hope every single one of those machines gets the update and applies it in the correct order. If I can just get the corrected CU in the first place, that would save quite a lot of bother for us.

      If I were still doing that sort of thing, I would feel the same way. I think I would be inclined to skip both updates and see what the February Cumulative Update looks like.

    • #2421159

      Beware that the January updates can break ReFS formatted mirrored Storage Spaces on external USB3 drives on Windows 10 21H2 64 bit. The Storage Space will show as unformatted, and Windows will ask if you want to format it(!). The only solution is to roll back the update, and the drive will work normally again.

    • #2421165

      Concerning KB5009624 for W8.1 and Server 2012R2: am I correct in concluding that the out-of-band patch, KB5010794 does not need to be installed when dealing with a non-server standalone PC. It seems the Hyper V issue of VMs not starting only pertain to VMs installed on servers with UEFI enabled. Therefore, it seems if KB5009624 is installed on a PC, then one may ignore KB5010794. Anyone disagree with this conclusion?

    • #2421182

      January 2022 Windows non-security preview “C” release available all supported versions of Windows

      LCU
      KB5009616 / 17763
      KB5009596 / 1904x
      KB5009608 / 20348
      KB5008353 / 22000

      .NET CU
      KB5009468 / 17763
      KB5009467 / 1904x
      KB5009470 / 20348
      KB5009469 / 22000

      1 user thanked author for this post.
    • #2421193

      Addresses a known issue that might cause IP Security (IPSEC) connections that contain a vendor ID to fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP Security Internet Key Exchange (IPSEC IKE) might also be affected.

      This applies to PCs as well.

    • #2421194

      When running Windows Update on my Server 2012 R2 machine, KB5009624 is an Important update and KB5010794 is an Optional Update.  My understanding is that I should select both and install them at the same time so that the “issues” in the former can be mitigated right away by the latter.

      With respect to

        Windows 10

      (and probably Windows 11), installing both updates at once does fix not the VPN problem. And, if/when you run Windows Update after restarting, the “optional” update is there again and does need to be installed to fix the VPN problem.

    • #2421202

      I installed 5010793 and so far both my Home VPN AVG and the one for work are working as expected. I see Microsoft have already added a preview for Win 10 21H2 builds.

      IF they are SSL-based, they were not impacted by the patch problems. Also, not ALL IPSEC-based are impacted, either. Something about vendor name on the VPN host configuration, I think but don’t remember the details.

    • #2421216

      My question: Is it necessary to install KB5010798 on Windows 7?

      I mean, MS says it resolves an Active Directory issue and restarts on
      Windows Servers. So, excuse my ignorance, but how any of that applies to Windows 7?

      • #2421254

        Is your W7 PC connected to a domain (with servers)? If not, you don’t need that patch.

        cheers, Paul

    • #2421225

      Only for 2012 R2 and prior server platforms do you need to install both.  For Windows 10/11 you pick one or the other.  If you think/know you will be impacted by the vpn bug pick the out of band.  If you don’t use vpn pick the normal January update.

      Without any patch management tools, aka plain standalone Windows 10/11 Pro, how does one reject the original patch and pick the out-of-band patch?

      That was simple in Windows 7 but so far as I know, the capability disappeared from Windows 10.

      • #2421298

        You can use WUSHOWHIDE.diagcab tool to hide pending updates, that you dont want to install.

        Download the the tool from majorgeeks, for example. There is instructional video on the page, so you will know how to do that. Its quite simple.

        Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

    • #2421320

      What about the Server 2016 Core edition? Does it take KB5010790 as well?

    • #2421323

      KB5009596 Cumulative Update Preview for Windows 10 Version 21H2 for x64-based Systems

      on the B side of my dual boot.

      No hiccups.

      Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
      We all have our own reasons for doing the things that we do. We don't all have to do the same things.

    • #2421329

      2022-01 Cumulative Update for Windows 11 for x64-based Systems (KB5008353) installed on Windows 11 Pro machine.

      No problems.

      --Joe

      1 user thanked author for this post.
    • #2421393

      WUSHOWHIDE.diagcab

      Thank you but it’s not really helpful because it does not permanently deselect an update. Its only advantage over the built-in (and visible!) 7-35 day suspension is that one can delay one update rather than suspending all updates.

      With Windows 7, one could permanently hide an update and it would not reappear unless one took steps to unhide it.

    • #2421422

      For Server 2012 R2, we’re skipping January updates.  Too much risk if the patch fails to install after the cumulative update, which I’ve read has happened.  Not interested in dealing with a boot looped server. We can wait two weeks or so for February updates.  Not a big deal.

    • #2421444

      January patches installed with no problems to report on Win 8.1. 🙂

      Installation Successful: Windows successfully installed the following update: 2022-01 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 for x64 (KB5009721)

      Installation Successful: Windows successfully installed the following update: 2022-01 Security Monthly Quality Rollup for Windows 8.1 for x64-based Systems (KB5009624)

      Group "A"- Win 8.1 x64
      Win 10 ver. 21H2 x64

      2 users thanked author for this post.
      • #2422224

        Thank you. I selected all the boxes on the Important and Optional sides, then clicked on Install. Hopefully letting Windows choose the correct installation. I ended up with the .Net, SMQR and the MSRT successfully installed on my Dell Win8.1 x64 machine. I’m guessing Windows chose not to install the optional, but I don’t really know.

        • #2422259

          Check the Update History in Windows Update. KB5010794 is the out of band optional update and should be near the top of the list and should say either “successful” or “failed” under installation.

    • #2421459

      My apologies in advance for any unintended violations of forum protocol or display of ignorance. I generally try to stay in my comfort zone, use default automatic Windows Update, and post online questions about once every 15 years or so, but I’m having a problem trying to fix this problem and don’t want to get in any deeper than I already am.

      I lost my reliable VPN connection from my personal computer (Windows 10 Home 20H2) to my work network after the previous update, and (following recommendations on other sites) paused automatic updates and uninstalled the offending update (wusa /uninstall /kb:5009543). Easy. That fixed the VPN access problem, but I wasn’t comfortable with not having the latest security updates, so after reading Susan’s column, I went to Windows Update to look for the optional update (KB5010793), but the “optional update” link did not appear.

      I turned on automatic updates to see if the option would be displayed and it started installing the Feature Update to Windows 10, version 20H2; 2021-11 Update for Windows 10 Version 21H2 (KB4023057); and Feature update to Windows 10, version 21H2 (I may have put a checkmark next to one of them; it’s a bit of a blur at this point, but I’m reconstructing the sequence from what’s displayed in my Update History). After restarting, a test of trying to establish the VPN connection failed. The attempt reported the same error message as a couple of weeks ago (which I had then been able to fix at the time with the earlier uninstall). After another restart, same VPN error message. I didn’t retry the earlier uninstall command this time, for fear today’s update may have made changed the playing field.

      At this point, I don’t know how to go forward and I don’t know how to go back. Unfortunately, I need access to my work VPN rather urgently, so I’m hoping someone here can help me.

      Thanks in advance.

    • #2421515

      Susan,

      On Jan. 25 as you suggested I installed the out of band update for Win 21H2. I believe the KB number ended in 73. Installing the out of band update removed the original Jan. Cumulative update from windows update. Now I see another optional update KB5009596. I do not see this one listed on the master patch update list. Do we install this or leave it for now?

    • #2421517

      We have patched around 5 Server 2019 hosts (Hyper-V, DCs, Standalone) with 2012R2 and 2019 VMs as well as 2012 R2 Hyper-V hosts without any issue yesterday (around 12 physical servers and around 90 VMs).

      We just added the 2012 R2 and 2019 optional patches to WSUS and installed the cumulative patches as well as the optional patches (the 2019 optional patch seems to be cumulative, i.e. replaces the official cumulative patch).

      We had no issues.

    • #2421608

      Hello all. I use wushowhide to hide updates offered each month until DEFCON is 3 or higher.

      Used unhide on KB5008876 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows 10 Version 21H2 for x64 and KB5009543 Cumulative Update for Windows 10 Version 21H2 for x64-based Systems on 1/26/2022.

      KB5008876 installed no problems.

      KB5009543 was not offered by WU on 1/26 or today 1/27. Made sure it no longer appeared in hidden list of wushowhide. Does not appear in hide list either. Is it safe to assume Microsoft has withdrawn KB5009543 from WU due to issues?

    • #2421647

      I have a few 2016 servers.  In the support Susan said to just install the OOB updates.  The issue is that I set my servers to automatically download updates and let me choose when to install.  If I install the OOB for 2016 server then what happens to the previous “normal” updates that were downloaded?  Do I just hide them forever or will they be taken down when February updates come in?

      Thanks again for the support Askwoody.

      • #2421651

        The previous patches will be superceded and not replace the installed code.

        Susan Bradley Patch Lady

    • #2421773

      What’s the best way to go about installing the 2012R2 updates on the DCs?  Are you installing both old and new updates at the same time (loaded in WSUS) or installing the old update first, then the new update, then rebooting?

      And thank you to everyone for all of the info so far, it has helped ease a lot of the confusion!

      • #2422008

        Yes, you don’t reboot until the second patch is installed.

        Susan Bradley Patch Lady

        • #2422336

          Hi Susan.

           

          I manage two sites and one site fell victim to the DC boot loop issue on both DCs (server 2012r2) . Ended up manually unistalling kb5009624 and kb5009595 on both affected DCs.

          In your opinion for the 4 DCs across both my sites can I allow wsus to patch all January updates and then manually install oob update kb5010794?

           

          i.e will the servers  allow me to patch with kb5010794 before it needs to reboot to complete the main january patches?

           

        • #2423970

          Once the OOB patches have been applied to servers and rebooted (and OOB patches for Windows 10, for that matter), can we continue & install all other updates that Windows Update (on servers) or WSUS (for workstations) recommends?
          Thanks!

    • #2421796

      Just reporting that January updates have apparently installed smoothly on my two Windows 10 systems using WUMgr. More in detail:

      1) Windows 10 Home 20H2
      – KB5009543, 2022-01 Cumulative update
      – KB5008876, 2022-01 Cumulative .NET Framework update
      – KB890830, MSRT v5.97 update
      – KB5002128, KB6002064, KB5002119, KB4462205, KB5002124, various Office 2013 security updates

      2) Windows 10 Pro 21H1
      – KB5009543, 2022-01 Cumulative update
      – KB5008876, 2022-01 Cumulative .NET Framework update
      – KB890830, MSRT v5.97 update

      On both machines I installed the “regular” .NET Framework CU (dated January 11) and hid the “preview” (dated January 25).

      1 user thanked author for this post.
    • #2421994

      Updates so far without incident:

      Win10 Pro on ARM Insider
      KB5008880, 2022-01 Cumulative .NET Framework update
      KB5008353, 2022-01 Cumulative Preview update,  Build 22000.469

      Win10 Pro v21H1 (x3)
      KB5009543, 2022-01 Cumulative update, Build 19044.1466
      KB5008876, 2022-01 Cumulative .NET Framework update

      Win8.1 Pro (x2)
      KB5009624 SMQR
      KB5010794 OOB Update for Win8.1
      KB5009721 SMQR for .NET Framework

      Update 1/30/2022 also without incident :
      One more Win10 Pro (same as above)
      One more Win8.1 Pro (same as above)

      One Win7 Ultimate and one Wi10 Home Premium using W7ESUI and dotNetFx4_ESU_Installer_r
      KB5009610 SQMR
      KB5010798 1/17/22 OOB
      KB5008885 .NET 4.8

      4 users thanked author for this post.
      • #2422036

        Last night on a Win 8.1 pro I installed the .NET update (KB5009721) followed immediately with a restart, then the SMQR (KB5009624) followed immediately with a restart. I did not install the OOB update (KB5010794) because none of the “solved issues” in the KB support article applied to me (no VMs etc.). Everything seems fine. Do I need to install the OOB patch. It’s a stand alone laptop, no network, no VPN, just a standard computer.

        1 user thanked author for this post.
        • #2422061

          Win8.1 Pro x64 (x3)
          KB5009624 SMQR CU
          KB5010794 OOB Update for Win8.1
          (on one device only and still on that system, not needed but fully updated)
          KB5009721 SMQR dotNET
          no issues with ANY of the installations or target OSes.

          Win7 Pro ESUb all good since patch release day.

          "-rw-rw-rw-" extreme computing
          1 user thanked author for this post.
        • #2422071

          So I am correct in assuming the OOB really is not needed if my 8.1 machine is not a server, not running a VM, not networked, etc.? It’s offered through Windows update as optional and I’m assuming it will make it’s way into next months Rollup anyway.

        • #2422262

          You are completely correct…if you’re not having the problems described then you don’t need it now, and it will indeed be rolled up into next month’s patch anyway.

          R/

          Bob99

          2 users thanked author for this post.
    • #2422021

      Yes, you don’t reboot until the second patch is installed.

      You had mentioned doing this earlier in this thread (or perhaps a related one), so I tried with Windows 10 Pro 21H2 – NOT 2012R2. After the restart, Windows Update presented the second update again.

      Win10 does not have the failed restart problem 2012R2 does, but installing the two updates at the same time does not really save any time. which is what I was hoping.

      • #2422037

        For Windows 10 you only need the second update.  Remember with Windows 10 all updates are cumulative, thus you only need to install the later update and no other.  2012 R2 is the other patch model where the “fix” update was not cumulative and you had to install both.

        Susan Bradley Patch Lady

    • #2422040

      After imaging with Reflect and then using abbodi86’s Standalone Script:

      KB5008282 = SO
      KB5010798 = OoB Update for Win 7
      KB5008867 = S&QR for .NET Framework 3.5.1
      KB5008859 = S&QR for .NET Framework 4.7

      Windows Update = KB890830 MSRT (v5.97)

      So far, so good . . .

      Win 7 SP1 Home Premium 64-bit; Office 2010; Group B (SaS); Former 'Tech Weenie'
    • #2422085

      For Windows 10 you only need the second update.  Remember with Windows 10 all updates are cumulative, thus you only need to install the later update and no other.  2012 R2 is the other patch model where the “fix” update was not cumulative and you had to install both.

      Understood, but baring external trickery, there is no way to bypass the busted update. There ought to be, as there was from Win2K through Win7 (didn’t spend enough time with 8/8.1 to know!).

    • #2424645

      Installed KB5009543 on February 11, 2022.

      Tested CISCO AnyConnect and SonicWall NetExtender VPNs with no problems found.

    Viewing 44 reply threads
    Reply To: MS-DEFCON 4: A very complicated patching month

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.