• MS-DEFCON 4: All clear for consumers, less so for businesses



    ISSUE 18.32.1 • 2021-08-25 By Susan Bradley This month has been a bit bumpy for business users needing to print. This month’s change to a technology c
    [See the full post at: MS-DEFCON 4: All clear for consumers, less so for businesses]

    Susan Bradley Patch Lady

    4 users thanked author for this post.
    • #2385776

      …The upcoming release of iOS 15 on the iPhone, iPadOS 15 on the iPad, macOS Monterey on Macintosh, and watchOS 8 on Apple Watch will add scanning for child-sexual-abuse images (known as CSAM). If you live in the USA and use iCloud for storing your photos, this update will install databases of CSAM as strings of numbers (called database hashes) onto Apple devices. The system will automatically compare images on your device before they get uploaded to your iCloud Photos account against the databases. ..

      Seems, like many others, you have fallen to the wrong conclusion.

      Images won’t be compared, hashes of images will be compared.
      Apple, like Microsoft, Twitter, Google, Instagram and every cloud storage service already create hashes of images for CSAM and no one has cried wolf so far.

      Disabling iCloud uploads will disable creating hashes, but then the only solution for backing up images will be to a local drive.

      • #2385838

        While I may not have made it quite as clear as I should have, I indicate that hashes are involved in this. To the best of my knowledge this is the first time the vendor has gone to the device I have in my pocket, not just the server they own in the cloud. Regardless, EFF has a petition as they believe it’s an overreach and possibly could lead to false positives.

        Susan Bradley Patch Lady

      • #2386101

        I have not enabled iCloud as yet but was considering using it for the keychain (wallet for passwords?). Will enabling the cloud for this also mean my photos or other files would also be sent to the cloud?

        • #2386172

          Assuming you are referring to iPhone?
          Under Settings\Your ID (at the top)\iCloud you can choose from the list what you want to be saved on iCloud.
          There is a 5GB free on iCloud.
          I store Messages, Safari settings, Keychain, Contacts, Calendars. These are synced between iPhone, iPad, and my Macs. I have turned off iCloud backup, eMail and Photos (I do eMail online and transfer Photos directly by AirDrop to my Macs. Also the iPhone is backed up to my Mac). And the rest of the stuff is turned off also.

          If you turn on iCloud Drive, that is extra storage equivalent to OneDrive in Windows. You can pay for as much storage as you need after you pass the default amount.

          1 user thanked author for this post.
    • #2385836

      I use Print Management to proactively deploy two printers in a small domain. All computers should have those printers automatically. Users have no need to dynamically add printers, which is how I understand the purpose of Point and Print.

      After the August update, a non-admin user can still print without being prompted to update a driver. So I’m confused by the report here that you need to work around the latest admin-only restrictions.

      I have not, so far, configured Computer Configuration\Policies\Administrative Templates\Printers\Point and Print Restrictions. Do I need that if I’m not using Point and Print? Is having that configured perhaps behind the additional admin-only prompts?

    • #2385842

      Susan — I think the pdf of the Patch List has an error for Win 7.

      For Win 7, your pdf says

      Win 7/Server 2008 R2
      5005088  —  Install — Servicing stack update
      5005089  —  Install — Monthly rollup

      But MS indicates that 5005088 is the Cumulative Update, and that 5005089 is the Security Only Update.

      Please advise.  Thanks.

    • #2385887

      EFF has a petition as they believe it’s an overreach and possibly could lead to false positives.

      EFF isn’t God’s gospel and they are wrong too.
      Apple will submit images only after 30 confirmed images.
      According to Apple the chance of false positive is one-in-a-trillion.

      Everyone is letting A/V software scan every single file on devices but “scanning” for CSAM on devices is wrong.

    • #2385937


      Could you please clarify your patch recommendations?

      You give one for Consumer and Home Users – is this for people with Win10 Home only? I am a Consumer who happens to run Win10 Pro – is Pro the version you include in your Businesses recommendation? If so, what  should the average user of Win10 Pro do?


    • #2385942

      When I say “consumers/home users” I mean anyone not in a business/not in a domain setting/more peer to peer network.  It doesn’t matter if you run Home or Pro, I recommend that you install updates at this time.

      Susan Bradley Patch Lady

      1 user thanked author for this post.
    • #2385955

      I installed on my 2 Desktops today with no ill effects. MSRT, KB 5005033 Cum for 21H1, SSU 10.0.19041.1161, also KB 4023057 again. No .NET showed up.

      Don't take yourself so seriously, no one else does 🙂
      All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

    • #2385989

      Well, guess everyone has Windows Updates going crazy every once in a while and this is my turn.

      So, I’m on Windows 10 20H2 Home sitting at build 19042.1110 with July updates installed. Once I read the blog post green-lighting the August updates, as per my usual practice I used WuMgr to unhide the previously hidden updates, set my connection to non-metered and let WU do its work. However, while the .NET (KB5004331) and MSRT 5.92 (KB890830) patches were downloaded and successfully installed, the monthly CU KB5005033 repeatedly refuses to download with error code 0x80070002.

      What are your recommendations to solve the problem? Would you recommend to download KB5005033 from the Update Catalog and do a manual install? Or is this a good moment to upgrade to 21H1? Other?

      Thanks in advance!

      • This reply was modified 1 year, 9 months ago by Berserker79. Reason: Fixed typo
      • #2386005

        There is a new SSU KB5005260. Try downloading and installing it first (if it isn’t installed already or unhide it in WUMgr if hidden). See if that helps.
        I think they separated the CU and SSU this month to facilitate those who haven’t patched in the last few months.

        • #2386052

          I ran into a similar update problem with KB5005033. I am running Win 10 Pro, V 20H2 and have tried unsuccessfully for the past 4 hours to install KB5005033. It will download, and then stops at 100% and never installs. I restarted several times, and each time, it redownloads, and then stalls at downloading 100% – never installs.

          I had a similar issue last month with KB 5004237 taking three unprompted restarts to finally install. That did the same thing and finally completed the process on the third restart.

          I tried to download that KB from the catalog to install it that way, but it seems to be a .cab file and I don’t know how to get it to install.

          I’ve also seen a few suggestions on a couple of other sites that involve resetting the SoftwareDistribution and catroot2 folders to old and then recreating them. Is that something to try?

          At this point, I am ready to roll back to my earlier backup so that it doesn’t keep getting stuck in the cycle and trying to download that KB over and over.

          Thanks for any ideas!

          ETA: Just now, after about an hour being stuck at downloading, it said Installing 100%, but then went to a second round of installing, and now seems stuck at 45%. I didn’t try downloading the SSU PKCano referred to – but may try that if this fails to install.

          In any case – something seems to be wrong with WU that this has now happened two months in a row. 🙁

          And…just now – all on its own – it went to “Checking for Updates” scrolling – which has overridden the installation. Guess I’ll restart and see what happens then.

          • #2386072

            I tried to download that KB from the catalog to install it that way, but it seems to be a .cab file and I don’t know how to get it to install.

            Option 1, after adding Install cab to the context menu, is easiest:

            How to Install a CAB File in Windows 10

            Windows 11 Pro version 22H2 build 22621.1778 + Microsoft 365 + Edge

            1 user thanked author for this post.
          • #2386078

            Unfortunately, installing the SSU suggested by PKCano did not work for me and in the end I installed KB5005033 manually after downloading the relevant file from the Update Catalog.

            If you are still having problems installing KB5005033 and the new SSU suggested by PKCano did not help, downloading from the Catalog and installing seems to get the job done. BTW, the file I downloaded from the Catalog does not have .cab extension, rather it’s a .msu file. I simply double-clicked onto it to make it install the update.

            1 user thanked author for this post.
            • #2386103

              FWIW, I manually install all updates as suggested on the master patch list. Do not trust wu to offer all I need or offer MORE than I need!

        • #2386077

          Thanks for the suggestion PKCano, I installed the new SSU KB5005260, but unfortunately that did not help.

          I tried to run the Windows Update Troubleshooter and it reported nothing wrong. Next, I tried DISM (dism.exe /Online /Cleanup-image /Restorehealth), but KB5005033 still did not download. Tried also SFC (sfc /scannow), but that did not solve the issue. Tried also to download and install from WuMgr, but that did not work either (interestingly, WuMgr reported all attempts at downloading KB5005033 as failed with error code 0x80240034 and in one case 0x80246007, which are different codes from the one I get from Windows Update).

          In the end, I downloaded KB5005033 from the MS Update Catalog and installed the update manually. It took much longer than expected and seemed to be stuck, then after several minutes the installation quickly progressed to 100% and I was prompted to reboot. The reboot completed without problem and I’m now at build no. 19042.1165.

          Hopefully next month’s CU will not turn out to be as problematic to install…

          1 user thanked author for this post.
      • #2386080

        Susan Bradley Patch Lady

    • #2385997

      Apple isn’t always perfect. So sayeth my personal iphone when it resets settings/loses passwords etc etc.

      Never happened to me from iPhone 4 all the way to iPhone 12 and I run dev and beta version.

    • #2386001

      In addition to the .Net Core/.Net 5.0 content listed in the Master Patch List there is also an August 2021 security update for .Net Core 2.1.30 – https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005418

    • #2386029


      August patches installed with no problems to report on Win 8.1. 🙂 The only small issue I have encountered is that I have lost my profile picture on the login screen. It has now defaulted as if you didn’t save a profile picture.

      Installation Successful: Windows successfully installed the following update: 2021-08 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 for x64 (KB5004873)

      Installation Successful: Windows successfully installed the following update: 2021-08 Security Monthly Quality Rollup for Windows 8.1 for x64-based Systems (KB5005076)

      Win 10 ver. 22H2 x64

      1 user thanked author for this post.
      • #2386573

        I have once again duplicated @JD’s results on two Win 8.1 x64 computers. I don’t have a profile picture on the login screen so I can’t comment on that.

    • #2386047

      Anybody noticed when the annoying banner at the top of the Settings page appeared?

      I’m using a Local Account, not a Microsoft one. And I don’t want to use one to login. Yet Microsoft only wants me to jump in the “everyone does it so it must be worth it” bandwagon…


      1 user thanked author for this post.
    • #2386051

      Been running this since Aug 12 on 4 machines w/o issue (3 Pro 1 Home) YMMV. 😎


      May the Forces of good computing be with you!


      PowerShell & VBA Rule!
      Computer Specs

      1 user thanked author for this post.
    • #2386088

      new “preview” updates for older Win10 versions like 1809 & 1909 released TH Aug. 26:

      KB5005103 for Win10 v1909 enterprise/education:

      KB5005102 for Win10 LTSC 2019 v1809:

    • #2386094

      I ran into a problem after installing the August monthly rollup for Windows 8.1 (KB5005076). After a certain period without any network activity (did not time it but seemed to be around an hour or so) the DNS cache would always reload causing a noticeable delay when trying to get out to the Internet (delay is caused by having to reload a large blocking hosts file, Steven Black base file). Otherwise the problem did not happen with the default system hosts file. So something with the August update is not playing well any longer with a large hosts file and causes the DNS cache to reload. So I ended up rolling back to the previous system image (July monthly rollup) with Macrium Reflect and all is well again.

      • #2386096

        Would it be better to use something like openDNS and put the blocking urls in there?

        Susan Bradley Patch Lady

        • #2386294

          Hello this is the OP above, thank you for the suggestion. I prefer the blocking be done at the PC level as it’s the easiest and most direct method to administer for the two computers on my home network. Otherwise with OpenDNS I would need to create an account with them and log into it to administer blocking. But also because I’m not sure how practical it would be to enter and maintain 90,000+ plus unique domains that are in the blocking hosts file (which is usually updated a couple times a week, sometimes more often).

      • #2386114

        I will admit to a fair degree of ignorance about DNS and DNS caches. But I’m assuming that if I’ve never modified anything having to do with DNS that I would be using the “default system hosts file” and would not have the problem described above?

        • #2386296

          Yes that’s correct, unless you specifically modified or replaced the file (normally located in this directory: C:\Windows\System32\drivers\etc) you would be using the default stock hosts file that comes with Windows.

          1 user thanked author for this post.
    • #2386161

      Anybody noticed when the annoying banner at the top of the Settings page appeared?


      2 users thanked author for this post.
    • #2386202

      PK Cano:  Sorry, I thought that I had  posted in the correct topic. Re-posting in correct location.

      RE: Master patch list updated 21-08-25: What is the installation status for the following update KB5004871–2021-08 Security and Quality Rollup for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 7 for x64? It doesn’t seem to appear to be on the Master Patch list. Should I install this separately from the other update, Kb5005088, Monthly Security quality update, that I received for the August updates? Thank you very much for giving us the help and guidance with the updates. It is appreciated.

      I appreciate your response.  Still would like to know if the NET KB5004871 needs to be installed by itself.  Thank you.

      • #2386207

        KB5004871 does not have to be installed by itself.
        KB5004871 is a Rollup (bundle) that contains individual separate updates with different KB numbers for each of the different versions of .NET.
        The only way you can install KB5004871 as a single KB is through Windows Update (if you have an ESU license). Then WU chooses which individual updates to install according to the version(s) of .NET installed.


        If you download from the Catalog, you will see all the individual (different KBs) updates for each version. You only need the updates for the versions on your computer. That is explained in #2382937 where you will find links for the only two new Aug individual updates (.NET 4.6-4.7.2 and .NET 4.8). The other updates are in the bundle, but they were released in Oct 2020 and should already be installed (you can check in installed updates).

    • #2386301

      Windows 10 Pro   21H1.  home user.  No problems.

      1 user thanked author for this post.
    • #2386932

      I am running 21H1, installed on 7/15/21. Last quality update was 6/30/21.  I have GP settings as per instructions from askwoody.  Turned Quality updates delay to 0 with the “all-clear” for August updates.   Still waiting…… I even clicked “Check for updates” this morning 😮 Nothing…. except! KB4023057, which I hid.  I guess Aug update will eventually download…… I am not familiar with downloading from MS website – but I suppose I could do that if it doesn’t  show up.  Just didn’t think it should take so long.  Is this normal behavior?  Donna

    • #2387041

      What is with the reappearance today of KB5005033 for yet another round of the August updates? Is it yet another try at fixing the print spooler issues without messing up everything else (not that Microsoft seems to ever think about that)? Anyone else seeing it?

      • #2387384

        Never mind-I figured it out. If you follow Fred Langa’s suggestion to try out the Application Guard, which I did after putting on the August updates, then KB5005033 will reappear. Apparently, a substantive part of the update affects Application Guard and wouldn’t have been applied if the option wasn’t active.

        1 user thanked author for this post.
        • #2387464

          Interesting.  I will have to test that out.  I wouldn’t think that enabling that would trigger a reinstall of August.

          Susan Bradley Patch Lady

    • #2387226

      Still no August updates in Windows update!  Would someone be so kind as to tell me how I may install it?  I actually have never updated this way!



      Is it the same as any other download/install?  Download the file. Click to install?  I would also need to get KB4023057 – as per Master patch list.

      Or should I just wait?? Thanks. Donna

      • #2387266

        Hi Donna,

        I ran into some updating issues with the August KB KB5005033 and tried to install it using the catalog. If that is the KB you need – it is a .cab file, and you need to follow the instructions listed above by b in post #2386072. I didn’t get it to install that way and did finally get it to complete the “regular” way.

        As to not seeing the updates – my laptop also is very slow to show updates in WU. If I hid one and then unhide it – it can take a week or more to actually show up. No idea why or how to fix it.

        I would also need to get KB4023057 – as per Master patch list.

        If you look at the Master Patch List, KB4023057 is on the list as DEFER – don’t install it, so leave it hidden.


        • #2387272

          oh yes, I made a mistake on the patch list, it was the other one 5004331 I meant to say I would install.

          I guess I’ll wait a bit longer to see WU downloads before taking any action.
          Thank you for the instructions.

          • #2387273

            Yes, it is frustrating to look each day, expecting to see them, and it takes forever! I have never found why that happens, and even when I had set my laptop to check every hour, it would check, but the updates weren’t there.

            Good luck!

      • #2387328

        Still no August updates

        It may be an issue with WU. Install WUMgr and check for updates via the circle icon (search). This will show you if any updates are available.

        cheers, Paul

        1 user thanked author for this post.
        • #2387354

          Thanks Paul. So I’ve never downloaded WUMgr.  Can you send me the link for it? : D

          I googled it but…….too many choices and I don’t know what is safe. thanks!


        • #2388142

          Still no August updates.  I assume WUmgr is totally safe??? When I open the .exe I get a warning message from MS.  Just makes me uncomfortable.  But Virus Total shows the exe is clean.  I went to the MS catalog to get the updates, but that link goes to HTTP site not https!! Which also makes me uncomfortable.

          I also read it may get flagged by Antivirus – and saw some files in the zip for Defender. Does it work with Defender? Do I have to do anything for that?  Sorry to be so overly cautious – I think I get anxious about some stuff when I don’t understand it due to my lack of in-depth technical knowledge…….

          I’m trying to understand ; )  But some stuff is and will remain beyond my comprehension…….thanks. Donna

    • #2387288

      new “preview” update for Win10 v2004, 20H2 & 21H1 – KB5005101 released WED Sept. 1:

    • #2388754

      Can someone please help me? I’ve had a problem with WU (imagine that?!)  August updates did not download.  I have shut that back down now that we are in Defcon 2 (gp edit setting).  I am running Windows 10 Pro, 64 bit, 21H1 (also set in gp edit settings).  But when I had opened quality update settings for Defcon 4, August never came in.  I continued to get Defender updates daily.  I ran WU troubleshooter and it found one problem today that it fixed.  I had found BITS was not running. I started it this morning and turned to auto delayed start.  I just checked it again, BITS is not running and is back on Manual start. Is that because I changed my GP edit settings to not download windows quality updates?

      Should I get August update from the catalog ? Or wait til Sept?  I have never downloaded updates from the catalog.  I see the file is .MSU not .exe  – is the process to install it the same as any other .exe I’ve ever downloaded and installed?

      And when I click on the link from the catalog, it says it’s HTTP! Anyway – should I do the update from the catalog or wait? And if I update, is it the same process as installing any other .exe download?   I just backed up everything with Macrium.

      • #2388766

        Before you try anything else, look in Installed Updates (not Update History) and see if it’s already installed.
        Go to “View Update History,” then click on the “uninstall updates” link at the top. That actually takes you to the list of what is installed on your computer.

      • #2388767

        Download and run WUmgr (portable) and check updates.

        1 user thanked author for this post.
        • #2388789

          okay okay, I have to admit I’ve been stubborn!  I resisted downloading wumgr bc i don’t like downloading anything from the internet these days ; )  but, after repeated suggestions (and checking the exe on VT, Defender and MBAM) to do that, I did. I searched for updates and lo & behold – August update is in there.  With Defender and MSRT!  I know I can use this to hide updates too in the future. Thanks everyone!  Donna

        • #2388815

          Got questions on WUmgr.  I installed Aug update. Rebooted.  Now WU mgr is gone. Do I have to click on the .exe again to open it up? I thought it was an installed program but I checked in Control panel and it’s not there in programs.  How do I open it back up?

          #2 When I look at WU history it does not show the August update, so I assume WUmgr does not update WU history??  It does show under “View Installed Updates” in Control panel (or Uninstall updates in history).

    • #2388850

      Now WU mgr is gone. Do I have to click on the .exe again to open it up? I thought it was an installed program

      The app is portable and doesn’t install.
      You run it every time you need to.

      Store the file in a folder of its own preferably on drive D (never keep data on drive C (OS)).
      You can create a shortcut to the .exe on your desktop.

      • #2388872

        ok. I moved the files to a folder and created a desktop shortcut for the exe.  When I click on that, I get the Windows “Warning” about installing a ‘non-Microsoft-verified’ app.  Is that the way it’s supposed to work?  I understand it’s portable, which means it does not install the software on my computer. So the files are contained in the WuMgr_v1.1b and it runs every time from there when I click on wumgr.exe? Is my understanding correct?  I am not familiar with how this app works or portable apps, in general.

        I haven’t changed any of wumgr settings – Auto update is not checked.  My machine is updated through August.  I have gpedit settings to not auto download, target release 21H1 and quality updates set to 30.   I know others may have different settings.  This morning, I got Defender update, which is good.  That should continue until we get the all clear and then – I’d run wumgr?  Or sooner if there were a need, I guess, for me to check anything.

        How often do you run Wumgr?    Thank you.  Donna

        • #2388880

          and quality updates set to 30

          This is the reason you are not getting August updates – if you have Quality Updates deferred for 30 days they won’t show up in WU until 30 days after Aug Patch Tues. You are shooting yourself in the foot and wondering “why.”

          • #2388881

            oh duh! yeah.  I didn’t think of that……thank you 🙂

            • #2388883

              Use the recommended settings. If you have the “2” (notify download/install) set, the updates won’t download until you say so. And if they are not downloaded, they can’t install.

              1 user thanked author for this post.
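
The checks that resolved this sub-thread (the installed-updates list, the 30-day quality deferral, the "2" notify setting) gathered into one read-only PowerShell function. This is an added example, not part of any post above; the function name is hypothetical, and it assumes the deferral and notify settings were applied through Group Policy so they appear under the Policies registry key.

```powershell
# Added example: read-only diagnostics for "the update never shows up in WU".
# Defaults are the August 2021 cumulative update named in this thread and
# that month's Patch Tuesday (second Tuesday, 2021-08-10).
function Get-UpdateVisibilityReport {
    param(
        [string]$Kb = 'KB5005033',
        [datetime]$ReleaseDate = '2021-08-10'
    )

    # Returns $null when the key or value is absent (policy not configured).
    function Get-PolicyValue([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name }
    }

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $bits  = Get-Service -Name BITS

    $deferOn   = Get-PolicyValue $wuKey 'DeferQualityUpdates'
    $deferDays = Get-PolicyValue $wuKey 'DeferQualityUpdatesPeriodInDays'
    $auOptions = Get-PolicyValue "$wuKey\AU" 'AUOptions'

    # Get-HotFix queries Win32_QuickFixEngineering; no match means not installed.
    $installed = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

    $findings = @()
    if ($installed) {
        $findings += "$Kb is already installed, so Windows Update has nothing to offer."
    } else {
        if ($deferOn -eq 1 -and $deferDays -gt 0) {
            $visible = $ReleaseDate.AddDays($deferDays).ToString('yyyy-MM-dd')
            $findings += "Quality updates are deferred $deferDays days: $Kb is not offered before $visible."
        }
        if ($auOptions -eq 2) {
            $findings += 'AUOptions = 2 (notify): updates are listed but not downloaded until you start them.'
        }
        if ($findings.Count -eq 0) {
            $findings += 'No deferral or notify policy found; look at Windows Update itself.'
        }
    }

    [pscustomobject]@{
        Build            = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
        KbInstalled      = $installed
        DeferQualityDays = $deferDays
        AUOptions        = $auOptions
        BitsStatus       = $bits.Status
        BitsStartType    = $bits.StartType
        Findings         = $findings
    }
}

Get-UpdateVisibilityReport | Format-List
```

On a 20H2 machine the Build field reads 19042.1165 once KB5005033 is in place, which is the build number reported earlier in the thread.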
    • #2389032

      “Warning” about installing a ‘non-Microsoft-verified’ app.  Is that the way it’s supposed to work?

      Where did you download WUmgr from ?
      WUmgr is portable and doesn’t install

      This pop-up may be Defender’s SmartScreen. I don’t use Defender so can’t recommend apps settings.
      I think you should allow the app.

      • #2389035

        I got it from github.  I ran the file on VT, Defender and MBAM checks.  No Malware found.  I think it’s ok. thanks.

        1 user thanked author for this post.
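
For the two worries raised in this thread (an .msu fetched from the Update Catalog over HTTP, and a tool downloaded from the internet that triggers a warning when launched), a PowerShell check of the file itself before it is run. This is an added example, not code from any poster; the function name and the sample paths are hypothetical, and the expected hash is a placeholder to be filled in only if the publisher lists one.

```powershell
# Added example: inspect a downloaded file before running or installing it.
function Test-DownloadedFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256   # optional: value published by the file's author
    )

    # Authenticode signature: 'Valid' means the file is unmodified since signing
    # and the signer's certificate chains to a root this machine trusts.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # SHA-256 of the file as it sits on disk.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # The Zone.Identifier alternate data stream marks a file as downloaded
    # from the internet; its presence is what prompts the launch warning.
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue

    [pscustomobject]@{
        File            = Split-Path -Path $Path -Leaf
        SignatureStatus = $sig.Status
        Signer          = $signer
        # A valid signature AND a Microsoft subject: transport over HTTP does not
        # matter if this is True, because tampering would invalidate the signature.
        MicrosoftSigned = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
        Sha256          = $hash
        HashMatches     = if ($ExpectedSha256) { $hash -eq $ExpectedSha256 } else { $null }
        MarkOfTheWeb    = [bool]$zone
    }
}

# Usage (paths and hash are placeholders):
# Test-DownloadedFile -Path "$env:USERPROFILE\Downloads\<update-file>.msu"
# Test-DownloadedFile -Path 'D:\Tools\<tool>.exe' -ExpectedSha256 '<hash from publisher>'
```

A SignatureStatus of NotSigned is not proof of malware; it means the signature gives no assurance and the hash comparison or a scanner verdict has to carry the decision.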