MS-DEFCON 4: Dual-boot computers now safe to patch

Topic

New Reply

ISSUE 21.39.1 • 2024-09-24 By Susan Bradley In the August updates, Microsoft introduced a bug that impacted Windows users who dual-booted into Windows
[See the full post at: MS-DEFCON 4: Dual-boot computers now safe to patch]

Susan Bradley Patch Lady/Prudent patcher

9 users thanked author for this post.

Perq, abbodi86, LHiggins, pandarunnerpt, WCHS, jburk07, DLivesInTexas, lmacri, Alex5723

Reply | Quote

Replies

link to PDF in “Master Patch List” no good

Reply | Quote

Regarding the update to iOS 18, just last night I distinctly remember selecting it to install overnight (and not 17.7).  This morning, when I checked my phone, it had updated to 17.7. I thought that rather odd.

Also, my son was one of the iOS 18 beta testers (he loved doing it) and had no issues with it. He’s been encouraging me to update to it, but I’m being my usual cautious self and waiting (especially now that my phone didn’t update to it last night!).

Reply | Quote

@SB, your HTML file is munged.

Reply | Quote

And pdf missing and Excel seems like not updated.

Reply | Quote

Apologies, republished all four sheets.  Try them now?

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

sheldon

Reply | Quote

The Excel looks good now.

Reply | Quote

I have a question about uninstalling the August update before installing the September update:
After uninstalling the August update, is it necessary to pause updates (as recommended in the video linked from https://www.askwoody.com/2023/need-to-uninstall-an-update/) if the Group Policy is set to 2, Notify before downloading?
I’ve never had to uninstall a Windows 10 update before so I’m trying not to make assumptions.

Linux Mint Cinnamon 21.1
Group A:
Win 10 Pro x64 v22H2 Ivy Bridge, dual boot with Linux
Win l0 Pro x64 v22H2 Haswell, dual boot with Linux
Win7 Pro x64 SP1 Haswell, 0patch Pro, dual boot with Linux,offline
Win7 Home Premium x64 SP1 Ivy Bridge, 0patch Pro,offline

Reply | Quote

If you use Group Policy setting of “2” notify download/install, you should never use Pause. The GP setting will keep the updates from downloading. If you use Pause, Windows can not search for updates. And when you Resume, whatever is out there will download/install ignoring the “2” setting.

2 users thanked author for this post.

JD, jburk07

Reply | Quote

Thank you for confirming!

Linux Mint Cinnamon 21.1
Group A:
Win 10 Pro x64 v22H2 Ivy Bridge, dual boot with Linux
Win l0 Pro x64 v22H2 Haswell, dual boot with Linux
Win7 Pro x64 SP1 Haswell, 0patch Pro, dual boot with Linux,offline
Win7 Home Premium x64 SP1 Ivy Bridge, 0patch Pro,offline

Reply | Quote

It looks like all the server cumulative updates are in Defer status on the latest master patch list in Excel format. Is that correct?

Reply | Quote

No, I had publishing issues last night converting the excel sheets, try it again now.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

PatchingAgain

Reply | Quote

Updating to be notified.

Reply | Quote

Thanks for the information on iOS.  Earlier I had trouble installing Outlook.  Microsoft promises to help us install any program we buy, and indeed they will.  But MS wanted to charge me $100.  Consequently, I switched to Mac.

Where can I find out how to thank an author for an article?

Reply | Quote

cesmart4122 wrote:

Where can I find out how to thank an author for an article?

There is a “Thanks” button at the bottom of all posts.
I think you need to be logged in.

Reply | Quote

I am trying to download the Windows 11 ISO from the link provided. I can open  and select the correct file, but when I click Download, a verification page appears for a few seconds, then closes with no download occurring. I am attempting this from a Windows 10 Pro system with a Local User Account.  Any suggestions as to how to proceed?

Regards, Steve

Reply | Quote

Did you select the language you need for the OS? Then you’ll have to click the download button.

--Joe

Reply | Quote

Using Susan’s link, I tried to download the Win 11 ISO. Got the following error message.

“Error
We are unable to complete your request at this time. Some users, entities and locations are banned from using this service. For this reason, leveraging anonymous or location hiding technologies…”

Likewise, Media Creation tool failed as well, but with different error message suggesting that computer was not eligible.

This a new, 2 month old Dell Inspiron Laptop Win 11 23H2. Other than personalizing some Windows settings and installing a couple portable app utility programs, it is basically factory fresh. No VPN or anything that remotely fits the error message. Using Chrome browser.

Thoughts, please…

Reply | Quote

Just for test I downloaded Windows 11 ‘Media Creation Tool’ and downloaded Windows 11 23H2 ISO.

No problems.

1 user thanked author for this post.

KWGuy

Reply | Quote

Many thanks!!!  Using the Media Creation Tool, I was able to successfully download the ISO to local HD.  Was also able to create bootable USB flash drive using this MCT method.  No MCT error message like a week ago…probably operator error!

Per a quick google search, the error message received when I used the direct ISO d/l option (which still occurs with each attempt)  is not unique to just me.

Thanks for pointing me to the solution!

Reply | Quote

Update:

The problem with the “banned from using this service” error message when using Susan’s direct ISO download link was solved by changing browsers from Chrome to Firefox.  Simple as that!

The earlier issue with using the Media Creation Tool option to download the ISO to a flash drive resulted from using a FAT32 flash drive to download a 6 gb file.  Turns out, ya can’t do that! <grin>  Reformatted to NTFS and problem solved.  Yes, definately operator error!

Again thanks for your help.

1 user thanked author for this post.

Alex5723

Reply | Quote

Ok, I’ve read the September KB5041580 and the linked CVE-2022-2601 instructions.  I’m still a bit confused. Before installing the August update, I followed Susan’s registry edit to prevent the installation of the problematic SBAT:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD

I’m not currently dual booting Linux on this machine but may want to do so in the future. I may even be converting it to a Linux-only machine. So, I don’t want any SBAT issues to “bite me in the bios” and limit my choices – even if it is a Linux distribution that MS has chosen to blacklist. (I consider the risk to be an acceptable trade-off in order to retain personal choice.)

Can I retain this registry key and still go ahead with the September patch that supposedly corrects the bug that was in the August patch? Will this registry key still opt me out of the latest SBAT patch – and future patches?

 

Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

Reply | Quote

Steve S. wrote:

Will this registry key still opt me out of the latest SBAT patch – and future patches?

Only if MS continue to honour the reg setting – not guaranteed.
But you will hear it here if anything changes…

cheers, Paul

1 user thanked author for this post.

Steve S.

Reply | Quote

Susan, I don’t understand why you are recommending that people uninstall the August updates and then install the September updates?  Everything I’ve read about this says that the “bug” was that the update was not detecting certain dual-boot setups and then going ahead and updating our BIOS with its black list.  Everything has also said that uninstalling the update would not fix this issue, because the issue is that Microsoft thought it was reasonable to go ahead and just modify our firmware without a reasonable warning.  As I read it now, the only thing “fixed” in the September updates is that the new updates will now properly detect dual-boot systems and NOT nuke your shim SBAT?  But if the damage was already done, uninstalling is not going to fix anything or prevent anything in the future.  Am I not understanding this correctly?

Also, their “workaround” isn’t a solution for people like me that don’t actually dual-boot, but boot off a linix usb for a backup solution.  There’s no way to enter that convoluted sequence of command lines from this usb boot.  With no way to undo this fiasco, I was forced to purchase an unnecessary update to my backup software just to get the latest shim.  (My version was only 9 months old).  This has been in my top 5 most infuriating things M$ has done.  And I go back to the DOS days.

3 users thanked author for this post.

TonyC, jburk07, M. N.

Reply | Quote

Yes, although I am not affected because I don’t have a dual boot, that statement by SB caught my eye and left me wondering. If the August updates being referred to were cumulative, and the September updates are also cumulative, surely the September updates should correct anything done or undone by the August updates?

Reply | Quote

I haven’t seen anyone comment on having done a regular, non duel-boot related update without issue so I’ll wait till next weekend to see if folks are are aren’t having problems.

Reply | Quote

MrToad28 wrote:

I haven’t seen anyone comment on having done a regular, non duel-boot related update without issue so I’ll wait till next weekend to see if folks are are aren’t having problems.

Start reading at this post in the “Sept 2024 updates are on us” thread and continue reading the rest of the posts in that thread. All the posts were made between 9/11/24 and 9/16/24, before Susan lowered the MS-DEFCON level for the month to 4, where it currently sits.

I hope this helps you decide.

1 user thanked author for this post.

MrToad28

Reply | Quote

Applied Sept updates to 3 Win10 desktops and 1 Win11 laptop without adverse impact.

Reply | Quote