News, tips, advice, support for Windows, Office, PCs & more
Home icon Home icon Home icon Email icon RSS icon

We're community supported and proud of it!

  • MS-DEFCON 4: July updates should be installed

    Home Forums AskWoody blog MS-DEFCON 4: July updates should be installed

    Viewing 27 reply threads
    • Author
      Posts
      • #2380193
        Susan Bradley
        Manager

        ISSUE 18.28.1 • 2021-07-27 PATCH WATCH By Susan Bradley July patches have been well behaved. Consumer and home users If you’ve used the “pause updates
        [See the full post at: MS-DEFCON 4: July updates should be installed]

        Susan Bradley Patch Lady

        4 users thanked author for this post.
      • #2380213
        Sproots
        AskWoody Plus

        Re: Print Spooler

        So what is the safest option for a household that has to have constant printer services for two work at home office Educators and Med professionals?

        Computers have mix of direct USB printing as well as across MoCA LAN.  They also print from tablets and laptops over WiFi to same printer.

        The MoCA LAN is hung off owned Cable Modem for ISP and the WiFi Router is hung off the owned Cable Modem.  Both Modem and WiFi Router have as much hardening as available in settings.

        Manual Print Spooler reset every time is not viable for the amount of work they may have on any day.

        Just stay with the current patches and follow normal security best practices in their daily usage?

        • #2380288
          Susan Bradley
          Manager

          If you really need to print, just be careful on what you click and watch for more updates soon.  I honestly expected either out of bands or preview updates by now.

          Susan Bradley Patch Lady

      • #2380214
        JLamede
        AskWoody Plus

        Many thanks, but no W10 patches are listed as anything other than ‘Defer’ on 13 July sheet.

        1 user thanked author for this post.
      • #2380217
        Ayjaydee
        AskWoody Plus

        Grateful if the Master Patch List spreadsheet could be updated please. I always follow this when Approving patches on the WSUS server for which I am responsible. The current version is 13th July and says to defer pretty well everything. Good to see that 21H1 has been given the go ahead. Is this a minor update? I like to warn users if it is a major one that will take some time to install.

        Thank you for providing this vital service.

        Arthur J Davis
        UK

        1 user thanked author for this post.
        • #2380225
          PKCano
          Manager

          If the July patches are already applied to the current version, the move from 2004 or 20H2 to 21H1 is a minor one. If the July patches have not yet been applied, you have the update PLUS the Enablement Pack turn on.
          So it’s the July update itself that is the “big” part. The turn on of the switches is minor.

          1 user thanked author for this post.
          • #2380368
            WCHS
            AskWoody Plus

            in Settings>System>About it lists an Experience Pack. In Installed Updates, it lists an Enablement Package. Are these two names for the same thing?

            • #2380371
              PKCano
              Manager

              Will change the name to Enablement so you won’t be confused. 🙂

              2 users thanked author for this post.
          • #2380652
            hms
            AskWoody Plus

            PKCano, I am sorry that I do not understand this as I am in this situation — I have 2004 pending the July update & plan to install 21H1 soon.

            I am not familiar with “Enablement” or with “switches” referred to in your 2nd par.

            Thanks for your understanding and help.

            • #2380665
              PKCano
              Manager

              v2004, 20H2 and 21H1 all have the same core based on 2004.
              All three get the same updates and have the components.
              The difference between them is the enablement of the components/packages that provide the extra features that 20H2 has over 2004, and 21H1 has over both of the others.
              So, all three will get the same CU each month. Given that the version is up to date with the monthly patches (all have the same), the upgrade from 2004 to 20H1, for example, is just enabling the features that are already present by turning on the Enablement Package for that version.

              1 user thanked author for this post.
              hms
              • #2380672
                hms
                AskWoody Plus

                PKCano, thanks so much for the explantion of Enablement. Along the way I missed discussion of the term as it relates to Windows 10.

        • #2380245
          Susan Bradley
          Manager

          Apologies I forgot to hit publish last night.  The updated spreadsheet is there now.

          Susan Bradley Patch Lady

          1 user thanked author for this post.
      • #2380231
        glnz
        AskWoody Plus

        As always, for my Win 7 Pro 64-bit machines, the .NET update KB5004229 actually contains various individual updates depending on the levels of .NET I have, but it’s still not clear which ones I should install.

        Using the dotnet.exe utility, I see I have .NET 3.5 and 4.8 on my Win 7 machines.

        While KB5004229 offers me KB5004116 for .NET 4.8 (good), it also offers me these and it’s not clear what version of .NET they apply to or whether I should try to install them:

        KB4019990
        msipatchregfix-amd64
        KB4578952

        What do you think?  Thanks.

      • #2380264
        glnz
        AskWoody Plus

        Just hit “Check for Updates” and finished my July update KB5004237 for Win 10 Pro version 20H2.

        But Belarc Advisors says I installed two updates, of which the second is KB5003742.

        However, there is no MS article about KB5003742.

        Any idea what it is?  Thanks.

        • #2380270
          PKCano
          Manager

          Look in Installed Updates (Control Panel\Programs & Features\View Installed Updates.
          There should be a description there.

          2 users thanked author for this post.
          • #2380365
            glnz
            AskWoody Plus

            PKCano – thanks for good suggestion.  My old-style Installed Updates does not show KB5003742 but does show as today’s second item “Servicing Stack 10.0.19041.1081”.

            Do you think that the mystery KB was this servicing stack?

            • #2380392
              EP
              AskWoody_MVP

              yes glnz, KB5003742 is that .1081 SSU as verified in another forum in this post

              2 users thanked author for this post.
      • #2380299
        Microfix
        AskWoody MVP

        I see that MSFT have dumped more? superseded? July patches in the catalog dated 07/26/2021
        https://www.catalog.update.microsoft.com/Search.aspx?q=2021-07
        for Win7/8.1 and 10 (and other updates); PIV/smartcard fix on (DC) that can leave multifuntion printers inoperable, I’ll leave it to the experts 🙂

        | Quality over Quantity |
        2 users thanked author for this post.
        • #2380305
          Susan Bradley
          Manager

          It’s just for those printers that use smart cards to authenticate for printing jobs.  Big enterprises only, haven’t seen it widely reported at all.  Still doesn’t fully protect us from the unpatching printing bugs.

          Susan Bradley Patch Lady

          • #2380394
            EP
            AskWoody_MVP

            those new out-of-land updates are only obtainable from the Catalog and will not be distributed thru WU. so those are not really needed for most of us

            currently only available for Win7, 8.x and Win10 v1809; MS will probably release more out-of-band updates for other Win10 versions later this week

      • #2380343
        Coldheart9020
        AskWoody Lounger

        Installed KB5004237 for 20H2 as well as the MSRT (which seem to be back on a monthly cycle rather than quarterly); rebooted with no apparent issues.

        Still have the Print Spooler service disabled, but I do anyway because I don’t print on this machine, and it’s easy enough to re-enable should I ever need to.

        Bottom line: No issues that I can tell 🙂

        1 user thanked author for this post.
      • #2380351
        sheldon
        AskWoody Plus

        Office 2016 non-security updates  kb5001980 kb5001971 are not on your master patch list

      • #2380369
        WCHS
        AskWoody Plus

        Should a consumer user (Win10/Pro-20H2) be concerned if Shadow copies exist?

        • #2380382
          Susan Bradley
          Manager

          My hope is that Microsoft comes out with a fix.  As with any issue where the attacker first has to get on your system, my hope is that my hesitation in telling you (or any non business user) to take action and possibly leave you in a position where you can’t restore/recover is countered by your level of being paranoid enough to keep the bad guys away through your actions.  If shadow copies are on your machine, they are there because your backup software probably put them there.

          Susan Bradley Patch Lady

          • #2380396
            WCHS
            AskWoody Plus

            You are correct — that’s how the shadow copies got on my system. I am very careful in the URLs I visit and I don’t click on any link that comes through my e-mail. You would say I am paranoid, but that doesn’t mean that the bad guys can’t get to me.

            • #2380481
              WCHS
              AskWoody Plus

              You would say I am paranoid,…

              That doesn’t read right. I mean “you”, in general, not in particular. A better way to say it is I would say that I am paranoid, but that doesn’t mean that the bad guys can’t get me — How paranoid is that??

              These updating issues and CVE’s drive me crazy. I’d like to just sit back and be confident that everything is running fine.

      • #2380373
        Geo
        AskWoody Plus

        Home user.  I have an old HP Deskjet   The update didn’t affect it.  runs fine.

      • #2380379
        rebop2020
        AskWoody Plus

        Took longer to install than expected after download. No issues. Printers print. Did appear to install two new Tasks under Windows for “Diagnosis”

      • #2380490
        Alex5723
        AskWoody Plus

        You are correct — that’s how the shadow copies got on my system

        What backup software created Shadow Copies on your PC ?

        I have created a daily schedule to create Shadow Copies. My backup software (Acronis) doesn’t create Shadow Copies.

        • #2380501
          WCHS
          AskWoody Plus

          What backup software created Shadow Copies on your PC ?

          You are not going to like to hear this, but I use Windows Settings>Update & security>Backup>Backup and Restore (Windows 7). I can hear you groan now 🙂

          1 user thanked author for this post.
      • #2380500
        bsfinkel
        AskWoody Lounger

        My experiences with the July patches

        What I hope/expect/want from Windows Update:

        o Un-pause WU ==> search for updates
        o Download updates (at “normal” speed)
        o Install updates
        o Prompt for reboot

        What happened:

        Search for updates found two updates – July MRT.exe and Win 10 Pro 64-bit Cum 21H1, and the download started. MRT was fairly quick to download and install because it is small. It took about an hour to download KB5004237. After WU said that the download was 100% complete, there was still more Internet activity than usual. So I started Wireshark to see what the activity was; Wireshark wanted to download a new version, so I allowed it. The download was 71.4 Mb at a constant 4 Mb/s (about 2 minutes and much faster than WU). After the Wireshark install (about 30 minutes after WU said that the download was 100% complete), the install of the 21H1 update started.  It took about 2 minutes to install. But there was NO prompt for an update. I needed to reboot anyway to fix a problem caused by a full Defender scan.  I noticed that TiWorker,exe was using 44% CPU, and I had no idea what this Trusted Installer executable was doing, I figured that if it was doing something important, the reboot would be refused. The reboot started, and Windows told me that updates were being installed; do not power down. The reboot completed, but I have not done much to see if anything is not working.  I think that WU (i.e. TiWorker.exe) did not complete normally, so it did not prompt for a reboot.  But WU did schedule the required updates for the reboot,

         

        • #2380556
          bsfinkel
          AskWoody Lounger

          “NO prompt for an update” should have  been “NO prompt for a reboot”.  Sorry.

      • #2380538
        dmt_3904
        AskWoody Plus

        I downloaded & installed 21H1 on 7/15/21 using WU.  I use GP Edit settings to prevent Quality updates. I changed that setting to 0 days once we got the go ahead for July updates.  Have not seen anything yet – would the version of 21h1 have it? If not, I’ll just have to keep waiting…….

        • #2380546
          PKCano
          Manager

          Restart the computer. Then run wushowhide and see if it’s available.

          1 user thanked author for this post.
          • #2382488
            HE48AEEXX77WEN4Edbtm
            AskWoody Plus

            Last year I requested from PKCano step-by-step instructions for running WUSHOWHIDE and received very explicit instructions that have worked fine until the last two months. I am following the same written instructions, but WUSHOWHIDE is not cooperating. Today, I followed the normal steps up to   setting Windows Update Services to “Disabled” and then stopped the service. I then restarted the computer and then set Windows Update Services to “Manual”. When I open WUSHOWHIDE and tried to Pause to 7 days, I could not because the “Cumulative Update Preview for .NET Framework had already downloaded. I don’t get a chance to hide the file and the only options available was to restart and install. Any suggestions?

            OS:                        Window 10 Pro

            Version:               10.0.19042 Build 19042

            Computer:           ASUS x-64

            • #2382500
              Bob99
              AskWoody Lounger

              Last year I requested from PKCano step-by-step instructions for running WUSHOWHIDE and received very explicit instructions that have worked fine until the last two months.

              Are you referring to instructions in AKB2000013 that deal with hiding unwanted updates that may have already shown up in Windows Update but have not yet been downloaded for installation?

              • This reply was modified 1 month, 2 weeks ago by Bob99. Reason: Added clarification to the question posed
              1 user thanked author for this post.
              • #2383820
                anonymous
                Guest

                Sorry for my late reply, but I had surgery and have not been able to respond. Yes, those are the instructions that I am referring to.

        • #2380552
          Bob99
          AskWoody Lounger

           

          If PK’s suggestion above doesn’t do the trick to get the July update to show up, please consider the following:

          Since you say that you installed the upgrade to 21H1 back on July 15th, the July update may very well have been part of that package. That was the case for me when I updated to 21H1 last month…I got the latest updates out there as part of the package without being asked and despite having settings the same as yours for Quality Updates.

          So, right click on the Start icon on the taskbar and select the “Run” command. Now, in the resulting box, type”winver” and hit the enter key. If it reports that you have Windows 10 build number 19043.1110, then you’ve already got the July update so there’s no need to keep looking for it.  🙂

          If it says you’ve got a build number of 19043.1052-19043.1083, then keep looking for the update (as PK suggests above) and it should show up any moment if it hasn’t already by now.

          2 users thanked author for this post.
          • #2380666
            dmt_3904
            AskWoody Plus

            Windows 10 build number 19043.1110

            thanks this is my version

            • #2380673
              PKCano
              Manager

              Build 1943 = 21H1 and .1110 = the July update.
              So you already have v21H1 and it is up to date as of July!

      • #2380544
        JD
        AskWoody Plus

        July patches installed with no problems to report on Win 8.1.  🙂

        Installation Successful: Windows successfully installed the following update: 2021-07 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 for x64 (KB5004231)

        Installation Successful: Windows successfully installed the following update: 2021-07 Security Monthly Quality Rollup for Windows 8.1 for x64-based Systems (KB5004298)

        Group "A"- Win 8.1 x64
        Win 10 ver. 21H1 x64

        1 user thanked author for this post.
        • #2382114
          DrBonzo
          AskWoody Plus

          I just duplicated JD’s results on two 8.1 x64 computers.

      • #2380584
        Alex5723
        AskWoody Plus

        Title: Microsoft Security Update Revisions
        Issued: July 28, 2021
        ************************************************************************************

        Summary
        =======

        The following advisory and CVE have undergone major revision increments.

        ======================================================================================

        * ADV210003

        – ADV210003 | Mitigating NTLM Relay Attacks on Active Directory Certificate
        Services (AD CS)
        https://msrc.microsoft.com/update-guide/vulnerability/ADV210003
        – Version: 1.1
        – Reason for Revision: Executive Summary text has been revised, and a statement has
        been added to inform customers that KB5005413 –
        https://support.microsoft.com/help/5005413 has been revised. These are informational
        changes only.
        – Originally posted: July 24, 2021
        – Updated: July 28, 2021
        – Aggregate CVE Severity Rating: N/A

        * CVE-2021-36934

        – CVE-2021-36934 | Windows Elevation of Privilege Vulnerability
        https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
        – Version: 4.0
        – Reason for Revision: The following revisions have been made: 1) Removed Windows
        Server versions from the Security Updates table as they are not affected by this
        vulnerability. 2) Updated the Workaround information with a Caution regarding
        restoring a system from backup.
        – Originally posted: July 20, 2021
        – Updated: July 27, 2021
        – Aggregate CVE Severity Rating: N/A

        • #2380716
          WCHS
          AskWoody Plus

          I have some questions about the update guide for CVE-2021-36934 (HiveNightmare / SeriousSAM) and have posted them <here>… so, as not to cause veering off topic.

      • #2380677
        KP
        AskWoody Plus

        @SB and AskWoody Readers

        KB5004772 .NET

        I am a manual installer.  2021-07 .NET Core 3.1.17 Update for x64 Client (KB5004772) shows the pictured items for download.

        I am not doing any .NET development so don’t need the SDK files. (Likely the x86 files there, are a mistake.) I am down to 3 files pictured below: Core runtime, Runtime and Desktop runtime.

        Any comments on what is the appropriate use is for each of these three files?

         

        • #2380684
          KP
          AskWoody Plus

          Looking back at 3.1.16, I am guessing the Desktop runtime is needed. We also installed the Core .NET from February 2021 so we may need that too.

          • #2381021
            KP
            AskWoody Plus

            I think I only need Desktop runtime since that is what is in 3.1.16 .NET Core. Looking back at June 24 Patch Watch, I think the 3.1.16 .NET core is referencing a patch released in February 2021 hence my confusion about Core.

      • #2380683
        EP
        AskWoody_MVP

        new “preview” updates released Thursday July 29 afternoon for recent Windows 10 versions:

        KB5004296 (build 1904x.1151) for Windows 10 versions 2004, 20H2 & 21H1:
        https://support.microsoft.com/help/5004296

        KB5004293 (build 18363.1714) for Windows 10 version 1909 enterprise & education:
        https://support.microsoft.com/help/5004293

        these recent preview updates, however, do not include the fix from MS support article 5005408 for smart card authentication printing/scanning problems

      • #2380704
        Mike
        AskWoody Plus

        Just a report:

        July 2021 Update:  Major Mouse Issue

        After installing the July, 2021 update, I notice lag, inaccurate and other “glitchy” like symptoms with using my Microsoft mouse.  Updating the mouse drivers did not fix the problem.

        Uninstalling the update resolved the problem.

        Works fine pre July, 2021 update.  Flawlessly and never had an issue until update.

        Mike

        Lenovo Z580 Laptop

        Edition Windows 10 Pro
        Version 20H2
        Installed on ‎10/‎26/‎2020
        OS build 19042.1052
        Experience Windows Feature Experience Pack 120.2212.2020.0

        Device name DESKTOP-3SNQMJ2
        Processor Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz 2.50 GHz
        Installed RAM 8.00 GB (7.86 GB usable)
        Device ID 1E7F429F-FEAE-440B-BF57-A085B0AACCCD
        Product ID 00330-81478-16093-AA278
        System type 64-bit operating system, x64-based processor
        Pen and touch No pen or touch input is available for this display

         

         

        • #2381022
          KP
          AskWoody Plus

          I also had mouse issue but I think it happen after the May patches installed. (PCs upgraded from W10 1909 in May. (One to W10 20H2 and one to W10 2004.) I had problems with a Microsoft mouse and a Logitech mouse. A third Microsoft mouse ended up being the solution. I can’t explain why this one mouse is OK on both PCs.

      • #2380758
        Alex5723
        AskWoody Plus

        “After installing the June 21, 2021 (KB5003690) update, some devices cannot install new updates, such as the July 6, 2021 (KB5004945) or later updates. You will receive the error message, “PSFX_E_MATCHING_BINARY_MISSING”.”

        For more information and a workaround, see KB5005322

        https://support.microsoft.com/en-us/topic/kb5005322-some-devices-cannot-install-new-updates-after-installing-kb5003690-june-21-2021-66edf7cf-5d3c-401f-bd32-49865343144f

        • #2381048
          Susan Bradley
          Manager

          BTW that’s a business related patching issue not home user one.  That said an inplace repair is often the only way to get machines to behave and fix windows updating issues.

          Susan Bradley Patch Lady

          1 user thanked author for this post.
      • #2380784
        anonymous
        Guest

        Windows 7 64-bit computer hooked (USB) to an older HP Inkjet printer. Printer is only turned on when we are printing (literally 2-3 times per month). KB5004951 stopped the printer from working, with an odd message saying (paraphrased) that HP solution center needed an Adobe Flash Player update for Internet Explorer.

        Those are several products that I don’t touch right there. Uninstalling the printer spooler update immediately brought the printer back to life.

        For a while I followed all the update do and don’t threads religiously but to be honest it became too much: time, frustration, effort.

        Should I just skip the print spooler update and hope for the best? Like I said, we don’t print much but we do need to occasionally print documents to be signed and mailed.

        Thanks.

         

      • #2380816
        LHiggins
        AskWoody Plus

        OK I ran into a problem getting KB5004237 on my 20H2 WIn 10 Pro laptop. It downloads fine – but then stops at Downloading 100% and won’t install. I restarted twice now, and it will download up to that 100% point and then it won’t move to Installing.

        I have turned off metered connection, but I can’t seem to find the setting for changing the active hours if that might have anything to do with it – seems that was just for restarting after installation.

        Suggestions welcome and how to get this moving.

        Thanks!

        • #2380820
          LHiggins
          AskWoody Plus

          Update – third time must have been the charm. I stopped Windows Update in Services, rebooted and let it run again and it finally did install. Not sure what the problem was, but seems OK now.

          1 user thanked author for this post.
        • #2389316
          rontpxz81
          AskWoody Plus

          Same happened to me- thanks for the tip.

      • #2382268
        WCHS
        AskWoody Plus

        Using the dotnet.exe utility,

        Where is this utility?

      • #2386135
        Alex5723
        AskWoody Plus

        BTW that’s a business related patching issue not home user one.  That said an inplace repair is often the only way to get machines to behave and fix windows updating issues.

        New updates 8/24/21 : KB5005322 – Some devices cannot install new updates after installing KB5003214 (May 25, 2021) and KB5003690 (June 21, 2021)

        Resolution/Workaround
        We recommend an in-place upgrade. An in-place upgrade installs an operating system on your device without removing the older version first. Your files, apps, and settings will not be affected. There are a few ways to perform an in-place upgrade, but we will only focus on the following:

        Wait for the Windows Update Medic Service (WaaSMedicSVC) to automatically perform an in-place upgrade. The Windows Update Medic Service runs in the background and diagnoses and repairs Windows updates based on the WaaS Assessment Impact Level. This in-place upgrade process will only run automatically on devices that are significantly out of date.

        For a faster resolution, perform a manual in-place upgrade as described below. Doing this will install the most recent security quality update available. This is our preferred workaround.

        Updated 8/24/21

        Note The in-place upgrade option is only available to devices that have been online for at least 30 days.

        Note For ARM64 devices, an in-place upgrade will only succeed if KB5005932 has already been installed. You can verify that KB5005932 has been installed by going to Settings > Windows Update > Update History > Other Updates. If your ARM64 devices do not have KB5005932 installed, select Check for Updates on the Windows Update settings page to initiate a scan…

        I had to restart my 21H1 August updated PC after a version update to Kaspersky A/V.
        After the restart I watched Task Manager and noticed WaaSMedic.exe running for ~5min with high CPU. It is the first time I have seen this service running.
        I no Windows Update problems.

      • #2386247
        WCHS
        AskWoody Plus

        glnz wrote:

        Using the dotnet.exe utility,

        Where is this utility?

        I never saw an answer to this question.

      • #2386265
        Alex5723
        AskWoody Plus

        glnz wrote:

        Using the dotnet.exe utility,

        Where is this utility?

        I never saw an answer to this question.

        You mean portable .NET Version Detector ?

      • #2386310
        WCHS
        AskWoody Plus

        You mean portable .NET Version Detector ?

        In this thread you are reading, at #2380231, @Ginz mentioned using a dotnet.exe utility to find out what .NET versions were on a Win 7 machine. I did a search for it, but could find nothing, so I was asking for more information about where/how to find this utility.

        I don’t really know what was meant, but portable .NET Version Detector might be what @Ginz was referring to.

        I’ll try it.

        • #2389303
          KP
          AskWoody Plus

          A late answer and not exactly what you asking but another way to try.

          The command may not show up right, in which case it best to see the Microsoft web site.
          “dotnet -–list-runtimes”

    Viewing 27 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, no politics or religion.

    Reply To: MS-DEFCON 4: July updates should be installed

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.