• Report: The October Win7 Monthly rollup, KB 4462923, forces TLS 1.0

    #231744

    Just got a report from reader MB: I’m not sure what others are experiencing but, at my place of employment, KB4462923 appears to have changed the syst
    [See the full post at: Report: The October Win7 Monthly rollup, KB 4462923, forces TLS 1.0]

    7 users thanked author for this post.
    • #231757

      TLS 1.0 and SSL3 were supposed to have been dumped back in June 2016 in favor of TLS 1.2.
      A bit of background regarding the protocol:
      https://www.varonis.com/blog/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/
      and that article is 14 months old.

      Windows - commercial by definition and now function...
      1 user thanked author for this post.
      • #231799

        I thought those were some of the things that were supposed to be removed from Windows, since those are now broken protocols.

    • #231766

      Just when you think the bumbling and fumbling at Microsoft couldn’t get any worse…..

      Microsoft officially dropped support of TLS 1.0 just over a week ago on their Office 365 exchange servers. They gave plenty of warning, over a year for the deadline. Any of our hardware or older software that only used TLS 1.0 to send email had to be re-routed through an smtp relay server instead of pointing directly to Office 365 Exchange servers because Microsoft said TLS 1.0 will no longer be allowed to pass on October 31st.

      I can’t confirm the situation. We only have one 2008r2 server left and it does not do send mail. But this would not surprise me at all. Just as they discontinue the use of a protocol they release a patch that re-enables it which causes send mail failure.

      This has become a comedy of errors in which it seems each new day brings a new failure from Microsoft.

       

      Red Ruffnsore

      • #231790

        So I decided to do a little more digging. I went to our Office 365 Exchange console and ran a message trace on outgoing email. I wanted to see if emails sent by users from Outlook were using TLS 1.2 which they should be. KB4462923 is installed on most of our W7 and W10 desktop computers. They are sending in TLS 1.2 format. However I see another issue with Office 365 Exchange servers.

        Looking at all outgoing email I see a lot of emails showing as “Getting Status” and not showing that the emails have been delivered. These would be emails being exchanged with users in house which means they are going directly from Outlook on a user desktop to Office365 servers which send to another local user on our domain. No outside interference.

        I confirmed the emails are delivered but obviously Microsoft has something else going on with Exchange as well because there are a lot of “Getting Status” along with a lot of “Resolved” reports showing up. The emails are getting delivered but something else is going on in which Exchange is having a lot of delays in reporting the messages as being delivered.

        So I can report our users are sending email using TLS 1.2 but something else is going on. Our relay servers are running Server 2012r2 so they are not affected.

        Red Ruffnsore

        6 users thanked author for this post.
    • #231778

      Here’s Microsoft’s revised support document: https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365.

      There’s a warning against disabling TLS 1.1 and 1.2 for Windows Server 2008 users, but I didn’t see anything said about disabling TLS 1.0.

    • #231822
      1 user thanked author for this post.
    • #231864

      I am glad that I am still holding off from installing the October and November security only rollups.

    • #231866

      I have not noticed anyone saying anything, but immediately after we reached Defcon 4, I had Windows Update do its thing. It seemed uneventful, but as soon as I opened Outlook 2010, images were no longer being downloaded along with their messages — image placeholders are all I see, and in order to view each email, I am forced to view it via one of my browsers (it doesn’t matter which one).

      Since I have been using Outlook 2010 since it was released and I never experienced this before, I can only attribute it to the updates.

      Anyone?

      • #231868

        I don’t use Outlook. But there is a security setting (option) in most mail programs to allow automatic download of external pictures/objects (or not). I wonder if the option was reset by one of the latest Outlook/Office updates.
        You might look through the options (probably security) and see if you can find the setting.

        Another approach would be to uninstall the Outlook updates one by one to see which caused the change, then reinstall all but the culprit.

        • #231950

          I doubt if an Outlook update is responsible. I always install all the Office security patches and am up-to-date now including October’s, but I still have the right-click option to download pictures on my Outlook emails – and it works! However, being in Group B, I do not install rollups.

      • #231869

        Yes. Microsoft also warned that there would be issues with Outlook 2010 after TLS 1.0 would be abandoned. This should not be a surprise to corporate admins.

        Red Ruffnsore

      • #231927

        I’m not sure the image thing is TLS-related.

        As I recall that was a “step up in security” (with a step down in functionality) specifically done to reduce the automatic interpretation of message contents.

        I use Outlook 2010 myself, and as I recall that change came in stages, and this was quite a while ago… I remember at one point being able to right-click on image placeholders and seeing the images, then later not being able to get it to load images at all (the placeholders just change from “right click to download” to “The linked image cannot be displayed”).

        At this point I have simply stopped expecting eMail messages to be rich with image content. Life goes on. The important parts are almost always in the text anyway, and most eMail originators (e.g., the government) will include a “view in browser” link in mail that matters.

        It’s mildly interesting that the product has become literally much less functional and yet we all just accept that, as though it’s inevitable in the name of security and progress. They have our brains washed well…

        -Noel

        6 users thanked author for this post.
      • #232005

        I can’t promise this trick will work for all, but it did work for me with Outlook 2010 on both Windows 7 and 8.1. It’s simple enough to try and then reverse if you wish. Go to Internet Options via either Control Panel or I.E. In the Advanced tab, scroll down to the Security subsection. One of the options is “Do not save encrypted pages to disk”. If the box is checked, uncheck it, apply, and close out of it. Now see if the problem is fixed. I’d had this problem for quite a while, but after this fix, never again. Not exactly an intuitive place to look, huh!

        2 users thanked author for this post.
        • #232016

          Yep, that works. Thank you!

          Notably I seem to have to hover over the image placeholders to get them to load now, at least from existing eMail messages.

          I need to do some research on what (intrusion? infection?) doing that might make possible that the setting presumably prevents…

          Edit: I found a Microsoft article that claims, “The checkbox was slated to be retitled ‘Clear HTTPS cache when browser is closed’ but we unfortunately ran out of time.”

          Clearly there’s a secondary implication to it when HTML content is being rendered in Outlook.

          -Noel

          1 user thanked author for this post.
          • #232513

            I have just come to the conclusion that the picture content in Outlook 2010 emails is decidedly temperamental. As I wrote above, I had no problem on 10/11/18; but yesterday I had reason to re-install Firefox, my default browser. Lo, the pictures dropped out of my Outlook emails and no amount of clicking would get them back. I thought Oh no you don’t and have spent a large part of this evening twiddling with the settings in Outlook’s Trust Centre. Got my pictures back in the end, but I still can’t imagine why re-installing Firefox blocked them anyway……………….I had retained the same settings……………………..and of course if I have to re-install again, presumably the problem will recur………………………..It is these unanswered questions that keep us glued to the monitor…………………………………

    • #231870

      Given the headline at the top of this thread, can someone please develop a post for more advanced users to see just what setting they have with respect to TLS 1.0 on their client (non server and non domain-joined) computer(s), and just maybe how to change it to at least a default of TLS 1.0 disabled and a minimum of TLS 1.1 enabled as the go-to protocol?

      Something tells me this entails a setting deep within the registry to check and/or change.

      The link in Anonymous’ post (#231822) above is of some help, but not much, in that it makes it seem as if the only way to truly disable TLS 1.0 and enable the higher protocols, like 1.1, 1.2 and 1.3, is to create some very specific registry entries in a somewhat “obscure” location. I’m not convinced that’s the only way; there’s got to be a setting already within the registry we can check and/or modify to produce the expected results as I describe above.


      @abbodi86, and @GoneToPlaid, (or any other MVPs) any thoughts on this concept? Use Group Policy, perhaps, for those of us who have Win 7 Pro and above?

      • #231872

        Hopefully this only affects corporate systems using Server 2008r2 for smtp directly to Office 365 servers. With the notation that Outlook 2010 users may experience issues.

        Red Ruffnsore

    • #231897

      Re KB 4462923 – October 2018 updates —

      On 2018-11-03 I did a TRIAL INSTALL  on my home computer — see #230112

      There is something very wrong with this update —

      I found that Windows media player was no longer my default video player so I set VLC player as default (should have done it long ago)

      I find that Firefox Browser (my default) now seems to be having difficulties in accessing websites and flashing when moving from one website to another.

      I suspected my Internet connection first but it checked out ok.

      Today, after reading of further problems reported above, I decided to revert back to my previous image before installing KB 4462923 (Using Macrium Reflect image).

      I did so, and all the odd behavioral things disappeared. I installed the Dot Net updates offered —
      KB 4054530 and Reboot computer / KB 4457918, and KB 4459922 and Reboot computer.

      All is now smooth and functioning as it should.

      My Computer is now updated to December 2017 (as are the other seven I am responsible for)

      It has been a terrible year for Microsoft Updates !!!!!!!!!!

      ~~~~~~~~~~~~~~~~~~~~

      Regarding Windows 10 — I was talking to an IT friend of mine this morning, here in Australia. He works in a company of over 7000 spread around the world. He parted with this piece of info —

      They are no longer allowed to use Windows 7, and have all been upgraded to Windows 10 (He suspects that a deal has been done with Microsoft but is not sure who made the decision). When I asked how he deals with the updating problems, he said that when something goes wrong, then he has to have his computer re-imaged. He is running into problems already. I referred him to this site.

      MS are just rolling out a broken OS to get the numbers on the board.

      Incidentally, he uses an Apple at home!!!!!!!!!!!!!!!!!

      ~~~~~~~~~~~~

      mbhelwig

      3 users thanked author for this post.
    • #231929

      Interestingly, MS downloaded both TLS 1.0 and Windows Essentials installer on my home computer November 8.

      Is Windows Essentials the same as Microsoft Security Essentials?  Has this downloaded on anyone else’s computer?  Does it cause problems?

      Thanks in advance for your help.

      Charles

      Dell Latitude D630: Windows 7 34 bit SP1, MS Office 2010 Pro SP 2. Intel Core 2 Duo T7100

      • #232518

        Windows Essentials is obsolete and no longer supported:  https://support.microsoft.com/en-us/help/18614/windows-essentials

        Possibly M/S thought you might like a copy for its antiquarian interest to go with the outdated TLS 1.0? I wonder whether more Windows 7 users are going to be offered retro software?

        1 user thanked author for this post.
      • #232578

        Windows Essentials 2012 was a useful suite of five or six programs. Although support ended January 10, 2017, the software remains useful. It is unlikely that you will be able to use the installer, as any installation now requires an offline installer.

        Microsoft Security Essentials is an anti-virus program with a small footprint and remains robust.

        On permanent hiatus {with backup and coffee}
        offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
        offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
        online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
        1 user thanked author for this post.
    • #231930

      Addendum:  Since installing kb4462923, I can no longer add attachments to my replies on AskWoody.  (The current attachment was originally attached to the previous message.)  kb 4462923 is now uninstalled, and I just reverted to an image saved with Macrium Reflect.

      2 users thanked author for this post.
      • #231952

        I had an issue yesterday whereby I could not upload an attachment (59kb jpeg) but, THAT was using linux. Just tried it today, and it works fine…go figure?!

        Windows - commercial by definition and now function...
        1 user thanked author for this post.
      • #232409

        The continuing saga of kb4462923 continues to unfold.  MS on its own decided to load several updates this morning.  Windows Update also wants me to install kb4054518, the quality roll up from 12/2017, along with several updates from March and April of 2018.

        All this while WU  is set to “never check for updates.”  Truly amazing!

        • #232452

          Was there a maintenance task performed? Or some other identifiable selfhealing process triggered? This could be automatic, by scheduled task, or manual request such as the System File Checker command. Do you run scripts to address certain concerns, that may have also done this as an associated task within the script?

          I’m ready to be outraged by Microsoft overreach, but want to clarify first.

          1 user thanked author for this post.
          • #232922

            Anonymous, the answer is no for all your questions.  Until I installed the update mentioned, my experience with group A had been uneventful.

            Windows 7 Pro SP1, Office Pro 2010 SP2, Intel Core 2 Duo T7100, 4 MB RAM

            • #233256

              That surprises me. The two occasions that I saw something similar were a result of uninstalling a cumulative rollup. This action removed all the parts of the rollup, including pieces from earlier patches. Subsequent checks for updates, when the removed rollup is hidden, would list for important installation those required parts removed by the uninstall. My thought was you may have done something similar in the course of maintenance.

              I have not seen Windows Update offer repeats of earlier patches, except as described above. I was hoping to read others posting similar experiences by now. I am unable to explain your report, and hope to learn more.

              1 user thanked author for this post.
    • #231974

      So what else is new?  I applied KB4462923 to my Windows 7 laptop when Woody gave the go ahead.  So what should I do now? I don’t seem to be having any problems.  Should I remove the Update or just leave it alone?

      • #231981

        This has not been verified as yet.
        If you are not having any problems, leave it alone.

        3 users thanked author for this post.
        • #232474

          I installed KB446293 when Woody gave the go ahead at DEFCON 4.  No problems encountered. I don’t use Outlook; does the glitch apply to my machine? Win 7 Pro, SP1, Grp. A, i-7core Haswell, HP ZBook.

          • #233194

            If everything seems dandy, I wouldn’t worry about it.  If this does become a bigger issue you’ll see more posts on AskWoody.

    • #232168

      Win 7 Pro 64-bit machine at home (SOHO).  I installed the October updates at Defcon 4 (Group A).

      In Internet Options – Advanced, I see that SSL 2.0 and 3.0 are UNchecked and that TLS 1.0, 1.1 and 1.2 are checked.  There is no box for TLS 1.3.

      I don’t remember whether or not I had UNchecked TLS 1.0 in the past.  But it is checked now.

      I don’t YET have an email client on this machine, but I will in the next few months.

      What should I do?  (AFTER coffee please.)

      Thanks.

      • #232170

        I find TLS 1.0 checked for Internet Explorer in Internet Options\Advanced on my Win7 machines as well. I suspect it is the MS default at the moment and they have not addressed it.

        • #232197

          FYI – Two more Win 7 Pro 64-bit machines (Group A) are the same as mine.

          Question – If I UNcheck TLS 1.0, what problems might that cause?

          Among other things, I access all these Win 7 Pro 64-bit machines remotely with TeamViewer 13 – does it need TLS 1.0?

          • #232203

            If you uncheck it, and there are some sites you cannot access using IE11, you can always recheck it.

      • #232191

        IMO only box that should be checked is TLS 1.2. I would guess that IE11 will never have a TLS 1.3 option since M$ focuses on EDGE.

        In October 2018, Apple, Google, Microsoft, and Mozilla jointly announced they would deprecate TLS 1.0 and 1.1 in March 2020.

    • #232216

      https://support.microsoft.com/en-us/help/4462927

      Has he tried installing KB4462927?

      Addresses an issue that makes it impossible to disable TLS 1.0 and TLS 1.1 when the Federal Information Processing Standard (FIPS) mode is enabled.

      I’m not seeing side effects in my Win7’s.

      Susan Bradley Patch Lady/Prudent patcher

      1 user thanked author for this post.
    • #232218

      Group A here, I was thinking of finally updating my win7 machines after months so I’m in doubt, what exactly does this hit if it does hit me, will it just cause problems with attachments?

      • #232451

        Hi to you, TheSuffering. I am being presumptuous when I read you to mean that you follow GroupA directions when you choose to update. Other GroupA adherents did so after reading Woody’s blogpost or associated Computerworld article from November 2nd.

        General questions about October updates could be asked and reviewed in that AskWoody blog comment section. For more specific help on the unique trouble of a neglected update, you may want to start a question topic here:
        https://www.askwoody.com/forums/forum/askwoody-support/windows/windows-7/ask-windows-7-questions-here/
        There is space below the list of topics to give a title and write the Original Post for a new Question Topic. This can help isolate a dialogue for your conditions and reduce confusion.

        A quick response here would be to recognize that the new MS-DEFCON 2 rating is in response to the expected troubles come Tuesday, November 13th. It is reasonable to follow the advice Woody gave in the Computerworld article and links he referenced there. Just do not accept any Windows Update offering published in November 2018. (Previews are already forbidden in GroupA standards)

    • #232224

      I don’t use Outlook. But there is a security setting (option) in most mail programs to allow automatic download of external pictures/objects (or not). I wonder if the option was reset by one of the latest Outlook/Office updates. You might look through the options (probably security) and see if you can find the setting. Another approach would be to uninstall the Outlook updates one by one to see which caused the change, then reinstall all but the culprit.

      Thanks to you and everyone else, but I tried all of the offered suggestions prior to posting here, with no success. It appears that unless I trip over a solution, I will have to live with it.

    • #232302

      I am running Windows 7  in Group B mode and I use Outlook.

      From my “Network and Sharing Center” page I clicked on Internet Options and then Advanced.

      From there I found “use TLS 1.0”  ticked. I removed this tick and ticked 1.2 but not 1.1.

      Am I good to go? And since I have experienced any problems.

      Thanks

      • #232314

        “Have not experienced any problems” that should be.

        If I have problems I might try ticking tls 1.1 also

    • #232376

      I am not seeing issues here, either, but we haven’t disabled TLS 1.0 completely.

      Comparing patched & unpatched machines, I haven’t been able to find any setting changed by KB4462923, but client settings are controlled by group policy. I’d like to see more detail (ex. version of Outlook affected, whether KB3140245 is installed, any visible change, exact symptoms/messages etc.)

      Two articles that seem relevant:

      https://blogs.technet.microsoft.com/schrimsher/2016/07/08/enabling-tls-1-1-and-1-2-in-outlook-on-windows-7/

      https://docs.nexcess.net/article/how-to-allow-outlook-to-connect-over-tls-1-1-1-2.html

      The registry entries recommended in the second article already exist by default in our Win7/Office 2016 MSI machines, including fresh loads.
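
A read-only way to answer the question in #231870 and to make the patched-versus-unpatched comparison mentioned in #232376, added here as an example and not posted by any participant in the thread. The registry locations and bit values are the standard Windows ones for Internet Options, SCHANNEL and WinHTTP; the function names are made up for this example.

```powershell
# Added example, not from the thread. Read-only: nothing is written to the registry.
# Written for the PowerShell 2.0 that ships with Windows 7.

# Bit values used by SecureProtocols and DefaultSecureProtocols.
$flags = @{ 'SSL 2.0' = 0x8; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns nothing ($null to the caller) when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Expand-ProtocolMask($Mask) {
    # Turn a protocol bitmask into a readable list of the protocols it enables.
    if ($null -eq $Mask) { return 'value not present (built-in default applies)' }
    $on = @($protocols | Where-Object { $Mask -band $flags[$_] })
    if ($on.Count -eq 0) { return 'none' }
    return ($on -join ', ')
}

function Show-Mask([string]$Source, [string]$Path, [string]$Name) {
    $value = Get-RegValue $Path $Name
    '{0,-34} {1}' -f $Source, (Expand-ProtocolMask $value)
}

function Get-SchannelClientState([string]$Protocol) {
    # SCHANNEL overrides are machine-wide and apply to every SChannel client.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\Client"
    $enabled = Get-RegValue $key 'Enabled'
    $offByDefault = Get-RegValue $key 'DisabledByDefault'
    if (($null -eq $enabled) -and ($null -eq $offByDefault)) { return 'no override (built-in default applies)' }
    if (($null -ne $enabled) -and ($enabled -eq 0)) { return 'disabled' }
    if ($offByDefault -eq 1) { return 'enabled, but only for applications that request it' }
    return 'enabled'
}

$ie = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$iePolicy = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

'--- Internet Options > Advanced (used by IE and WinINet applications) ---'
Show-Mask 'Current user' "HKCU:\$ie" 'SecureProtocols'
Show-Mask 'Group Policy (user)' "HKCU:\$iePolicy" 'SecureProtocols'
Show-Mask 'Group Policy (machine)' "HKLM:\$iePolicy" 'SecureProtocols'

'--- SCHANNEL client overrides ---'
foreach ($p in $protocols) { '{0,-34} {1}' -f $p, (Get-SchannelClientState $p) }

'--- WinHTTP default protocols (value introduced by KB3140245) ---'
Show-Mask 'WinHTTP' 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' 'DefaultSecureProtocols'
Show-Mask 'WinHTTP (32-bit apps on x64)' 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp' 'DefaultSecureProtocols'
```

Saving the output before and after installing or removing an update and comparing the two files shows whether any of these settings changed.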
