The usual non-security update previews are out, along with three non-security patches for Server 2008

Topic

New Reply

More of the usual. KB 4034670 – Preview of the non-security part of next month’s Win 7 Monthly Rollup KB 4034663 – Preview of the non-security part of
[See the full post at: The usual non-security update previews are out, along with three non-security patches for Server 2008]

1 user thanked author for this post.

ch100

Reply | Quote

Replies

I think the articles were too generic (i.e. does not list the changes), thus temporary down for revising

or they are waiting for the .NET blog post to be ready

2 users thanked author for this post.

ch100, woody

Reply | Quote

Yep

https://blogs.msdn.microsoft.com/dotnet/2017/08/16/net-framework-august-2017-preview-of-quality-rollup/

and Windows 10 1607 / Server 2016 got new cumulative too

4 users thanked author for this post.

ch100, woody, MrBrian, PKCano

Reply | Quote

Well, let’s start here… they have this list of issues to fix, some of which have been on this list since .NET 4.7 was first released.

https://support.microsoft.com/en-us/help/4015088/known-issues-in-the-net-framework-4-7

Most of those issues were recently fixed on Windows 10 1703 by a 1703 rollup. As .NET 4.7 is considered part of 1703, it gets patched by Windows only rollups, outside of and in addition to (I’m assuming) the usual .NET rollups. Annoyed yet?

Now, MS is trying to bring those fixes (if not more) to all the other supported platforms. To date, this list of known issues, and lack of reasonable fixes, is the reason I have not deployed .NET 4.7 yet.

My guess, they are trying to get the .NET releases right, so people finally start deploying .NET 4.7 in the enterprise…

1 user thanked author for this post.

woody

Reply | Quote

FYI, since July 2017 Preview, 4.6/4.6.1/4.6.2/4.7 updates had been reconciled (Microsoft wording) into one rollup update for all of them, and it’s based on 4.7 version

so even if you don’t install 4.7, you still get its updates on top of your downlevel version starting 4.6

4.5.2 is still separate

2 users thanked author for this post.

ch100, MrBrian

Reply | Quote

I don’t “think?” the .NET 4.7 bits apply if you are on an older .NET, say 4.6.2 for example. I know when I run ngen.exe it still outputs the version code for 4.6.2…

Then on machines where 1703 has been installed, I am seeing the newer version code for .NET 4.7 when executing ngen.exe.

Not sure if that means the 4.7 specific changes in the 4.7 tagged rollups sit and wait until 4.7 is installed, or, if those rollups would reappear in WU after a fresh 4.7 upgrade, to be reapplied… and probably won’t find out till the end of this month.

Reply | Quote

Well, i’m not saying this as analysis or opinion, it’s a fact

the rollup updates part of the installed Framework, not all of it, and the changes and installed 4.7 files will become active

for Windows 8.1 (CBS), installing 4.7 later will not need to reinstall the rollup
but for Windows 7 (MSI), the rollup needs reinstallation after 4.7

1 user thanked author for this post.

ch100

Reply | Quote

The way I read your post, it sounded like you were saying the 4.7 bits install and become active, even if you don’t install the 4.7 update itself. Thank you for clarifying ?

1 user thanked author for this post.

ch100

Reply | Quote

Revision 101 of https://support.microsoft.com/en-us/help/894199/software-update-services-and-windows-server-update-services-changes-in doesn’t mention the .NET monthly preview rollups. Revision 99 that was current earlier today did mention the .NET monthly preview rollups.

Reply | Quote

The August 2017 .NET monthly preview rollups have reappeared at  https://support.microsoft.com/en-us/help/894199/software-update-services-and-windows-server-update-services-changes-in.

1 user thanked author for this post.

ch100

Reply | Quote

I would say that KB4019276 to add TLS 1.1 and 1.2 on Win 2008 SP2 is interesting.

It is not categorized as security by MS, nor is it a security patch in the usual sense. More like a feature add.

But I would say that this feature add once installed (and configured!) improves security for schannel dependent communications. Arguably to a great extent depending on what the services are.
-Jim

1 user thanked author for this post.

PerthMike

Reply | Quote

Does Windows 8.1 suffer from this wordpad crash?

Reply | Quote

I have been declining “Preview” updates in WSUS as, from what I understand, these are beta/test versions of updates to be realised in the future.

Is this the correct thing to do?

Reply | Quote

The “Previews” are the pre-release of the Rollup.
For example, the “Preview” of the August 2017 Security Monthly Quality Rollup will contain the August Rollup + the non-security patches for September. In Sept, it will be combined with the security updates to make the September Rollup.

Although it supposedly contains the finished next month’s non-security updates, it is really for testing for those who need to be sure it is “going to work.” So, unless you are in the testing mode, let someone else be the Guinea Pig.

It is usually a rule not to install unchecked updates anyway.

Reply | Quote

I never understood the whole “Don’t install unchecked updates” philosophy. I never install the preview rollups, but anything else I do check off and never had a problem. I’ve never had a reason not to install them unless it was some Windows 10 upgrade thing or preview rollup.

Reply | Quote

Group A guinea pig.  Win 7 SP1 X64 home premium.  Took the full updates. So far nothing happened out of the ordinary.

1 user thanked author for this post.

ch100

Reply | Quote

No sign of block for Skylake in Windows 8.1 :). According to this one:

https://blogs.windows.com/windowsexperience/2016/01/15/windows-10-embracing-silicon-innovation/

they should be already starting to get us cut off :). Is anybody following the situation with Kaby Lake? Is the block present in the latest rollups?

Fractal Design Pop Air * Thermaltake Toughpower GF3 750W * ASUS TUF GAMING B560M-PLUS * Intel Core i9-11900K * 4 x 8 GB G.Skill Aegis DDR4 3600 MHz CL16 * ASRock RX 6800 XT Phantom Gaming 16GB OC * XPG GAMMIX S70 BLADE 1TB * SanDisk Ultra 3D 1TB * Samsung EVO 840 250GB * DVD RW Lite-ON iHAS 124 * Windows 10 Pro 22H2 64-bit Insider * Windows 11 Pro Beta Insider

Reply | Quote

Can anyone familiar enough with the code chime in here? Is the function that detects “newer” CPU’s something variable that can be coded once and just keep working, or is it more of a static list that MS will have to actively add newer gen CPU’s to, until software EoL?

Reply | Quote

You could ask at https://github.com/zeffy/wufuc.

1 user thanked author for this post.

ky41083

Reply | Quote

Ick, hate reading decompiled code… especially hate reading assembly code, makes my head hurt.

Based on what’s there, it would appear to be a static list that needs updating for marking additional CPU’s as “unsupported”. Unless I missed it, the actual list isn’t in the posted Github code, being that the Github code is just overriding the result returned from the function that looks at the list, not the actual list itself.

Based on the way the evaluation is written, it defaults the CPU type to “supported”, and only changes it to “unsupported” if the function that references the list returns a hit from said list.

Basically, all CPU’s default to supported, until they are added to a blacklist check MS clearly went out of the way to add, as this whole “IsCpuSupported” function did not exist in the code until very recently.

Which we more or less already knew. It is nice to see the code though. And going forward, know that CPU’s will default to supported, until MS gets around to adding them to the blacklist, and updating the blacklist via Windows updates.

So, to finally answer my own question, lol… newer CPU’s MS deems “unsupported” will in fact work, until they are cut off by a future update.

My big *** here and now is, what about hypervisors that pass through the CPU ID, rather than emulate it, like VMware. This blacklist check means you HAVE to run the Github posted memory patch referenced above, especially in an enterprise environment, in order to test future updates on Win 7/8.1 VM’s, hosted on systems using any blacklisted CPU.

1 user thanked author for this post.

MrBrian

Reply | Quote

ky41083 wrote:

what about hypervisors that pass through the CPU ID, rather than emulate it, like VMware.

As far as I know, none of the hypervisors emulate CPU or RAM resources. They are managed, scheduled, but not emulated.

Reply | Quote

That’s how I meant it, and it’s too late to edit above now…

I meant, that hypervisors like VMware, don’t emulate the CPU to the guest, they use passthrough instead, because it’s more efficient.

Hypervisors like QEMU, do emulate the CPU to the guest, at an increase in overhead.

Hence, old VM’s migrated to new hardware will be immediately effected by all this, on the more efficient hypervisors enterprises are using.

Reply | Quote

ky41083 wrote:

Hypervisors like QEMU, do emulate the CPU to the guest, at an increase in overhead.

XenServer hypervisor which uses QEMU emulation for I/O (without XenServer Tools installed) does passthrough of the CPU resources and RAM.
I don’t know of any hypervisor emulating CPU.
Maybe KVM?

Reply | Quote

From: https://en.wikipedia.org/wiki/QEMU

“QEMU is a hosted virtual machine monitor: it emulates CPUs through dynamic binary translation and provides a set of device models, enabling it to run a variety of unmodified guest operating systems.”

You have to mix QEMU with things like Xen or KVM to remove the CPU emulation overhead. For example, using only QEMU’s I/O emulation layer on top of Xen, as you cited. From same source:

“QEMU is involved only in the emulation of hardware; the execution of the guest is done within Xen and is totally hidden from QEMU.”

KVM definitely doesn’t do CPU emulation, and can interact similarly with QEMU like Xen does.

Basically, the CPU passthrough you are seeing on Xen, is the Xen layer, not the QEMU layer.

1 user thanked author for this post.

ch100

Reply | Quote

For you testers: Here’s how to spoof a Kaby Lake processor inside a VirtualBox Win7 VM

Reply | Quote

.NET 4.7 (involve 4.6.x) got OOB updates

https://support.microsoft.com/en-us/help/4038923/
https://support.microsoft.com/en-us/help/4038922/
https://support.microsoft.com/en-us/help/4038921/

3 users thanked author for this post.

woody, ch100, MrBrian

Reply | Quote

anonymous wrote:

I would say that KB4019276 to add TLS 1.1 and 1.2 on Win 2008 SP2 is interesting. It is not categorized as security by MS, nor is it a security patch in the usual sense. More like a feature add. But I would say that this feature add once installed (and configured!) improves security for schannel dependent communications. Arguably to a great extent depending on what the services are. -Jim

Indeed, I find this VERY interesting, since it really does qualify as a security patch if you run any sort of web server (in our case, our OWA) on a 2008 non-R2 server. Suddenly adding TLS 1.2 support to an internet-facing web server is a bit security fix for us.

Looks like there’s already been reports that installing this patch breaks FTP functionality (somehow messes up the ftp protocol packets), but I can live with that.

No matter where you go, there you are.

Reply | Quote

Anyone faces any issue on the patch KB4019276 for supporting TLS 1.2 client? We installed the patch in our Windows Server 2008 SP2, and even though the TLS 1.2 server works, but the client does not, meaning we cannot connect to our client’s web API successfully because the client’s web API only supports TLS 1.2 which are not supported by sChannel in Windows Server 2008 SP2.

Anyone is aware of whether Microsoft plans to come out with the updated cipher suites for TLS 1.2 for Windows Server 2008 SP2?

Reply | Quote

It seems .NET is going to get new Rollups soon (tonight?), and they are Security ones

https://support.microsoft.com/en-us/help/4035038

Notice

Previously, the .NET Framework Preview of Quality Rollup (KB 4035038) was released as an optional update. The improvements that were delivered in the Preview of Quality Rollup are now available in a Security and Quality Rollup (KB 4039114) as a recommended update. No new improvements were added since the Preview of Quality Rollup was released.

Reply | Quote

Oh man. What a mess this month has been!

Reply | Quote

Well, nothing out yet (too early KB revision?)

but it’s interesting to see that KB4035038 article description itself and all sub-articles changed from “August 2017 Preview Rollups” to “Security and Quality Rollups”

this only applies to Windows 8.1 articles, Windows 7 still have the old description
https://support.microsoft.com/en-us/help/4035036

Reply | Quote

This one would be catalog only, at least for now.
It should not be of most readers concern.

Reply | Quote