• dportenlanger

    Viewing 15 replies - 1 through 15 (of 21 total)
    • Final notes:  Updating through Windows Update works better than downloading the patch manually.  If you have WSUS, just approve the patch and apply it.  It can be installed while the server is running.  Then, pick a reboot time and you will be golden.

      If you do decide to use the manual patch, follow the directions explicitly.

    • To answer my own question …… I guess I thought I was admin……I had better double check on the next attempt.  According to the article:
      When you try to manually install this security update by double-clicking the update file (.msp) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated.
      When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working.

      This issue occurs on servers that are using user account control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services.

    • ****Caution Exchange 2016 Installs *****

      Exchange 2016 CU15 applied fine.  The patch KB4536987 broke OWA and killed search across the board in the web client and desktop client.  Uninstalling the KB brought OWA back.  Stopping the search services and deleting the indexes brought the search back.

      Exchange 2016 users should test before installing on production servers.

      Please let me know how your update went.

    • in reply to: November 2019 Patch Tuesday arrives #2004957

      I am confused.  I added a couple of 1903 machines to my domain last month for testing.  In WSUS, I only have Windows 10 checked in Products and Classifications, not every specific version.  When the sync would run, it would get the updates required for every version of Windows through 1809.

      Last month, none of the 1903 updates were listed.  I thought that was odd, so I checked Windows 1903 in WSUS and Windows 10 in Products and Classifications.  No other versions were checked.  WSUS listed all the updates for every version including 1903.  Then I went and unchecked the specific 1903 option.

      This morning I checked what updates were synchronized.  Again, every version of Windows except 1903 is listed in updates.

      Do we now have to explicitly check 1903 in Products and Classifications to get the 1903 updates?  Is this a requirement I missed?

      Thank you in advance.

    • in reply to: Patch Lady – we have an “out of band” release #1963331

      Regardless of in or out of band, maybe it is just me, but I am failing to understand the Windows 10 1903 update settings.  I have one Pause Update setting that I enabled after updating a test machine.  Then I disabled the Pause and it is installing the same updates it already installed.  Does it not know what it already installed?

       

    • I have three freshly installed Windows 7 machines.  I cannot get any of the monthly rollups on any of the three systems to install.  They get to 15% and then roll back.

      They have KB3177467 v2 installed.  If I try to get it from the Microsoft Update catalog and install it, it says it already exists.

      Existing machines have the rollups applied with no issues.

      What am I doing wrong on the three fresh machines?  I appreciate any help.

    • in reply to: Patch Lady – best security features of 1809 #226287

      Susan,

      Now list for me all the security exceptions, disabled security features etc. required to make customer’s applications run.

       

      1 user thanked author for this post.
    • in reply to: Massive (and frustrating!) sync failures with WSUS #217067

      Our corporate WSUS servers were exhibiting the same behavior.  I tried the Office check/uncheck manual sync process and it didn’t solve the problem, so I turned Office back on and left it alone.

      Waiting a couple of days fixed the issue.  Literally, I did nothing but watch it for a couple of days and it started working.

      Go figure!

    • in reply to: Details on the Task Scheduler ALPC zero-day #213633

      I don’t know that we should panic about the exploit, but the poster to GitHub appears to be unstable.

    • in reply to: If you want a Pixelbook, now’s the time #204121

      I recommend trying Linux and keeping your money in your pocket.  You can install Chrome on Linux.  You can install Chrome’s apps, basically making a Chromebook.

      Give it a try.

    • Stardock’s Groupy as discussed is the Sets equivalent, or vice versa.  I purchased Groupy and I have to admit, using it is addicting and makes many tasks more efficient.  Stardock’s applications are especially great for Win 8.1 users.  There are merits to running Windows 8.1 and Stardock.  As mentioned on this site, Win 8.1 is a way to skip the Windows 10 Feature Update plan (or should I say pain) until 2023.

      Highly recommended.

      2 users thanked author for this post.
    • in reply to: WSUS Bypass? #199083

      So, to clarify, if there is a deferral policy, Windows bypasses the WSUS policy in favor of WU.  I did find a deferral policy for CBB and 365 and disabled it.  Now behavior appears to be normal again.  I will discuss the policy with the customer.  Thank you for the information.

       

    • Woody had commented on the topic of a virtual patch in a previous post.  I am a contractor and have many customers with different security suites.  One customer had a license for Vulnerability Protection that was included with their Enterprise Security Suite.  I used the experience to write a simple document for our peers to understand the technology.

      The document uses the Flash Player exploit as an example.  If you recall, there was a Flash Player update that broke VMware.  There was also a Windows patch that broke virtual network cards.  It is my opinion that those patch issues caused business critical failures.

      1 user thanked author for this post.
    • With upgrades we didn’t ask for, apps we didn’t want, administrative capability that was removed and telemetry we can’t see, here is an extreme example.

      https://techcrunch.com/2018/04/25/how-microsoft-helped-imprison-a-man-for-counterfeiting-software-it-gives-away-for-free/

      Feel free to comment.

      3 users thanked author for this post.
    • All of you are correct.  Intel will not be patching older CPUs per the list linked by BillC.  I expected CVE-2017-5715 to always be vulnerable as it is on the many Windows machines my team is flashing.  If I run Inspectre from Gibson Research on Windows, it always shows CVE-2017-5715 is vulnerable.  Then, I flash the BIOS and rerun Inspectre again and it says the PC is mitigated.

      Because I was able to run the Linux checker linked in various portions of this thread on machines that will not be patched, imagine my dismay when it flagged a machine that is surely vulnerable to CVE-2017-5715 as Not Vulnerable.  How is this possible?  I started looking for potential reasons.

      Further research on Intel’s documents indicated that legacy processors (that BillC listed) were included as part of the Linux microcode fixes when, in fact, they are not at all.

      It appears CVE-2017-5715 is vulnerable to elderly computers or computers that manufacturers won’t patch.

      However, it appears on the surface that Linux developers are doing all they can to protect users of legacy machines or machines manufacturers have decided not to patch.  I can find no evidence that Microsoft is employing similar techniques, though maybe another expert here has more information.

      The man hours lost updating firmware can never be recovered.  Despite the lack of malware so far, I would be negligent if I didn’t flash every computer I am responsible for.  I also feel Intel and Microsoft are being negligent by refusing to mitigate every vulnerable computer.

      Therefore, I am inclined to advise users to run Linux if your PC cannot be mitigated or replaced.

      Microsoft/Intel:  Please feel free to chime in with facts as everything that started this thread was speculative, but for good reason.

       

      1 user thanked author for this post.