Replies

Susan – Is the deferral period counted from the initial release day (April 30) or from the day they convert it from Targeted to Semi-Annual (June 14)?

Also, here’s another bug I haven’t seen mentioned here: 1803 breaks AppData folder redirection (could be a deal-breaker in some domain environments):

https://support.microsoft.com/en-us/help/4294935/folder-redirection-not-available-for-appdata-roaming-folder-win-10

Ooh I like that reverse.it service! I assume you didn’t _open_ the PDF (as that could itself activate malware if there is an unknown/unpatched Adobe vulnerabity), you just uploaded the attachment to reverse.it and let them open it in their sandbox? That’s so much easier than having to maintain an in-house VM for testing this kind of stuff…

4 users thanked author for this post.

SueW, Microfix, Elly, columbia2011

I didn’t lose any NICs but sometimes they seemed to appear as new NICs, where Windows is asking you to choose Public or Private. I think the default is Public, so if you’re trying to connect through RDP and that’s only allowed on a Private/Domain firewall profile, it could appear that the card is offline. So: work at the physical console or have a secondary access method available (TeamViewer etc.).

Or you can change your firewall rules to all RDP on Public.

Or you can hunt down the group policy setting that changes the default for new NICs to Private, but I actually prefer a (potentially rogue) new NIC to _not_ be Private.

At the end of the day, I always like to have a secondary access method for key systems anyway.

I wrote a PowerShell script awhile back to report some detailed info about an update. The script connects directly to Windows Update servers so it must be run on a machine where the patch is applicable, in this case a Windows 7 machine. At the moment, it is telling me that LastDeploymentChangeTime for 4103718 is still 5/8/2018.

The script is available here:

https://www.mcbsys.com/blog/2015/11/print-detailed-windows-update-info/

7 users thanked author for this post.

abbodi86, Nibbled To Death By Ducks, jelson, Microfix, HiFlyer, columbia2011, Cybertooth

Add me to the list. I had Win10 Pro 32-bit on 1709 with deferral set in group policy, but still got updated. Deferrals are working on other, 64-bit machines in the same domain. Pretty sure I left telemetry at default for all.

I wondered if I could go back in some logs to figure out why it decided an upgrade was okay. MS partner support send me a list from MS China of about 20 log files to check:

https://support.microsoft.com/zh-cn/help/928901/log-files-that-are-created-when-you-upgrade-to-a-new-version-of-window

I’d like to understand patching better but I’m not sure I can spend the time to dig through all that, especially since I have doubts about actually finding the root cause.

BTW after installing KB4103723 on one Server 2016 virtual machine that runs SQL server, after the reboot, the server was basically unusable for about half an hour as the Windows Modules Installer Worker process consumed nearly all CPU. Also saw a .NET process then Antimalware with high CPU. Not sure if this was a recompilation of .NET or what.

It seems this has not been included in the Ask Woody master patch list yet.

I started seeing this on some 2016 servers starting 5/21. Up to a 1.2GB download, although the KB promises, “If you installed earlier updates, only the new fixes contained in this package will be downloaded and installed on your device.”

Thanks for pointing out the supersedence. How does one figure out what has changed since the May 8 update so as to make a judgment about whether to install it?

Would really like to come up with a strategy that only requires applying cumulative updates once per month. If the first release is frequently superseded, is this a good example of how long it takes to fix the patch? I.e. wait 11 days for the new version, then another 4-7 days to find out if it is also broken? So basically, apply updates about three weeks after release? Not trying to be cynical, but I need a sensible patching strategy.

“Why would I?”

Maybe you would like to know that your RDP communications are secure.

Maybe you would like to report the problem to the vendor who can fix it, not just in a user-to-user community.

Maybe they could either confirm that it’s a bug or perhaps identify what is different in your environment that is causing the issue. Seems like if this were a common issue even on non-English versions, we would be hearing more about it. Have you found others who are reporting this?

Wish I had suggestions other than opening a support case.

Allowing May-patched clients to connect to April-patched servers should have addressed the patching scenario you described, but if that doesn’t work as documented, yeah that’s a problem.

Thanks for creating an account.

AFAIK, the registry entry will never be created by applying a patch. It’s only created manually or by group policy for overriding default behavior.

Since you were reporting that RDP does not work between patched machines, i.e. the default behavior is not working properly, I was just checking whether somehow the registry entries had been created and were interfering. Apparently not.

What message do you get when you try an RDP connection? Does it specifically refer to CredSSP? In my domain, for example, RDP fails when Network Level Authentication (NLA)  is enabled but the server does not properly detect that it is on a domain (instead the network shows as Public or Private). This is a  network location awareness issue not directly related to CredSSP.

I tried (from the only machine I have with a Microsoft account, running Win10 Home):

That’s a pretty hot fiddle!

Remember, Microsoft recommends deferring broad deployment of Windows 10 feature updates for 120 days, or 180 days for critical systems:

https://docs.microsoft.com/en-us/windows/deployment/update/waas-deployment-rings-windows-10-updates

Still 114 days to go until 1803 should be broadly deployed (September 5, 2018).

anonymous, I’d be curious whether the registry entry described in the KB article exists on servers and/or clients and if so, what is its value? But really I’m out of ideas. Please post back on your progress and solution to benefit the community.

Are the clients also patched? Does the Interoperability Matrix in KB4093942 shed any light on which combination of servers, clients, and settings are giving you the Blocked behavior?