• mcbsys

    Viewing 15 replies - 121 through 135 (of 201 total)
    • in reply to: Patch Lady – Use the domain of remotewebaccess.com? #2282964

      Okay Google DNS 8.8.8.8 is now resolving the three subdomains.

      OpenDNS 208.67.222.222 hasn’t caught up yet.

    • in reply to: Patch Lady – Use the domain of remotewebaccess.com? #2282952

      Tested three subdomains of remotewebaccess.com. None are resolving DNS as of 1:35pm PST.

    • in reply to: How do you manage .NET updates without WSUS? #1999668

      Thanks Susan. Does that mean that actual security updates to .NET would be flagged as “important” and installed automatically (after any scheduled deferral period)?

    • in reply to: Take charge of Windows 10 and Office 365 updating #1999127

      If you’re managing Office 365 in a domain, you can use Group Policy to switch to Semi-Annual:  Computer Configuration > Policies > Administrative Templates > Microsoft Office 2016 (Machine) > Updates > Update Channel. You’ll need the Office .admx templates.

      I also recently discovered on a new install that if you use the offline installer, you can start with semi-annual, which avoids each machine having to “downgrade” to semi-annual. (Another helpful option with the Offline Installer is the ability to exclude Teams, which may not be useful in some environments.)

      Details on both of these options in this post.

    • “Microsoft officially started pushing Win10 1803 machines onto version 1903 two days ago. Apparently the push doesn’t respect your Pro settings to “defer feature updates.” At least, that’s what’s been promised.”

      I found the announcement of pushing the update here. Where is the “promise” that it will ignore deferrals?

      “– with 58 days or less deferral, 1903 is offered
      – with 59 days or more deferral, 1809 is offered”

      According to the official release doc, 1903 went semi-annual on May 21, 2019, 58 days ago. So deferrals are working exactly as expected.

      Seems like the news is that Microsoft has lifted a forced deferral of 1903? Sort of like it used to do when it declared a release “ready for business”?

      3 users thanked author for this post.
    • in reply to: We were down – but we’re now back up and limping #1736443

      FWIW, when I tried to connect yesterday, I got an nginx Bad Gateway error (I think with a 503 code). Load balancer wonky?

      Today, it looks like I can change the resolution status on threads linked to blog articles. Is that normal?

      Woody

      2 users thanked author for this post.
    • Two notes on KB4023057:

      – It seems on Win10 Pro machines with Defer Quality Updates set, this update ignores the deferral. (It was released on the 15th, deferral is set to 4 days but it’s already trying to install on the 17th).

      – Besides the 0x80070643 error mentioned on the Born City post, in the Application event log, we have MsInstaller Event ID 1005, “Product: Update for Windows 10 for x64-based Systems (KB4023057) — A later version of Update for Windows 10 for x64-based Systems (KB4023057) is already installed. Setup will now exit.”

      So maybe uninstalling the version that is already installed is not the right approach, since it is newer than the one that is now being installed? I am inclined to just wait, let it keep failing, until Microsoft fixes the new update.

       

    • in reply to: Do you run a DNS server? #240132

      @jabeattyauditor, point taken. Definitely want to patch eventually even if you only run DNS locally. It’s more urgent if your DNS is public.

      Interesting that the CVE refers to KB4471321 for Server 2016, but the KB doesn’t mention this vulnerability.

    • in reply to: Do you run a DNS server? #240127

      Most people using a router run a DNS server in the router. Anyone running a Windows domain controller (including via the Essentials role) is running a Windows DNS server. But if the question could be narrowed to, “Are you running a Windows DNS server that is open to the Internet?”–THAT is truly a tiny minority.

      2 users thanked author for this post.
    • Keep in mind that if the update you hide is re-released, it will have a new update ID (though likely the same KB number) and will be re-queued unless you hide it again. I have in the past used a script to uninstall and hide certain updates every day. This dates back to when I was blocking the updates that nagged users to upgrade Windows 7 to 10:

      https://www.mcbsys.com/blog/2015/11/uninstall-and-hide-windows-updates/

    • in reply to: Patch Lady – 1809 and mapped drives #233417

      Trying to understand the original problem here. Reading KB4471218, it looks like mapped drives work, they are just “unavailable” after logoff and logon? The PowerShell script re-connects unavailable mapped drives:
      Get-SmbMapping |where -property Status -Value Unavailable

      That does sound like a fixable bug as opposed to an intentional “feature.” It’s just disturbing that persistence of mapped drives after logging off and on is not part of their testing.

      Edit to remove HTML

    • in reply to: Patch Lady – 31 days of Paranoia – Day 23 #226750

      But don’t be surprised if you don’t find a program listed. Some ad-hoc remote control programs run without being installed. That’s actually a good thing–it means it doesn’t install and stay permanently active and listening. If they asked you to download and run an exe file (e.g. for LogMeIn Rescue, Splashtop, etc.), you can delete that downloaded file when your session is over.

      1 user thanked author for this post.
    • in reply to: Win10 updates stuck "Pending download" in WSUS environment #225796

      This seems to be behaving better now, not getting stuck. I wonder if the recent servicing stack update for Win10 1803 (KB4456655) helped. Although that was installed Sept. 20 and I wrote the above on Oct. 1…

    • in reply to: Patch Lady – 31 days of paranoia – day 12 #225428

      I agree that having a separate guest network is a good thing. Not only to keep your buddies out of your LAN but also for less-secure devices (Alexa, TV, etc.). Further discussion:

      https://www.askwoody.com/forums/topic/patch-lady-31-days-of-paranoia-day-16/#post-225327

    • in reply to: Patch Lady – 31 days of Paranoia – Day 16 #225424

      Good advice. One simple way to isolate wireless IoT devices would be to only connect them to your guest Wi-Fi. That should keep them off your main LAN and (depending on how guest Wi-Fi is implemented on your router) probably even keep them from talking directly to each other. I’m assuming that, for example, Alexa can still talk to the Samsung hub in the cloud. Need to do some testing here…

      Oh and remember to treat your TV, Roku, etc. and any Wi-Fi connected appliances as part of your separate Internet of Things.
