-
With all due respect, Gunter’s article is inaccurate: the Catalog “Last Updated” date disparity (12 Nov for Win8.1/10 and 13 Nov for Win7/Server 2008/R2) has nothing to do with the issue and it certainly does NOT mean that (quoting) “Microsoft has updated the package for Windows 7 and Server 2008/r2 and replaced the faulty certificate.“: the binaries are exactly the same (digitally signed November 7, 2019).
There was no “faulty certificate”, nor was it replaced: the root cause of the issues IS the [lack of] SHA-2 support (and probably some metadata glitches on WU) – as I explained here. -
@Anonymous: The 2 machines with errors had the September KB4474419 update (SHA-2 support) installed?
Last month’s MSRT (v5.76, Oct, 2019) was still SHA-256 and SHA-1 signed, but this month’s MSRT (v5.77, Nov, 2019) is NOT SHA-1 signed (only SHA-256 signed) – and that seems to be the core reason for the reported errors…
As stated in KB4472027, Windows 7/Server 2008 updates are NOT being SHA-1 signed anymore and, therefore, a couple of mandatory updates (better take the September [2019-09] ones as the baseline, to be safe) became minimum pre-requisites:
- For Windows 7 SP1: KB4474419 and KB4516655 (or KB4523206, the latest SSU [2019-11], if you’re beta testing)
- For Windows Server 2008 R2 SP1: KB4474419 and KB4516655 (or KB4523206, the latest SSU [2019-11], if you’re beta testing)
- For Windows Server 2008 SP2: KB4474419 and KB4517134 (or KB4525478, the latest SSU [2019-11], if you’re beta testing)
Meanwhile, WU might have (had?) a conflict issue (metadata?) with that, since it was offering MSRT on Tuesday but not yesterday (Nov 13, 2019)… don’t know if Microsoft fixed it already but, whatever the reason is, MSRT may be manually downloaded from the Catalog (here) and, for sure, it will execute properly if BOTH the SHA-2 support and SSU updates have been installed.
-
-
Current Status…
…We’re analyzing authentication logs to isolate the cause of the issue.
…We’ve confirmed via telemetry and reports from some of the affected customers that service has recovered for a majority of impacted users. We’re continuing to investigate log data to better understand what caused this issue and to validate which recovery measures we took restored service functionality. Additionally, our telemetry indicates that this issue was specific to users located in the North America region.
…We performed a manual restart of a backend service and performed a configuration change to mitigate the issue. We’re continuing to monitor the environment to validate that service has fully recovered.
…Our telemetry indicates that service has largely recovered. We’re monitoring the environment to ensure it remains stable while we continue our investigation into the root cause of the problem.
…Our services remain healthy, and we’ve confirmed via continuous service monitoring that all of the previously affected scenarios are working as expected. Additionally, we’re progressing through our investigation to isolate the underlying problem.
-
Woddy, I’ve updated my ancient post regarding KB4493132 metadata changes (basically, how the nagging screen look has been slightly changing), with additional information posted by abbodi86 and wsntls. Nothing new, really – just for the sake of consistency. 😉
1 user thanked author for this post.
-
Lars220,
Please check the STABLE BETA TEST (Win7) section at my previous post: I’ve corrected it to clarify that KB4515854 (4.6.2) is actually installed by the KB4524102 update package… Sorry, my bad.
Thank you! 🙂 -
Reporting from a managed set of Virtual Machines (VMs) and physical systems (including a couple of Win7 legacy dual core workhorses) backed up and updated as described below.
Previous notes:
1. I skipped August updates (moved from July to September).
2. For those systems where .NET Framework is required (not all do) I stick with v4.6.2 on Win7 (had issues in the past with v4.7.x) and I’m currently using (when needed) v4.7.1 on Win8.1 (v4.7.2 might be OK but I haven’t had time and opportunity yet to assess that properly) as I find these versions to be the most stable ones for my particular needs (third-party software being used and how/what these systems are used for). Other users might have different needs (or no need for .NET Framework at all): Microsoft has helpful information here and here.
3. All systems appear to be “stable” (as in “no noticeable/obvious bugs or negative impacts so far”) – meaning that, overall, everything seems to be working just fine and normally, as expected. That assumption is further confirmed by executing the SFC /VERIFYONLY and DISM /Online /Cleanup-Image /CheckHealth commands (both successful, no errors returned).
4. The three sum-ups below refer to
4.1) my previous stable “BASELINE” (Jul 13);
4.2) a “baseline candidate” (stable update) I was preparing a few days back (Oct 3) while we got caught up between the MS-DEFCON 1 and MS-DEFCON 3 change (this might be yet another helpful feedback report for worried, confused users out there) and
4.3) a currently, apparently “stable” BETA TESTING (Oct 10) – which, incidentally, is NOT yet endorsed by Woody or by any of the other MVPs here: it’s just *my* particular feedback (one, adding to many others). Things worked well for me, but be warned: proceed at your own risk (we’re at MS-DEFCON 1, which means: ***WAIT!***).Windows 7 x64 SP1 (Group A)
DATE INSTALLED UPDATES DESCRIPTION/NOTES -------- ----------------------------------------- ----------------- 20190713 KB4490628 (2019-03 SSU) Stable BASELINE KB4474419 (2019-03 SHA-2) (Jul 13, 2019) KB4507449 (2019-07 Monthly Rollup) ->Includes KB4507434 (IE11 Rollup) KB4507420 (2019-07 .NET Framework Rollup) ->KB4507004 (3.5.1) + KB4506997 (4.6.2) -------- ----------------------------------------- ----------------- 20191003 KB4516655 (2019-09 SSU) Stable UPDATE KB4474419 (2019-09 SHA-2 v3) (Oct 3, 2019) KB4516065 (2019-09 Monthly Rollup) ->Includes KB4516046 (IE11 Rollup) KB4514602 (2019-09 .NET Framework Rollup) ->KB4507004 (3.5.1) + KB4511516 (4.6.2) -------- ----------------------------------------- ----------------- 20191010 KB4524102 (2019-10 .NET Framework Rollup) Stable BETA TEST* ->KB4507004 (3.5.1) + KB4515854 (4.6.2) (Oct 10, 2019) KB4519976 (2019-10 Monthly Rollup) ->Includes KB4519974 (IE11 Rollup) -------- ----------------------------------------- -----------------
*No observable bugs so far.
Windows 8.1 x64 (Group A)
DATE INSTALLED UPDATES DESCRIPTION/NOTES -------- ----------------------------------------- ----------------- 20190713 KB4504418 (2019-07 SSU) Stable BASELINE KB4507448 (2019-07 Monthly Rollup) (Jul 13, 2019) ->Includes KB4507434 (IE11 Rollup) KB4507422 (2019-07 .NET Framework Rollup) -------- ----------------------------------------- ----------------- 20191003 KB4512938 (2019-09 SSU) Stable UPDATE KB4516067 (2019-09 Monthly Rollup) (Oct 3, 2019) ->Includes KB4516046 (IE11 Rollup) KB4514604 (2019-09 .NET Framework Rollup) -------- ----------------------------------------- ----------------- 20191010 KB4521864 (2019-10 SSU) Stable BETA TEST* KB4524104 (2019-10 .NET Framework Rollup) (Oct 10, 2019) KB4520005 (2019-10 Monthly Rollup) ->Includes KB4519974 (IE11 Rollup) -------- ----------------------------------------- -----------------
*After reboot, KB4521864 (2019-10 SSU) came up again (a second time) on WU as an Important update: just clicked ‘Check for Updates’ to make it go away (no need to re-install it).
Windows 10 x64 (Version 1803)
DATE INSTALLED UPDATES DESCRIPTION/NOTES -------- ----------------------------------------- ----------------- 20190713 KB4509094 (2019-07 SSU) Stable BASELINE KB4507435 (2019-07 Monthly Rollup) b885 (Jul 13, 2019) -------- ----------------------------------------- ----------------- 20191003 KB4512576 (2019-09 SSU) Stable UPDATE KB4516058 (2019-09 Monthly Rollup) b1006 (Oct 3, 2019) -------- ----------------------------------------- ----------------- 20191010 KB4521861 (2019-10 SSU) Stable BETA TEST* KB4520008 (2019-10 Monthly Rollup) b1069 (Oct 10, 2019) -------- ----------------------------------------- -----------------
*No observable bugs so far.
-
This reply was modified 3 years, 8 months ago by
.
-
This reply was modified 3 years, 8 months ago by
4 users thanked author for this post.
-
This reply was modified 3 years, 8 months ago by
-
Karen,
Keep calm. You’ve been there already, remember? 🙂
If you’re still stuck with the same message after a couple of hours or so, re-read and follow GTP’s advice on that thread to get you back in control. 😉Now, if you’re still having issues afterwards, a list of the latest (2019) Windows / .NET Framework updates that have been installed on your system could help us here to figure out if you need to (un)install anything: open Control Panel > Programs and Features, follow the ‘View Installed Updates‘ link, click on the ‘Installed On‘ column to sort down the items (most recent ones at the top) and take a screenshot -or-, alternatively, open a command line window (Windows key+R, type ‘cmd’ and press Enter) and type
wmic qfe list brief|findstr 2019>%USERPROFILE%\Desktop\wu.txt
Press Enter and wait a few seconds while a ‘wu.txt‘ text file is being created on your desktop. Once you see the blinking cursor again, type
reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Updates /s /f InstalledDate|findstr /c:KB /c:2019>>%USERPROFILE%\Desktop\wu.txt
and press Enter again. Once the blinking cursor is back, type
exit
and press Enter one last time to close the command line window. Reply back with the attached ‘wu.txt‘ file or copy&paste its contents back here.
-
My 2 cents: if you were caught between DEFCON 3 and DEFCON 1 while updating and everything looks good, keep calm. Don’t blame yourself. Have a nice cup of tea, don’t touch anything and keep fingers crossed: you might be just fine (reporting: I’ve been beta testing some of these latest “out-of-band” updates on a few VM/live Win7/8.1/10(1803) systems and they don’t look terrible… hope is not lost… had no observable, relevant issues so far. However, I noticed that the Windows 10 (1803) out-of-band KB4524149 rollup hanged on the first installation attempt: had to cancel the installation, reboot the machine and then at the second attempt it installed fine, flawlessly. Printing is okay).
But if you haven’t installed any of these recent IE/Windows “out-of-date” cumulative/rollup updates yet: we’re at DEFCON 1, best advice right now is to <u>wait</u>.
It might be worth pointing out that both these “out-of-band” updates include updated libraries (jscript.dll, ieframe.dll…) that have been historically related with frequent issues (often arising from unexpected conflicts with third-party applications that, essentially, rely on the IE engine for rendering web content).
Woody and the pros are overwhelmed with people posting and reporting bugs and issues, gathering information from multiple sources and trying to figure all this out and sort things up. Patch Tuesday is just around the corner and… the “awkward” CVE-2019-1367 security hole seems to be just the latest entry of a lengthy list of scripting-related vulnerabilities in the IE libraries that have been repeatedly updated, patched and fixed (and causing problems):
CVE-2019-1221, CVE-2019-1194, CVE-2019-1133, CVE-2019-1059, CVE-2019-1056, CVE-2019-1004, CVE-2019-1001, CVE-2019-1080, CVE-2019-1055, CVE-2019-1005, CVE-2019-0988, CVE-2019-0920, CVE-2019-0918, CVE-2019-0911, CVE-2019-0884, CVE-2019-0862, CVE-2019-0835, CVE-2019-0753, CVE-2019-0752, CVE-2019-0783, CVE-2019-0746, CVE-2019-0680, CVE-2019-0609, CVE-2018-8653, CVE-2018-8643 (…)
and also on VBScript (worth reading):
CVE-2019-1208, CVE-2019-0768, CVE-2019-0667, CVE-2019-0666, CVE-2019-0665 (…)
Thus: we’re at DEFCON 1, wait.
-
-
-
-
Woody, you probably need to truncate your posted a reprieve link. 😉
1 user thanked author for this post.
-
Downloaded it and did a binary file compare with the one released earlier this month (Sep 10 or so):
fc /b windows6.1-kb4516655-x64_[20190910].msu windows6.1-kb4516655-x64_[20190930].msu Comparing files windows6.1-kb4516655-x64_[20190910].msu and windows6.1-kb4516655-x64_[20190930].msu FC: no differences encountered
It’s the same file (digitally signed August 19, 2019). MS just probably re-released it but (adding to the ongoing mess) also “updated” the date/time stamp in the catalog…
Author
