MS-DEFCON 2: Are you still on Windows 10 21H2?
By Susan Bradley

We’re nearly halfway through the 2023 patching year, almost to the end of the road for Windows 10 21H2. But before we delve into that: Patch Tuesday is just around the corner, so it’s time to get conservative and defer patches. Accordingly, I’m raising the MS-DEFCON level to 2.

Microsoft is indicating that it will “force” 21H2 machines to 22H2, but I have news for them — if you don’t have 22H2 and you are not using one of the methods to hold off on feature releases (Group Policy, registry key, etc.), chances are you have some sort of issue that is blocking the install. Some of the blocks may be driver-related, and some may be the result of underlying corruption in the code that handles patching. If you are having issues, the best method to fix any misbehaving Windows 10 system is to do an in-place reinstall over the top. If you still have Windows 10 21H2, ensure that you use one of these methods to upgrade, and let us know in the forums whether you have any issues.

Patching highlights:
We are still working through bugs, as noted in Microsoft’s May 24 support post about the OS Build 22621.1778 preview (KB5026446). The fixes in this preview update will appear in the June security update and include solutions for installation issues with multifunction label printers and for audio playback failing on systems with certain processors. The update also fixes an issue that affects devices joined to Azure Active Directory (Azure AD), in which the Windows Firewall cannot apply the correct domain and profile.

Consumer and home users
It’s time to ensure that your computers are set to pause or defer updates. I’m often asked which deferral tool I recommend from my blockapatch.com website. I’ve included some of the pros and cons for each tool, but ultimately it comes down to what you feel comfortable with.

Windows 10 and 11 computers use the cumulative update model; that is, all updates come down in one bundle. Typically, there are very few updates you can skip without jeopardizing the installation of those all-important security updates. So if you want the least amount of “touching” of the computer, I’d recommend using the wushowhide.diagcab tool and hiding the Secure Boot updates and the other deferrals listed on the Master Patch List. Be aware that downloading this tool is flagged by several browsers as dangerous. I’d argue that sometimes patches could be just as dangerous. I strongly recommend that you at least go into the Windows Update settings and defer the patches until the end of the month.

Business users/Home networks
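The feature-release hold mentioned earlier (“Group Policy, registry key, etc.”) and the deferral the consumer section recommends can both be set from an elevated PowerShell prompt by writing the Windows Update for Business policy values that the Group Policy editor itself writes. The script below is an added example, not a tool from the newsletter or from blockapatch.com. The function names are this example’s own, and the values it applies (pin to 22H2, defer quality updates 21 days) are assumptions for illustration. Microsoft documents these policies for Pro, Enterprise and Education editions.

```powershell
# Added example (not from the AskWoody newsletter): pin a Windows 10 PC to a
# chosen feature release and defer monthly quality updates, by writing the
# Windows Update for Business policy values under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.
# Run from an elevated PowerShell prompt. Function names and the sample
# values used at the bottom are this example's assumptions.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Set-FeatureUpdateTarget {
    param(
        [Parameter(Mandatory)] [string] $Product,   # 'Windows 10' or 'Windows 11'
        [Parameter(Mandatory)] [string] $Version    # e.g. '22H2'
    )
    if (-not (Test-Path $WuPolicy)) { New-Item -Path $WuPolicy -Force | Out-Null }
    # TargetReleaseVersion=1 tells Windows Update to stay on the named release
    # (until it reaches end of service) instead of taking the next one offered.
    Set-ItemProperty -Path $WuPolicy -Name 'TargetReleaseVersion'     -Value 1        -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name 'ProductVersion'           -Value $Product -Type String
    Set-ItemProperty -Path $WuPolicy -Name 'TargetReleaseVersionInfo' -Value $Version -Type String
}

function Set-QualityUpdateDeferral {
    # Quality (monthly cumulative) updates can be deferred for at most 30 days.
    param([ValidateRange(0, 30)] [int] $Days)
    if (-not (Test-Path $WuPolicy)) { New-Item -Path $WuPolicy -Force | Out-Null }
    Set-ItemProperty -Path $WuPolicy -Name 'DeferQualityUpdates'             -Value 1     -Type DWord
    Set-ItemProperty -Path $WuPolicy -Name 'DeferQualityUpdatesPeriodInDays' -Value $Days -Type DWord
}

function Get-UpdatePolicySummary {
    # Read back what is in force so the change can be verified (and audited
    # on machines that someone else configured).
    if (-not (Test-Path $WuPolicy)) { return 'No Windows Update policy values set; defaults apply.' }
    Get-ItemProperty -Path $WuPolicy |
        Select-Object TargetReleaseVersion, ProductVersion, TargetReleaseVersionInfo,
                      DeferQualityUpdates, DeferQualityUpdatesPeriodInDays,
                      DeferFeatureUpdates, DeferFeatureUpdatesPeriodInDays
}

# Sample run (assumed values): hold a Windows 10 PC on 22H2 and push the
# monthly cumulative update out three weeks, then show the resulting policy.
Set-FeatureUpdateTarget -Product 'Windows 10' -Version '22H2'
Set-QualityUpdateDeferral -Days 21
Get-UpdatePolicySummary | Format-List
```

After the script runs, the Windows Update page in Settings shows that some settings are managed by your organization, which is the expected sign that the policy values are being honored. Pinning to a release that is already out of service does not keep a machine there, so as 21H2 ends, the pin needs to name 22H2 or a later release.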
For business users, investigate the impact of an upcoming change that Microsoft is testing. If you’ve been around Microsoft networks for a while, you may be aware of a setting for SMB signing that I first became aware of over 20 years ago. As Microsoft notes, SMB signing (also known as security signatures) is a security mechanism in the SMB protocol. SMB signing means that every SMB message contains a signature that is generated by using the session key. The client puts a hash of the entire message into the signature field of the SMB header. Because the signature is keyed to the session, the receiver can detect a message that was altered or injected on the wire, which is what shuts down tampering and relay attacks against an unsigned session.

Years ago, you would disable SMB signing on a small network in order to speed up file saving over the network. But as networks got so much faster, the need to disable SMB signing went away. Now, as explained in the Microsoft Tech Community post SMB signing required by default in Windows Insider, it appears we are headed for mandatory SMB signing for Windows 11 editions. This is a reminder that security settings often must be deployed slowly to ensure that there are no side effects.

You may want to deploy an Insider build to test your network and determine whether there are any speed bumps. You’ll want to test copying files from your test workstation to your file server. You may also want to review whether your network already enables SMB signing by default; the Tech Community post Configure SMB Signing with Confidence may help you determine your exact situation.

While we are thinking about SMB, it would be wise to also check whether you are using the newer SMB protocols (SMB v2 and v3) and have disabled, or are not using, SMB v1. In a home setting, older network-attached storage systems often still use SMB v1, but it’s insecure and can be easily attacked. I’m concerned when I see home users re-enabling SMB v1 just so they can continue using older devices. This typically happens when a new Windows 10 or 11 PC, which no longer installs SMB v1 by default, cannot reach the old device. In a business setting, this older technology can also expose your network to easy attacks.
In short, you must know where your PCs or workstations stand with respect to SMB signing, which is easily done with a couple of PowerShell commands. In the Windows Search box, enter PowerShell, right-click the result, and choose Run as administrator. Type in the following commands:
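The following is an added worked example of that check, not the newsletter’s own command listing. It uses only the built-in SmbShare and DISM cmdlets (Get-SmbServerConfiguration, Get-SmbClientConfiguration, Get-SmbConnection, Get-WindowsOptionalFeature) and reports, for both the server side of this machine (shares it offers) and the client side (shares it connects to), whether signing is enabled and required, whether SMB v1 is still present, and which live connections are unsigned or on an old dialect. The function names are this example’s own.

```powershell
# Added example (not the newsletter's own listing): report where this machine
# stands on SMB signing and on SMB v1, covering both the server side (shares
# it offers) and the client side (shares it connects to), then list live
# connections that are unsigned or negotiated an SMB 1.x dialect.
# Run from an elevated PowerShell prompt on Windows 10 or 11.

function Get-SmbSecurityPosture {
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # SMB v1 ships as a separate optional feature; the server flag below shows
    # whether the SMB service itself will still speak it even if installed.
    $smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

    [pscustomobject]@{
        ServerSigningEnabled  = $server.EnableSecuritySignature   # server offers signing
        ServerSigningRequired = $server.RequireSecuritySignature  # server refuses unsigned sessions
        ClientSigningEnabled  = $client.EnableSecuritySignature
        ClientSigningRequired = $client.RequireSecuritySignature  # client refuses unsigned servers
        Smb1ServerEnabled     = $server.EnableSMB1Protocol
        Smb2ServerEnabled     = $server.EnableSMB2Protocol        # SMB2 flag also covers SMB3
        Smb1FeatureState      = $smb1Feature.State                # Disabled on a clean Win10/11 install
    }
}

function Get-UnsignedOrLegacySmbConnections {
    # Live outbound SMB sessions: the dialect each negotiated and whether
    # signing is actually in use. Anything that is unsigned, or below
    # dialect 2.0, is a device to fix before signing becomes mandatory.
    Get-SmbConnection |
        Select-Object ServerName, ShareName, Dialect, Signed, Encrypted |
        Where-Object { (-not $_.Signed) -or ([version]$_.Dialect -lt [version]'2.0') }
}

function Enable-SmbSigningRequirement {
    # Enforcement, once testing shows no side effects: require signing on both
    # sides. -Force suppresses the confirmation prompt. Not run by default.
    Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
    Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
}

Get-SmbSecurityPosture | Format-List
Get-UnsignedOrLegacySmbConnections | Format-Table -AutoSize
# To enforce after testing: Enable-SmbSigningRequirement
```

Map a share from the workstation before running it so Get-SmbConnection has a session to report on. If Smb1FeatureState comes back Enabled, the feature was added after installation, and that is the device dependency to chase down.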
You’ll be able to see what is enabled on the workstation, as shown in Figure 1.
Be proactive and see what your SMB signing settings are. As noted, this is not critically important for home networks, even though I recommend moving away from SMB v1. If you’re still running Windows 10, it’s a good idea to prepare for Windows 11 by moving to newer SMB versions. For business networks, however, you’ll want to have this already enabled or be planning on its enforcement. Lest you think this is only a Windows concern, Apple’s Ventura is also making the same move to mandate SMB v2/v3.

Resources
Susan Bradley is the publisher of the AskWoody newsletters. The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.
Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, AskWoody.com, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners. Copyright ©2023 AskWoody Tech LLC. All rights reserved.