alert banner

ISSUE 20.27.1 • 2023-07-06

MS-DEFCON 2: Last call for 22H2


By Susan Bradley

Starting next week, you will not receive security updates for any version of Windows 10 except 22H2.

If your PC has not received 22H2 via Windows Update, chances are that your PC has a setting keeping Windows on the version you have installed — or corruption in the operating system is preventing the update from being accepted. But Patch Tuesday is just around the corner, so it’s time to become cautious again by raising the MS-DEFCON level to 2.

How can you fix operating-system corruption? One of the best ways is to do an in-place upgrade, what we refer to as “reinstalling over the top.” This fixes most — if not all — Windows patching issues.

I’ve seen some posts in the forum from folks who have tried various upgrading techniques, only to discover that the problem points to a driver not behaving. For these machines you have two choices, neither of which is ideal:

  • Leave the machine as is, and know that you are unpatched. I recommend this only if you are planning to replace that computer soon.
  • Do a clean install, which will bypass the driver causing the block.

The second option can be tricky, especially if you’re installing from a USB stick or other external media. You must change the boot order so that the PC boots from the external medium; if you’ve never done that before, it can take some searching to learn how to make that change on a specific PC. It seems as if every vendor has a different way of handling boot order. As with the first option, you may want to consider retiring the recalcitrant PC.

If you do choose a clean install, consider upgrading the PC with a new and larger boot drive, especially an SSD. That allows you to hold on to the old drive so you can access its data. But make a full backup anyway.


  • You are now out of support if you are still running Windows 10 21H2 for Home and Professional versions.
  • Ensure that you have deferred updates, using your preferred method.
  • For business patchers, I still do not recommend that you set any special registry keys to deal with CVE-2023-32019 (more on this below).
Consumer and home users

I hope Plus members enjoyed our summer bonus issue this past Monday, in which a group of our esteemed contributors offered its varied opinions on Windows 11. One reader wrote to tell us:

The latest issue of AskWoody Plus has been very useful to help me decide to keep Windows 10 22H2 for the next 20 months. I do not need new features. What I need is to avoid all the computer problems that I can not solve just by myself.

His remark points out that, with a little more than two years to go in Windows 10’s lifecycle, the biggest reason to upgrade to Windows 11 is Windows 10 falling out of support.

For those of you with Windows 11 machines, I am now recommending 22H2 for Home and Consumer machines. Note that if you are a gamer, you might still see issues — because Windows 11’s security settings will often interact with games, overclocking, and other software used in the gaming industry. As long as you are a nice, normal, ordinary Windows user, you should be fine with upgrading to Windows 11 22H2. Remember: If you’ve used InControl to keep your machine on Windows 11 21H2, you can merely change the setting to 22H2 and Windows update should promptly offer 22H2.

But act now, because I want you to update to 22H2 between now and next Monday. We want to ensure you have updates set to defer before the upcoming Patch Tuesday. Thus the updating window is closing soon. (Don’t worry though; Windows 11 21H2 is supported through October 10, 2023, so there is time to get you on 22H2).

Business users

For the past two weeks, I’ve been testing the registry entries that will enable the additional protection needed for CVE-2023-32019. If you recall, this is the update that mandates the manual addition of registry keys, including the hives. Several days after Microsoft released the security bulletin, it has now issued the following statement:

The resolution described in this article introduces a potential breaking change. Therefore, we are releasing the change disabled by default with the option to enable it. In a future release, this resolution will be enabled by default. We recommend that you validate this resolution in your environment. Then, as soon as it is validated, enable the resolution as soon as possible.

I have been testing both a Windows 10 and 11 PC with these registry keys in place and have not seen a single “breaking change.” I’m hoping Microsoft will be much clearer when it finally enables this by default. Until then, skip it.

For those of you who use Windows Hello and have recently upgraded to Windows 10 22H2, your users might hit a prompt to reapprove the permissions. As noted in KB5028763, the user is asked to “Choose if you want to keep signing in with your face or fingerprint.” The KB indicates that the acceptance screen will pop up if you have recently updated or upgraded your device to a later version of Windows 10 or Windows 11; or if you have not signed in to your Windows device in over one year (365 days) with Windows Hello face or fingerprint recognition and have installed updates released June 13, 2023 or later.



Talk Bubbles Join the conversation! Your questions, comments, and feedback
about this topic are always welcome in our forums!

Susan Bradley is the publisher of the AskWoody newsletters.

The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.

Your subscription:

Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody,, Windows Secrets Newsletter,, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright ©2023 AskWoody Tech LLC. All rights reserved.