alert banner

ISSUE 20.14.1 • 2023-04-06
MS-DEFCON 2: Prepare for April showers


By Susan Bradley

The next round of updates is coming soon and may be confusing.

For one thing, it now appears that Windows 10 and Windows 11 updates will diverge. That is reason enough for me to raise the MS-DEFCON level to 2.

Any confusion instantly causes me to recommend deferring updates.

It does not appear that the forthcoming updates for Windows 10 will introduce any changes. They will include only security patches. Microsoft stated:

After March 2023, there are no more optional, non-security preview releases for the supported editions of Windows 10, version 20H2 and Windows 10, version 21H2. Only monthly security update releases will continue for these versions.

This means we’ve reached an important milestone. With all support for Windows 10 ending in October 2025, we’re facing 30 months of security-only patches for Win10.

We’re 18 months downstream from the release of Windows 11, and there is another milestone to report. Microsoft stated:

Starting next month, non-security releases will now target the fourth week of the month to ensure that our monthly patches are more effective than ever.

I’m not quite sure I understand that argument, because the security updates should be effective no matter what. In any case, these are the ones I recommend not installing. It’s confusing.

The optional updates do give us a hint of the changes Microsoft is making to Windows 11 22H2. For example, April’s updates include:

… notifications for Microsoft accounts in the Start menu. This is only available to a small audience right now. It will deploy more broadly in the coming months. Some devices might notice different visual treatments as we gather feedback.

Translation: Work in progress. Still. (Will Windows 11 ever be “done”?)

On March 21, Microsoft posted Windows monthly updates explained in the Windows IT Pro Blog. Well, Microsoft has its update policies and deployment strategies — and I have mine:

  • Don’t install the security updates immediately. Pause or block updates and wait until the testing process is done.
  • Install only the monthly security updates. Keep an eye on the optional updates, but don’t install until I can confirm their safety.
  • Don’t panic if you see patching headlines. There is usually more to the story — you may learn that the issue is not widespread, or it has unrelated root causes.
  • Don’t avoid updates. Just apply them when you’re confident about your readiness.
Consumer and home users

March 31 was World Backup Day. I suppose that’s a nice reminder, but you should probably back up more often than yearly. Yes, that’s a joke — you should back up frequently. Given the milestones I mentioned above and the uncertainty that often accompanies such changes, I urge you to backup before April’s Patch Tuesday.

I always recommend that everyone have a backup protocol. My favorite is several external hard drives (or SSDs) used in rotation. If you have any questions or need help with backup, don’t forget our dedicated forum on the topic.

A headline bug last week involved Windows’ Snipping tool. The bug involves a “leak” of image data. After cropping a snipped image (screen capture) and saving it, the new image retains some parts of the original image. That’s the leak. The concern is that the parts of the image that leaked might contain information that the person editing the image wanted to remove, such as a credit-card number or other personally identifiable information.

The bug has been corrected in versions 10.2008.3001.0 (Win10) and 11.2302.4.0 (Win11). You can check your version of Snipping Tool in Settings | Apps, searching for “snip,” and then clicking Advanced Options.

The quickest way to get the update is to visit the Microsoft Store and search for “snip.” The store will usually detect that your version needs an update, and it will present an Update button, which you can click. If you don’t see the Update button, click the Get button instead.

Here’s the problem. If the Microsoft store is blocked on your PC, you can’t get the update. My policy for the PCs I supervise in my business is not to block the store. You may deem that an unacceptable risk. If that’s your situation, you can temporarily enable the store, get the update, and then disable it again. If you don’t wish to do that, drop a note in the forum and I’ll describe the more complicated steps you must take to get the update.

I think this is a tempest in a teapot. The failure of the Snip and Sketch tool to properly save edits to an image can be avoided by pasting the result of the capture into a different graphics program, then editing and saving with it. Still, it’s alarming that this seemingly innocuous bug results in a security problem.

In our March 28 MS-DEFCON 4 Alert, I discussed a bogus Local Security Authority (LSA) behavior, suggesting that LSA was turned off after rebooting Windows 11. LSA is, in fact, functional. So this is primarily a cosmetic bug that remains unfixed.

Nonetheless, this cosmetic bug is a bigger issue because it represents a false alert. Every time I see it, I must go through the mental process of thinking, “Oh, yeah — that’s a Windows 11 machine with a bogus alert, and I can ignore it.” But that’s a problem, because if the Security Center is not providing accurate information and alerts, I may miss something or, worse, dismiss it as bogus. Security tools must provide precise, accurate information, which simply means Microsoft must get this problem addressed sooner rather than later.

Business users

For business patchers, I’m more concerned about two security headlines that came out in the news this week.

First, Microsoft is planning to throttle email sent from older, out-of-date, unpatched Exchange Servers and not let them send email to online Exchange servers, such as those running in Microsoft 365 plans. Microsoft posted Throttling and Blocking Email from Persistently Vulnerable Exchange Servers to Exchange Online, which included this:

We are enabling a transport-based enforcement system in Exchange Online that has three primary functions: reporting, throttling, and blocking. The system is designed to alert an admin about unsupported or unpatched Exchange servers in their on-premises environment that need remediation (upgrading or patching). The system also has throttling and blocking capabilities, so if a server is not remediated, mail flow from that server will be throttled (delayed) and eventually blocked.

We don’t want to delay or block legitimate email, but we do want to reduce the risk of malicious email entering Exchange Online by putting in place safeguards and standards for email entering our cloud service. We also want to get the attention of customers who have unsupported or unpatched Exchange servers and encourage them to secure their on-premises environments.

Considering the many, obvious phishing emails that got past my Microsoft 365 defenses in just the past week, I think this is merely an effort on Microsoft’s part to make it easier for them to detect malicious traffic by blocking known sources. Of course, that could block legitimate email, but perhaps that’s Microsoft’s not-so-subtle way of “persuading” the owners of those blocked mail servers to update Exchange.

But why stop with unpatched and out-of-date Microsoft servers? There are many more out-of-date and unpatched third-party email servers that could be blocked for the same reason. That may be a step too far, though. Microsoft would undoubtedly be roundly criticized for such a move.

The truth is that the receiving mail server is the endpoint. I think Microsoft needs to up its game with respect to detecting malicious material and not foist the responsibility off onto other servers, whether its own Exchange software or or those from third parties. I speak with authority here — I’m a customer, in multiple ways, of Microsoft’s mail services, and I think the company’s filtering is, to say the least, lacking.

If your company uses the 3Cx software-based PBX system, there’s a bigger headline. The company posted Security Incident Update Saturday 1 April 2023 on its blog, describing how its software was a victim of an attack. The post has full details, but the gist of the company’s recommendations is to uninstall the desktop version of the Electron app (from both Windows and Mac computers) and instead use the Web-based app, which was not affected. The company has already produced an updated version of the desktop app that is not affected, which should be available to customers very soon.

In the meantime, 3Cx recommends conducting antivirus and malware scans on any PCs running the desktop app.

I’m a broken record on this — anything can be affected, at any time. Stay on your toes.



Talk Bubbles Join the conversation! Your questions, comments, and feedback
about this topic are always welcome in our forums!

Susan Bradley is the publisher of the AskWoody newsletters.

The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.

Your subscription:

Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody,, Windows Secrets Newsletter,, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright ©2023 AskWoody Tech LLC. All rights reserved.