
ISSUE 19.21.1 • 2022-05-24

MS-DEFCON 4: A mixed bag for May


By Susan Bradley

Good news! Most consumer and home users should be just fine after installing this month’s updates.

I’m not seeing any major, trending issues with patches for the bulk of users, so I’m lowering the MS-DEFCON level to 4.

But there’s a “but”: I’m still seeing some corner-case oddities and just can’t quite put my finger on the root cause. For example, reader Ray G reports:

… after the updates are installed, I still have a black screen and have to wait for about 5 minutes for the desktop to appear.

Symptoms such as the one Ray is experiencing showed up after the May updates. Even after video drivers are updated, this lag in refreshing the screen doesn’t go away. So for now, Ray is uninstalling the May update and hoping that Microsoft will get the hint in the telemetry he’s probably sending them — and hoping it will be fixed in June.

And there’s good news for business users, too. For those who use certificates to authenticate workstations to the domain, the authentication issues introduced by the May Active Directory security patches have been repaired with out-of-band updates released on May 19. Those of you in charge of Active Directory domains will need to do more than merely patch this month, however. More details are in the business section below.

Consumer and home users

Anyone using Firefox will want to ensure that version 100.0.2 is installed. Released on May 20, it includes several fixes for bugs discovered during Pwn2Own, the contest run by Trend Micro’s Zero Day Initiative. The multiday event also showcased a bug found by Marcin Wiązowski, who was able to demonstrate an out-of-bounds elevation-of-privilege exploit on Microsoft Windows 11 (among other such exploits demonstrated at the event). These bugs will be reported to Microsoft, and then we will see how long it takes to get the fixes. However, because most of the Windows 11 bugs found involve elevation-of-privilege attacks, they will mostly be used inside domains, not on a workstation.

If you have read about the authentication problems introduced by this month’s security updates, know that these specific bugs apply only to networks and domains using Active Directory. If you are on a peer-to-peer network or are a standalone user, not only are you not impacted by the vulnerability in question, you won’t be impacted by the side effects, either.

Lately, Microsoft has been in “dribble” mode. If you suddenly found images of horses in your search box, you aren’t alone. In fact, even ex-Microsoft employees were wondering what had occurred and why. And if you were left out of the fun, it’s just because you haven’t yet been “dribbled” to. But don’t fear — you can get rid of it either by clicking in the task bar, using Group Policy, or by using a registry key method. These are all explained in our Knowledge Base post. For those of you hanging on to Windows 8.1 or Windows 7, Microsoft doesn’t care about you and thus won’t annoy you like this. If only it would do the same for us on Windows 10 — and annoy only those users on Windows 11.

At this time, I recommend installing the May updates for Windows 7, Windows 8.1, Windows 10, and Windows 11, as listed in the Master Patch List. If you are running Apple devices, ensure that you have installed updates for Safari 15.5 as well as all the other Apple updates.

Business users

If you are patching a network that includes an Active Directory domain, merely installing updates this month isn’t enough. In fact, there are additional recommendations to make you more secure. Be aware that you will want to install the out-of-band updates on your domain controllers released on May 19 rather than the ones released on May 10. This includes the following.

Cumulative updates — These can be installed instead of the May 10 updates:

Standalone updates — These must be installed in addition to the May 10 updates:

If you use public key infrastructure (PKI), you’ll need to watch your timing.

First, update your Certificate Authority servers. The patch adds a new OID to the templates used for authentication. The OID is then populated with the SID of the AD object, which further identifies the specific device in the certificate. Once the Certificate Authorities are updated and the OID is present in the certificates offered to the computers (be sure to test this), you can revoke older certificates without the OID and issue new certificates through auto-enrollment. Then you can patch your domain controllers, and authentication will work, because the domain controllers will now understand the new identifier.
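One way to run the test mentioned above, as an added example (not from this newsletter or from Microsoft): the PowerShell below lists the client-authentication certificates in a computer's machine store and flags whether each one carries the new extension. The OID value `1.3.6.1.4.1.311.25.2` does not appear in this article; it is assumed here from Microsoft's documentation for the May 2022 certificate-based authentication changes, and the function name is made up for illustration.

```powershell
# Added example. Assumption: this is the OID of the new SID extension as
# documented by Microsoft; confirm it against the KB article before relying on it.
$SidExtensionOid = '1.3.6.1.4.1.311.25.2'
$ClientAuthEku   = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Hypothetical helper: emits one row per certificate usable for client auth.
function Get-CertSidExtensionStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $ekuExt = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        # A certificate with no EKU extension is not restricted to specific
        # purposes, so it is treated as usable for client authentication.
        $clientAuth = (-not $ekuExt) -or
            ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthEku })
        if (-not $clientAuth) { return }

        $hasSid = [bool]($Certificate.Extensions |
            Where-Object { $_.Oid.Value -eq $SidExtensionOid })

        [pscustomobject]@{
            Subject         = $Certificate.Subject
            Issuer          = $Certificate.Issuer
            NotBefore       = $Certificate.NotBefore
            NotAfter        = $Certificate.NotAfter
            Thumbprint      = $Certificate.Thumbprint
            HasSidExtension = $hasSid
        }
    }
}

# Certificates still lacking the extension sort first; those are the ones
# to re-enroll before the older certificates are revoked.
Get-ChildItem Cert:\LocalMachine\My |
    Get-CertSidExtensionStatus |
    Sort-Object HasSidExtension, NotBefore |
    Format-Table Subject, Issuer, NotBefore, NotAfter, HasSidExtension -AutoSize
```

Run it on a test workstation after auto-enrollment has issued a certificate from the updated CA; a freshly issued certificate that still shows `HasSidExtension` as `False` means the CA side is not ready and the older certificates should not be revoked yet.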

But note that these updates also add additional auditing because there will be a change in enforcement in May 2023, a year from now. Once you have installed the May 10, 2022, Windows updates, devices will be in Compatibility Mode. If a certificate can be strongly mapped to a user, authentication will occur as expected. If a certificate can be only weakly mapped to a user, authentication will occur as expected — except that a warning will be logged, unless the certificate is older than the user. If it is older than the user, authentication will fail and an error will be logged. Find more on this upcoming change in this Microsoft Knowledge Base article.

I recommend an additional mitigation for future attacks. Microsoft has long left a setting allowing nonadministrators to add computers to the domain. But this allowance is being abused by attackers. Disabling the setting is now recommended (follow the guidance in this blog post).




Susan Bradley is the publisher of the AskWoody newsletters.

The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.


Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright ©2022 AskWoody Tech LLC. All rights reserved.