AskWoody Plus Alert Logo
ISSUE 19.14.1 • 2022-01-25
MS-DEFCON 4: A very complicated patching month


By Susan Bradley

Thanks, Microsoft, for a very messy January.

This month will be somewhat convoluted for patching, due to the high number of side effects. To make it worse and more complicated, Microsoft has left it up to us to figure out what to install — rather than pushing out the fixed updates via Windows Update or WSUS. The side effects for those with servers are extreme. In some cases, you’ll need to install two updates before rebooting the servers you manage to successfully patch this month.

I’m lowering the MS-DEFCON level to 4 in spite of these difficulties, but business users must be cautious.

Consumer and home users — patching should be safe

Here’s an important clarification for home users. If you run consumer-class VPN software, the side effects mentioned later in this alert do not impact you. I know of no problems with such VPN software. So if you have a standalone computer or even a peer-to-peer network, now is the time to proceed with any January updates that you may have deferred.

Count yourself lucky that you haven’t been impacted by the slew of side effects that business users saw this month.

Business users — patching is complicated

This is going to be a difficult month to patch. And in a very unusual twist, I have different recommendations for servers and workstations.

For those of you using business-class virtual private network (VPN) software to connect workstations to your network, and if you are patching Windows 10 or 11 machines, you’ll need to skip over the normal Windows 10 releases and install the optional updates. If you use Windows software update services (WSUS) to deploy updates, this means manually importing KB5010795 for Windows 11 and KB5010793 for Windows 10 Versions 21H2, 21H1, and 20H2. Both of these updates are deemed out-of-band, so your options are limited for some deployment methods and nonexistent in others.

For those without an update-management mechanism, your users will need to go to Settings,  Update and Security, and Windows Update. Under View optional updates, you’ll find the link to download and install the update for the feature release of Windows 10 running on that PC.

For those who update using the Group policy/Update for Windows methodology, the only option is to manually download the update for the feature release of Windows 10. You can either download the update and place it into a location from which all users can run it, or each user can download and run the update on individual PCs.

To get the update, visit the Microsoft catalog site and find the appropriate download, the one that matches your feature release. Click the download button on the far right. The file will be downloaded and placed into your Downloads folder. You may get a warning that the file cannot be downloaded, in which case you’ll need to click the three dots next to the file name in your browser’s download list and select the “Keep” option. See Figure 1.

Use the keep option in the download dialog
Figure 1. If there is an error downloading an update file, use the Keep option on the downloads dialog to force the download.

Those using business-class VPN can manually install the updates as shown below:

If you do not use business-class VPN, you can install the regular updates released on January 11, which include the following:

For server installations, skip over the normal Windows updates and install only the out-of-band releases for Windows Server 2016, 2019, and 2022. For these, choose from the following:

As a reminder, the side effects on servers are not trivial:

  • Addresses a known issue that might cause IP Security (IPSEC) connections that contain a vendor ID to fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP Security Internet Key Exchange (IPSEC IKE) might also be affected.
  • Addresses a known issue that might cause Windows Servers to restart unexpectedly after the January 11, 2022, update on domain controllers (DCs) is installed.
  • Addresses an issue that prevents Active Directory (AD) attributes from being written properly during a Lightweight Directory Access Protocol (LDAP) modify operation when you make multiple attribute changes.
  • Addresses an issue that might prevent removable media formatted using the Resilient File System (ReFS) from mounting, or might cause the removable media to mount in the RAW file format. This issue occurs after installing the January 11, 2022 Windows update.

For those patching Hyper-V servers using Server 2012 R2 as the underlying platform, there is yet another side effect. In addition to the notice that “Windows Servers might restart unexpectedly after installing the January 11, 2022, Windows update on domain controllers (DCs)” on the Server 2012 R2 platform, you will face this: “Virtual machines (VMs) located on a server that has Unified Extensible Firmware Interface (UEFI) enabled fail to start after installing the January 11, 2022, Windows update.”

Now comes the fly in the ointment. In order to properly patch Server 2012 R2, you must install both the original patch released in January (choose either KB5009610 monthly rollup or the KB5009621 security-only update) and then install the out-of-band update KB5010794. This ensures that you reboot only after the installation of the out-of-band update, not after the initial install of the monthly rollup or the security-only patch. On these older platforms, you choose monthly rollup or security-only; they are not cumulative updates, as the Windows 10/11 patches are.

I warned you this was going to be confusing! If you have any questions, join us in the forums, where we will either help you or commiserate with your patching troubles this month!

(Edited on 1-25-2022 – I had the wrong KB number listed for 2012 R2 – apologies!)



Talk Bubbles Join the conversation! Your questions, comments, and feedback
about this topic are always welcome in our forums!

Susan Bradley is the publisher of the AskWoody newsletters.

The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.

Your subscription:

Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody,, Windows Secrets Newsletter,, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright ©2022 AskWoody Tech LLC. All rights reserved.