
ISSUE 20.17.1 • 2023-04-25

MS-DEFCON 4: Major April issue, but not from updates

By Susan Bradley

I’m ready to approve the April updates.

Accordingly, I’ve lowered the MS-DEFCON level to 4. This is not to say there are not a few oddities out there, but they will not affect many users.

Most of the unusual behavior in updates this month is due to slow changes that will lead to future enforcement changes.

Microsoft has also pushed off the implementation of the mandatory, number-based, multifactor authentication for Microsoft 365 applications.

Reminders:

  • Windows 10 21H2 drops out of support in June. Make sure your machine is on 22H2.
  • I am not tracking any major issues with updating Windows 10 for consumers.
  • For Business patchers, be aware of upcoming changes that may impact the use of older operating systems. You’ll need to review your event logs for more details.
  • Both Microsoft and Apple are patching zero-days this month. Ensure your iOS and macOS devices are up to date.

Consumer and home users

Sometimes there are bugs that are not related to updates but appear around Patch Tuesday simply because of timing. For example, Microsoft’s dictation feature is built into the operating system but relies on servers and resources outside the operating system. Right before Patch Tuesday, dictation started to fail on Windows 10. Microsoft is tracking the issue; hopefully, by the time you read this alert the problem will be fixed. It’s a reminder that the core patches for Windows and Office are not always the root cause of issues seen on our machines.

I’m not tracking any bugs in Windows 10, but Windows 11 is still making changes that trigger side effects, especially if you are using certain games. In my “normal” Windows 11 installs, I’m not seeing these issues. Once again, the problem is not in the Windows update released in April but rather in the Defender change to fix the LSA bug seen earlier. The moral of this story is that side effects may seem to be due to updates, but in reality many changes to the operating system besides the update process may trigger side effects. If you are an everyday user, you shouldn’t see any side effects with either operating system. However, if you are a gamer, you’ll need to be aware of these issues.

Google has been patching several zero-days in its browser. This triggers Edge updates as well, because Edge now piggybacks on the Chromium engine. Thus when Chrome sneezes, the rest of the browser ecosystem tends to either catch the same cold or get similar sniffles.

Business users

Business users need to be aware of upcoming patch side effects and start to review event logs. Specifically, look for the indicators described in the following KB articles.

KB5021130 — How to manage the Netlogon protocol changes (CVE-2022-38023)

Look in your domain controller log files for the event codes noted in the KB article. If you see event codes 5838, 5839, 5840, or 5841, it’s a sign that you will see side effects in your network once the enforcement phase of the patch kicks in. There is a registry setting you can use to buy some time to fix the issue.

Timing:

  • June 13, 2023: Enforcement by default will begin to occur with the ability to remove the impact with a registry key.
  • July 11, 2023: Enforcement phase begins and you must remove the patch if you are impacted by this update. The registry key will no longer work.

KB5008383 — Active Directory permissions updates (CVE-2021-42291)

Again, look in your domain controller log files for the event codes documented in the KB article. The existence of these codes indicates there are issues to be fixed before patching enforcement, which is expected in January 2024. You’ll want to monitor the Directory Service event log for events 3044 through 3056 on domain controllers that have the November 9, 2021 or later Windows updates installed, before the programmatic enforcement mode due in January 2024.

Test now and make sure these side effects don’t occur. If Audit mode does not detect any unexpected privileges for a sufficient length of time, switch to Enforcement mode to ensure that no negative results occur. Let me know if you see any unexpected scenarios or side effects.

If you have any third-party devices such as NetApp storage, it is especially important to change the setting to Test Enforcement mode as soon as possible. Microsoft itself is concerned that things may not go as smoothly as is hoped. (NetApp has its own guidance.)
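The two log checks above (Netlogon events 5838 to 5841 for KB5021130, Directory Service events 3044 to 3056 for KB5008383) can be run across all domain controllers in one pass. This is an added example, not a script from the alert or from Microsoft; the domain controller names are placeholders, and it assumes an account that can read event logs remotely.

```powershell
# Added example: query each DC for the indicator events named in KB5021130 and KB5008383.
# $DomainControllers holds placeholder names; replace them with your own DCs.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),   # placeholders
    [int]$Days = 30
)

$since = (Get-Date).AddDays(-$Days)

# KB5021130 (CVE-2022-38023): Netlogon RPC sealing events are written to the System log.
# KB5008383 (CVE-2021-42291): AD permission audit events go to the Directory Service log.
$checks = @(
    @{ Kb = 'KB5021130'; LogName = 'System';            Ids = 5838..5841 },
    @{ Kb = 'KB5008383'; LogName = 'Directory Service'; Ids = 3044..3056 }
)

$results = foreach ($dc in $DomainControllers) {
    foreach ($check in $checks) {
        $filter = @{ LogName = $check.LogName; Id = $check.Ids; StartTime = $since }
        # "No events were found" is reported as an error; suppress it and treat it as zero hits.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($group in ($events | Group-Object Id)) {
            $latest = ($group.Group | Sort-Object TimeCreated -Descending)[0]
            [pscustomobject]@{
                DomainController = $dc
                KB               = $check.Kb
                EventId          = $group.Name
                Count            = $group.Count
                LastSeen         = $latest.TimeCreated
                # The first line of the message usually identifies the machine or object involved.
                Sample           = ($latest.Message -split "`r?`n")[0]
            }
        }
    }
}

if ($results) {
    # Any row here is something to fix before the enforcement dates in the timelines above.
    $results | Sort-Object DomainController, KB, EventId | Format-Table -AutoSize
} else {
    "No KB5021130/KB5008383 indicator events in the last $Days days on: $($DomainControllers -join ', ')"
}
```

Run it periodically until it returns nothing; every row it does return names a device or object that will break once the corresponding enforcement phase begins.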

Resources

MS-DEFCON 4


Susan Bradley is the publisher of the AskWoody newsletters.


The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.


Copyright ©2023 AskWoody Tech LLC. All rights reserved.