alert banner

ISSUE 20.17.1 • 2023-04-25

MS-DEFCON 4: Major April issue, but not from updates


By Susan Bradley

I’m ready to approve the April updates.

Accordingly, I’ve lowered the MS-DEFCON level to 4. This is not to say there are not a few oddities out there, but they will not affect many users.

Most of the unusual behavior in updates this month is due to slow changes that will lead to future enforcement changes.

Microsoft has also pushed off the implementation of the mandatory, number-based, multifactor authentication for Microsoft 365 applications.


  • Windows 10 21H2 drops out of support in June. Make sure your machine is on 22H2.
  • I am not tracking any major issues with updating Windows 10 for consumers.
  • For Business patchers, be aware of upcoming changes that may impact the use of older operating systems. You’ll need to review your event logs for more details.
  • Both Windows and Apple are patching zero days this month. Ensure your iOS and macOS devices are up to date.
Consumer and home users

Sometimes there are bugs that are not related to updates but may be released due to the timing of a problem. For example, Microsoft’s dictation feature is built into the operating system but relies on servers and resources outside the operating system. Right before Patch Tuesday, dictation started to fail on Windows 10. Microsoft is tracking the issue; hopefully, by the time you read this alert the problem will be fixed. It’s a reminder that sometimes the core patches of Windows and Office are not the root cause of issues seen on our machines.

I’m not tracking any bugs in Windows 10, but Windows 11 is still making changes that trigger side effects, especially if you are using certain games. In my “normal” Windows 11 installs, I’m not seeing these issues. Once again, the problem is not in the Windows update released in April but rather in the Defender change to fix the LSA bug seen earlier. The moral of this story is that side effects may seem to be due to updates, but in reality many changes to the operating system besides the update process may trigger side effects. If you are an everyday user, you shouldn’t see any side effects with either operating system. However, if you are a gamer, you’ll need to be aware of these issues.

Google has been updating several zero days related to its browser. This triggers Edge updates as well, because Edge now piggybacks on the Chromium engine. Thus when Chrome sneezes, the rest of the browser ecosystem tends to either catch the same cold or get similar sniffles.

Business users

Business users need to be aware of upcoming patch side effects and start to review event logs. Specifically, look for the following indicators as a result of the following KBs.

KB5021130 — How to manage the Netlogon protocol changes (CVE-2022-38023)

Look in your domain controller log files for the event codes noted in the KB article. If you see the event codes 5838, 5839, 5840, or 5841, it’s a sign that you will see side effects in your network once the mandate of the patch kicks in. There is a registry setting you can use to buy some time to fix the issue.


  • June 13, 2023: Enforcement by default will begin to occur with the ability to remove the impact with a registry key.
  • July 11, 2023: Enforcement phase begins and you must remove the patch if you are impacted by this update. The registry key will no longer work.

KB5008383 — Active Directory permissions updates (CVE-2021-42291)

Again, look in your domain controller log files for the event codes documented in the KB article. The existence of these codes indicates there are issues to be fixed before patching enforcement that is expected in January 2024. You’ll want to monitor the Directory Service event log for 3044-3056 events on domain controllers that have the November 9, 2021 or later Windows updates released before the programmatic enforcement mode, due in January 2024.

Test now and make sure these side effects don’t occur. If Audit mode does not detect any unexpected privileges for a sufficient length of time, switch to Enforcement mode to ensure that no negative results occur. Let me know if you see any unexpected scenarios or side effects.

If you have any third-party devices such as NetApp storage, it is especially important to change the setting to Test Enforcement mode as soon as possible. Microsoft itself is concerned that things may not go as smoothly as is hoped. (NetApp has its own guidance.)



Talk Bubbles Join the conversation! Your questions, comments, and feedback
about this topic are always welcome in our forums!

Susan Bradley is the publisher of the AskWoody newsletters.

The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.

Your subscription:

Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody,, Windows Secrets Newsletter,, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright ©2023 AskWoody Tech LLC. All rights reserved.