alert banner

ISSUE 20.13.1 • 2023-03-28

MS-DEFCON 4: Win11 22H2 not ready for prime time


By Susan Bradley

March updates are ready. Windows 11 22H2, not so much.

It’s time to install the updates for the March releases, and that’s why I’m lowering the MS-DEFCON level to 4. There are a few issues out there, but most appear to be plain old low-risk bugs — things that used to be caught in Microsoft’s beta testing. As usual, it seems we’re the beta testers.

I have several Windows 11 22H2 deployments in active use. If you are not an advanced user, are relatively new to the Windows platform, or are really into rounded corners and having to click several times to build shortcuts on your desktop, you might be tempted to forgive Microsoft for some of these cosmetic bugs.

But here’s the thing: Windows 11 is now — or rather, should be — beginning its teenage years, leaving childish things behind. Instead, we find ourselves dealing with bugs that should never have made it into a released patch.

The latest bug was introduced by the update for the Microsoft Defender antivirus/antimalware platform (KB5007651, version 1.0.2302.21002). The bug introduces an error on Windows 11 22H2, stating that “Local Security Authority protection is off. Your device may be vulnerable.” (See Figure 1).

Bogus Local Security protection message
Figure 1. Erroneous Local Security Authority protection message

Once protections are enabled, Windows might persistently prompt that a restart is required. As noted in our forums, the computer is then flagged as having a security issue. If you attempt to turn on Local Security Authority Protection, it will prompt you to restart — but upon reboot, nothing is fixed.

There is a workaround using several registry keys. It gets rid of the error, but it’s not recommended by Microsoft on its release health dashboard. I’d prefer to have Microsoft fix the issue rather than deal with a workaround. Note that this is not a problem triggered by using unsupported hardware — the problem occurs on officially supported Windows 11 hardware, so there should be no alerts or warnings.

Special note: Although there are many sources on the Web regarding KB5007651, Microsoft does not seem to have its usual dedicated page. Accordingly, we have not provided a link.

Here’s a slightly bizarre bug. As described in this Tweet by Will Dormann, following a very basic set of steps to edit, crop, and save an image results in — nothing. The saved file is the same as the original. That bug is certainly of concern, and it appears that Microsoft will be fixing it soon.

However, I’d rather see Microsoft fix another issue — where Snip and Sketch doesn’t recognize the desktop version of Outlook as a platform that one can send the image to for emailing. I kid you not — we upgraded from Windows 7 to Windows 10 just because we loved the feature enhancements to the snipping tool in Windows 10. I am disappointed with the Snip and Sketch release in Windows 11 and do not feel that it is comparable. I’m hoping that one of these days Microsoft will fix that issue as well.

Consumer and home users

When I say the March updates are safe, that means what it always means — it’s safe for the majority of users. If you have experienced any performance issues, and especially if you see any blue screens of death, it’s a sign that you need an updated driver. Most often, investigating available updates for a motherboard or graphics card is the best place to start. For graphics cards, launch Device Manager and click on the Display Adapters section. You’ll find the graphics-card brand and, usually, its model. Armed with that information, you can go to the manufacturer’s site (e.g., Nvidia) and search for an updated driver.

We are no longer in the “install drivers once and never revisit them again” era. We now need to consider drivers to be as patchable as our operating systems. Unless it’s called out on the Windows release health dashboard as a widespread problem, your issue may be limited to a small group or even be unique to you, in which case Microsoft — unfortunately — won’t acknowledge it.

Look for an upcoming article about how best to investigate which applications are memory hogs and how best to track down performance issues, plus other tips about Windows 10. There is still a lot of life left in what is now a — mostly — stable platform. Windows 10 will be around for several years, and I am going to ensure that you get the best advice to keep it running well — and patched!

Samsung/Pixel bug starting to get patched

We’re starting to see patches released for the recent bug on certain Samsung and Google phones, in which the attacker could take root control of a phone merely by knowing the phone number and silently calling it. Google updated its March 2023 Security Bulletin to show that all four Internet-to-baseband remote code execution vulnerabilities were fixed for Pixel 6 and Pixel 7. You may have to check with your phone manufacturer to see whether a patch has been released. I’ll be tracking the models that I know have received an update in the Master Patch list.

Business users

For those of you in business who have installed the March updates, the major things to look out for are side effects due to the DCOM hardening changes. (See my Patch Watch column from last June.) March brings the final changes to deal with the security-bypass vulnerability.

Because of the impact to line-of-business applications, Microsoft introduced the changes over time and as options. Now, however, the hardening is mandatory. You will no longer be able to use registry keys to bypass the hardening. This means you’ll need to deal with the vendor for line-of-business apps in order to obtain the fix to the underlying problem — as well as to discuss any other advice they might have regarding side effects introduced by the March updates. As Microsoft noted in KB5004442:

We are now in the Phase 3 Release — Hardening changes enabled by default with no ability to disable them. By this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.

By this time, vendors should have fixes in place. This matter has been understood for years. For example, vendors such as Check Point long ago released guidance on how to reconfigure services to work with the new hardening settings. If you find yourself with an application that suddenly doesn’t work, remove the March updates and then test. If the app works, turn off updates and get with the vendor for resolution.

And if the app is no longer available or supported? You’re out of time — either find another solution, or carefully isolate the machine running the old app. A risk analysis may be required.

Bugs for every flavor

The recent Pwn2Own exploit fest in Vancouver proves that nothing is immune from bugs. In a recent bugfest, exploits abounded in countless cases including Teams applications, Tesla cars, Ubuntu desktops, MacOS, and — as expected — Windows 11 22H2.

Nothing is immune, and everything will need a patch sooner or later.



Talk Bubbles Join the conversation! Your questions, comments, and feedback
about this topic are always welcome in our forums!

Susan Bradley is the publisher of the AskWoody newsletters.

The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.

Your subscription:

Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody,, Windows Secrets Newsletter,, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright ©2023 AskWoody Tech LLC. All rights reserved.