Newsletter Archives

  • No, Microsoft hasn’t issued a “Windows 10 update warning”

    Fool me once, shame on you. This time the shame’s on me.

    I click through on clickbaity things from time to time, and I decided to see if the breathless report from one of the major online publications had picked up something that slipped under my radar.

    Nope. I need to rap my own knuckles here.

    Here’s the fact. The “optional,  non-security, C/D Week” patch for Win10 version 1903 and 1909, KB 4535996, has a bunch of problems. Mayank Parmar first wrote about them on March 5 in Windows Latest. Lawrence Abrams repeated that list and added a few more the next day in BleepingComputer.

    We’re seeing a handful of common installation bugs:

    • The patch won’t install, or rolls back
    • There are blue screens or black screens after installation
    • Complaints of slowness from various sources

    We’re also seeing one novel problem, first reported (to the best of my knowledge) by Rafael Rivera. The tool used by Visual Studio to self-sign code, signtool.exe, triggers “Failed to sign” errors after installing the update:

    If you’re having trouble with signtool.exe, check if you have KB4535996 (optional 2020-02 CU) installed. Looks like WTLogConfigCiScriptEvent got removed from wldp.dll without sufficient testing.

    Microsoft has listened to Rivera (for a change!) and a Visual Studio community post from a Microsoft engineer now says:

    We’re aware of issues with signtool.exe after installing the latest optional update for Windows 10, version 1903 or Windows 10, version 1909 (KB4535996). If you are encountering issues or receiving errors related to signtool.exe, you can uninstall the optional update KB4535996. We are working on a resolution and estimate a solution will be available in mid-March.

    Of course, neither the Knowledge Base article nor the official Windows Release Information page say squat.

    I haven’t talked much about these bugs here because I rarely talk about bugs in beta software — and, make no mistake, the monthly “optional, non-security, C/D Week” patches are beta versions. Maybe even alpha, depending on your definitions. The changes in those patches graduate to full, living, breathing cumulative updates on the following Patch Tuesday.

    Neither Susan nor I ever, ever, ever recommend that you install the monthly optional updates. There’s too much downside, and almost no upside. This is a case in point.

    This month, though, things are a little different. With nearly all of Microsoft’s employees now working from home, it isn’t clear if all the known bugs (much less the unknown ones!) will get fixed in time for Tuesday. But I’ll have more about that tomorrow in Computerworld.

  • Looks like the temporary profile “lost desktop” bug is hitting Server 2012 R2, too

    Günter Born has a couple of posts about our favorite unacknowledged February bug, the one that causes machines to reboot into a temporary profile, attacking Server 2012 R2.

    Even though the patchday February 11, 2020 is long gone, user comments are still arriving on my blogs reporting the problem with a temporary user profile in the Windows Server 2012 area… It is interesting to note that the temporary user profile only affects the user account that was active during the update installation.

    Here’s the scary part:

    There is no confirmation from Microsoft that this error is known. It also doesn’t look to me like the bug will be fixed on patchday in March 2020.

  • MS-DEFCON 3: Get the February patches installed

    The “disappearing desktop” temporary profile bug is still in the February cumulative update for Win10 version 1903 and 1909. Looks like the bug’s in the “optional, non-security, C/D Week” update, too. Nonetheless, we’ve seen a lot of reports of problems, and they all appear to be solvable.

    So it’s with some trepidation that I’m moving us to MS-DEFCON 3. You should get the Feb patches installed. (NOT the “optional, non-security, C/D Week patch, of course.)

    As an added surprise… I’m moving my production machines to Win10 version 1909. It looks like the File Explorer Search bug was fixed in the regular Cumulative Update — and I don’t see any persistent bugs in 1909 that aren’t also in 1903.

    Details in Computerworld Woody on Windows.

  • Late February optional update, KB 4535996, released for Windows 10 1903 and 1909

    The latest cumulative non-security update for the latest Windows 10 releases. See [url=]February 27, 2020—KB4535996 (OS Builds 18362.693 and 18363.693)[/url] for a long list of changes and fixes.

  • Where we stand with the Feb 2020 Microsoft patches

    I’ve lost hope that we’ll see a fix for the “lost profile” bug in the Win10 version 1903 and 1909 February patch, but other details seem on track.

    Let’s see what other problems crawl out of the woodwork.

    Details in Computerworld Woody on Windows.

  • The late Feb “optional, non-security, C/D Week” patch is out but only for Win10 version 1809 and 1709. Win8.1 preview is also out.

    I take this as a good sign – that Microsoft’s spending more time on testing the Win10 1903 and 1909 patches, but then again the Win10 1903 and 1909 “optional, non-security, C/D Week” patches have lagged behind 1809 for almost a year. Fat lot of good that’s done us.

    Just out:

    • Win10 version 1809 “February 25, 2020—KB 4537818 (OS Build 17763.1075)” with dozens of minor patches
    • Win10 version 1709 “February 25, 2020—KB 4537816 (OS Build 16299.1717)” with a handful of patches
    • Win8.1 “February 25, 2020—KB 4537819 (Preview of Monthly Rollup)” with two tiny patches

    Of course, most people shouldn’t install them.

  • Microsoft says the usual “C Week” previews/non-security patches are on their way

    Go away kid, ya bother me…

    We don’t have official acknowledgment of the widespread “missing profile” bug in this month’s Win10 version 1903 and 1909 cumulative updates. But we do have this:

    Status of February 2020 “C” release

    The optional monthly “C” release for February 2020 for all supported versions of Windows and Windows Server prior to Windows 10, version 1903 and Windows Server, version 1903 will be available in the near term

    Do I detect a scent of fear and/or trepidation? This should be a pretty straightforward collection of “optional, non-security” patches.

  • No fix for the Feb cumulative update “lost profile” bug in sight. I suggest you Win10 1903 and 1909 customers make sure Pause Updates is engaged.

    Microsoft hasn’t yet publicly acknowledged the bug that we’ve known about for nine days: Installing the February cumulative update for Win10 version 1903 and 1909,  KB 4532693, can be hazardous to your machine’s health.

    (See, for example, Susan Bradley’s post below.)

    If you’re relying on Pause Updates to keep your machine protected from Microsoft’s buggy spittle (I’m being generous here), now would be an excellent time to make sure your Pause Update setting goes out for at least a few more days. I’m setting mine to March 9, in the hope that MS will fix (or at least acknowledge!) the bug before next Patch Tuesday.

    I was shocked to discover that, yes, you can extend the “Resume updates” date beyond its current setting without installing all of the outstanding patches. That’s a major shift — undocumented I believe — that you should use to your advantage.

    Details in Computerworld Woody on Windows.

    UPDATE: We have an interesting discussion underway on a different thread about extending Paused Updates, and whether you’re locked out of extending them even more if, at some point in the past, you ran the pause up to its maximum of 35 days. Thx @PKCano, @DriftyDonN, @Alex5723, @Brockton. Can anyone replicate their results?

  • The mess behind Microsoft’s yanked UEFI patch KB 4524244

    Yes, Microsoft signed the buggy Kaspersky bootloader/rootkit. But there’s a good reason why. And Kaspersky is quite justified in saying the problems with the KB 4524244 patch aren’t their fault.

    Here’s how the sausage was made — and how it turned to tripe.

    Details in Computerworld Woody on Windows.

  • Running a SQL Server? Heads up! You need to install this month’s patches quickly

    I just saw a notification that the SQL Server security hole known as CVE-2020-0618 has been cracked. Per Kevin Beaumont:

    Ah bums, there’s an exploit for CVE-2020-0618 (Feb 2020 SQL vuln). The good news: it’s not yet point and click. The bad news: it will be, this will be a big enterprise vuln.

    CVSS score 9.7, very easy to exploit but depends on SQL Reporting Services being installed. Some ICS solutions install it, as does Microsoft EPM (Project Server). I’ll keep thread updated if I see any scanning in the wild.

    One thing if it helps people, although the MS advisory says it only impacts SQL Server 2012+, it appears to also impact SQL Server 2008 too (which is out of support).

    He points to Jin Wook Kim’s Proof of Concept code on Github. In the comments, you can find reference to the original PoC on

    If you aren’t running a SQL Server, or don’t know SQL Server from a hole in the ground, no need to sweat it. But if your company has SQL Server, somebody better let the admins know.

  • Microsoft pulls KB 4524244, the infamous UEFI patch, from the Catalog

    The count of “2020-02” patches in the Catalog went down by eight overnight.

    One of them is KB 4524244, the UEFI patch that we’ve all been wondering about. As I said on Feb. 12 in Computerworld,

    The UEFI mystery of KB 4524244

    Microsoft seems to have a specific UEFI manufacturer in its sites. KB 4524244, the “Security update for Windows 10, version 1607, 1703, 1709, 1803, 1809, and 1903: February 11, 2020” is being offered, independently of the usual Cumulative Updates, on all versions of Windows 10.

    By the way, if you think Win10 version 1909 was immune from the KB 4524244 malaise, think again. Microsoft forgot to include 1909 on its master list, but KB 4524244 is included in the 1909 MS Update Catalog listing and in the WSUS listing. (Thx, PKCano.) The KB article – even its title – is clearly wrong.

    According to PKCano, one of the UEFI patches, KB 4502496, still appears in Windows Update – but it isn’t in the Catalog. Likely its appearance in Windows Update is a phantom, and in fact it won’t be installed. Do you have better info?
    Update: KB 4502496 has also been pulled.

    The KB article has been updated to say:

    Another Microsoft Friday night massacre? On a three day (US) weekend?



    Patch lady edit:  Spotted this interaction on twitter  —   So now I know that it was a Kaspersky bootloader

    Brian in Pittsburgh (@arekfurt)
    This has gone surprisingly little attention. Microsoft signed a Kaspersky bootloader that could be used to bypass Secure Boot on any PC (!), then revoked it last Tuesday (that was what took two reboots if you had Cred Guard enabled). Now there are in turn issues with that fix.


    Alex Ionescu
    1. Sign Kaspersky UEFI Rootkit (oops, “loader”) even though this wasn’t what the program was meant for, putting *everyone* at risk thanks to the DB policy.
    2. Finally release revocation (thanks

    ) 3. Pull back the release and indicate you won’t offer it anymore…

  • February Win10 1903 and 1909 cumulative update, KB 4532693, causing desktops to disappear

    Excellent overnight analysis from Lawrence Abrams and a surprising observation from Günter Born point at a possible smoking gun.

    Microsoft should be paying you to beta test their buggy patches.

    Details in Computerworld Woody on Windows.

    If you installed this month’s patch (NOT recommended – see MS-DEFCON 2 above) or know someone who did and got bit by this specific bug, please let me know if they’re using Avira or AVG antivirus and, if possible, which version.