Newsletter Archives

  • Attack surface reduction rule triggers a mess on Friday the 13th

    #Fridaythethirteenthmess

    Microsoft 365 Status on Twitter: “The revert is in progress and may take several hours to complete. We recommend placing the offending ASR rule into Audit Mode to prevent further impact until the deployment has completed. For more details and instructions, please follow the SI MO497128 in your admin center.”

    If you set up the Attack surface reduction rule that checks Office macros, you have woken up to missing shortcuts. It appears to have been triggered by a Defender update. Note this will only occur IF you have that attack surface reduction rule enabled; on machines where it is not set, Defender shows no issues. It is just those with the ASR rule enabled.

    The specific rule causing this is

    Block Win32 API calls from Office macros

    Rule-ID 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b

    In Intune or group policy set the rule to audit if Microsoft hasn’t done it for you already.  Now how to deal with the missing shortcuts?

    Emin reports that “If you’ve volume shadow copy enabled, you can find these shortcuts in a VSS snapshot. I still use nowadays this code whenever I’ve to mount/dismount VSS snapshots. https://p0w3rsh3ll.wordpress.com/2014/06/21/mount-and-dismount-volume-shadow-copies/”

    Alternatively, you can get the shortcuts from OneDrive if Desktop synchronization was enabled.
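    The steps above (put the rule in Audit mode, then get the shortcuts back from a shadow copy) as one PowerShell script. This is an added example and is not code from the AskWoody post, from Emin’s post or from Microsoft’s guidance. It assumes the shortcut folders listed in it, the mount point C:\vss_restore, and that Defender logs an event 1121 per Block-mode hit and 1122 per Audit-mode hit in its Operational log; none of those details come from the post.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not from the AskWoody post. For one machine hit by the ASR incident:
  1. make sure the rule is in Audit mode locally, or report that it is policy-managed
     (an Intune/GPO value overrides anything set with Add-MpPreference);
  2. count how often it fired in Block mode, which also gives the incident start time;
  3. copy the deleted .lnk files back from the newest shadow copy taken before that time.
  Assumptions: shortcut folders below, the mount point, event IDs 1121 (block) / 1122 (audit).
#>
$RuleId       = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'  # Block Win32 API calls from Office macros
$ActionNames  = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$Mount        = 'C:\vss_restore'
$ShortcutDirs = @(                                       # relative to the volume root (assumed)
    'ProgramData\Microsoft\Windows\Start Menu\Programs',
    "Users\$env:USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs",
    "Users\$env:USERNAME\Desktop"
)

# --- 1. Rule state -------------------------------------------------------------------
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'
$policyValue = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).$RuleId
$pref        = Get-MpPreference
$ids         = @($pref.AttackSurfaceReductionRules_Ids) | Where-Object { $_ } | ForEach-Object { $_.ToLower() }
$idx         = [array]::IndexOf(@($ids), $RuleId)
$localAction = if ($idx -ge 0) { [int]$pref.AttackSurfaceReductionRules_Actions[$idx] } else { -1 }

if ($null -ne $policyValue) {
    Write-Host "Rule is policy-managed (action $($ActionNames[[int]$policyValue])); set it to Audit in Intune/GPO, a local change would be overwritten."
} elseif ($localAction -eq 1) {
    # Audit mode logs event 1122 and takes no action on the file.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions AuditMode
    Write-Host 'Rule switched from Block to Audit locally.'
} else {
    Write-Host "Rule is $(if ($idx -ge 0) { $ActionNames[$localAction] } else { 'not configured' }) locally; nothing to change."
}

# --- 2. Block-mode hits for this rule ------------------------------------------------
$blocks = @(Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121; StartTime = (Get-Date).AddDays(-3)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match $RuleId })
Write-Host "Block events for this rule in the last 3 days: $($blocks.Count)"
$cutoff = if ($blocks) { ($blocks | Sort-Object TimeCreated | Select-Object -First 1).TimeCreated } else { Get-Date }

# --- 3. Restore .lnk files from the newest shadow copy of C: older than the cutoff ----
$volume = (Get-CimInstance Win32_Volume -Filter "DriveLetter='C:'").DeviceID
$snap   = Get-CimInstance Win32_ShadowCopy |
          Where-Object { $_.VolumeName -eq $volume -and $_.InstallDate -lt $cutoff } |
          Sort-Object InstallDate -Descending | Select-Object -First 1
if (-not $snap) { throw 'No shadow copy of C: predates the first block event; fall back to OneDrive or backups.' }
Write-Host "Restoring from shadow copy $($snap.InstallDate) ($($snap.DeviceObject))"

# Expose the snapshot through a directory symlink; the trailing backslash is required.
cmd /c mklink /d "$Mount" "$($snap.DeviceObject)\" | Out-Null
try {
    foreach ($dir in $ShortcutDirs) {
        # /S recurses; /XO skips destination files that are newer, so surviving shortcuts are left alone.
        robocopy "$Mount\$dir" "C:\$dir" *.lnk /S /XO /R:1 /W:1 /NJH /NJS /NP | Out-Null
        if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported errors for $dir (exit code $LASTEXITCODE)" }
    }
} finally {
    cmd /c rmdir "$Mount" | Out-Null   # removes the link only, never the snapshot contents
}
```

    The shadow copy chosen is the newest one taken before the first 1121 event, so it still contains the shortcuts the rule deleted; a copy taken after the incident would be missing them too. Taskbar pins and shortcuts in other folders need the same copy step with their own paths added to $ShortcutDirs.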

    Microsoft’s guidance here:

    I’ll also note this on the Master Patch list, but it’s NOT exactly a patch-related side effect.

  • Master Patch list updated as of January 10, 2023

    #PatchTuesday #DeadBodyWednesday #KeepaneyeoutforissuesThursday

    Consumers:  Defer updates at this time.

    I’ve updated the Master Patch List for Tuesday’s releases.

    It’s too soon at this time for me to be making recommendations for consumers; I’m still watching for issues.

    For businesses, the impact to look out for and keep an eye on is any on-premises Exchange server you are still patching.

    As a reminder

    • Windows 11 22H2: Not recommended
    • Windows 11 21H2: If you have a Windows 11 PC, recommended
    • Windows 10 22H2: Recommended
    • Windows 10 21H2: Recommended (if a vendor won’t support 22H2)
    • Apple Ventura – tentative. Check with the applications you rely on if they recommend this release.

    As always, thank you all for supporting the cause! Remember a donation will give you access and if you donate $50 or more you’ll get a special code to enable text messages sent to your phone each time the Master Patch List gets updated and when I change the MS-DEFCON level.

  • Master Patch List as of December 13, 2022

    MS-DEFCON 2

    #PatchTuesday

    Business patchers:  Microsoft has indicated that they fixed the memory issue with the LSASS patch, but I am still waiting for community confirmation.

    Consumers:  Defer updates at this time.  The Secure Boot patch KB5012170 has been released for Windows 10 and 11 22H2, so be sure to defer it as well.

    I’ve updated the Master Patch List for Tuesday’s releases.

    It’s too soon at this time for me to be making recommendations for consumers; I’m still watching for issues.

    For businesses, the impact to look out for and keep an eye on is the Kerberos-related patches.  Microsoft has indicated that the memory leak introduced by last month’s Kerberos updates has been fixed, but I am still waiting for community confirmation.

    As a reminder

    • Windows 11 22H2: Not recommended
    • Windows 11 21H2: If you have a Windows 11 PC, recommended
    • Windows 10 22H2: Recommended
    • Windows 10 21H2: Recommended (if a vendor won’t support 22H2)


  • MS-DEFCON 3: Side effect with Domain patch


    Special alert

    MS-DEFCON 3

    By Susan Bradley

    November Domain controller update leads to memory leak

    Business patchers only:  Microsoft has posted up a known side effect introduced by the November updates applied to domain controllers.

    As they note in their health release: (with my slight edits for clarification)

    After installing November or later updates on Domain Controllers (DCs), you might experience a memory leak with Local Security Authority Subsystem Service (LSASS.exe). Depending on the workload of your DCs and the amount of time since the last restart of the server, LSASS might continually increase memory usage with the uptime of your server and the server might become unresponsive or automatically restart. Note: The out-of-band updates for DCs released November 17, 2022 and November 18, 2022 do not fix the issue and are also affected by this issue.

    Workaround one, if you can remove the patch: Uninstall the November 8th updates and the out-of-band updates that are listed here.

    Workaround two if you are mandated to keep the patch installed: To mitigate this issue, open Command Prompt as Administrator and use the following command to set the registry key KrbtgtFullPacSignature to 0:

    • reg add “HKLM\System\CurrentControlSet\services\KDC” -v “KrbtgtFullPacSignature” -d 0 -t REG_DWORD

    Note that this ONLY impacts business patchers and does NOT impact consumers.
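    A way to survey every domain controller for the symptom and the workaround state, and to apply or later remove the KrbtgtFullPacSignature setting, as an added PowerShell example; this is not code from the post or from Microsoft’s release-health note. It assumes WinRM is reachable on every DC, that the caller is a Domain Admin, and the -WarnMB threshold is an arbitrary choice of mine: the symptom Microsoft describes is a working set that keeps climbing with uptime, not any single number.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not from the AskWoody post. Reports LSASS working set, uptime and the
  KrbtgtFullPacSignature value on every DC; -Apply writes the value 0 from "workaround two"
  above, -Remove deletes it again once the out-of-band fix is installed.
  Assumptions: WinRM on all DCs, Domain Admin rights, the -WarnMB threshold.
#>
param(
    [switch]$Apply,        # set KrbtgtFullPacSignature = 0
    [switch]$Remove,       # delete the value after the out-of-band update
    [int]$WarnMB = 2048    # assumed threshold for flagging a DC
)
if ($Apply -and $Remove) { throw 'Choose -Apply or -Remove, not both.' }

$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'
$Name   = 'KrbtgtFullPacSignature'
# Meaning of each value per the KB5020805 deployment phases
$States = @{ 0 = 'new PAC signatures off (workaround)'; 1 = 'signatures added, not validated'; 2 = 'audit'; 3 = 'enforced' }

$dcs = (Get-ADDomainController -Filter *).HostName
$raw = Invoke-Command -ComputerName $dcs -ArgumentList $KdcKey, $Name, $Apply.IsPresent, $Remove.IsPresent -ScriptBlock {
    param($key, $name, $apply, $remove)
    if ($apply)  { New-ItemProperty -Path $key -Name $name -Value 0 -PropertyType DWord -Force | Out-Null }
    if ($remove) { Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue }
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        DC           = $env:COMPUTERNAME
        UptimeDays   = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalDays, 1)
        LsassMB      = [math]::Round((Get-Process -Name lsass).WorkingSet64 / 1MB)
        PacSignature = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    }
}

$report = $raw | ForEach-Object {
    [pscustomobject]@{
        DC         = $_.DC
        UptimeDays = $_.UptimeDays
        LsassMB    = $_.LsassMB
        Suspect    = $_.LsassMB -ge $WarnMB
        PacSig     = if ($null -eq $_.PacSignature) { 'not set (update default)' }
                     else { "$($_.PacSignature): $($States[[int]$_.PacSignature])" }
    }
}
$report | Sort-Object LsassMB -Descending | Format-Table -AutoSize
```

    Run it without switches first and compare LsassMB against UptimeDays across DCs: a leaking DC is the one whose working set tracks its uptime. Keep in mind what value 0 does: it switches off the new PAC signatures the November updates add to Kerberos tickets, so it trades that hardening for stability. Microsoft’s out-of-band note below says to remove the workaround once the fix is installed, which is what -Remove is for.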

  • Business patchers alert: Out of band patch expected to fix Domain controller issues

    What is it?  A heads up to business patchers.

    Does it impact consumers?  No. This is only an issue being seen on domain controllers 

    What is it about?  In the November 8th updates (which I haven’t approved yet), installing the updates on your domain controllers could cause authentication issues.

    There will be an out of band update released later on this week to fix issues caused by the November updates on domain controllers.

    If you have been impacted by these updates and have had to roll back the patches on your domain controllers, hang tight.  Help is on the way.  I will update the Master Patch list once this update has been released.

    See also KB5021131 and KB5020805

    Update: Out of band released

    Microsoft is releasing Out-of-band (OOB) security updates today, November 17, 2022 for installation on all the Domain Controllers (DCs) in affected environments. This update addresses a known issue which might cause sign in failures or other Kerberos authentication issues. You do not need to install any update or make any changes to other servers or client devices in your environment to resolve this issue. If you used any workaround or mitigations for this issue, they are no longer needed, and we recommend you remove them.
    To get the standalone package for these out-of-band updates, search for the KB number in the Microsoft Update Catalog. You can manually import these updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. For WSUS instructions, see WSUS and the Catalog Site. For Configuration Manager instructions, see Import updates from the Microsoft Update Catalog. Note: The below updates are not available from Windows Update and will not install automatically.
    Cumulative updates:
    Note: You do not need to apply any previous update before installing these cumulative updates. If you have already installed updates released November 8, 2022, you do not need to uninstall the affected updates before installing any later updates including the updates listed above.
    Standalone Updates:
    Note: If you are using security only updates for these versions of Windows Server, you only need to install these standalone updates for the month of November 2022. Security only updates are not cumulative, and you will also need to install all previous Security only updates to be fully up to date. Monthly rollup updates are cumulative and include security and all quality updates. If you are using Monthly rollup updates, you will need to install both the standalone updates listed above to resolve this issue, and install the Monthly rollups released November 8, 2022 to receive the quality updates for November 2022. If you have already installed updates released November 8, 2022, you do not need to uninstall the affected updates before installing any later updates including the updates listed above.
  • Master Patch List as of November 8, 2022

    #PatchTuesday

    I’ve updated the Master Patch List for Tuesday’s releases.

    It’s too soon at this time for me to be making recommendations for consumers; I’m still watching for issues.

    For businesses, the impact to look out for and keep an eye on is the Kerberos-related patches.  I’m already seeing potential issues reported: “but we’re seeing reports where certain auths are failing when users have their msDS-SupportedEncryptionTypes attribute explicitly being set to AES only (decimal 24, hex 0x18).”  You may want to run a specific query on your domain controllers to see if you will be impacted; see this KB. Bottom line, be sure you test and watch for authentication issues.
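    The query suggested above, written out as an added PowerShell example (not from the post or the KB): it lists every user and computer account with msDS-SupportedEncryptionTypes set explicitly, decodes the bitmask, and flags the AES-only value 24 / 0x18 from the quoted report. The bit values are the documented ones for that attribute; the LDAP filter, the AesOnly test and the output shape are my own.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the AskWoody post. Finds accounts whose msDS-SupportedEncryptionTypes
# is set explicitly and decodes it, so AES-only (0x18) accounts can be found before patching.

$EncBits = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
    0x20 = 'AES256-SK'    # session-key bit introduced with the November 2022 updates
}

function ConvertFrom-EncTypes([int]$Value) {
    if ($Value -eq 0) { return 'explicit 0 (defaults apply)' }
    $names = foreach ($bit in $EncBits.Keys) { if ($Value -band $bit) { $EncBits[$bit] } }
    return ($names -join ', ')
}

# AES-only: no DES/RC4 bit set and at least one AES bit set.
function Test-AesOnly([int]$Value) { (($Value -band 0x07) -eq 0) -and (($Value -band 0x18) -ne 0) }

$accounts = Get-ADObject -LDAPFilter '(&(msDS-SupportedEncryptionTypes=*)(|(objectClass=user)(objectClass=computer)))' `
    -Properties msDS-SupportedEncryptionTypes, objectClass, servicePrincipalName

$report = $accounts | ForEach-Object {
    $v = [int]$_.'msDS-SupportedEncryptionTypes'
    [pscustomobject]@{
        Name    = $_.Name
        Class   = $_.ObjectClass
        Value   = ('{0} (0x{0:X2})' -f $v)
        Types   = ConvertFrom-EncTypes $v
        AesOnly = Test-AesOnly $v
        HasSPN  = [bool]$_.servicePrincipalName     # service accounts are where ticket failures show up
    }
}

'Distribution of explicit values:'
$report | Group-Object Value | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
'AES-only accounts (the case named in the report above):'
$report | Where-Object AesOnly | Sort-Object Class, Name | Format-Table Name, Class, Value, Types, HasSPN -AutoSize
```

    Start with the service accounts (HasSPN) in the AES-only list: those are the ones whose tickets other hosts must be able to decrypt, so they are where an encryption-type mismatch turns into failed authentications.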


  • Master patch list updated for out of band

    Patch Lady Master patch list is being updated AGAIN for an “out of band” release for Windows 10 21H2 to fix an issue with OneDrive. KB5020953 for Windows 10 was released as an “out of band” to fix the issue.  It’s unclear if there will be additional out-of-band releases for the other platforms to fix this issue. It does not appear to be occurring on the Windows 11 platform, only Windows 10.  You’ll need to go to the catalog site to find the exact version you’ll need for your Windows 10 versions.

    • It addresses an issue that causes Microsoft OneDrive to stop working. This occurs after you unlink your device, stop syncing, or sign out of your account.

    Also be aware of an issue that some might see in business deployments where you reuse computer accounts.  See KB5020276. Note this does NOT impact home users.

  • Master Patch List as of October 25, 2022

    #PatchTuesday

    I’ve updated the Master Patch List which now matches the guidance in the alert released today.

    You will note that I recommend that you defer at least temporarily the big releases that Apple came out with yesterday. You’ll want to hold off a bit and ensure there are no major issues.

    I have given the “install” for the major updates released on October 11.  I do not recommend either the Windows 10 22H2 (minor update) or Windows 11 22H2 (larger upgrade).


  • Windows 10 22H2 is out along with “Moments” for Windows 11

    Microsoft has just posted that Windows 10 22H2 is now out for “seekers” who manually “check for updates”.  Remember, if you want to stay at a certain feature release you can use group policy or registry keys here.  Folks behind WSUS or other managed patching won’t be pushed this.
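    The registry route mentioned above, as an added PowerShell example (not from the post): it writes the same three values the “Select the target Feature Update version” group policy writes, so an unmanaged PC that checks for updates stays on the release you name. The function names are mine; it assumes a Windows 10 PC and a release that is still in service, because once a pinned release reaches end of service the pin no longer holds it back.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the AskWoody post. Pin an unmanaged Windows 10 PC to a feature
# release (default 21H2) so "check for updates" does not offer 22H2; show and remove the pin.

$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-FeatureUpdatePin {
    $cur = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $pin = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Running = "$($cur.ProductName) $($cur.DisplayVersion) (build $($cur.CurrentBuild))"
        Pinned  = if ($pin.TargetReleaseVersion -eq 1) { "$($pin.ProductVersion) $($pin.TargetReleaseVersionInfo)" } else { 'no pin' }
    }
}

function Set-FeatureUpdatePin {
    param([string]$Version = '21H2', [string]$Product = 'Windows 10')
    New-Item -Path $Key -Force | Out-Null
    # TargetReleaseVersion=1 turns the pin on; the other two say which product and release.
    New-ItemProperty -Path $Key -Name TargetReleaseVersion     -Value 1        -PropertyType DWord  -Force | Out-Null
    New-ItemProperty -Path $Key -Name TargetReleaseVersionInfo -Value $Version -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $Key -Name ProductVersion           -Value $Product -PropertyType String -Force | Out-Null
}

function Remove-FeatureUpdatePin {
    Remove-ItemProperty -Path $Key -Name TargetReleaseVersion, TargetReleaseVersionInfo, ProductVersion -ErrorAction SilentlyContinue
}

Set-FeatureUpdatePin -Version '21H2'
Get-FeatureUpdatePin
```

    ProductVersion matters on Windows 10: without it, a pin to a release name that also exists for Windows 11 (22H2 does) is ambiguous. Devices managed by WSUS or Intune get their target from there and should not be pinned this way.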

    Next, the first “Moment” release is out for Windows 11.  Tabbed File Explorer is included.  As I suspected, these are included in the optional non-security releases and will be rolled out to all next month in the cumulative patches.

    “These new features and experiences will start to become available today in an optional non-security preview release and a phased rollout via our servicing technology and new apps via Microsoft Store updates, ensuring you can take advantage of the latest Windows experiences as these new features are ready. The new features will be made broadly available to all editions of Windows 11, version 22H2 in the November 2022 security update release.”

    What isn’t detailed is how you can control these, especially as a business, other than by not installing the patch.  I’ll be asking around to see what’s up.

    AND updating the Master patch list AGAIN tonight.

  • Master patch list as of October 17, 2022

    #PatchTuesday

    I’ve updated the Master Patch List for today’s out of band release

    Microsoft released an “out of band” update, available only from the Microsoft Update Catalog, for Windows 10 and 11 to address issues with SSL and TLS.  It’s due to new behavior introduced by the September optional updates that rolled into the October cumulative/security updates. See https://support.microsoft.com/en-us/topic/kb5017811-manage-transport-layer-security-tls-1-0-and-1-1-after-default-behavior-change-on-september-20-2022-e95b1b47-9c7c-4d64-9baf-610604a64c3e

    I noted in the newsletter that side effects may be seen on older applications (for example Citrix Workspace does not connect after October 2022 update) so you may wish to see if this out of band update will help.

    Consumer impact:  Not seeing issues with this on consumer devices.

    Business impact:  May see issues with older applications.
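    To tell whether a given machine is affected, and to reproduce the “older application does not connect” symptom deliberately, here is an added PowerShell example (not from the post or from KB5017811). Get-SchannelState reads the SCHANNEL protocol keys and reports the effective state per protocol and side; Test-TlsHandshake asks a server for one specific protocol version so you can see a TLS 1.0-only dependency fail on the client before users do; Enable-LegacyTlsClient writes the Enabled=1 value the KB documents for re-enabling the client side. DisabledByDefault=0 in that function, the function names and the sample host are my additions.

```powershell
# Added example, not from the AskWoody post. Audit SCHANNEL protocol settings, probe a
# server for a specific TLS version, and (only if you must) re-enable TLS 1.0/1.1 as a client.

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelState {
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
        foreach ($side in 'Client', 'Server') {
            $p = Get-ItemProperty -Path "$Base\$proto\$side" -ErrorAction SilentlyContinue
            # Missing key or values: the OS default applies, which after the September 2022
            # change is off for TLS 1.0/1.1 on the affected builds.
            $state = if ($null -eq $p -or ($null -eq $p.Enabled -and $null -eq $p.DisabledByDefault)) { 'OS default' }
                     elseif ($p.Enabled -eq 0)           { 'Disabled (Enabled=0)' }
                     elseif ($p.DisabledByDefault -eq 1) { 'Off unless the app asks for it' }
                     else                                { 'Enabled' }
            [pscustomobject]@{ Protocol = $proto; Side = $side; State = $state
                               Enabled = $p.Enabled; DisabledByDefault = $p.DisabledByDefault }
        }
    }
}

function Test-TlsHandshake {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443,
          [System.Security.Authentication.SslProtocols]$Protocol = 'Tls')   # Tls = TLS 1.0
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate: this probes protocol negotiation, not trust.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{ Host = $HostName; Requested = $Protocol; Negotiated = $ssl.SslProtocol; Ok = $true; Error = $null }
    } catch {
        # On a patched client this is what the old application sees when the server is TLS 1.0/1.1 only.
        [pscustomobject]@{ Host = $HostName; Requested = $Protocol; Negotiated = $null; Ok = $false
                           Error = $_.Exception.GetBaseException().Message }
    } finally { $tcp.Dispose() }
}

function Enable-LegacyTlsClient {
    # KB5017811's re-enable step (Enabled=1) for the Client side only; DisabledByDefault=0 is
    # added so apps that do not request a version explicitly also get it. This reopens TLS 1.0/1.1
    # for every client on the box, so treat it as temporary while the legacy server is fixed.
    foreach ($proto in 'TLS 1.0', 'TLS 1.1') {
        $k = "$Base\$proto\Client"
        New-Item -Path $k -Force | Out-Null
        New-ItemProperty -Path $k -Name Enabled           -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $k -Name DisabledByDefault -Value 0 -PropertyType DWord -Force | Out-Null
    }
}

Get-SchannelState | Format-Table -AutoSize
# Sample probe against a hypothetical legacy gateway (host name is a placeholder):
Test-TlsHandshake -HostName 'gateway.example.internal' -Protocol Tls
Test-TlsHandshake -HostName 'gateway.example.internal' -Protocol Tls12
```

    Run the two Test-TlsHandshake calls against the server behind the failing application: if Tls12 succeeds, the fix belongs on the server and the client-side re-enable is unnecessary; if only Tls succeeds, Enable-LegacyTlsClient is the stopgap the KB describes, and the Get-SchannelState output before and after shows exactly what was changed.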


  • Master Patch List as of October 11, 2022

    #PatchTuesday

    I’ve updated the Master Patch List for yesterday’s releases

    I’ll be keeping an eye out for issues and will be updating that page and spreadsheet should I see anything trending.

    Not seeing anything in my personal home testing for consumer/home issues

    Business impact only:  Group policy issue after the install of October releases (same issue as last month).  See master patch list page.

    2012 R2 server OS only – seeing Internet explorer/access is denied in the event log

    TLS 1.0/1.1 is only disabled on Windows 10 and Server 2019 by this patch. Server 2016 retains it, and Windows 11/Server 2022 already have it disabled by default.


  • Microsoft email zero day

    What is it?  Microsoft is investigating targeted attacks on their on premises Email servers.  Attackers have found a way into servers that are already fully patched.

    If we have online email with Microsoft, are we at risk?  No.

    Isn’t it disturbing that EVERY time there is a zero day in Microsoft’s on-premises email servers, Microsoft can conveniently scramble and get its online servers patched, while those who purchased the on-premises software are left holding the bag?

    If you are an Exchange admin and need help, pile on here

    (note I am sending this out as a defcon text alert but not an email alert)

    Follow the guidance in the MSRC post to protect your on-premises email servers:

    The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns
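    The same blocking rule created from PowerShell instead of the IIS Manager wizard, as an added example that is not from the post or from the MSRC advisory. The regular expression itself is not on this page: pass the pattern from the current MSRC guidance as -Pattern. The rule name, the Test-BlockPattern helper and its sample URIs are mine.

```powershell
#Requires -RunAsAdministrator
Import-Module WebAdministration
# Added example, not from the AskWoody post. Builds a URL Rewrite rule on the Default Web Site
# that aborts any request whose {REQUEST_URI} matches a pattern, and lets you sanity-check the
# pattern against sample URIs first. The pattern must come from the MSRC post; none is assumed here.

function Add-RequestUriBlockRule {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [string]$RuleName = 'Block request pattern (MSRC mitigation)',
        [string]$Site     = 'Default Web Site'
    )
    if (-not (Test-Path "$env:SystemRoot\System32\inetsrv\rewrite.dll")) {
        throw 'IIS URL Rewrite module is not installed; the rule cannot be created.'
    }
    $ps       = "IIS:\Sites\$Site"
    $rulePath = "system.webServer/rewrite/rules/rule[@name='$RuleName']"
    if (Get-WebConfiguration -PSPath $ps -Filter $rulePath) {
        Write-Warning "Rule '$RuleName' already exists; leaving it alone."; return
    }
    # <rule name="..." patternSyntax="ECMAScript" stopProcessing="true">
    Add-WebConfigurationProperty -PSPath $ps -Filter 'system.webServer/rewrite/rules' -Name '.' `
        -Value @{ name = $RuleName; patternSyntax = 'ECMAScript'; stopProcessing = 'True' }
    #   <match url=".*" />  every request is examined; the decision is the condition below
    Set-WebConfigurationProperty -PSPath $ps -Filter "$rulePath/match" -Name url -Value '.*'
    #   <conditions><add input="{REQUEST_URI}" pattern="..." /></conditions>
    #   {REQUEST_URI} includes the query string, which {URL} does not; the known patterns live there.
    Add-WebConfigurationProperty -PSPath $ps -Filter "$rulePath/conditions" -Name '.' `
        -Value @{ input = '{REQUEST_URI}'; pattern = $Pattern }
    #   <action type="AbortRequest" />  drop the connection instead of answering
    Set-WebConfigurationProperty -PSPath $ps -Filter "$rulePath/action" -Name type -Value 'AbortRequest'
    Get-WebConfiguration -PSPath $ps -Filter $rulePath | Select-Object name, patternSyntax, stopProcessing
}

function Test-BlockPattern {
    # Dry run of the condition. URL Rewrite conditions ignore case by default, so mirror that.
    # .NET and ECMAScript regex flavours differ on a few constructs; this is a sanity check only.
    param([Parameter(Mandatory)][string]$Pattern, [Parameter(Mandatory)][string[]]$RequestUri)
    foreach ($u in $RequestUri) {
        [pscustomobject]@{ RequestUri = $u; Blocked = [regex]::IsMatch($u, $Pattern, 'IgnoreCase') }
    }
}

# Usage (pattern taken from the MSRC post, not shown here):
#   $p = '<pattern from MSRC>'
#   Test-BlockPattern -Pattern $p -RequestUri '/owa/auth/logon.aspx', '/ecp/', '/autodiscover/autodiscover.xml'
#   Add-RequestUriBlockRule -Pattern $p
```

    Check the Test-BlockPattern output before adding the rule: the benign sample URIs (constructed here, normal OWA, ECP and Autodiscover paths) must not come back Blocked, or the rule will take the front end down along with the attack traffic. The rule is a stopgap until the fix ships and should be removed afterwards.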

    Note:

    If you don’t run Microsoft Exchange on-premises and don’t have Outlook Web App facing the internet, you are not impacted.