Newsletter Archives

• MS-DEFCON 3: Issues with domains

  Posted on November 22, 2022 at 02:45 CST by Susan Bradley • Comment in the Forums

  

  ISSUE 19.47.1 • 2022-11-22

  

  By Susan Bradley

  November updates lead to side effects

  My usual advice regarding updates with known side effects is to wait until the problems are resolved. But every so often, the risk of waiting is greater than the risks associated with the side effects.

  That’s the way I see the situation now. The November updates require you to slog through the issues and deal with the side effects. For that reason, I’m lowering the MS-DEFCON level to 3. I’d really like to go to 4, but I think greater caution is required.

  Anyone can read the full MS-DEFCON Alert (19.47.1, 2022-11-22).

  AskWoody Plus Alert, MS-DEFCON Alerts, Domain Controllers, MS-DEFCON, MS-DEFCON 3, Newsletters, Patch Lady Posts

• MS-DEFCON 3: Issues with bootloader patches

  Posted on August 23, 2022 at 02:45 CDT by Susan Bradley • Comment in the Forums

  

  ISSUE 19.34.1 • 2022-08-23

  

  By Susan Bradley

  This month’s updates are a great example of why my patching advice differs for consumers and businesses.

  For consumer patchers, whether using Windows 10 Home or Professional, I’m not convinced that you need to install KB5012170, Microsoft’s security update for Secure Boot DBX (the Secure Boot Forbidden Signature Database). Unless, that is, you think you will be targeted by an overseas attacker with a malicious bootloader installer. If your computer holds the keys to the nuclear codes, then by all means install this update instantly. The fact that this isn’t clear-cut is the reason I can lower the MS-DEFCON only to 3 this time around.

  But if you are a normal user, with normal levels of paranoia to get you through the normal security risks of daily life, I’m not convinced that this update is mandatory. In fact, I think it often causes more pain than benefit. Just read through the threads of many a forum poster trying to get this update installed.

  Anyone can read the full MS-DEFCON Alert (19.34.1, 2022-08-23).

  AskWoody Plus Alert, MS-DEFCON AskWoody Alert, bootloader, MS-DEFCON, MS-DEFCON 3, Patch Lady Posts

• MS-DEFCON 3: Should we patch?

  Posted on June 28, 2022 at 02:45 CDT by Susan Bradley • Comment in the Forums

  

  ISSUE 19.26.1 • 2022-06-28

  

  By Susan Bradley

  I have good news and bad news.

  Some of you will install the June updates and see absolutely no issues whatsoever. Others have tried to install the June updates and experienced side effects. Microsoft has acknowledged some, but not all, of the issues. This makes it a hard month. I don’t like to let people get to the end of the month and not install updates, but at the same time there are some bugs that are deeply impactful to both consumers and businesses.

  Based upon my recommendations below, I am lowering the MS-DEFCON level to 3. I commonly set the level to 4 after giving the month’s updates a chance to settle, but this time greater caution is warranted.

  Anyone can read the full MS-DEFCON Alert (19.26.1, 2022-06-28).

  AskWoody Plus Newsletter, MS-DEFCON AskWoody Plus Alerts, MS-DEFCON, MS-DEFCON 3, Patch Lady Posts

• MS-DEFCON 3: We’re not out of the printing woods yet

  Posted on November 23, 2021 at 02:45 CST by Susan Bradley • Comment in the Forums

  ISSUE 18.45.1 • 2021-11-22 By Susan Bradley The big news last week was Microsoft’s finally releasing Windows 10 version 21H2 and aligning the Windows 10 and Windows 11 annual feature release cadence. Changing the feature release cadence for Windows to an annual schedule is long overdue. From the first moment Microsoft announced that Windows 10 feature updates would be released on a semiannual basis, I’ve felt that the constant release process was too often, too fast. It’s good to see Microsoft finally listening to the feedback. Granted, it was pushed into this decision by the release of Windows 11, but I’ll take the win nonetheless. Now that 21H2 is officially out, I recommend sticking with 21H1 for the moment. That said, 21H2 will be a relatively easy and fast update with very few side effects. But I’m a cautious patcher and never install feature releases during the first week they are out. As November comes to a close, it’s again time to evaluate whether you can perform the basic process we all call “printing.” I discussed the annoyance of these constant and seemingly intractable printing problems in yesterday’s On Security column. The ongoing issues with printing force me, once again, to set our MS-DEFCON status at level 3. Exercise caution. Consumer and home users If you install the updates for November and can still print, pat yourself on the back and relax until next month. If you are still having issues with printing, I recommend installing the preview updates listed in the Master Patch list. For certain shared printers in peer-to-peer networks, we are still seeing issues triggered by the November 9 updates. While Microsoft has released out-of-band updates for authentication issues, they have not put the same priority on printing issues triggered by the updates. Business users Already, we’ve seen the out-of-band update KB5008602 to fix a known issue triggered on domain controllers and single sign-on that might cause authentication failures related to Kerberos tickets you acquired from Service for User to Self (S4U2self). This issue occurs after you install the November 9, 2021, security updates on domain controllers (DCs) that are running Windows Server, and you need to install this update on your domain controllers to fix this issue. References AskWoody Master Patch List Read the full story in the AskWoody Plus Alert 18.45.1 (2021-11-22).

  AskWoody Plus Alert, Patch Watch AskWoody Plus Newsletter, MS-DEFCON, MS-DEFCON 3, Patch Lady Posts, printing

• MS-DEFCON 3: Ready or not, it’s time to update

  Posted on October 26, 2021 at 02:45 CDT by Susan Bradley • Comment in the Forums

  ISSUE 18.41.1 • 2021-10-26 By Susan Bradley It’s not exactly an all-clear. Normally, this is the time in the update cycle when I give an all-clear. It’s when most, if not all, of the side effects of patches have been identified. This month, unfortunately, there are still issues. However, that doesn’t mean I don’t want you to install updates. Even though there are documented problems with network printing after the October updates, they are not widespread. Many system administrators report that printing problems most often occur when the operating system of the server hosting the print server is older — and possibly unpatched — while the workstations are newer platforms that are patched. Therefore, after installing the updates in your peer-to-peer network, Make testing printing your first step. If you can print, leave the updates installed and pat yourself on the back — you survived October. If you are impacted by the October updates and do have printing issues, consider your situation carefully before you uninstall and block updates. There are several vulnerabilities included in the October updates, one of which, CVE-2021-40449, has been used in targeted malware attacks to elevate privileges on a system. My ongoing philosophy is that when the risk of being unpatched is higher than the risk of applying a patch, it’s time to install updates. I also don’t want to go a month without installing an update unless the reasons for doing so are very clear. I’ve installed the October updates at my home and office, including a collection of Ricoh network printers as well as stand-alone Brother, HP, Lexmark, and Canon printers (black-and-white as well as color printers). I’ve had no issues printing after installing the October updates, whether at home or office. I have mixtures of server operating systems including Server 2019, Server 2016, and Server 2012 R2 as well as Windows 10, plus a Windows 7 system under extended security patches. In short, just because you read in the headlines that we’re seeing printing issues doesn’t mean that you will have issues. Consumer and home users For those of you in a home setting, install updates now and immediately test for printing issues. My best guess is that you’ll be fine, with no problems. As mentioned above, everything is good at my house. Business users I’m sorry to say that business users must not be so sanguine — you are more likely to experience problems. If you do, there are several options. The first (which I’d rather you not do) is to uninstall the updates and block them (pause updates) until next month. The second is to install one of the preview updates that Microsoft will be releasing soon, especially if you are having issues deploying printers using Internet Printing Protocol. Microsoft has already released KB5006744 for Windows 10 1809, which includes a fix for: Addresses a known issue that might prevent the successful installation of printers using the Internet Printing Protocol (IPP). This month, there’s no clear resolution. You may have no issues at all with the October updates. You may have issues printing. If you are required to patch, and you end up having issues printing, I’d urge you to install the preview updates that I’ll be listing in the Master Patch List. If that doesn’t work, ensure that you understand the risks involved in not being patched this month. *Edit 10/26/2021 – Microsoft released KB5006738 for 21H1, 20H2 and 2004. It includes printing fixes that may help the issue. If you are impacted, install it and see if it helps. Bottom line: install the updates, see whether you can print. If you can, pat yourself on the back. If you can’t, prepare yourself for a bit of testing and hassle. References AskWoody Master Patch List Read the full story in the AskWoody Plus Alert 18.41.1 (2021-10-26).

  AskWoody Plus Alert, AskWoody Plus Newsletter, MS-DEFCON AskWoody Plus Newsletter, MS-DEFCON, MS-DEFCON 3, Patch Lady Posts

• The ides of March

  Posted on March 29, 2021 at 06:09 CDT by Susan Bradley • Comment in the Forums

  To patch or not to patch this month…. that is the question I attempt to answer this week in ComputerWorld.

  Printers side effects were the big issue (and still are) this month.

  (note that I’m going to have to reach out to the ComputerWorld editors… they missed part of the post I sent them…)

  It’s supposed to read:

  So for Windows 10 2004 or 20H2 you need to skip the updates released on March 9^th and instead jump over to the March 18^th update of KB5001649. It should be offered up to you as an optional update, or you can download it from the Catalog site. Because Windows 10 updates are cumulative you only need the one update (the third and final update Microsoft released this month).

  For Windows 10 1909, you need KB5001648. Once again it should be offered up to you as an optional update if you go to the Windows update interface or you can download it from the Catalog site like 2004/20H2 handles it’s updating, 1909 is cumulative.

  For Windows 8.1 the process is slightly different as the fixing patches are not cumulative. This time the updates are not documented on the Windows 8.1 history page but can be found if you dig into the 8.1 health release dashboard. On Windows 8.1 you need to install both the original update from March 9^th of KB5000848 AND the fix up patch of KB5001640. These are not offered up as optional updates and you must download KB5001640 from the catalog site.

  Windows 7 is similar to Windows 8.1 in not having a cumulative update patch to fix it’s printing issues. After you install the original security only update of KB5000851 or the monthly rollup of KB5000841 (which includes security updates) is fixed by KB5001639 which is only available from the Catalog site.  So for these platforms you need to install two updates just like 8.1.

  Windows Patches/Security March 2021 Black Tuesday, MS-DEFCON 3, Patch Lady Posts

• MS-DEFCON 3: Patching is unclear

  Posted on March 26, 2021 at 01:00 CDT by Susan Bradley • Comment in the Forums

  ISSUE 18.11.1 • 2021-03-26

  

  By Susan Bradley

  Proceed with caution.

  I’m separating my patching guidance into two categories: one for business users and one for consumer or home users. And I’m lowering our MS-DEFCON level to 3. We’re not out of the March woods yet, but things are a bit better.

  Read the full story in the AskWoody Plus Alert 18.11.1 (2021-03-26).

  AskWoody Plus Newsletter, MS-DEFCON AskWoody Plus Newsletter, MS-DEFCON, MS-DEFCON 3, Patch Lady Posts

• MS-DEFCON 3: Get the October patches installed

  Posted on October 29, 2020 at 23:49 CDT by woody • Comment in the Forums

  We’re seeing some funny business with the ancillary patches this month, but the mainstream Windows cumulative updates and Office patches look good to go.

  Big question is whether you want to upgrade from Win10 version 1909 to version 2004. I have a few observations. Bottom line: Susan Bradley has upgraded her 1909 machines to 2004. I’m still sitting on a fence. Really, there’s exactly nothing in 2004 that most people will want.

  Step-by-step details in Computerworld Woody on Windows.

  Windows Patches/Security MS-DEFCON 3, October 2020 Black Tuesday

• MS-DEFCON 3: There are some oddities, but it’s time to install the July 2020 patches

  Posted on July 31, 2020 at 10:23 CDT by woody • Comment in the Forums

  Looks like Microsoft’s fixed the bugs that it introduced this month. It’s time to get the July patches installed.

  There’s one potential oddity — you may get the .NET Framework Preview installed on Windows 10 version 1903 or 1909 — but I don’t see any reported bugs in that (unwanted!) patch.

  Step-by-step details in Computerworld Woody on Windows.

  Windows Patches/Security July 2020 Black Tuesday, MS-DEFCON 3

• MS-DEFCON 3: Time to get the June patches installed

  Posted on July 8, 2020 at 08:19 CDT by woody • Comment in the Forums

  Looks like the patching scene has stabilized sufficiently to go ahead with the June patches.

  Some of the bugs have been ironed out. Others can be fixed if you know what happened, and how to get the antidotes installed.

  I’m moving to MS-DEFCON 3: Get Windows and Office patches installed, but watch out for the bugs.

  (No, that doesn’t include yesterday’s Office non-security patches. Nobody needs those. They’ll come back around soon enough.)

  Step-by-step details in Computerworld Woody on Windows.

  Windows Patches/Security June 2020 Black Tuesday, MS-DEFCON 3

• MS-DEFCON 3: Time to get Windows and Office patches up-to-date

  Posted on May 7, 2020 at 08:56 CDT by woody • Comment in the Forums

  For those of you new to this particular piece of AskWoody arcana…

  Every month, I recommend that people pause Windows updating long enough to make sure there aren’t any real stinkers in the Patch Tuesday bunch. That sets up an ongoing tug-of-war. On the one hand, there are inevitable problems with all of the patches. Every month. On the other hand, there’s an ongoing threat that some miscreant will use the patched security holes to make new malware.

  I watch both sides incessantly and try to come up with solid patching recommendations. Been doing it for 14 years.

  You can read about my general approach in a Computerworld article, The case against knee-jerk installation of Windows patches. The AskWoody site has details about the MS-DEFCON system, which I’ve used for years to give normal Windows users a red-light/green-light signal about installing patches. (Very advanced Windows users and admins in charge of many systems are better off following Susan Bradley’s Master Patch List.) Whenever there’s a change in the MS-DEFCON level, I publish detailed, step-by-step instructions in Computerworld.

  Every month, there comes a time when – in my opinion – it’s better to install the (possibly modified) patches than leave the month’s round of patches uninstalled. We’ve just reached such a point. I figure we know enough about the problems at hand to help people who get socked by this month’s patches — and the malware cretins are close enough that it’s time to put the shields up.

  We’re now at MS-DEFCON 3: Go ahead and patch, but watch out for potential problems.

  Details in Computerworld Woody on Windows.

  (Yes, it’s true, my main machines are all on Win10 version 1909. Test machines run other versions and, of course, the Seven Semper Fi machine runs bone-stock Win7. See the Computerworld article.)

  Windows Patches/Security April 2020 Black Tuesday, MS-DEFCON 3

• MS-DEFCON 3: Get the March 2020 patches installed

  Posted on April 1, 2020 at 09:32 CDT by woody • Comment in the Forums

  It’s been a strange patching month, with a Patch Tuesday, a Patch Thursday, the usual buggy “optional, non-security C/D Week” patch, a bonus fix for a bug introduced in late February’s patch, and a warning (with no patch) about yet another bad-font fallibility.

  There are several known bugs, but they all have reasonably well-known workarounds.

  Anyway, now’s a good time to make sure you have the March patches installed. Full instructions in Computerworld Woody on Windows.

  Windows Patches/Security March 2020 Black Tuesday, MS-DEFCON 3
• « Older Entries