Newsletter Archives

• MS-DEFCON 3: We’re not out of the printing woods yet

  Posted on November 23rd, 2021 at 02:45 Susan Bradley Comment on the AskWoody Lounge

  ISSUE 18.45.1 • 2021-11-22 By Susan Bradley The big news last week was Microsoft’s finally releasing Windows 10 version 21H2 and aligning the Windows 10 and Windows 11 annual feature release cadence. Changing the feature release cadence for Windows to an annual schedule is long overdue. From the first moment Microsoft announced that Windows 10 feature updates would be released on a semiannual basis, I’ve felt that the constant release process was too often, too fast. It’s good to see Microsoft finally listening to the feedback. Granted, it was pushed into this decision by the release of Windows 11, but I’ll take the win nonetheless. Now that 21H2 is officially out, I recommend sticking with 21H1 for the moment. That said, 21H2 will be a relatively easy and fast update with very few side effects. But I’m a cautious patcher and never install feature releases during the first week they are out. As November comes to a close, it’s again time to evaluate whether you can perform the basic process we all call “printing.” I discussed the annoyance of these constant and seemingly intractable printing problems in yesterday’s On Security column. The ongoing issues with printing force me, once again, to set our MS-DEFCON status at level 3. Exercise caution. Consumer and home users If you install the updates for November and can still print, pat yourself on the back and relax until next month. If you are still having issues with printing, I recommend installing the preview updates listed in the Master Patch list. For certain shared printers in peer-to-peer networks, we are still seeing issues triggered by the November 9 updates. While Microsoft has released out-of-band updates for authentication issues, they have not put the same priority on printing issues triggered by the updates. Business users Already, we’ve seen the out-of-band update KB5008602 to fix a known issue triggered on domain controllers and single sign-on that might cause authentication failures related to Kerberos tickets you acquired from Service for User to Self (S4U2self). This issue occurs after you install the November 9, 2021, security updates on domain controllers (DCs) that are running Windows Server, and you need to install this update on your domain controllers to fix this issue. References AskWoody Master Patch List Read the full story in the AskWoody Plus Alert 18.45.1 (2021-11-22).

  AskWoody Plus Alert, Patch Watch AskWoody Plus Newsletter, MS-DEFCON, MS-DEFCON 3, Patch Lady Posts, printing

• MS-DEFCON 3: Ready or not, it’s time to update

  Posted on October 26th, 2021 at 02:45 Susan Bradley Comment on the AskWoody Lounge

  ISSUE 18.41.1 • 2021-10-26 By Susan Bradley It’s not exactly an all-clear. Normally, this is the time in the update cycle when I give an all-clear. It’s when most, if not all, of the side effects of patches have been identified. This month, unfortunately, there are still issues. However, that doesn’t mean I don’t want you to install updates. Even though there are documented problems with network printing after the October updates, they are not widespread. Many system administrators report that printing problems most often occur when the operating system of the server hosting the print server is older — and possibly unpatched — while the workstations are newer platforms that are patched. Therefore, after installing the updates in your peer-to-peer network, Make testing printing your first step. If you can print, leave the updates installed and pat yourself on the back — you survived October. If you are impacted by the October updates and do have printing issues, consider your situation carefully before you uninstall and block updates. There are several vulnerabilities included in the October updates, one of which, CVE-2021-40449, has been used in targeted malware attacks to elevate privileges on a system. My ongoing philosophy is that when the risk of being unpatched is higher than the risk of applying a patch, it’s time to install updates. I also don’t want to go a month without installing an update unless the reasons for doing so are very clear. I’ve installed the October updates at my home and office, including a collection of Ricoh network printers as well as stand-alone Brother, HP, Lexmark, and Canon printers (black-and-white as well as color printers). I’ve had no issues printing after installing the October updates, whether at home or office. I have mixtures of server operating systems including Server 2019, Server 2016, and Server 2012 R2 as well as Windows 10, plus a Windows 7 system under extended security patches. In short, just because you read in the headlines that we’re seeing printing issues doesn’t mean that you will have issues. Consumer and home users For those of you in a home setting, install updates now and immediately test for printing issues. My best guess is that you’ll be fine, with no problems. As mentioned above, everything is good at my house. Business users I’m sorry to say that business users must not be so sanguine — you are more likely to experience problems. If you do, there are several options. The first (which I’d rather you not do) is to uninstall the updates and block them (pause updates) until next month. The second is to install one of the preview updates that Microsoft will be releasing soon, especially if you are having issues deploying printers using Internet Printing Protocol. Microsoft has already released KB5006744 for Windows 10 1809, which includes a fix for: Addresses a known issue that might prevent the successful installation of printers using the Internet Printing Protocol (IPP). This month, there’s no clear resolution. You may have no issues at all with the October updates. You may have issues printing. If you are required to patch, and you end up having issues printing, I’d urge you to install the preview updates that I’ll be listing in the Master Patch List. If that doesn’t work, ensure that you understand the risks involved in not being patched this month. *Edit 10/26/2021 – Microsoft released KB5006738 for 21H1, 20H2 and 2004. It includes printing fixes that may help the issue. If you are impacted, install it and see if it helps. Bottom line: install the updates, see whether you can print. If you can, pat yourself on the back. If you can’t, prepare yourself for a bit of testing and hassle. References AskWoody Master Patch List Read the full story in the AskWoody Plus Alert 18.41.1 (2021-10-26).

  AskWoody Plus Alert, AskWoody Plus Newsletter, MS-DEFCON AskWoody Plus Newsletter, MS-DEFCON, MS-DEFCON 3, Patch Lady Posts

• The ides of March

  Posted on March 29th, 2021 at 06:09 Susan Bradley Comment on the AskWoody Lounge

  To patch or not to patch this month…. that is the question I attempt to answer this week in ComputerWorld.

  Printers side effects were the big issue (and still are) this month.

  (note that I’m going to have to reach out to the ComputerWorld editors… they missed part of the post I sent them…)

  It’s supposed to read:

  So for Windows 10 2004 or 20H2 you need to skip the updates released on March 9^th and instead jump over to the March 18^th update of KB5001649. It should be offered up to you as an optional update, or you can download it from the Catalog site. Because Windows 10 updates are cumulative you only need the one update (the third and final update Microsoft released this month).

  For Windows 10 1909, you need KB5001648. Once again it should be offered up to you as an optional update if you go to the Windows update interface or you can download it from the Catalog site like 2004/20H2 handles it’s updating, 1909 is cumulative.

  For Windows 8.1 the process is slightly different as the fixing patches are not cumulative. This time the updates are not documented on the Windows 8.1 history page but can be found if you dig into the 8.1 health release dashboard. On Windows 8.1 you need to install both the original update from March 9^th of KB5000848 AND the fix up patch of KB5001640. These are not offered up as optional updates and you must download KB5001640 from the catalog site.

  Windows 7 is similar to Windows 8.1 in not having a cumulative update patch to fix it’s printing issues. After you install the original security only update of KB5000851 or the monthly rollup of KB5000841 (which includes security updates) is fixed by KB5001639 which is only available from the Catalog site.  So for these platforms you need to install two updates just like 8.1.

  Windows Patches/Security March 2021 Black Tuesday, MS-DEFCON 3, Patch Lady Posts

• MS-DEFCON 3: Patching is unclear

  Posted on March 26th, 2021 at 01:00 Susan Bradley Comment on the AskWoody Lounge

  ISSUE 18.11.1 • 2021-03-26

  

  By Susan Bradley

  Proceed with caution.

  I’m separating my patching guidance into two categories: one for business users and one for consumer or home users. And I’m lowering our MS-DEFCON level to 3. We’re not out of the March woods yet, but things are a bit better.

  Read the full story in the AskWoody Plus Alert 18.11.1 (2021-03-26).

  AskWoody Plus Newsletter, MS-DEFCON AskWoody Plus Newsletter, MS-DEFCON, MS-DEFCON 3, Patch Lady Posts

• MS-DEFCON 3: Get the October patches installed

  Posted on October 29th, 2020 at 23:49 woody Comment on the AskWoody Lounge

  We’re seeing some funny business with the ancillary patches this month, but the mainstream Windows cumulative updates and Office patches look good to go.

  Big question is whether you want to upgrade from Win10 version 1909 to version 2004. I have a few observations. Bottom line: Susan Bradley has upgraded her 1909 machines to 2004. I’m still sitting on a fence. Really, there’s exactly nothing in 2004 that most people will want.

  Step-by-step details in Computerworld Woody on Windows.

  Windows Patches/Security MS-DEFCON 3, October 2020 Black Tuesday

• MS-DEFCON 3: There are some oddities, but it’s time to install the July 2020 patches

  Posted on July 31st, 2020 at 10:23 woody Comment on the AskWoody Lounge

  Looks like Microsoft’s fixed the bugs that it introduced this month. It’s time to get the July patches installed.

  There’s one potential oddity — you may get the .NET Framework Preview installed on Windows 10 version 1903 or 1909 — but I don’t see any reported bugs in that (unwanted!) patch.

  Step-by-step details in Computerworld Woody on Windows.

  Windows Patches/Security July 2020 Black Tuesday, MS-DEFCON 3

• MS-DEFCON 3: Time to get the June patches installed

  Posted on July 8th, 2020 at 08:19 woody Comment on the AskWoody Lounge

  Looks like the patching scene has stabilized sufficiently to go ahead with the June patches.

  Some of the bugs have been ironed out. Others can be fixed if you know what happened, and how to get the antidotes installed.

  I’m moving to MS-DEFCON 3: Get Windows and Office patches installed, but watch out for the bugs.

  (No, that doesn’t include yesterday’s Office non-security patches. Nobody needs those. They’ll come back around soon enough.)

  Step-by-step details in Computerworld Woody on Windows.

  Windows Patches/Security June 2020 Black Tuesday, MS-DEFCON 3

• MS-DEFCON 3: Time to get Windows and Office patches up-to-date

  Posted on May 7th, 2020 at 08:56 woody Comment on the AskWoody Lounge

  For those of you new to this particular piece of AskWoody arcana…

  Every month, I recommend that people pause Windows updating long enough to make sure there aren’t any real stinkers in the Patch Tuesday bunch. That sets up an ongoing tug-of-war. On the one hand, there are inevitable problems with all of the patches. Every month. On the other hand, there’s an ongoing threat that some miscreant will use the patched security holes to make new malware.

  I watch both sides incessantly and try to come up with solid patching recommendations. Been doing it for 14 years.

  You can read about my general approach in a Computerworld article, The case against knee-jerk installation of Windows patches. The AskWoody site has details about the MS-DEFCON system, which I’ve used for years to give normal Windows users a red-light/green-light signal about installing patches. (Very advanced Windows users and admins in charge of many systems are better off following Susan Bradley’s Master Patch List.) Whenever there’s a change in the MS-DEFCON level, I publish detailed, step-by-step instructions in Computerworld.

  Every month, there comes a time when – in my opinion – it’s better to install the (possibly modified) patches than leave the month’s round of patches uninstalled. We’ve just reached such a point. I figure we know enough about the problems at hand to help people who get socked by this month’s patches — and the malware cretins are close enough that it’s time to put the shields up.

  We’re now at MS-DEFCON 3: Go ahead and patch, but watch out for potential problems.

  Details in Computerworld Woody on Windows.

  (Yes, it’s true, my main machines are all on Win10 version 1909. Test machines run other versions and, of course, the Seven Semper Fi machine runs bone-stock Win7. See the Computerworld article.)

  Windows Patches/Security April 2020 Black Tuesday, MS-DEFCON 3

• MS-DEFCON 3: Get the March 2020 patches installed

  Posted on April 1st, 2020 at 09:32 woody Comment on the AskWoody Lounge

  It’s been a strange patching month, with a Patch Tuesday, a Patch Thursday, the usual buggy “optional, non-security C/D Week” patch, a bonus fix for a bug introduced in late February’s patch, and a warning (with no patch) about yet another bad-font fallibility.

  There are several known bugs, but they all have reasonably well-known workarounds.

  Anyway, now’s a good time to make sure you have the March patches installed. Full instructions in Computerworld Woody on Windows.

  Windows Patches/Security March 2020 Black Tuesday, MS-DEFCON 3

• MS-DEFCON 3: Get the February patches installed

  Posted on February 28th, 2020 at 13:49 woody Comment on the AskWoody Lounge

  The “disappearing desktop” temporary profile bug is still in the February cumulative update for Win10 version 1903 and 1909. Looks like the bug’s in the “optional, non-security, C/D Week” update, too. Nonetheless, we’ve seen a lot of reports of problems, and they all appear to be solvable.

  So it’s with some trepidation that I’m moving us to MS-DEFCON 3. You should get the Feb patches installed. (NOT the “optional, non-security, C/D Week patch, of course.)

  As an added surprise… I’m moving my production machines to Win10 version 1909. It looks like the File Explorer Search bug was fixed in the regular Cumulative Update — and I don’t see any persistent bugs in 1909 that aren’t also in 1903.

  Details in Computerworld Woody on Windows.

  Windows Patches/Security February 2020 Black Tuesday, MS-DEFCON 3

• MS-DEFCON 3: No rush, but you should get the January Patch Tuesday patches installed

  Posted on January 24th, 2020 at 14:55 woody Comment on the AskWoody Lounge

  Usually I wait until near the end of the month before giving the all-clear to install Microsoft’s Patch Tuesday patches.

  This month’s different.

  On the one hand, this month’s patches look pretty darn clean. Part of the reason for our good fortune, I’m convinced, is that we haven’t had any non-security patches since October.

  On the other hand, there’s the looming threat of CurveBall — the CVE-2020-0601 security hole advertised by the NSA. I don’t think CurveBall will hit the mainstream any time soon, but ya never know.

  Putting those together, and I figure now’s a good time for normal folks to get their machines patched.

  I’m only moving to MS-DEFCON 3 this month because it’s still very early in the crowdsourced bug catching phase. If you hit a problem with a patch, let us know loud and clear! But get patched.

  Full step-by-step details in Computerworld Woody on Windows.

  UPDATE: If you’re having installation problems with the Win10 1903 and 1909 cumulative updates, it may be caused by a missing Connect app. See Günter Born’s post.

  Windows Patches/Security January 2020 Black Tuesday, MS-DEFCON 3

• MS-DEFCON 3: Get your September patches installed — but stick to the mainstream patches

  Posted on October 2nd, 2019 at 11:28 woody Comment on the AskWoody Lounge

  Lots of people will tell you that you need to install strange (very strange!) patches to protect yourself from the “Exploited: Yes” zero day patch for CVE-2019-1367. I say meh. Stick to this month’s normally distributed patches and you’ll be OK.

  Details and step-by-step instructions in Computerworld Woody on Windows.

  Windows Patches/Security MS-DEFCON 3, September 2019 Black Tuesday
• « Older Entries