Newsletter Archives

  • MS-DEFCON 3: Issues with domains

    alert banner

    ISSUE 19.47.1 • 2022-11-22

    MS-DEFCON 3

    By Susan Bradley

    November updates lead to side effects

    My usual advice regarding updates with known side effects is to wait until the problems are resolved. But every so often, the risk of waiting is greater than the risks associated with the side effects.

    That’s the way I see the situation now. The November updates require you to slog through the issues and deal with the side effects. For that reason, I’m lowering the MS-DEFCON level to 3. I’d really like to go to 4, but I think greater caution is required.

    Anyone can read the full MS-DEFCON Alert (19.47.1, 2022-11-22).

  • MS-DEFCON 3: Issues with bootloader patches

    alert banner

    ISSUE 19.34.1 • 2022-08-23

    MS-DEFCON 3

    By Susan Bradley

    This month’s updates are a great example of why my patching advice differs for consumers and businesses.

    For consumer patchers, whether using Windows 10 Home or Professional, I’m not convinced that you need to install KB5012170, Microsoft’s security update for Secure Boot DBX (the Secure Boot Forbidden Signature Database). Unless, that is, you think you will be targeted by an overseas attacker with a malicious bootloader installer. If your computer holds the keys to the nuclear codes, then by all means install this update instantly. The fact that this isn’t clear-cut is the reason I can lower the MS-DEFCON only to 3 this time around.

    But if you are a normal user, with normal levels of paranoia to get you through the normal security risks of daily life, I’m not convinced that this update is mandatory. In fact, I think it often causes more pain than benefit. Just read through the threads of many a forum poster trying to get this update installed.

    Anyone can read the full MS-DEFCON Alert (19.34.1, 2022-08-23).

  • MS-DEFCON 3: Should we patch?

    alert banner

    ISSUE 19.26.1 • 2022-06-28

    MS-DEFCON 3

    By Susan Bradley

    I have good news and bad news.

    Some of you will install the June updates and see absolutely no issues whatsoever. Others have tried to install the June updates and experienced side effects. Microsoft has acknowledged some, but not all, of the issues. This makes it a hard month. I don’t like to let people get to the end of the month and not install updates, but at the same time there are some bugs that are deeply impactful to both consumers and businesses.

    Based upon my recommendations below, I am lowering the MS-DEFCON level to 3. I commonly set the level to 4 after giving the month’s updates a chance to settle, but this time greater caution is warranted.

    Anyone can read the full MS-DEFCON Alert (19.26.1, 2022-06-28).

  • MS-DEFCON 3: We’re not out of the printing woods yet

    AskWoody Plus Alert Logo
    ISSUE 18.45.1 • 2021-11-22

    MS-DEFCON 3

    By Susan Bradley

    The big news last week was Microsoft’s finally releasing Windows 10 version 21H2 and aligning the Windows 10 and Windows 11 annual feature release cadence.

    Changing the feature release cadence for Windows to an annual schedule is long overdue. From the first moment Microsoft announced that Windows 10 feature updates would be released on a semiannual basis, I’ve felt that the constant release process was too often, too fast. It’s good to see Microsoft finally listening to the feedback. Granted, it was pushed into this decision by the release of Windows 11, but I’ll take the win nonetheless.

    Now that 21H2 is officially out, I recommend sticking with 21H1 for the moment. That said, 21H2 will be a relatively easy and fast update with very few side effects. But I’m a cautious patcher and never install feature releases during the first week they are out.

    As November comes to a close, it’s again time to evaluate whether you can perform the basic process we all call “printing.” I discussed the annoyance of these constant and seemingly intractable printing problems in yesterday’s On Security column. The ongoing issues with printing force me, once again, to set our MS-DEFCON status at level 3. Exercise caution.

    Consumer and home users

    If you install the updates for November and can still print, pat yourself on the back and relax until next month. If you are still having issues with printing, I recommend installing the preview updates listed in the Master Patch list.

    For certain shared printers in peer-to-peer networks, we are still seeing issues triggered by the November 9 updates. While Microsoft has released out-of-band updates for authentication issues, they have not put the same priority on printing issues triggered by the updates.

    Business users

    Already, we’ve seen the out-of-band update KB5008602 to fix a known issue triggered on domain controllers and single sign-on that might cause authentication failures related to Kerberos tickets you acquired from Service for User to Self (S4U2self). This issue occurs after you install the November 9, 2021, security updates on domain controllers (DCs) that are running Windows Server, and you need to install this update on your domain controllers to fix this issue.

    References

    Read the full story in the AskWoody Plus Alert 18.45.1 (2021-11-22).

  • MS-DEFCON 3: Ready or not, it’s time to update

    AskWoody Plus Alert Logo
    ISSUE 18.41.1 • 2021-10-26

    MS-DEFCON 3

    By Susan Bradley

    It’s not exactly an all-clear.

    Normally, this is the time in the update cycle when I give an all-clear. It’s when most, if not all, of the side effects of patches have been identified.

    This month, unfortunately, there are still issues. However, that doesn’t mean I don’t want you to install updates. Even though there are documented problems with network printing after the October updates, they are not widespread.

    Many system administrators report that printing problems most often occur when the operating system of the server hosting the print server is older — and possibly unpatched — while the workstations are newer platforms that are patched. Therefore, after installing the updates in your peer-to-peer network, Make testing printing your first step. If you can print, leave the updates installed and pat yourself on the back — you survived October.

    If you are impacted by the October updates and do have printing issues, consider your situation carefully before you uninstall and block updates. There are several vulnerabilities included in the October updates, one of which, CVE-2021-40449, has been used in targeted malware attacks to elevate privileges on a system. My ongoing philosophy is that when the risk of being unpatched is higher than the risk of applying a patch, it’s time to install updates. I also don’t want to go a month without installing an update unless the reasons for doing so are very clear.

    I’ve installed the October updates at my home and office, including a collection of Ricoh network printers as well as stand-alone Brother, HP, Lexmark, and Canon printers (black-and-white as well as color printers). I’ve had no issues printing after installing the October updates, whether at home or office. I have mixtures of server operating systems including Server 2019, Server 2016, and Server 2012 R2 as well as Windows 10, plus a Windows 7 system under extended security patches. In short, just because you read in the headlines that we’re seeing printing issues doesn’t mean that you will have issues.

    Consumer and home users

    For those of you in a home setting, install updates now and immediately test for printing issues. My best guess is that you’ll be fine, with no problems. As mentioned above, everything is good at my house.

    Business users

    I’m sorry to say that business users must not be so sanguine — you are more likely to experience problems. If you do, there are several options. The first (which I’d rather you not do) is to uninstall the updates and block them (pause updates) until next month. The second is to install one of the preview updates that Microsoft will be releasing soon, especially if you are having issues deploying printers using Internet Printing Protocol. Microsoft has already released KB5006744 for Windows 10 1809, which includes a fix for:

    Addresses a known issue that might prevent the successful installation of printers using the Internet Printing Protocol (IPP).

    This month, there’s no clear resolution. You may have no issues at all with the October updates. You may have issues printing. If you are required to patch, and you end up having issues printing, I’d urge you to install the preview updates that I’ll be listing in the Master Patch List. If that doesn’t work, ensure that you understand the risks involved in not being patched this month.

    *Edit 10/26/2021 – Microsoft released KB5006738 for 21H1, 20H2 and 2004. It includes printing fixes that may help the issue. If you are impacted, install it and see if it helps.

    Bottom line: install the updates, see whether you can print. If you can, pat yourself on the back. If you can’t, prepare yourself for a bit of testing and hassle.

    References

    Read the full story in the AskWoody Plus Alert 18.41.1 (2021-10-26).

  • The ides of March

    To patch or not to patch this month…. that is the question I attempt to answer this week in ComputerWorld.

    Printers side effects were the big issue (and still are) this month.

    (note that I’m going to have to reach out to the ComputerWorld editors… they missed part of the post I sent them…)

    It’s supposed to read:

    So for Windows 10 2004 or 20H2 you need to skip the updates released on March 9th and instead jump over to the March 18th update of KB5001649. It should be offered up to you as an optional update, or you can download it from the Catalog site. Because Windows 10 updates are cumulative you only need the one update (the third and final update Microsoft released this month).

    For Windows 10 1909, you need KB5001648. Once again it should be offered up to you as an optional update if you go to the Windows update interface or you can download it from the Catalog site like 2004/20H2 handles it’s updating, 1909 is cumulative.

    For Windows 8.1 the process is slightly different as the fixing patches are not cumulative. This time the updates are not documented on the Windows 8.1 history page but can be found if you dig into the 8.1 health release dashboard. On Windows 8.1 you need to install both the original update from March 9th of KB5000848 AND the fix up patch of KB5001640. These are not offered up as optional updates and you must download KB5001640 from the catalog site.

    Windows 7 is similar to Windows 8.1 in not having a cumulative update patch to fix it’s printing issues. After you install the original security only update of KB5000851 or the monthly rollup of KB5000841 (which includes security updates) is fixed by KB5001639 which is only available from the Catalog site.  So for these platforms you need to install two updates just like 8.1.

  • MS-DEFCON 3: Patching is unclear

    AskWoody Plus Alert Logo
    ISSUE 18.11.1 • 2021-03-26
    Susan Bradley

    By Susan Bradley

    Proceed with caution.

    I’m separating my patching guidance into two categories: one for business users and one for consumer or home users. And I’m lowering our MS-DEFCON level to 3. We’re not out of the March woods yet, but things are a bit better.

    Read the full story in the AskWoody Plus Alert 18.11.1 (2021-03-26).

  • MS-DEFCON 3: Get the October patches installed

    We’re seeing some funny business with the ancillary patches this month, but the mainstream Windows cumulative updates and Office patches look good to go.

    Big question is whether you want to upgrade from Win10 version 1909 to version 2004. I have a few observations. Bottom line: Susan Bradley has upgraded her 1909 machines to 2004. I’m still sitting on a fence. Really, there’s exactly nothing in 2004 that most people will want.

    Step-by-step details in Computerworld Woody on Windows.

  • MS-DEFCON 3: There are some oddities, but it’s time to install the July 2020 patches

    Looks like Microsoft’s fixed the bugs that it introduced this month. It’s time to get the July patches installed.

    There’s one potential oddity — you may get the .NET Framework Preview installed on Windows 10 version 1903 or 1909 — but I don’t see any reported bugs in that (unwanted!) patch.

    Step-by-step details in Computerworld Woody on Windows.

  • MS-DEFCON 3: Time to get the June patches installed

    Looks like the patching scene has stabilized sufficiently to go ahead with the June patches.

    Some of the bugs have been ironed out. Others can be fixed if you know what happened, and how to get the antidotes installed.

    I’m moving to MS-DEFCON 3: Get Windows and Office patches installed, but watch out for the bugs.

    (No, that doesn’t include yesterday’s Office non-security patches. Nobody needs those. They’ll come back around soon enough.)

    Step-by-step details in Computerworld Woody on Windows.

  • MS-DEFCON 3: Time to get Windows and Office patches up-to-date

    For those of you new to this particular piece of AskWoody arcana…

    Every month, I recommend that people pause Windows updating long enough to make sure there aren’t any real stinkers in the Patch Tuesday bunch. That sets up an ongoing tug-of-war. On the one hand, there are inevitable problems with all of the patches. Every month. On the other hand, there’s an ongoing threat that some miscreant will use the patched security holes to make new malware.

    I watch both sides incessantly and try to come up with solid patching recommendations. Been doing it for 14 years.

    You can read about my general approach in a Computerworld article, The case against knee-jerk installation of Windows patches. The AskWoody site has details about the MS-DEFCON system, which I’ve used for years to give normal Windows users a red-light/green-light signal about installing patches. (Very advanced Windows users and admins in charge of many systems are better off following Susan Bradley’s Master Patch List.) Whenever there’s a change in the MS-DEFCON level, I publish detailed, step-by-step instructions in Computerworld.

    Every month, there comes a time when – in my opinion – it’s better to install the (possibly modified) patches than leave the month’s round of patches uninstalled. We’ve just reached such a point. I figure we know enough about the problems at hand to help people who get socked by this month’s patches — and the malware cretins are close enough that it’s time to put the shields up.

    We’re now at MS-DEFCON 3: Go ahead and patch, but watch out for potential problems.

    Details in Computerworld Woody on Windows.

    (Yes, it’s true, my main machines are all on Win10 version 1909. Test machines run other versions and, of course, the Seven Semper Fi machine runs bone-stock Win7. See the Computerworld article.)

  • MS-DEFCON 3: Get the March 2020 patches installed

    It’s been a strange patching month, with a Patch Tuesday, a Patch Thursday, the usual buggy “optional, non-security C/D Week” patch, a bonus fix for a bug introduced in late February’s patch, and a warning (with no patch) about yet another bad-font fallibility.

    There are several known bugs, but they all have reasonably well-known workarounds.

    Anyway, now’s a good time to make sure you have the March patches installed. Full instructions in Computerworld Woody on Windows.