News, tips, advice, support for Windows, Office, PCs & more

Newsletter Archives

  • Real-time MS-DEFCON alerts debut!

    Posted on September 20th, 2021 at 02:45
    ISSUE 18.36 • 2021-09-20

    MS-DEFCON

    By Susan Bradley

    The new AskWoody SMS alert system is now available for Plus members.

    The MS-DEFCON system has been a staple of the AskWoody site for many years now. You know it as a visual system of numbers and colors that provides a quick indicator of the relative safety of applying updates (patching) to Windows and other Microsoft apps and services.

    Read the full story in the AskWoody Plus Newsletter 18.36.0 (2021-09-20).
    This story also appears in the AskWoody Free Newsletter 18.36.F (2021-09-20).

  • MS-DEFCON 2: September – here we go again

    Posted on September 9th, 2021 at 02:45
    ISSUE 18.35.1 • 2021-09-09

    MS-DEFCON 2

    By Susan Bradley

    It’s time to start getting ready for Windows 11.

    The countdown is on to the release of Windows 11 on October 5, and it’s the time of the month when I urge you to take actions to ensure you are ready to install updates when you want to.

    The security updates this month begin the process of introducing group policy settings to control Windows 11, as well as Intune policy settings. But never fear — we will provide you all the information you need to either avoid or embrace Windows 11, as you see fit.

    Consumer and home users

    First, and as I always recommend when we get close to the second Tuesday of the month (now infamously known as Patch Tuesday), make sure that your backup is working properly. Open whatever backup software you use, and review the log of recent actions to confirm that the backup is running and backing up as it should. At a minimum, browse your backup location to see whether the file dates in that location are recent.

    Next, decide what type of patcher you are. If you have spare machines and know you have a solid backup, you could actually be in the patcher category “Extreme” — because you let Windows install updates on its own terms and you simply review for side effects afterward. There are quite a few AskWoody Plus members who do exactly this, because they know that a good backup allows them to recover from updates, just as it protects them from ransomware.

    The next patcher category is “Deferral.” Go into Start, Settings, Update & Security, Advanced options and choose September 28 as your deferral date, the date when you allow Windows to do its thing.

    Next? “Cautious.” For this group, I recommend the use of WUMgr to control updates. You can review how to use this tool in the forums.

    Business users

    I predict that I’ll be urging business patchers to install updates no later than September 21, 2021. For now, I don’t anticipate that Microsoft will be providing solutions to the mess that they introduced with the PrintNightmare patches, so we’re still going to have to deal with the fallout and side effects of the August updates. I’ll be recapping these known issues in the September 13 AskWoody Plus newsletter.

    We’re soon going to be adding the ability to get text alerts sent to you when the AskWoody MS-DEFCON level changes. You can follow the alert account on Twitter now, but soon you can sign up for text alerts as well. You’ll need to be an AskWoody Plus member in order to receive texts to your phone when we send out alerts; look for more information soon.

    Read the full story in the AskWoody Plus Alert 18.34.1 (2021-09-09).

  • MS-DEFCON 4: All clear for consumers, less so for businesses

    Posted on August 25th, 2021 at 02:45
    ISSUE 18.32.1 • 2021-08-25

    MS-DEFCON 4

    By Susan Bradley

    This month has been a bit bumpy for business users needing to print.

    This month’s change to a technology called “Point and Print” has triggered side effects for information technology professionals who deployed workstations without administrator rights.

    Although I’m reluctantly recommending installing these updates, because you need to be protected from all the other vulnerabilities this month, I must acknowledge that even after you patch, you still won’t be protected from printer vulnerabilities. There is yet another Print Spooler issue out there. Right now, the only way you can protect yourself from the remote Print Spooler attack described by CVE-2021-36958 is to keep your Print Spooler service disabled unless it is absolutely needed.

    Consumer and home users

    Install the August updates. In a change to my past update recommendations regarding .NET, I now recommend installing the .NET updates as well. For the last year, I’ve not experienced any side effects with the nonsecurity .NET updates and feel confident about their safety.

    I’ve also not been tracking any side effects with Chromebook 92 after its release on August 2. Unlike last month, there’s been no need to roll back this version.

    Business users

    For those of you in charge of business patching, there’s no good resolution for the side effects of the August updates, not to mention the risks of the unpatched Print Spooler vulnerability. If you deploy print drivers using group policy and your users do not have administrator rights, they are being prompted to install a printer-driver update even though the printer driver has not changed — the only thing that has occurred is that the patch was installed. You can deploy a registry key to

    HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint

    with the name RestrictDriverInstallationToAdministrators and a DWord value of 0, but unfortunately, this opens up your workstations to attack. It’s not a good solution.

    The root cause appears to be v3 versions of printer drivers. In the short term, I recommend several possible solutions.

    • Temporarily allow administrator rights via group policy to allow your end users to install the updated print driver, and then revert them back to non administrator rights.
    • Use the registry key workaround (above) that will allow printer drivers to be installed, with full knowledge that this opens your machine up to attack.
    • Review the printer drivers you have installed and ensure that they are v4 and not earlier versions.
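
    An added example, not part of the original alert: a read-only PowerShell audit of the three items this alert discusses (the RestrictDriverInstallationToAdministrators policy value, the Print Spooler service state, and printer drivers older than v4). The function names are hypothetical, and it assumes PowerShell 5.1 or later with the PrintManagement module available.

```powershell
# Added example (read-only): audits the print settings discussed in this alert.
# Function names are hypothetical; nothing here changes system configuration.

$KeyPath   = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ValueName = 'RestrictDriverInstallationToAdministrators'

function Get-PointAndPrintRestriction {
    # Reports the policy value and what it means for driver installation.
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # No policy value: a machine with the August updates keeps the
        # administrator-only behaviour described in the alert.
        return [pscustomobject]@{
            Value   = $null
            Finding = 'Not set: patched systems keep driver installs admin-only'
        }
    }
    $value = [int]$prop.$ValueName
    $finding = if ($value -eq 0) {
        'WEAK: workaround active, non-administrators can install printer drivers'
    } else {
        'OK: driver installation restricted to administrators'
    }
    [pscustomobject]@{ Value = $value; Finding = $finding }
}

function Get-SpoolerExposure {
    # The alert advises keeping the Print Spooler disabled unless it is needed.
    $svc = Get-Service -Name Spooler
    $finding = if ($svc.Status -eq 'Running' -or $svc.StartType -ne 'Disabled') {
        'REVIEW: Print Spooler is running or can be started; confirm this machine needs to print'
    } else {
        'OK: Print Spooler is stopped and disabled'
    }
    [pscustomobject]@{
        Status    = $svc.Status
        StartType = $svc.StartType
        Finding   = $finding
    }
}

function Get-LegacyPrinterDriver {
    # Lists installed drivers below v4 (the alert points at v3 drivers as the root cause).
    Get-PrinterDriver |
        Where-Object { $_.MajorVersion -lt 4 } |
        Select-Object Name, MajorVersion, Manufacturer
}

Get-PointAndPrintRestriction | Format-List
Get-SpoolerExposure          | Format-List
Get-LegacyPrinterDriver      | Format-Table -AutoSize
```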

    Read the full story in the AskWoody Plus Alert 18.32.1 (2021-08-25).

  • MS-DEFCON 4: Get those June updates installed

    Posted on June 24th, 2021 at 02:50
    ISSUE 18.23.1 • 2021-06-24

    MS-DEFCON 4

    By Susan Bradley

    It’s time to deal with “News and Interests.”

    Consumer and home users

    If you’ve been procrastinating with the June updates so you didn’t have to deal with the new “News and Interests” feature and its side effects, the time has come.

    Microsoft has released KB5003698 to fix issues with blurry images in 1909 for Enterprise. Windows 10 2004/20H2 and 21H1 received KB5003690 to fix the blurry text on the News and Interests button for some screen resolutions. KB5003690 also fixes a problem with search box graphics on the Windows taskbar, which occurs if you right-click the taskbar and turn off News and Interests. This graphics issue is especially visible when using dark mode. If it is a problem for you, install this optional update.

    There are other issues to work out, such as interactions with the desktop if you are using Classic Shell or other menu programs. AskWoody readers have noted cases in which sign in to customize the news selections did not work. If you have problems with the News and interests feature, try setting it to icons only instead of icons and text.

    For Office updates, open up any Office software application, click on File, Account, Office Updates, and enable updates. Then click on Update Now to trigger their installation.

    Business users

    This month’s releases showcase that timing is everything. If you apply updates to workstations before applying them to servers and then attempt to use remote event-log tools, you will find that you cannot access the event logs. As noted by Microsoft, affected apps are using certain legacy Event Logging APIs. Ensure that you apply the updates for both workstations and servers before attempting to use such software.

    Read the full story in the AskWoody Plus Alert 18.23.1 (2021-06-24).

  • MS-DEFCON 2: Defer Windows & Office updates to June 24

    Posted on June 4th, 2021 at 03:00
    ISSUE 18.20.1 • 2021-06-04
    MS-DEFCON Level 2

    By Susan Bradley

    Consumer and home users

    Hopefully, you’ve taken the time to get the May updates installed.

    Before next Tuesday, be sure you are comfortable with your methodology for deferring updates. For Windows updates, I’m still a fan of the method I call “pick the date.” Go to Settings, then to Update and Security; click on Advanced options, and select Pause updates. Then use the Select date drop-down to choose the date when you’d like updates to resume. I’m suggesting June 24.

    Note that the News and Interests notification will be fully enabled in your task bar this month.

    For Office updates, open up any Office application, click on File, Office Account, Office Updates; choose Disable Updates. You can resume updates later in the month. While you have Office updates disabled, avoid opening macro-enabled files as a defense against potential ransomware threats.

    Business users

    Ransomware has been a big topic in the news this month. While doing your patch testing, continue to educate your end users about the dangers posed by simple tasks done carelessly — opening emails, transferring files, clicking on links, etc. Greater danger requires greater vigilance.

    Read the full story in the AskWoody Plus Alert 18.20.1 (2021-06-04).

  • MS-DEFCON 4: It’s quiet out there

    Posted on May 27th, 2021 at 01:00
    ISSUE 18.19.1 • 2021-05-27
    MS-DEFCON Level 4

    By Susan Bradley

    This month has been relatively quiet with respect to patching side effects. It’s now time to install the May updates.

    Consumer and home users

    Most of the issues and complaints have not been about the May update. Instead, there has been dissatisfaction with a new feature called News and Interests. As this feature rolls out, more and more people are asking how to remove it. I have provided a registry update file that will automatically disable News and Interests. The only known side effect is audio issues in some machines; these can be bypassed by using stereo settings.

    More details will be provided in my upcoming Patch Watch article.

    Business users

    For small businesses that still have an on-premises Exchange email server, make sure you install this month’s Exchange patches, as described in KB 5003435.

    Note that some users reported issues if they had manually removed the new version of Edge, proving once again that Microsoft doesn’t test the edge cases (pun intended).

    Read the full story in the AskWoody Plus Alert 18.19.1 (2021-05-27).

  • MS-DEFCON 2: Pause on patching

    Posted on May 10th, 2021 at 12:00
    ISSUE 18.17.1 • 2021-05-10

    By Susan Bradley

    It’s time for both business users and consumer or home users to pause Windows updates.

    Accordingly, I’m changing the AskWoody MS-DEFCON level to 2. Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.

    Consumer and home users

    If you are a home/consumer user, I recommend two actions to ensure you do not get inadvertent updates. First, select Start, Settings, Network & Internet, and then Wi-Fi or Ethernet (whichever connection you are using). Next, click Manage known networks; click on the network that you use, click Properties, and turn on Set as metered connection. This “tricks” the computer into thinking that your Internet connection is not unlimited (i.e., you might incur charges) and thus will download patches only after you approve the process.

    The second action is picking a deferral date after May 11, when Microsoft will push out the next Patch Tuesday security releases. Click on Start, Settings, Update & Security; then click on Advanced Options. Pick a date far enough in the future to give you comfort. I always wait at least a week, usually more. I’ll be re-evaluating the update situation closer to the end of the month, but for now choosing May 28 should be safe enough.

    For those of you with an Office click-to-run (CTR) edition, I strongly recommend that you change to the semiannual channel rather than the monthly one because it will keep you from the Autocomplete bug.

    Business users

    Coming this month in the May Security releases, Microsoft will be including a new “News and Interests” taskbar item featuring items of interest to your users. Remember, if you want to proactively block it, there are registry keys and group policy to control it.

    Read the full story in the AskWoody Plus Alert 18.17.1 (2021-05-10).

  • MS-DEFCON 3: Patching is unclear

    Posted on March 26th, 2021 at 01:00
    ISSUE 18.11.1 • 2021-03-26

    By Susan Bradley

    Proceed with caution.

    I’m separating my patching guidance into two categories: one for business users and one for consumer or home users. And I’m lowering our MS-DEFCON level to 3. We’re not out of the March woods yet, but things are a bit better.

    Read the full story in the AskWoody Plus Alert 18.11.1 (2021-03-26).

  • Is it OK to run patches on 500+ VMs?

    Posted on June 11th, 2018 at 13:40

    Just saw this message from ME:

    I haven’t approved updates since 12/2017 for our infrastructure with 500+ VMs.

    I’m not new to that topic, but your team recently wrote that it is not wise to approve updates when you’re on patch level 12/2017. I think it was in March. Since then I haven’t found a topic on whether to update or not. All thoughts were about if and how to update one single machine. Is there anything related to my problems to read from you?

    Susan Bradley does a great job, but it would be interesting to have an algorithm for how to patch when you’re on 12/2017 or similar. It’s not something I ask you to do, but in those times Microsoft does a horrible job, which leads to spectacular ransom attacks in the future. I have patched servers for 3 years now – I’m definitely not a pro, but why do I feel like Microsoft always tries to shoot our infrastructure into pieces. :/

    Best regards, and thank you and your team for the great work.

    Since Susan Bradley joined AskWoody several months ago, we have something of a dichotomy. On the one hand, we have people who just want to know when it’s safe to patch their individual (home or business) PCs. On the other hand, we have a widening group of admins who are in charge of hundreds — thousands — of machines.

    As you’ve seen, the expectations and needs of those two groups are related, but still quite different in many respects. More than that, there’s a spectrum of needs — from folks who’d rather be playing mahjong, to folks who have to be concerned about protecting key corporate data.

    One size doesn’t fit all. What’s evolved is kind of a dual system that’s grown out of my background helping individuals and Susan’s long background working with organizations.

    The MS-DEFCON system is geared for people who really just want to get the furshlugginer thing working. I don’t even try to differentiate between a Win7 system running Office 2010 and a Win10 1803 system running Office 365. There are just too many variables. What I give with MS-DEFCON is a red light/green light system, with warnings about particularly irksome problems.

    The Patch Lady recommendations (and her unique, lengthy Master Patch List) are designed for people who want — or need — to take a closer look at the patches.

    The Patch Lady approach is a scalpel. The MS-DEFCON approach is a sledge hammer.

    That doesn’t answer your question. But it should help you put into perspective the comments that are bound to come from people who have experienced your exact situation.

  • Should I patch now or wait?

    Posted on February 17th, 2016 at 05:56

    Just got a good question from reader IB:

    Woody, I know you’re a busy guy. Thanks for all you do…
    I have a basic question. I have ONE home computer, win7 pro, 64 bit (whatever that means)
    I use GWX control panel, and have ZERO desire to update to win 10. Heck, I just got rid of XP less than a year ago! My windows updates are set to “let me choose” etc.

    As per your advice, I always install DEFENDER updates immediately.

    But my confusion is about “important” updates: I think you have told us that anything with “security” in the title needs to be installed. (I currently have a couple security for “.NET FRAMEWORK” and about 10 for WIN7 64bit…”). But in response to a comment within the last week (I forget which thread) about security updates, you said, “wait”.

    So my question…when I see ‘security’ updates…should I install them immediately, or wait till DEFCON says it’s time?

    Thank you.

    I say, always wait for the MS-DEFCON rating to come down, then follow the specific instructions I give when the number goes down.

    There’s a reason for waiting. Many problems with Microsoft’s patches don’t appear in the first few days, or even the first few weeks, in some cases. For Win7 and 8.1, Microsoft pulls and re-issues the really bad ones. For Win10, well, we’re still not sure exactly what Microsoft will do. In all cases, within a few weeks we have a pretty good idea of what’s going to clobber systems, and what’s benign.

    Not infallible, mind you, but reasonably accurate.

    You also need to keep in mind that very, very few patches cover holes that are being exploited. There are fixes for zero-day problems, but most zero-days these days are directed at very specific targets – government installations, military, financial institutions and the like. For you and me, zero-days are rarely a concern.

    Take a look at the latest SANS Internet Storm Center list. See the column marked “Known Exploits”? There aren’t any known exploits for any of the patches (although there’s one that had a published exploit later). Even when an exploit “Proof of Concept” is published, it takes weeks or months or years for the exploit to become a problem for you and me.

    If you’re carrying a hundred thousand Social Security numbers, or storing nuclear launch codes, it’s a different problem, of course. But for the vast number of people, the vast majority of the time, waiting for patches to show their fangs is a very good idea.

    You need to patch sooner or later. Yes. Definitely. But you don’t need to dance to Microsoft’s tune.

  • What does MS-DEFCON cover?

    Posted on October 22nd, 2015 at 16:53

    Another good one, this time from reader MA:

    Greetings Woody,

    I am in IT, and we got a single Windows update pushed to our machines today: KB 3095649.

    One of our laptops is getting stuck on boot up after the encryption log in screen. The user said they rebooted after applying Windows updates.

    They said they also shut down their machine every day, meaning it should have already had all of these latest updates.

    My question is: Your defcon system, how updated do you keep it? I see it’s at level 2 currently. Does that have anything to do with this latest update? Or is it more about all of the October updates?

    Anyway, thanks for your site and your time. I really appreciate it.

    Thanks much, MA

    I started the MS-DEFCON system a decade ago as a short, easy way to give a “go/no-go” decision on Windows and Office patches. Times have really changed since then, but the goal’s the same. I don’t claim to give advice to admins who are in charge of large numbers of machines — Susan Bradley’s patchmanagement.org does a far better job, and her constantly-updated list of available patches and their problems takes each KB to task.

    I still try, very hard, to give a simple “go” signal when one is warranted. Occasionally (and, recently, more frequently) I have to list exceptions – specific KB’s that are spoiling the lot. But the basic idea is to wait until the patches have settled down, then give a green light.

    A large majority of the people who follow the MS-DEFCON system are still using Win7, but many switched to Win8.1, and an increasing number use Win10. Each has different patching needs and screw-ups.

    In the particular case that you mention – four patches released earlier this week – I was at MS-DEFCON 2 when they hit, and I stayed at MS-DEFCON 2. That’s not so much a reflection of known problems with the patches. It’s more of a wait-and-see attitude, in case one of the patches has problems, or someone discovers that one of the patches includes junk that nobody wants, like GWX updates, snooping platform patches, and so on.

    It’s very rare that a really, really important security patch comes down the chute and needs to be installed immediately. People working in sensitive industries need to take those zero-days seriously because they’re often used in various kinds of attacks. But for normal, everyday people (and companies!), widespread attacks aren’t common in the days and weeks following a patch.

    I’ll continue to aim the MS-DEFCON rating at people who don’t want to be dealing with every-blooody-patch as it rolls out. I’ll continue to cover Win7 and 8.1 in depth, Win10 as best I can (Microsoft’s updating policy makes that hard), and Vista a little bit.

    I hope that answers your question! Comments always most welcome…

  • MS-DEFCON as red light/green light

    Posted on October 27th, 2013 at 17:16

    I just got a very good message from SW that says:

    Hi Woody,

    I really appreciate your guidance on Windows updates and share it with many friends. I do have one suggestion that would be of value to me and likely others. The current status is Defcon 2. I know it refers to October because I have addressed, with your guidance, previous months. Someone visiting your site for the first time or one who has not visited for a while might be confused. If you could state which updates are covered by the current Defcon it would be helpful.

    Thank you very much for your guidance through the Microsoft minefields.

    Here’s my reply:

    I try to keep the MS-DEFCON level very, very, very simple. It’s basically a red light/green light (with occasional yellow) sort of warning system: When the light turns green, you should install all outstanding patches, no matter when they were first offered.

    I’ve long thought that the best way to do it is to list each patch, one by one, and make recommendations – but that’s considerably more complicated than most users would like. (Susan Bradley does an excellent job of patch-by-patch analysis.)

    Your approach would group patches by month — and a lot of people would find that too complicated.

    So I’ll stick with red light/green light – and continue to recommend Susan’s analysis for people who want to look at specific patches, or groups of patches…

    People who manage patches for a living — admins are the salt of the earth! — generally can’t afford to run their companies on a red light/green light system like MS-DEFCON. But most home users, and even small businesses, can benefit from some very generalized advice, methinks.

    Other opinions most welcome, of course, in the comments.