  • Patch Lady – Excel KB 4011727 registry keys

    Posted on March 15th, 2018 at 01:28 by Susan Bradley

    Susan here. In the latest Excel 2016/2013 security update, Microsoft has added an additional registry key to better protect you from malicious macros.  Note this also affects Excel Click-to-Run versions.

    Newly added to the registry is the following setting:

    A new registry key has been added to provide more control over object macros security. The “RestrictObjectMacros” DWORD registry key under HKCU/Software/Microsoft/Office/16.0/Excel/Security supports the following values:

    0 (or not present) – Default behavior
    1 – Strict
    2 – Lenient
    3 – None (not recommended)

    The default, with no value set, is what you see on my 2016 Click-to-Run install at home.

    It appears this setting is in addition to the normal “don’t trust macros from the web” setting that is already in the Security trust center settings.

    What isn’t clear, and isn’t well documented in the KB, is what exactly those registry keys bring to the table in addition to the macro settings we already have in the Office Trust Center.  I think what the registry keys bring to the table is a way to granularly adjust macro settings unique to Excel, so that parts of the Office suite can have more restrictive macro settings than the Trust Center settings.

    I think.

    Needless to say I’ll be trying to find out more about this setting.  For now just leave it as is.

  • Patch Lady – Networking issues and KB 4088875

    Posted on March 15th, 2018 at 00:11 by Susan Bradley

    As Woody pointed out earlier today, there are some reports of networking issues after the install of this month’s Server 2008 R2 and Windows 7 patch.  The issues are not widespread and they appear to be limited to two scenarios:

    Scenario 1 – VMware.  As noted on a reddit post, a new virtual Ethernet network card is installed/enabled after the update.  The side effect has occurred before with other convenience rollups; a workaround was previously posted to this KB and a script is provided to fix the issue.  It is not impacting all servers; it appears to be impacting virtual machines on VMware.

    You can see more threads here.

    Scenario 2 – workstations.  This one is a bit more fuzzy and not clear cut.  I’ve seen reports where workstations with static IPs may be impacted by this update.  There are definitely enough credible reports of chipsets being reset and losing their networking IP addresses.

    Note that I’m seeing this more in businesses than in consumer/peer to peer settings.

    On my Windows 7 (my old machine that we keep around for older programs), I’m seeing this update unchecked:

    Which normally means that Microsoft is throttling the patch while they monitor issues.

    What is honestly a bit more concerning is this documented side effect:

    After installing this update, SMB servers may leak memory. Microsoft is working on a resolution and will provide an update in an upcoming release.

    If you run a file server, you may want to run tests and determine if you do see THIS side effect, as that one may have an impact.

    More on this as I see issues.

  • Patch Lady – following up on Office update KB4011730

    Posted on March 14th, 2018 at 20:51 by Susan Bradley

    Susan here, following up on the Office patch that was talked about here.

    Office 2016 Click to run:  You will not see this issue as you get your updates as a bundle.

    Folks with Office 2016 received via volume license are the only ones who receive individual updates these days.  The side effect whereby a Word document can’t be opened directly from Explorer appears to be the result of installing only the security updates and not the non-security updates.

    As now noted in KB4011730:

    Known issues in this security update

    • Symptoms
      After you install this security update, you may be unable to open or save a Word document.

      To work around this issue, install the March 6, 2018 update for Office 2016 (KB4018295).

      Microsoft is researching this problem and will post more information in this article when the information becomes available.

    Showcasing that sometimes you do want to install those optional updates.

  • Patch Lady: Tracking some post release issues

    Posted on March 14th, 2018 at 02:04 by Susan Bradley

    Susan here with early reports from the Tuesday releases (or Wednesday, depending on your time zone).  Normally we don’t start seeing issues until tomorrow, but already we have a few issues bubbling up.  This issue is actually expected, and you’ll need to look for updates for any third-party remote desktop software that may be impacted.  The reason for this is a major change in the Credential Security Support Provider.  You’ll probably see this talked about in the news as the CredSSP issue.  In the security portal the issue is called out here:

    To be fully protected against CVE-2018-0886, users must enable Group Policy settings on their systems and update their Remote Desktop clients. The Group Policy settings are disabled by default to prevent connectivity problems and users must follow the instructions documented HERE to be fully protected.

    But I’ll be flat honest, I missed it upon first reviewing the security portal and didn’t realize the impact until later.

    The issue affects the Remote Desktop Protocol (RDP). If you’ve ever launched the Remote Desktop Connection application on any of your Windows computers, you’ve used CredSSP to remote into computers.

    The flaw will be demonstrated next week at a Black Hat conference, but that said, you can tell from the description that this will be difficult to exploit in a consumer setting:

    Exploiting the flaw requires the attacker to wage a man-in-the-middle attack between the client and server in an RDP or WinRM session. He or she would need WiFi or physical access to the targeted network. A WiFi exploit could be set up using a key reinstallation attack such as KRACK, for example, according to the researchers. Other vectors are Address Resolution Protocol (ARP) poisoning and exploiting vulnerable network devices such as routers, to reach servers inside.

    The security fix is actually going to be phased in over the next several months. This month (as per Microsoft) is phase one.  All supported workstations and servers get the update this month.  Next month, in April, Microsoft will start phasing in error messages if you RDP from a patched client into an unpatched server, and finally in May the registry setting that better protects servers from unpatched systems will kick in.

    BleepingComputer even has a video that the researchers have shared discussing the flaw and its impact. As is noted, attackers have to have a toehold in your network before this can be successful; they would have to do a man-in-the-middle attack to intercept your RDP transmission.  In a peer-to-peer network that would mean they’d have to have malicious code in your router.  Given the complexity and the time spent crafting the packets just so, this one is more in the “they really have to target you” variety and not in what I call the “roadkill” variety of vulnerabilities.

    It impacts ALL versions of supported Windows, so for anyone in a business still using Windows XP and relying on the Remote Desktop Protocol, just be aware that this may impact interaction between the platforms as these adjustments roll out over the next several months.

    Initially in March, they are rolling out the new protocol.  Later in April they will make it so that an error message will occur when you attempt to remote from a patched machine to an unpatched machine, and then later in May (tentative at this time) the default will be to enforce that remoting from a patched machine to an unpatched machine will not work.

    If you still need to go between patched and unpatched after May security updates come out, you’ll have to make a manual registry adjustment to lower the security of your system.  Hopefully no one has to do that.

    Consumer recommendations:  

    Actions needed:  Patch [after we wait a bit just to make sure it’s all clear for any other issues]

    I’ve not seen any side effects on Windows machines at this time.  I’ve even patched a workstation and left another workstation unpatched to see if there were any issues.  I personally saw none.  I have seen reports of issues where, after installing the update on the Windows-based machine, folks couldn’t use the RDP client on a Mac to remote into the Windows machine.  So on consumer machines, if you only RDP between Windows machines you should be fine.  For a mixed network with Macs or other non-Windows machines that use the RDP protocol, check with your vendors for updates.

    In May the setting that stops clients from falling back to insecure versions of CredSSP will kick in, so there is no other action you need to take on standalone peer-to-peer networks, other than to make sure that, if you use RDP to remote into computers, all of your remoting still works after you apply the updates.

    Client applications that use CredSSP will not be able to fall back to insecure versions. Services that use CredSSP will accept unpatched clients.

    Domain/Network recommendations:

    If you are in a domain setting, whereby you connect to a file server not peer to peer but via something called a domain controller, here’s where the guidance differs, as Microsoft recommends you roll these settings out now.  You actually need to set registry keys or Group Policy settings to allow for the phase-in of this update.

    You can make the registry change/group policy in advance before you roll out the updates.

    On Windows 10 Pro, when you go into Edit Group Policy you can see the setting there.

    Double-click to enable it and then set it to the value Mitigated.  “Mitigated”, whereby “Client applications that use CredSSP will not be able to fall back to insecure versions”, will be the default value in May.

    Test.  See if anything breaks.  If it does, set it to Vulnerable and then go see about getting an update to the RDP client that doesn’t work.

    Microsoft has stated that:

    We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible.  These changes will require a reboot of the affected systems.
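    An added example (not from this post or from Microsoft) for auditing and applying the CredSSP setting described above from PowerShell instead of the Group Policy editor. It assumes, per Microsoft’s CVE-2018-0886 guidance rather than anything quoted here, that the “Encryption Oracle Remediation” policy is stored as the AllowEncryptionOracle DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters with 0 = Force updated clients, 1 = Mitigated, 2 = Vulnerable; confirm the location against the KB before relying on it.

```powershell
# Added example, not code from the AskWoody post. Run from an elevated prompt.
# ASSUMPTION: key path and value mapping come from Microsoft's CVE-2018-0886
# guidance, which this page does not quote; verify before use.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ValueName  = 'AllowEncryptionOracle'

# DWORD value -> the policy names used in the post.
$PolicyNames = @{
    0 = 'Force updated clients'
    1 = 'Mitigated'
    2 = 'Vulnerable'
}

function Get-CredSspOracleSetting {
    # Reports the configured value, or "not configured" when the DWORD is absent
    # (in which case the OS default for the installed patch level applies).
    $raw = $null
    if (Test-Path $CredSspKey) {
        $item = Get-ItemProperty -Path $CredSspKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $raw = [int]$item.$ValueName }
    }
    $label = if ($null -eq $raw) { 'Not configured (OS default applies)' }
             elseif ($PolicyNames.ContainsKey($raw)) { $PolicyNames[$raw] }
             else { "Unknown value $raw" }
    [pscustomobject]@{ Value = $raw; Setting = $label }
}

function Set-CredSspOracleSetting {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Force updated clients', 'Mitigated', 'Vulnerable')]
        [string]$Setting
    )
    # Translate the policy name back to its DWORD value and write it.
    $value = ($PolicyNames.GetEnumerator() | Where-Object { $_.Value -eq $Setting }).Key
    if (-not (Test-Path $CredSspKey)) { New-Item -Path $CredSspKey -Force | Out-Null }
    New-ItemProperty -Path $CredSspKey -Name $ValueName -PropertyType DWord -Value $value -Force | Out-Null
    Write-Host "Set $ValueName=$value ($Setting). A reboot is required for the change to take effect."
}

# Usage: show the current state, then apply the value the post recommends testing with.
Get-CredSspOracleSetting | Format-List
# Set-CredSspOracleSetting -Setting 'Mitigated'
```

    Re-run Get-CredSspOracleSetting after a reboot to confirm the value stuck, and set it back to Vulnerable only while you chase down an updated RDP client, as the post describes.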

    Hopefully I’ve made this a bit clearer?  I’ll be working on updating the master patch listing for March and will post it Wednesday, and will keep an eye out for any other issues along the way.

  • Patch Lady – getting 1709 TO install

    Posted on March 11th, 2018 at 01:14 by Susan Bradley

    While everyone else is wanting to keep 1709 at bay, I was wanting to get it to install on a small 32 gig hard drive.

    I had previously tried a USB flash drive, then purchased and installed an SD card, and neither one worked.  A good (geek) friend of mine recommended that I try using an external USB hard drive during the feature install process. I initially said to him that I had already used a flash drive, and he kindly pointed out that he didn’t say to use a flash drive; he said to use an external USB hard drive.

    While everyone historically swears that external USB-powered hard drives and flash drives are the same, clearly in this feature release update process they’re not.  When I was attempting to use either the flash drive or the SD card, I would get to a point in the install process where it would say I didn’t have enough room and I would have to prompt the system to use these devices.  When it would attempt to use them, it would fail and roll back the install.

    When I used the USB external hard drive, it never prompted me for the need for additional storage.

    After starting the update, it immediately began installing properly, unlike all of the previous sessions, where it would stop and roll back.

    The moral of this story?  If you are like me and you DO want 1709 to install, you have a hard drive tight on space and you are having issues, go get a USB external hard drive and see if that does the trick.

  • Patch Lady – Microsoft admits the bug (again)

    Posted on March 9th, 2018 at 20:07 by Susan Bradley

    Susan here… Just spotted the acknowledgement that Woody was right in KB4023814:

    Microsoft is aware that this notification was incorrectly delivered to some Windows 10 Version 1703 devices that had a user-defined feature update deferral period configured. Microsoft mitigated this issue on March 8, 2018.

    Users who were affected by this issue and who upgraded to Windows 10 Version 1709 can revert to an earlier version within 10 days of the upgrade. To do this, open Settings > Update & Security > Recovery, and then select Get started under Go back to the previous version of Windows 10.

  • Patch Lady – Defender makes a change

    Posted on March 9th, 2018 at 01:23 by Susan Bradley

    So earlier I was helping on a thread in the forum about some issues with failing Defender updates on Small Business Server 2011 platforms. [For anyone who is interested, SBS 2011 was once a featured small business platform that provided file server and email services for small businesses – this was pre-cloud, you know].  The symptom reported was that Defender updates were failing.  Well, first I was scratching my head, because Defender wasn’t installed by default on Server platforms back then. While Server 2016 now ships with Windows Defender enabled, Server 2008 R2 – on which SBS 2011 was based – didn’t have Defender installed.  I realized, after doing some searching and confirming with the people in the forum, that Defender COULD get onto Server 2008 R2 if one enabled the Desktop Experience role.  And that role would be wanted if you wanted to run Disk Cleanup on Server 2008 R2 (note you can also get Disk Cleanup on Server 2008 R2 by copying some files to get it to work).

    So the question came up as to what exactly changed in Windows Defender to suddenly make the definition updates fail on Server 2008 R2, whereas before it once worked?  And then in the dark recesses of my mind it hit me.  Yes.  Defender HAD made a big change.  And quite recently in fact, thus triggering this failure.

    As noted back in January,

    Starting March 1, 2018, Windows Defender Antivirus and other Microsoft security products will classify programs that display coercive messages as unwanted software, which will be detected and removed. If you’re a software developer and want to validate the detection of your programs, visit the Windows Defender Security Intelligence portal.

    AH HA, that explains the recent change.

    If you happen to be a Small Business Server 2011 admin and notice that Defender updates are failing, I would honestly just disable the service and then look for a third-party antivirus to install on your server.  As I stated in the forum, and I truly mean no disrespect, SBS 2011 is in extended support and Defender was not meant, in that era, to be installed on Server 2008 R2.  Getting a fix would not be what I expect from Microsoft’s support policies for this product.

    For the rest of us on Windows 7, 8.1 and 10, be aware that effective March 1, 2018, if you happen to be running Windows Defender on Windows 10 or Microsoft Security Essentials, any software that tries to trick you will be detected and removed.

    As defined by Microsoft:

    Software that coerces users may display the following characteristics, among others:

    • Reports errors in an exaggerated or alarming manner about the user’s system and requires the user to pay for fixing the errors or issues monetarily or by performing other actions such as taking a survey, downloading a file, signing up for a newsletter, etc.
    • Suggests that no other actions will correct the reported errors or issues
    • Requires the user to act within a limited period of time to get the purported issue resolved

    So look for more alerts on your system as these software programs get detected.

  • Patch Lady – sounds great until we think about the updates

    Posted on March 8th, 2018 at 02:22 by Susan Bradley

    Susan here, getting ready for that time of year that makes for a sleepy Susan… aka Daylight Saving Time.  I just spotted in the news tonight that Florida is considering opting to stay on daylight saving time.  So what has that got to do with computers?  Plenty.  Computers are creatures of time.  They have to be on the right time, or near it, otherwise all sorts of bad things occur.  Like, for example, updating.  You can be no more than a few minutes off of the real time, otherwise Windows Update will totally fail.  That is because your machine depends on computer certificates, which have date/time stamps, and if your computer comes back with the message that the certificate chain is invalid because the date and time are off… well, you get the idea.

    In a network, a workstation cannot be more than 2 to 5 minutes off of the time set by the domain controller, otherwise it will cause Kerberos logon problems.

    On standalone computers your computer is typically synced to time.windows.com.  This is a time server provided by Microsoft.  But you can use an alternative time server.

    NIST.gov provides the definitive list of all of the time servers.  NTP, or Network Time Protocol, is one of those old foundational protocols used in computers.  So foundational that attackers have even found ways to do denial of service attacks on NTP servers.  But on workstations, your machine only goes outbound to get its time information and isn’t open to attack.

    Time is so foundational to how our computers talk to one another that it’s one of the reasons the DST updates are pushed out on a regular basis, because time is sooo important.  The DST blog showcases how often countries mess with time.  It always amazes me how much countries mess with time.

    By the way, trivia here…. do you know why we have time zones in the first place?  As I understand it you can thank the English and the introduction of trains for the introduction of “Railway time” which was needed to standardize when it was expected that the train would arrive.  Prior to travel everyone just set their own clock.

    With the use of cloud technology I’m seeing some organizations go to Universal Time, or UTC, and not depend on the local time zone.  One of the key things to establish in computer forensics is what time was set on all devices – that is, was the time set correctly in the firewall/modem/router that is logging events, in the computer event log and so on – so the forensic investigator can prepare a timeline of events and correlate activity.

    So many times (get it — a pun on time) we’d skip over that time zone update as being optional because we didn’t live in the area of the time zone change. But we’d often end up with computers that couldn’t handle when we DID have a time zone change.  Everyone here remember when the USA moved the time zone change dates and how much we were running around trying to get things updated?  It’s one of the reasons Windows 10’s updates are all inclusive and those time change updates come automatically.

    So, if Florida opts out of changing its clock, a ton of developers in Redmond will be working around the clock to roll out updates.

    Fun to look forward to if the bill goes through.

    And now it’s my bedTIME.