News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it

Blog Archives

  • Patch Lady – oh yeah, it’s second release time

    Posted on January 23rd, 2020 at 23:01 Susan Bradley

    We didn’t have them in December but we’re starting up on the “second” release updates in January.

    So far I see

    https://support.microsoft.com/en-us/help/4534321 January 23 for 1809

    https://support.microsoft.com/en-us/help/4534308 for 1803

    https://support.microsoft.com/en-us/help/4534318 for 1709

    (remember 1703 is no longer supported for anyone)

    https://support.microsoft.com/en-us/help/4534307 for 1607 (LTSB)

    https://support.microsoft.com/en-us/help/4534324 for Windows 8.1

    Remember these are optional updates and include non security fixes only.  In the case of Windows 10, as long as you don’t “check for updates” they won’t be pushed to your machines.

    I expect that we might see a release for 1903 and 1909 at some point in time before next week.

     

  • Patch Lady – Does Woody tell you to not patch?

    Posted on January 22nd, 2020 at 15:02 Susan Bradley

    So over on Twitter Dave Kunkle is taking Woody (and me for that matter, as I use the same wait-to-patch philosophy) to task for telling people to not patch.  With all due respect to Dave, Woody doesn’t tell people to not patch ever…. he just says (as I do) to hold back and wait for the dust to settle.  There is a balancing act one has to do with patching.  When the risk of attacks from attackers rises to a level higher than the risk of side effects of updates, that’s the perfect time to patch.  Right now attackers tend to use either zero day (for which we have no patch) browser exploits, Office exploits, or they go after tried and true entry points like email and phishing attacks.  Targeted attackers will do recon on a network and target the system for unpatched entry points and often use older operating systems to wiggle in.

    One of the problems I see in helping people is that they see someone getting hit with side effects of a patch and consider that it’s widespread for all.  It honestly is not.  Just because person X using Computer Y and having Z printer and whatever else installed gets an issue doesn’t mean you will.  Also many times the act of rebooting will expose an issue that was hiding all along.  Patching wasn’t the root cause, rebooting the machine finally exposed the issue.  But time and again I see people skipping over KB whatever because at one point in time it was noted in the news as causing issues for someone.

    Patching your systems should be an exercise in making sure you are ready for recovery of your system.  If you can’t restore from a backup, not only can you not deal with an update side effect, you can’t deal with the bigger problem of ransomware.

    Woody does not tell people to NEVER patch ever.  He tells people to wait.  He and I realize the reality of the follow up process.  Security Patches are released on the second Tuesday of the month.  By the time people install them and realize there are issues it’s the end of the week.  Enterprises opening up support cases with Microsoft take time to get to the root problem.  So it’s typically the following week that issues are identified and noted on the Windows health release dashboard.  If there is a major problem with a release, whereby the problem is in Microsoft’s code and there’s a major bug,  Microsoft always will pull the update and re-release it.  But here’s the thing.  That honestly and truly rarely happens.

    The reality is that we beat up our Windows machines pretty badly.  We install multiple antivirus programs (please don’t do that), we install third party software that mangles our registries (I am not a fan of CCleaner because of this) and every time we uninstall and reinstall software, it often doesn’t clean up itself well at all.

    Furthermore, if you look at the articles that have been posted, none of us are recommending browsing from a Windows 7 computer if you don’t get updates for it.  Woody, myself, Amy and Ted have gone out of our way to ensure that small businesses could make sure that IF they wanted to continue to get updates after January they could.  This offer is still open and you can still purchase Windows 7 extended support patches by filling out this form.  Even small businesses who need only 1 license can purchase one.  We’re over 200 small businesses (and counting) that will be protected come February’s patch Tuesday.  We do not want you to use Windows 7 for online banking, tax preparation or ANY sensitive info.  I’ve even urged folks to change the DNS settings and take it off the web and isolate it.

    So Dave?  Read those Woody posts again.  He never says to NOT patch ever.  He’s just letting those of us without Technical Account managers, support contracts and extra IT support arms not be the beta testing process for everyone else.  Just hold back a little bit and truly and honestly those of us that are not nation states, Governmental targets or Jeff Bezos will be (and historically have been) just fine waiting until the dust settles.  And if you have an old old update that you’ve not installed and it’s still in your hold list, by all means list the KB number here and I’ll give you my historical perspective on it.  Unless it’s an optional update like a later .NET release, if it’s security related I’ll urge you to install it.  Because by now it’s fine and we’ve figured out any issues with the update and dealt with it.

  • Patch Lady – BornCity reports issue with 1909 KB4528760

    Posted on January 20th, 2020 at 16:47 Susan Bradley

    Windows 10 V1909: Update KB4528760 drops error 0x800F081F

    Over on BornCity he’s reporting tracking some issues with KB4528760.   I’ve already patched several 1909’s with no issues so I’m not seeing this as widespread.  But needless to say we’ll be keeping an eye out as to what’s what.

  • Patch Lady – Windows 10 versus 7 dealing with issues

    Posted on January 20th, 2020 at 15:15 Susan Bradley

    In the post Windows 7 era – if you are now dealing with Windows 10 there are different ways to deal with issues.

    G. Winston Natoli shared this recap of the major ways to fix up 10:

    Windows 10 keeps its own local system image (which it uses to operate a variety of Windows functions)

    • It is not a backup of the system volume or boot volume (the system image you would create using Windows or 3rd party imaging utilities)
    • Windows keeps an additional set of files called the component store located in the WinSXS folder. Note: Windows total component store is comprised of those files in WinSXS and other files (via Hard Links external to WinSXS) in various Windows system folders.
    • DISM commands can: Scan, Check, Clean and Restore (repair) any files within the local system image.

    ScanHealth
    CheckHealth
    Cleanup-Image
    RestoreHealth

    • When restoring/repairing (using DISM’s RestoreHealth command) it will first look locally for file corruption, then automatically repair, going if necessary to Windows Update for the installed-version-specific files. Once done, it has restored the local system image (that Win10 uses to operate), effectively updating and fixing Windows files and ensuring that its component store is sound.
    • SFC needs a clean, updated local system image and component store to function

    Fyi…DISM is not available in Windows 7 and earlier(*).  i.e. the landscape for maintaining and fixing Windows has changed since Windows 7…one of the reasons, SFC in Windows 10 needs a functional, non-corrupted component store.

    Repair Windows 10 Apps

    • Use the Store Troubleshooter
    • See KB4028054

    <https://support.microsoft.com/en-us/help/4028054/windows-10-repair-or-remove-programs>

    If the Repair option is not available for an app, reset or uninstall and reinstall from the MSFT Store. If uninstall is not available, use the MSFT Store check if updates for the App are available then download and update the app.

    As attempted to note earlier…..It’s always a good idea, before changing or attempting to change anything in Windows 10, to validate the local system image using the DISM CheckHealth and ScanHealth commands. Not doing so, one always risks the chance of attempting to fix something that is broken with a broken Windows.

     

    (*) As noted in the forum, it doesn’t do the same in 7 as it does in 10 and therefore not comparable.
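
    The check-then-repair order from the recap above, sketched as an added PowerShell example (not part of the original post or of G. Winston Natoli's recap). It uses the built-in `Repair-WindowsImage` cmdlet, the PowerShell equivalent of `DISM /Online /Cleanup-Image`; the function names `Test-ComponentStore` and `Repair-ComponentStore` are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: validate the Windows 10 component store before any other fix.
# Order: CheckHealth -> ScanHealth -> RestoreHealth (only if needed) -> SFC.

function Test-ComponentStore {
    # CheckHealth is fast: it only reports whether the image is already
    # flagged as corrupted and whether that corruption is repairable.
    $state = (Repair-WindowsImage -Online -CheckHealth).ImageHealthState
    if ($state -eq 'Healthy') {
        # ScanHealth does the full scan of the component store (slow).
        $state = (Repair-WindowsImage -Online -ScanHealth).ImageHealthState
    }
    return "$state"   # 'Healthy', 'Repairable' or 'NonRepairable'
}

function Repair-ComponentStore {
    $state = Test-ComponentStore
    Write-Host "Component store state: $state"

    if ($state -eq 'Repairable') {
        # RestoreHealth repairs from local sources first and falls back to
        # Windows Update for files matching the installed version.
        $state = "$((Repair-WindowsImage -Online -RestoreHealth).ImageHealthState)"
        Write-Host "State after RestoreHealth: $state"
    }

    if ($state -ne 'Healthy') {
        Write-Warning 'Component store is not healthy; SFC skipped because it depends on a sound store.'
        return $state
    }

    # SFC repairs protected system files from the (now verified) component store.
    # Details of what it found are written to %windir%\Logs\CBS\CBS.log.
    sfc.exe /scannow | Out-Host
    return $state
}

Repair-ComponentStore
```

    Run it from an elevated PowerShell prompt; on a healthy machine it performs no repair and goes straight from the scan to SFC.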

  • Patch Lady – forget that crypto one, worry about this one

    Posted on January 14th, 2020 at 21:41 Susan Bradley

    If you are an IT consultant or admin with an Essentials 2012 (or later) server, or use the RDgateway role and expose it over port 443 to allow users to gain access to RDweb or their desktops, forget that crypt32.dll bug.  This one is one to worry about.

    Impacts 2012 and above – so no impact to SBS 2011 or SBS 2008, yes to Essentials 2012 and higher.

    Essentials 2012 exposes RDgateway over port 443 and 3389 is not open to the web (well, not normally) but given that this is a pre-authentication exploit, all an attacker has to do is to throw that crafted request to port 443 rather than 3389 (assuming I’m reading this right).

    So if you patch SMB servers that use RDgateway, worry about patching those servers this time faster than you would normally do.

    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0609

    A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems RD Gateway via RDP.

    (edit:  for anyone asking, 2008 R2 is not vulnerable and thus SBS 2011 is not vulnerable.  It’s only vulnerable on Server 2012 and later, remember SBS 2011’s base operating system drops out of support today)
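
    To decide which servers to patch first, the following added PowerShell example (not from the original post) lists the machines that have the RD Gateway role installed and shows when each last received an update. The server names are constructed placeholders, the cutoff is the date of this post (the January 2020 Patch Tuesday), and `Get-WindowsFeature` requires the ServerManager module (Windows Server or RSAT).

```powershell
# Added example: find servers with the RD Gateway role and triage them by
# the date of their most recent installed update.
$servers = 'ESSENTIALS-01', 'RDGW-01'      # constructed names; use your own inventory
$cutoff  = Get-Date '2020-01-14'           # date of the post (January 2020 Patch Tuesday)

$report = foreach ($server in $servers) {
    $role = Get-WindowsFeature -Name RDS-Gateway -ComputerName $server
    if (-not $role.Installed) { continue } # role absent: not in scope for this advisory

    # Newest hotfix with a usable install date (InstalledOn can be empty).
    $latest = Get-HotFix -ComputerName $server |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        Server        = $server
        LatestHotFix  = $latest.HotFixID
        InstalledOn   = $latest.InstalledOn
        # Heuristic only: an update installed after the cutoff is not proof that
        # the fix for CVE-2020-0609 is present. Confirm against the KB listed
        # for your OS version in the MSRC advisory.
        NeedsAttention = (-not $latest) -or ($latest.InstalledOn -lt $cutoff)
    }
}

$report | Sort-Object NeedsAttention -Descending | Format-Table -AutoSize
```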

  • Patch Lady – Windows 7 FAQs

    Posted on January 10th, 2020 at 22:45 Susan Bradley

    This is a preview of the content in the next Patch Watch.

    Windows 7 is coming to the end of life.  What does that mean?  Here are some “Patch Lady” answers:

    1.  If I rebuild my computer on January 15, will updates be available?  Yes, Windows 7 updates won’t go away, you just won’t get any new patches on that Windows 7 after next Tuesday. (The exception is for Windows 7 Pro, Ultimate and Enterprise versions if you are a small business.  Remember that for small businesses, Microsoft has made an exception and you can purchase Windows 7 extended support updates to be delivered via Windows update, WSUS or windows catalog.  If you need to know more, fill out this form and Amy and Ted will get back to you).
    2. I’ve heard from Comcast (or my ISP) that they will only allow Windows 10 on their network after next Tuesday, what does that mean?  No, Comcast is probably just letting you know that next Tuesday will be the last release of public patches for Windows 7.  Your computer will still work after next Tuesday.  However, you’ll want to be very careful and not do random surfing on any device that no longer receives patches.
    3. Will Microsoft release patches if there is some huge worm to unprotected machines?  Maybe.  Probably yes.  Historically speaking, Microsoft time and time again have showcased that when their customers are at risk they will do the right thing and release updates even when a platform is out of support.  Just this year they publicly released Windows XP patches when they thought a worm event might occur.  So historically, yes, when they think customers are at risk, they will release public patches.
    4. If I rebuild my computer after January 15, what’s the best way to get fully patched?  Remember that you will run into the slow scanning issue with Windows 7.  Follow this guidance and manually download certain patches first.
    5. Will AskWoody.com still cover the needed updates for Windows 7 so we know what we’re missing, or if I’m a small business and have purchased patches, I’ll know if it’s safe to install them?  Yes, I still plan to list all Windows updates and report on any side effects that may be seen.  I know that the rest of the AskWoody MVPs will still keep an eye out for side effects and issues as well.  Given that Microsoft plans to release the Windows 7 updates to all normal patching platforms, I fully anticipate being able to track the updates.  Furthermore I’ve purchased a single Windows 7 license in order to track issues myself.
    6. Can I surf and read email and do everything I need to do on my Windows 7 after January 14 as a home user?  I’m not comfortable at all saying that “oh sure, as long as you are paranoid you can be secure enough”.  On a daily basis I notice at the office that my firewall blocks phishing attempts from foreign countries, I see attempts to crack passwords, I see malicious banner ads in rotation on normal web sites that my firewall stops.  If you have an Android phone, iPhone, Chromebook or some other operating system, I’d much rather you do general surfing on that device and limit your use of your beloved Windows 7 device for those applications that you know won’t work on a device or on Windows 10.

    ….stay tuned.  More FAQs to come

  • Patch Lady – once upon a reboot

    Posted on January 7th, 2020 at 17:00 Susan Bradley

    Once upon a time we were told that with Windows 10 you’d never be more than 2 patches away from fully patched.

    Just purchased two Surface Go units with Windows 10 Pro and so far I’m at least a dozen updates, four reboots and a feature release away from being fully patched.

    Well it’s not as bad as trying to fully patch a freshly built Windows 7…but still…  (sigh)

  • Patch Lady – Still running Small Business Server?

    Posted on January 6th, 2020 at 23:04 Susan Bradley

    Remember it too comes to end of life in January 2020.  While Exchange 2010 is still supported until October, the base OS of the server is not and for sure there’s no way to get extended patches for it.

    If you have not migrated there are resources to help you… most of these are not free, but if you need help just know that there are people out there still supporting and migrating Small Business Servers.

    1. https://www.server-essentials.com/ Mariette Knap was a SBS MVP years ago and she’s still out here supporting small businesses.  If you need to know how to get from point A (an old SBS box) to point…whatever… she probably has the documentation for you.
    2. https://www.itpromentor.com/  If you are trying to get your head around Office 365 (not to be confused with the Office suite, but the hosted email service) Alex Fields’s site is your helpful go to place to get guidance in making Office 365 secure for small business.  It is my personal opinion that by default – as you get it delivered to you from Microsoft, you are a sitting duck for attackers.  They know you have basic authentication enabled, they know you don’t have multi factor turned on, they know that if you are like most of us you’ve reused the same web password for 1/2 a dozen things.  And you are a sitting duck for phishers to go after you.  Alex’s guidance and security best practice checklists make it so that you CAN be secure.
    3. If you are … yes they are still out there… still running SBS 2003 and are worried about the server shutting down because it no longer holds the FSMO roles there’s a workaround.  It’s an Active Directory domain thing that Small Business Server in particular has to be the only root domain in the network… if you have two domain controllers online and you move the FSMO roles over to the new domain controller, the SBS box will shut down.  If you need to buy yourself more time to migrate the server there’s a long standing “hack” that has worked for years.  Bottom line don’t panic.
    4. The main thing to remember – especially with ransomware – and <cough> all of the political news that is warning that attacks from overseas might come via cyber means, is to have a backup.  Have a backup even if you are in the cloud.  If you are running online or hosted email in the cloud you can look to vendors to add backup of Cloud services.  If you are merely running a small peer to peer network, make sure you have backups even if it’s as simple as a usb attached hard drive.  Do check if your local backup vendors provide a way to have a “permission” protected backup so that the ransomware attackers can’t encrypt your local backup as well.  Many vendors provide free backup software but in my experience with them, they don’t provide the necessary “hiding” of the drive so that attackers could end up attacking the backups as well.  Consider multiple usb drives in rotation.
    5. As the support for Small Business Server 2011 formally and officially comes to a complete end, rethink how you have your network set up.  Do you really need a domain?  Should you go back to peer to peer?  What’s really key for your business?  Should some things be in the cloud?  Don’t merely think a virtual server in a cloud location is the best solution.  Moving QuickBooks desktop to a hosted server may not be the best (and truly isn’t) experience for you and your business.
    6. Remember as a small business you can purchase for $61(US) the first year of extended security updates for Windows 7 (Amy’s form to request more info here).  However this will not protect your Server.  It will stop getting Windows Server updates on January 14, 2020.

    Bottom line, a lot of Small Business Servers were installed in places where the price of the product was great, but the fit to the business needs not so much.  Hopefully most (all) of you reading this post will say … oh this is old news, I’ve migrated years ago… but in case you haven’t…. you aren’t without resources and help.