• MS-DEFCON 2: Will September updates behave?

    #2475692

    ISSUE 19.36.1 • 2022-09-08 By Susan Bradley Microsoft patches need to go back to school, too. Summer vacation is over, which means it’s time for young
    [See the full post at: MS-DEFCON 2: Will September updates behave?]

    Susan Bradley Patch Lady/Prudent patcher

    5 users thanked author for this post.
    • #2475720

      Last month you had MSDEFCON set at 3.  Is it safe to install Windows 10 home update for consumer before the September update comes out or are you not recommending either one?

      Custom Build - Intel i5 9400 5 Core CPU & ASUS TUF Z390 Plus Motherboard
      Edition Windows 10 Home
      Version 22H2

      Dell Laptop - Inspiron 15 11th Generation Intel(R) Core(TM) i5-1135G7 Processor
      Edition Windows 11 Home
      Version 23H2

    • #2475724

      By blocking the uncertain update will you not also block security, driver and .NET Framework updates also?

      What MS needs to do is go back to Win7 style, where each update must be selected.

      1 user thanked author for this post.
    • #2475742

      I’m confused (which seems to happen a lot these days).

      At the top of the current Master Patch List it says:

      “List updated as of 8/29. I recommend Windows 10 21H2 at this time.”

      In today’s (09/08/2022) AskWoody Alert it says:

      “In addition, I’ll urge you to check that you have selected the feature release you want to be on. Using any of these Registry keys will keep the systems on 22H1 and prevent 22H2 from installing.”

      I am still on Win10 Pro 21H2 with Group Policy set to keep me there based on the recommendation at the top of the Master Patch List.

      I just successfully installed the August updates KB5012170 and KB5016616.

      Should I now change Group Policy to keep me at 22H1 or is it OK to leave it at 21H2?

      Thanks!

      1 user thanked author for this post.
      • #2475743

        That should have been 21H2, NOT 22H1.
        Stay on 21H2.

        ***** UPDATE: This has been corrected on the site.
        I can’t fix any external notification.

        5 users thanked author for this post.
        • #2475762

          Clearly the heat is getting to me.  We are on 21H2, 22H2 is coming (there is no 21H2 22H1)

          Moderator note: Fixed that one, too 🙂

          Susan Bradley Patch Lady/Prudent patcher

          1 user thanked author for this post.
      • #2475745

        You know I thought I had accidentally hit post when I read this, bc I was writing a post saying the exact same thing – I’m confused and it happens a lot!! : D

        I have the same Q + another Q – is this where we can set the version using GP Edit?  I don’t recall where I had put in the version number. I use GPedit to control versioning (not registry): Windows Update for Business -> Windows Components->Select target Feature Update version?  I have Windows 10 in the top box. Do I put 21H2 in the bottom box (Target Version for Feature update)?

        I use WUmgr and show these hidden, as per the MPL: 5012170 & 5005463

         

    • #2475744

      Thanks PK!

    • #2475761

      I use GPedit to control versioning (not registry): Windows Update for Business ->

      In the same location as Select the target Feature Update version which you’ve successfully filled out, there is also Manage preview builds. I would suggest enabling and selecting Disable preview builds.

      1 user thanked author for this post.
    • #2475771

      Will September updates behave?

      Probably not, but that’s what backups are for.

      On permanent hiatus {with backup and coffee}
      offline▸ Win10Pro 2004.19041.572 x64 i3-3220 RAM8GB HDD Firefox83.0b3 WindowsDefender
      offline▸ Acer TravelMate P215-52 RAM8GB Win11Pro 22H2.22621.1265 x64 i5-10210U SSD Firefox106.0 MicrosoftDefender
      online▸ Win11Pro 22H2.22621.1992 x64 i5-9400 RAM16GB HDD Firefox116.0b3 MicrosoftDefender
    • #2476442

      G’day folks

      I am on Win 10 Home, 21H2.  I just tried to install the registry key to stay on 21H2 as advised, using the provided link, but it would not install, with a Registry Editor error saying it could not import the file, due to “Error accessing the registry”.

      The sequence after initially clicking the link was first the general warning about executable files, then next a warning about the security certificate for the file not being able to be verified, followed by the above final registry warning.

      Is the certificate warning a real issue?  Should the certificate be able to be verified?

      I suspect the final registry warning may be related to something about Protected Folder Access, which I can probably remove temporarily if required.  Also, I am using the limited user account, not an administrator account, if that makes a difference.  Just wondering about the certificate verification.

      The feature updates haven’t been forced on my machine in the past, but these days I tend to use “Check for Updates” after the updates have installed, to see if there is a Servicing Stack Update available, so wanted to have the registry key as extra protection.

      • #2476507

        I tend to use “Check for Updates” after the updates have installed, to see if there is a Servicing Stack Update available

        First, in Win10, the Servicing Stack is bundled with the Cumulative Update. It is NOT listed separately and you will NOT see it even if you “Check for updates.” It installs at the same time as the CU. To verify, click “View Update History” and at the top of the page click on “Uninstall updates.” That will take you to the list of installed updates.
        FYI: “Check for updates” is not just checking, it is essentially a command to download/install ANY/ALL available pending updates.

        Also, I am using the limited user account, not an administrator account, if that makes a difference.

        Second, you should use an Administrative account for this.

        suspect the final registry warning may be related to something about Protected Folder Access, which I can probably remove temporarily if required.

        I do not use Protected Folder Access, but this may also be part of your problem.

         

        1 user thanked author for this post.
        • #2476517

          Thanks PK

          The page listing updates that can be uninstalled shows lots of Servicing Stack updates, but only a small number of other updates (23 in all, back to Oct 2020).  Most of the security updates seem to be missing from the list, except the latest one from August.  The initial list of updates in View Update History shows just the quality updates as 37 in all, back to Oct 2020.  Not sure why fewer in the uninstall list?

          I retried the reg key installation in the admin account, and the same results occurred.  It still tells me it can’t verify the certificate, and can’t access the registry.  Is the certificate verification a problem?

          • #2476524

            Most of the security updates seem to be missing from the list, except the latest one from August.

            That is because the updates are cumulative.
            History is just that, history. The earlier updates were installed, you can’t erase history.
            But, the Cumulative August update contains the July updates, June updates, May updates, etc (that is what cumulative means). The earlier updates have been superseded, so the only one that is relevant is the last one (August) and the earlier ones (contained in the August one) are no longer listed.

            Servicing Stacks are individual updates, not cumulative. So past SSUs will be listed

            2 users thanked author for this post.
            • #2476532

              Thanks PK

              That makes sense.

              Is the unverifiable security certificate a problem?  I don’t want to try disabling Controlled Folder Access if it might be.

              Why would a certificate from an AskWoody knowledgebase site have a problem?

            • #2476535

              I have never had a problem with scripts downloaded from the AKB. Try downloading it again from the Admin account, double click on it, and give it permission when the prompt appears.

              2 users thanked author for this post.
            • #2476670

              Thanks PK

              I tried adding the registry key to another machine, using the admin account, and the same warnings came up, including the certificate warning.  It is warning that the Publisher cannot be verified, not the certificate itself.

              Anyway, I continued to click through, and the other warnings came up as before, but the registry key was successfully imported.

              I repeated this process with my original machine, and it successfully imported the key, with the same series of warnings prior.

              The job is done, and we will see how the machines react when 22H2 comes out.

              I am still baffled as to why the Publisher of the certificate from the AKB is being questioned.

              1 user thanked author for this post.
    • #2476461

      I just tried to install the registry key to stay on 21H2 as advised, using the provided link, but it would not install, with a Registry Editor error saying it could not import the file, due to “Error accessing the registry”.

      Use InControl.

      1 user thanked author for this post.
      • #2476520

        Thanks Alex5723

        I will pursue a fix not requiring a third party app initially.

    • #2476566

      Thanks Alex5723

      I will pursue a fix not requiring a third party app initially.

      It is a portable app from a very well-known developer that implements exactly the same registry updates as the .reg updates in an easier way.

      1 user thanked author for this post.
    • #2476583

      Dear Susan,

      You wrote:

      “As I posted the other day, if you have BitLocker enabled, be sure you know exactly where your recovery key is located. I’ll post more about this process in next week’s column”

      I have dealt against BitLocker in a brand new DELL.
      I have at hand my recovery key in a .txt file located in several places.
      Googling for the best way to store/use it I read on a MS page that there is a way to store it in a flash drive to use it during the start.
      But I could not find how to do that.
      The only way I found was to create a .txt file with it and record it on an external drive to be read in another PC and to type it on the blocked one.
      Typing a long string of alphabetical characters on a blocked PC is not very easy.
      Maybe you can find something better for us.

      Best regards,

      Jorge

      • #2476668

        I have dealt against BitLocker in a brand new DELL.
        I have at hand my recovery key in a .txt file located in several places.
        Googling for the best way to store/use it I read on a MS page that there is a way to store it in a flash drive to use it during the start.
        But I could not find how to do that.

        You can’t do that. The entry of a recovery key when required cannot be automated.

        What you found was an option for an additional requirement to use a special USB key to be inserted to unlock the disk at every startup for increased security, as linked by @alejr below, but that’s unrelated to the recovery key.

         

        The only way I found was to create a .txt file with it and record it on an external drive to be read in another PC and to type it on the blocked one.
        Typing a long string of alphabetical characters on a blocked PC is not very easy.

        It’s not very difficult either. I’ve done it many times and rarely made typing errors. In special circumstances I’ve also read the 48 characters (as 8 blocks of 6) over the phone to be entered by verified staff members, and that usually goes without a hitch too.

        Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.

        BitLocker recovery guide
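
Added example (not part of the original post or of Microsoft's documentation): a transcription check for the recovery password described above, usable before a key is read out or typed in. The post states only that each 6-digit block carries a checksum; the rule used here, that each block is a multiple of 11 whose quotient fits in 16 bits, is the commonly documented format and is an assumption relative to this page, and the sample passwords are constructed.

```python
import re

MAX_QUOTIENT = 0xFFFF  # assumption: block / 11 must fit in 16 bits

# Constructed sample values, not real recovery passwords.
GOOD = "110000-135795-220000-330011-440022-550033-660044-720885"
# Same password with the last two digits of block 2 swapped.
TYPO = "110000-135759-220000-330011-440022-550033-660044-720885"


def check_block(block):
    """Return None if the block is well-formed, otherwise a reason string."""
    if not re.fullmatch(r"[0-9]{6}", block):
        return "not six digits"
    value = int(block)
    if value % 11 != 0:
        return "checksum mismatch (not a multiple of 11)"
    if value // 11 > MAX_QUOTIENT:
        return "out of range (quotient exceeds 16 bits)"
    return None


def validate_recovery_password(text):
    """Map 1-based block number -> reason for every bad block.

    An empty dict means all 8 blocks are well-formed. Key 0 reports a wrong
    block count. Blocks may be separated by hyphens or whitespace.
    """
    blocks = [b for b in re.split(r"[\s-]+", text.strip()) if b]
    if len(blocks) != 8:
        return {0: "expected 8 blocks, got %d" % len(blocks)}
    errors = {}
    for number, block in enumerate(blocks, start=1):
        reason = check_block(block)
        if reason:
            errors[number] = reason
    return errors


if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("typo", TYPO)):
        print(label, validate_recovery_password(sample) or "all blocks well-formed")
```

A password that passes is only well-formed; whether it unlocks a given volume is decided by BitLocker itself.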

    • #2476590

      How to Use a USB Key to Unlock a BitLocker-Encrypted PC

      Note: it requires setting a specific Group Policy so Windows “Home” users won’t be able to do this.

    • #2476899

      Windows updates will probably never be stable consistently on a month by month basis. The hope with each release is that it is stable for the majority. The complexity and sheer number of fixes each month is bound to cause at least some issues. Seems like we are all beta testers who are tasked with evaluating these updates and finding the issues related to specific systems.

    • #2477019

      Hi Susan,
      I am Win10/Pro, 21H2, GP=2 (notify download/install), TRV=Windows 10 & 21H2, Local Computer Policy | Computer Configuration | Administrative Templates | Windows Components | Windows Updates | Windows Update for Business | “Select when Preview Builds and Feature Updates are received” enabled > “Select the Windows readiness level for updates you received”: Semi-Annual Channel selected & “After a Preview Build or Features Update is released, defer for this many days”: 0 selected.

      This Newsletter article (ISSUE 19.36.1 • 2022-09-08 “MS-DEFCON 2: Will September updates behave?”) has a link to blockapatch.com, where there is a description of how WUSHOWHIDE works and how to use it.

      I have a question about the Advanced link in WUSHOWHIDE.

      I’ve always bypassed the Advanced link when running it. I assume that means that the ‘apply repairs automatically’ box is ticked, rather than unticked.

      However, I don’t understand the consequences of bypassing the Advanced link and not unticking the checkbox, as they are stated <here> by @rrabbit (Kirsty).

      If you don’t untick the checkbox, you do not gain the control of which updates get hidden or shown!

      When I click on the “Hide Updates” link, I see a list of updates that are currently in the WU queue. On the other hand, when I click on the “Show hidden updates” link, I can see a list of updates that have previously been hidden. That hidden-update list does not change, unless WU withdraws it or comes up with a replacement (a newer CU is available) or I’ve previously unhidden the update and it was installed then.

      So, it doesn’t appear to me that I’ve lost control of which updates get hidden or shown: “Hide Updates” shows me what can be hidden and “Show hidden updates” shows me what is hidden.

      Have I not (seemingly) lost control because I have GP=2 (notify download/install)? And/or because I have the Windows Business Update for Business settings, as stated above?

      Or is there some other reason that I seem not to have lost control of which updates get hidden or shown?

      Or have I lost control of which updates get hidden or shown and I don’t know it??

      I am puzzled b/c I see no difference, box ticked or box unticked.

    • #2477696

      Oops.  I did not set the delay install for updates, and had the Windows Cumulative update for Windows 10 install on my machine this morning.  It completely cleared my desktop and started with good ole Windows 10 desktop of the blue window.  I was afraid that I would have to rebuild my desktop that I have had for many years.  Fortunately, it all uninstalled completely and I recovered all I thought I had lost.  I don’t know what Microsoft is hoping this update will lead to, but for now, I warn everyone to BACKUP, BACKUP, BACKUP.
