ISSUE 22.16.1 • 2025-04-22 By Susan Bradley After every Patch Tuesday, there is a period I call “cleanup time.” By the end of the week, side effects s
[See the full post at: MS-DEFCON 3: Cleanup time]
Susan Bradley Patch Lady/Prudent patcher
Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
Tags: alerts Blue screens of death BSOD CVE-2025-21204 CWE-59 KB5002623 KB5002700 KB5055523 KB5055526 KB5058919 KB5058920 KB5058921 KB5058922 MS-DEFCON MS-DEFCON 3 Patch Lady Posts Server 2025 Windows 11 24H2
Worse, the April updates do not check to make sure that workaround patch is applied and thus installation of the April patches is not blocked, as it might be for other serious missing patches.
Aren’t monthly updates cumulative? Most only saw an empty inetpub folder in April.
If you use one of the “boxed” versions of Office, such as 2016, that uses individual updates — and not the Microsoft 365 click-to-run version — you’ll want to handle the April updates carefully.
Isn’t 2016 the only one?
When I did my (granted, single-box) test, where I had installed March, removed the inetpub and then installed the April updates, it didn’t put the inetpub folder back. I need to test more. At least the preview to release behavior was confusing.
I see both Windows Central and Bleeping Computer providing this workaround to recreate a mistakenly deleted inetpub folder: enable IIS, reboot, disable IIS (if you don’t need it):
I would think that a short script could recreate the folder with proper permissions, but IIS is the “official” way to fix it.
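A read-only check of the folder's current state is a useful first step before either fix; this is an added example, not code from the thread or from Microsoft. It assumes the folder belongs at the root of the system drive, and the function name `Get-InetpubState` is made up for the example. It reports whether the folder is missing, is a junction or symlink (the link-following case, CWE-59, named in this topic's tags), who owns it, and which broad groups hold write-type rights on it.

```powershell
# Added example: read-only audit of the inetpub folder; it changes nothing.
# Assumption: the folder is expected at the root of the system drive.
$InetpubPath = Join-Path $env:SystemDrive 'inetpub'

# Broad principals, matched by well-known SID so the check works on localized systems.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Write-type access bits: WriteData, AppendData, DeleteSubdirectoriesAndFiles,
# Delete, ChangePermissions, TakeOwnership, GENERIC_ALL, GENERIC_WRITE.
$WriteMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-InetpubState {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Path = $Path; State = 'Missing'; Target = $null; Owner = $null; BroadWriteAccess = @() }
    }

    # A junction or symlink at this path is the link-following case to look for.
    $isLink = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
    $state  = if (-not $item.PSIsContainer) { 'NotADirectory' } elseif ($isLink) { 'ReparsePoint' } else { 'Directory' }

    # Read the ACL with SIDs instead of translated account names.
    $acl   = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $broad = foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $BroadSids.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $WriteMask)) {
            '{0}: {1}{2}' -f $BroadSids[$sid], $ace.FileSystemRights, $(if ($ace.IsInherited) { ' (inherited)' })
        }
    }

    [pscustomobject]@{
        Path             = $Path
        State            = $state
        Target           = ($item.Target -join '; ')
        Owner            = $acl.Owner
        BroadWriteAccess = @($broad)
    }
}

Get-InetpubState -Path $InetpubPath | Format-List
```

A folder recreated by hand inherits its access entries from the drive root, so any inherited entries listed under `BroadWriteAccess` are the ones to review.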
I’ve seen domain-recognition NLA issues for many years. A registry fix for Server 2022 no longer works with Server 2025. There is some indication that Microsoft is working on a fix (see this thread).
I found “Restart-NetAdapter *” a bit of a sledgehammer, so with help from Google Gemini, I wrote a script to only restart adapters with a Public policy, and to document the change in the Event Viewer. I use a scheduled task to run that one minute after reboot on my Server 2025 machines. Blogged here:
Server 2025 Domain Controller Not on Domain
https://www.mcbsys.com/blog/2025/03/server-2025-domain-controller-not-on-domain/
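A sketch of the approach described in the post above, as an added example; it is not the poster's script, which is at the linked blog. It assumes Windows PowerShell 5.1 running elevated, and the event source name `NlaProfileFix`, the event IDs and the 15-second wait are all made up for the example.

```powershell
# Added example, not the poster's script. Run elevated in Windows PowerShell 5.1.
# Assumptions: the source name, event IDs and wait time below are illustrative.
$Source = 'NlaProfileFix'
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# Only adapters whose connection profile was classified Public are touched.
$public = @(Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public')

if ($public.Count -eq 0) {
    Write-EventLog -LogName Application -Source $Source -EventId 1000 -EntryType Information `
        -Message 'No adapter has a Public network profile; nothing restarted.'
}
else {
    foreach ($p in $public) {
        Restart-NetAdapter -Name $p.InterfaceAlias -Confirm:$false

        # Give network location detection time to run again before re-reading the profile.
        Start-Sleep -Seconds 15
        $after = Get-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex -ErrorAction SilentlyContinue
        $now   = if ($after) { [string]$after.NetworkCategory } else { 'unknown (no profile yet)' }

        # Warn if the adapter is still not DomainAuthenticated, so the event can be alerted on.
        $type = if ($now -eq 'DomainAuthenticated') { 'Information' } else { 'Warning' }
        Write-EventLog -LogName Application -Source $Source -EventId 1001 -EntryType $type `
            -Message ("Adapter '{0}' had profile Public and was restarted; profile is now {1}." -f $p.InterfaceAlias, $now)
    }
}
```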
Susan, I don’t have Office. I have a 2021 standalone copy of Word – this happened once before in 2022, saved the emails. NINE hours on the phone before it got resolved. Don’t know what caused it, but Word would no longer open, couldn’t even find it in Explorer. It’s worked fine until now though I rarely use it, have been using WPS suite. But reading your column today, I checked and again, Explorer can’t find word.exe, not in my list of programs and when I try to open Word, I get a message saying they can’t open the program and to go online to Office 365, which I don’t have. I’m retired have no use for the Office suite nor any need or desire to use their Cloud for as little as I use a word processor these days. I got WPS free version because I did have need of a spreadsheet last month.
So, what do you suggest as a fix here – I don’t have a network share drive, nor a clue as to how to fix and would really rather not spend 9 hours on the phone with Microsoft again to get them to set things right when there’s a patch somewhere that can do that? Sigh.
I do, and I’m trying, but it appears it’s installing Office 365, which I don’t have, it’s a standalone copy of Word 2021 Home and Student. I originally had Excel too, in the 2016 version, but when I retired I no longer needed Excel, so that last time this happened, I called MS, the 9 hour conversation, and was told that I didn’t need that package and they offered just Word now, so I got that. I’ll let you know what happens after this download, I’m running the original install file from 12/21.
That did fix it. Saved me 8 3/4’s hours. Thank you! :^) gene
Is it generally considered necessary to do that first restart at 30%? I always leave the updating alone at that point and ignore the restart prompt. It automatically goes back to 0% and updates through to 100% when it prompts a restart, and that’s when I do the restart. Is that what others do or is the earlier restart prompt important?
The 30% restart that people refer to is after you click on the presented restart prompt and you then see a blue screen that says something like “working on updates. don’t turn your computer off” and you see a percent-done number. When it gets to 30% you’ll see a message that says the computer is restarting. The computer restarts on its own – you don’t need to do anything.
The first 30% sets the patch’s status to a type of pending status (“staged” I think they call it?) and then, after the reboot, the patch’s status is changed to, I believe, installed and the machine then finishes rebooting with the new patch fully applied.
The status I’m referring to is its status within Windows’ inner workings of Windows Update and the bits and pieces that make it up.
Any idea why it does that? It’s always bugged me why it only goes to 30% then restarts, then finishes.
Hi Frahaleah:
Just a guess on my part, but perhaps it’s designed to pause at 30% completion to finish the installation of any new Servicing Stack Update (SSU) bundled with the monthly cumulative Quality update. Prior to February 2021 SSUs for Win 10 were released as separate updates and were installed first by Windows Update before any other available updates for the Windows OS were applied.
———–
Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.5737 * Firefox v137.0.2 * Microsoft Defender v4.18.25030.2-1.1.25030.1 * Malwarebytes Premium v5.2.11.183-131.0.5227 * Macrium Reflect Free v8.0.7783
Any idea why it does that? It’s always bugged me why it only goes to 30% then restarts, then finishes.
Here’s the scoop on exactly why this happens…
Just as a user can’t replace an existing Windows file while it’s currently in use, neither can Windows update.
So, when it restarts, the count up to 30% before it actually reboots happens because it’s configuring the system to replace those existing files with the new updated ones (as @Bob99 pointed out, their status is set to “staged“.)
Once Windows restarts, before the Windows OS actually starts running, the Windows Recovery Environment (WinRE) runs, the old files get replaced with the new “staged” files and, as @Bob99 pointed out, their status is changed to “installed“.
The Windows OS then starts running and the update continues installing, registering and activating the remaining 70% of the new components/features.
Windows 10 finally gets the fix for “Event Viewer displays an error for System Guard Runtime Monitor Broker service”
Preview update – which means it will be in next month’s updates.
Susan Bradley Patch Lady/Prudent patcher
enable IIS, reboot, disable IIS (if you don’t need it)
Why install something if you don’t need it?
If Microsoft needs that folder in place, it should make clear why and impress upon users that the Internet’s long position that the folder is not needed is no longer correct. But Redmond didn’t document this – it just did it.
Updated and all is well.
2025-04 Cumulative Update for Windows 11 Version 23H2 for x64-based Systems (KB5055528)
2025-04 Cumulative Update for .NET Framework 3.5 and 4.8.1 for Windows 11, version 23H2 for x64 (KB5054980)
Advanced Micro Devices, Inc. – Display – 32.0.12033.1030
Update for Windows Security platform – KB5007651 (Version 10.0.27777.1008)
Windows 11 Pro
Version 23H2
OS build 22631.5189
…impress upon users that the Internet’s long position that the folder is not needed is no longer correct
Like one of Pavlov’s dogs, my pre-conditioning kicked in the moment I saw that folder on a new install… and I deleted it immediately.
Oopsie…
Too many memories from previous Windows iterations where it was a malware signature when IIS wasn’t *specifically* installed and called for… and the hazards of web scripting just weren’t warranted.
Hope this helps…
No one is being forced against their will to be a tester for MS, although it may seem like it at times.
But, if you’re tired of feeling like you’re being used as one, there are other options out there for using a computer, such as switching your OS to Linux or getting something from Apple which would change both your hardware and your OS and may require you to learn a new program for certain things you use the computer for.
I, for one, am contemplating making the move to Linux Mint when the time is up for Windows 10 support in October or perhaps after a year of MS’s consumer grade ESU support.
This was a rude discovery. I often right click to see recent files, but the feature is no longer available.
I often right click to see recent files, but the feature is no longer available.
Hi curious leo:
I don’t have this issue on my Win 10 Pro v22H2 laptop, so if it’s a deliberate design change by Microsoft then it hasn’t been rolled out to everyone yet. Windows Update installed KB5055518 (OS Build 19045.5737) on my system on 11-Apr-2024 and I’m still seeing the “Recent” files jump lists on most of my Start menu tiles.
———–
Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.5737 * Firefox v137.0.2 * Microsoft Defender v4.18.25030.2-1.1.25030.1 * Malwarebytes Premium v5.2.11.183-131.0.5227 * Macrium Reflect Free v8.0.7783
I wonder how many people are impacted.
Hi curious leo:
From that Windows Latest article Windows 10 removes Start menu jump lists (file list) for tiles in April 2025 Update you referenced:
“Is this a bug or an intentional change? We don’t know, and it’s tough to tell because Microsoft is also removing Clock from the Windows 10 Flyout.”
Has the clock with the seconds counter disappeared from your system tray calendar flyout as well? I still have that clock in my flyout after installing KB5055518 (OS Build 19045.5737) on my Win 10 machine (see my image below), and I speculated in my 14-Apr-2025 post # 2763443 in WSCape Sand’s Clock missing above calendar in Windows 10 that this Win 10 feature change is also being rolled out slowly by Microsoft.
———–
Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.5737 * Firefox v137.0.2 * Microsoft Defender v4.18.25030.2-1.1.25030.1 * Malwarebytes Premium v5.2.11.183-131.0.5227 * Macrium Reflect Free v8.0.7783
Wth? If this would happen, it’d be a solid reason for me to avoid updates from now on and consider that end of support came early. I click the taskbar clock to have it pop up, large and with seconds, to time something or see exactly how long’s left until a certain moment, or occasionally just to see the exact time for the heck of it, multiple times per day. It’s a basic function, why the heck would they remove it?
“the risks of updates are just as great as the risks of attacks”
Appreciate this acknowledgement that when it comes to MSFT sometimes the cure is worse than the disease.
Hi,
Just happened to be the unlucky finder of a bug in KB5055526. This was a tricky one as it only applies to a few users in the organization and when it is installed on a Domain Controller. We are using 2022.
What happens is that the user will be locked out several times during the day. This happens whether they are using username/password/DUO or smartcard for login. It seems that it is heavy users with a lot of tabs or applications open at the same time that are using SSO.
You can study Event Viewer, run DCdiag, repadmin, DNS etc. but everything is fine there. The resolution was to uninstall the update.
Single sign on – to what other applications?
https://www.helient.com/insights/important-update-addressing-recent-microsoft-entra-user-blockages
And it’s not related to that is it?
Susan Bradley Patch Lady/Prudent patcher
Susan Bradley wrote: If you use one of the “boxed” versions of Office, such as 2016, that uses individual updates — and not the Microsoft 365 click-to-run version — you’ll want to handle the April updates carefully.
Isn’t 2016 the only one?
I asked Perplexity’s Artificial Intelligence the following questions: Does KB5002700 apply only to “Office 2016”, or does it also apply to other boxed versions such as “Office 2021”? Do users of “Office 2021” also need KB5002623 to offset the effects of KB5002700?
Perplexity responded that it only applies to Office 2016, and users of Office 2021 don’t need KB5002700. Is Perplexity correct about this? You can view their full response including the sources they cite by typing in those same questions into their search engine at xxxxx .
[Moderator edit] no need to advertise search engines, removed link.
I’d like to correct a slight error in the posting I made a few hours ago (shown above). I had said that “Perplexity responded that it only applies to Office 2016, and users of Office 2021 don’t need KB5002700”. What I should have said was “Perplexity responded that it only applies to Office 2016, and users of Office 2021 don’t need KB5002623“. I noticed this mistake only after it was too late to edit my response, so I’m posting it now.
[Moderator edit] no need to advertise search engines, removed link.
Yet another new, undocumented rule? The newsletter includes Perplexity links.
In layman’s terms for a Windows home user on Win 10 22H2, what does the consumer need to look out for within these updates mentioned in this thread?
Thanks.
Win 10 Home 22H2
In layman’s terms for a Windows home user on Win 10 22H2, what does the consumer need to look out for within these updates mentioned in this thread?
Win7and10: Since I myself am a layman, I also had a hard time understanding some of the discussion this month. So I may not be much help to you, other than to tell you that I also have Win 10 22H2 and I just went ahead and did my updates the same way I always do every month and everything went smoothly. I didn’t appear to encounter any issues. The only question I had before doing the update pertained to Susan Bradley’s statement that said “if you use one of the “boxed” versions of Office, such as 2016, that uses individual updates — and not the Microsoft 365 click-to-run version — you’ll want to handle the April updates carefully.” At the time, I thought that I did not have a Microsoft 365 click-to-run version (because I’ve tried to avoid Microsoft 365), and this resulted in me making a posting #2767836 (above). However, since that time, I’ve done further reading and learned that I do have a “click-to-run” version despite the fact that I’ve tried to avoid Microsoft 365, and so it looks like it wasn’t necessary for me to make that posting. Apparently the reason I have “click-to-run” is that boxed versions of Office 2021 apparently always use “click-to-run” (at least that’s my understanding of it).