MS-DEFCON 3: Patch carefully

Topic

New Reply

ISSUE 20.34.1 • 2023-08-22 By Susan Bradley August can be a weird month where patching is concerned. I’m lowering the MS-DEFCON level, but with cautio
[See the full post at: MS-DEFCON 3: Patch carefully]

Susan Bradley Patch Lady/Prudent patcher

7 users thanked author for this post.

deuce120, J9438, CADesertRat, jburk07, DLivesInTexas, abbodi86, lmacri

Reply | Quote

Replies

As for the Domain Join settings – I’m puzzled. Read the whole article. In the Take Action section, it describes the needed Policy Settings. But at step 5 it says in bold: Do not add the user account that performs the domain join. Uhhhh??? So if I use the Domain Admin account to join pc’s to the domain, I should <span style=”text-decoration: underline;”>NOT</span> specify that user??

The explanation for this Policy Setting:

This security setting determines whether the domain controller will allow a client identity to attempt to re-use an existing computer account owned by a different identity during domain join.

By default, the following owners are trusted: Administrators and the user performing the domain join.
When this policy is configured with a list of trusted users or groups, the domain controller will allow a client to re-use a computer account that is owned by a member of the specified group or specified identity during domain join.

I think what’s meant is that if user X joins a pc to a domain, where user X doesn’t have Admin permissions, you should not add user x to the list of allowed users.

But then – how can user X add a pc to a domain in the first place? To my knowledge, you need Admin permission to add objects to Active Directory?

Reply | Quote

Any authenticated user can join a computer to the domain
https://blog.compass-security.com/2020/03/domain-join-computers-the-proper-way/

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

I’m stunned – never knew that? Really stupid! But I know do understand the fuzz about this thing – had me a bit puzzeled to start with – why all those steps etc. if you have to be Admin to join pc’s in the first place….

Reply | Quote

There was a lot going on this month, servers and whatnot. So as a Win 10 home user with a desktop I can go ahead and update?

Reply | Quote

As someone who usually waits till Defcon 4, should I wait till defcon 4, or go ahead and patch. I personally have not seen any problems this month, so maybe I’m better off waiting till it hits defcon 4. What do you guys think?

Reply | Quote

All of my home computers patched just fine.

Susan Bradley Patch Lady/Prudent patcher

2 users thanked author for this post.

MrToad28, J9438

Reply | Quote

DEFCON-3 or greater is a go-ahead to patch (read the article).
DEFCON-4 is not coming this month, but DEFCON-3 says go ahead and patch.

2 users thanked author for this post.

MrToad28, Coldheart9020

Reply | Quote

Thanks. Usually I wait till Susan or one of the managers sets it to defcon 4 before patching.

Also, just finished updating, I’m on 22h2 and a gamer, nothing heavy like cod or that kind, but no problems to report after patch. Keep up the good work guys.

1 user thanked author for this post.

MrToad28

Reply | Quote

This month I need a 4 for consumers/3 for business patchers.

3 means go ahead and patch, but just double check your system afterwards.  Does it feel the same to you?  If so you are fine.

MS-DEFCON 3 There are widespread problems with current patches. It is prudent to patch but check your results carefully.

Susan Bradley Patch Lady/Prudent patcher

5 users thanked author for this post.

Coldheart9020, Steve, J9438, The Surfing Pensioner, sheldon

Reply | Quote

Susan Bradley wrote:

There are widespread problems with current patches. It is prudent to patch but check your results carefully.

This is very unclear in my opinion. If there are widespread problems with the patches, why would I want to patch?

Reply | Quote

Widespread if you are an Exchange patcher, or business patcher with L2TP/VPN.  Not widespread if you are home/consumer.

Susan Bradley Patch Lady/Prudent patcher

2 users thanked author for this post.

MrToad28, Coldheart9020

Reply | Quote

Windows - commercial by definition and now function...

2 users thanked author for this post.

Coldheart9020, sheldon

Reply | Quote

 

Susan, you may have had more luck running DISM and SFC if you had used the sequence in my file attachment below. I had mixed results with DISM abd SFC until I fell down a friendly ‘net rabbit hole one day and discovered this recommendation.

Regards,

-JM-

 

 

Reply | Quote

I wrote a short article to remind myself of DISM commands, including from a local source when you have to determine and specify an index:

https://www.mcbsys.com/blog/2019/06/dism-examples/

I’m also slowly moving towards a couple standards to make this kind of thing easier:

1. Install servers as VMs, even if it’s just one VM in a small physical server. This makes it easy to mount ISOs for the guest, but also to forklift the entire VM to another box in the event of a hardware issue.
2. Create a Ventoy USB stick with a few key files and leave it permanently plugged in to the server. This could be OS installers, hardware drivers, a Veeam recovery ISO, a Linux partition manager, etc.–basically anything that might be needed to build the server or do disaster recovery.

The HP Microserver that I built recently actually has an internal USB slot which is very handy for this. And Ventoy is a game-changer with its ability to boot from any of several ISOs on the same USB stick.

Reply | Quote

A total of 25 Week D previews are out for CU’s and various .NET versions. kb5029331 for W10 | kb5029332 for W11

Windows - commercial by definition and now function...

1 user thanked author for this post.

PKCano

Reply | Quote

I’m kind of ignorant in updating in Windows 10,  because up until recently I had been running Windows 7.  I notice that one of the updates that installed on my computer today was a preview for .NET Framework (KB5029847).  Because it’s a preview,  should I have tried to stop it from installing?    And what should I do with it now that it’s installed?

 

Reply | Quote

.NET previews have been behaved.

I can’t say the same for Windows previews though.  I would leave it.

Susan Bradley Patch Lady/Prudent patcher

2 users thanked author for this post.

MrToad28, L95

Reply | Quote

Susan Bradley wrote:

.NET previews have been behaved. I can’t say the same for Windows previews though. I would leave it.

Susan:  Thank you.  When you say “I would leave it”, does that mean I can just go ahead and let the .NET previews install , and not worry about trying to prevent their installation or uninstall them if they’ve already been installed?

Also,  there is an article on the AskWoody website titled “How to Uninstall a Cumulative Preview  for .NET Framework” (Posting # #2575967) ,where a user was trying to prevent the installation of a .NET Framework preview and trying to uninstall it after it had been installed.  You weighed in on that at Posting # #2575971 .  But you didn’t mention in that posting that the user didn’t need to do this.   Why you didn’t mention it at that point?

Reply | Quote

All done – no problems.

Then again, we use the keep it simple approach to managing our systems.

All PCs are running Windows 10 Pro 22H2

And, each computer stands alone – no servers.

Did have some HP driver updates including HP Software Component 4.2.1608.0 and HP Software Component 1.58.3423.0 – both installed without incident.

 

 

3 users thanked author for this post.

MrToad28, jburk07, The Surfing Pensioner

Reply | Quote

W10 22H2 all computers. Patched ok with no apparent problems. MSRT, KB5029649 .NET, KB5029244 Cum. 22H2 19045.3324, SSU 10.0.1.19041.3266.

Don't take yourself so seriously, no one else does
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

2 users thanked author for this post.

MrToad28, jburk07

Reply | Quote

Susan Bradley wrote:

All of my home computers patched just fine.

Win 10 home factory installed OEM – No problems

Win 8.1 upgraded to Win 10 home with download from MS and Windows Feature Experience Pack 19041 – No problems.

Wind 8.1 upgraded to Win 1o home with download from MS and Windows Feature Experience Pack **** 19045 *** – Big problem. It got as far as status “Downloading – 0%” and very slowly was downloading about 500 bytes per hour – yes hour.

Finally since there was no button to cancel I did the Restart button. Another hour of “restarting” status with no results. Finally in desperation I did the power down hold down button.

I let the PC rest a bit and then powered back up. Almost immediately it went from 0% downloading to 100% downloading. The install and restart was normal around 30 minutes.

Very strange but seems to be a problem with the Experience Pack 19045 as I also had reported a similar issue with it in another thread.

Reply | Quote

I would have done the same thing as you.  It works almost all the time.

Mark

 

Reply | Quote

Hardened Windows user:

In the wee hours my desktop updated to

KB5029351 Cumulative Update Preview for Windows 11 Version 22H2 for x64-based Systems

Now running Windows 11 Pro Version 22H2 (OS Build 22621.2215)

No hiccups.  The update seems primarily targeting Search, which I don’t use and have disabled in Services.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.

We were all once "Average Users".

Computer Specs

Reply | Quote

Topic: Microsoft received reports about an “UNSUPPORTED_PROCESSOR” error @ AskWoody

Lots of hiccups. Enough for Microsoft to acknowledge the issues pretty quickly.

Yea telemetry.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Ok, just updated my Windows 11 Pro 22H2 machine with August updates through WUMgr and the system seems to be behaving correctly as far as I can tell.

Specifically, I installed these updates:
– KB5029263 = 2023-08 Windows 11 22H2 CU
– KB5029650 = 2023-08 .NET Framework CU
– KB890830 = Windows Malicious Software Removal Tool update
– KB5007651 = Update for Windows Security platform (ver 1.0.2306.10002)

No idea why the Windows Security platform update was deemed necessary for my machine, given that I use a different AV/Firewall provider, but went along with it and installed the update.

This month too I had two reboots before the updates finished installing:
– The first reboot was triggered manually by me after the updates were all reported as installed and the system restarted after installation of updates reached 21%;
– Installation of updates resumed shortly after the restart (oddly, it started from 7% rather than 21%) and continued until 30% at which point the second reboot was automatically triggered;
– Installation of updates resumed yet again starting from 30% and all the way up to 100%.

This is exactly the same thing that happened when installing the July updates, but until then the system rebooted only once after reaching the 30% installation point. Anyway, this seems to be a minor hiccup and nothing to worry about (but I thought to share this in case anyone sees the same thing happen).

1 user thanked author for this post.

Perq

Reply | Quote

BTW, just wanted to add that after installing KB5029263 the behavior of the “Print Screen” button was changed to opening the Snipping Tool. Fixed that as soon as I realized that hitting Print Screen did not capture a screenshot as is my preference. So far I did not notice any further change to my settings.

Reply | Quote

A month ago I made a post about the July cumulative update causing errors on an HP desktop that I recently did a clean install of W10 22H2 (came with W7, running W8.1 for several years). Here’s some of the relevant information from July.

1. I used wumgr to download and install only the MSRT and KB5028166 (monthly cumulative update). I was not offered any .NET updates. The computer rebooted and the status slowly updated to 97% complete, after which I got a blue screen of sadness, Stop Code WHEA_UNCORRECTABLE_ERROR and Error Code 0xc0000225.
2. Apparently the update process killed my Boot Configuration Data. My W10 install USB would not work for repair (no boot). Regardless of what I tried I kept seeing ERROR: No boot disk has been detected or the disk has failed.
3. I was eventually able to use an EaseUS Todo Backup repair USB (or whatever they call it) to boot into a repair environment and roll back my computer to a backup made before attempting the W10 update. As wise people say, always make backups.

I will note that I tried the July update several times and got the same result each time. I went through a whole slew of recommended scans, dism, etc., none of which showed any errors. In short, I couldn’t identify any issue with the computer except the fact that the July cumulative update killed it.

In response to my previous question someone asked how old the computer is. I don’t know exactly as it was originally purchased by my little sister, but it’s somewhere in the 8-9 years old range. For some of you, that might be ancient and should be tossed aside, but I think it still has useful life for home use (typing, spreadsheets, Powerpoint, Internet).

During the time my sister used the computer I updated the RAM to 16 GB, installed an SSD for the operating system, and upgraded the CPU from i5-2320 to i7-3770. Prior to installing W10 maybe six weeks ago the computer had been running W7 and then W8.1, quickly and efficiently, for years without issues. The SSD and HDD report no errors according to Hard Drive Sentinel. The RAM passes Memtest.

Someone recommended waiting to try the August cumulative update. I’ve done that now and it produces the same errors as above. So, for my computer at least, attempting to install either of the cumulative updates (July/Aug) available since I downloaded a W10 ISO file and installed W10 kills the computer.

I guess the option now is to try a fresh install again. I don’t have time today so if anyone has a different idea that could save me a wasted weekend morning, feel free to chime in.

I avoided W10 for as long as I could which in retrospect seems like a good decision. I don’t mind farting around a bit with computers (e.g., I have a white Macbook 2,1 from 2006 running W8.1, just because I thought it would be fun to try, and I have experimented with various Linux distros over the years), but in general I consider computers to be tools and not toys. I don’t want to play, I just want to do my work and be done. I certainly don’t want to spend hours and hours to coax my computer into booting after trying to install an update.

1 user thanked author for this post.

Cybertooth

Reply | Quote

Unfortunately, I can’t think of any helpful suggestion tbh. Looks like something has gone “wrong” with your W10 installation, preventing the updates to successfully install. Assuming you have already tried also using the “Windows Update Health Tools” to see if it can find anything to fix, then if I were in your shoes I’d go for that fresh install and start anew (that is, entirely wipe the SSD and then re-install W10).

I don’t think age of the computer should matter/have anything to do with the problem you are having: a couple years ago I installed W10 on an even older machine than yours: a custom build with an i3-540 CPU running on Vista and that was even before I upgraded RAM from 4 GB to 8 GB and replaced the HDD with an SSD. Despite the computer’s age, W10 installed without problem, albeit I’ll admit that performance was not so good until I increased RAM to 8 GB and updated to an SSD. If the problem you are currently facing has anything to do with hardware, then a defective component might be a more likely explanation than simply the age of the hardware. Still, if the system behaves properly (except for the failure to install updates), i.e. no random errors/reboots/blue screes/weird stuff, it seems unlikely that hardware has anything to do with your problem at all.

Unless anyone else has better ideas, I’d wipe clean the disk, make a new partition and re-install W10 from scratch. Hopefully that will solve the problem for good.

1 user thanked author for this post.

Cybertooth

Reply | Quote

@ASW, Was that PC upgraded to W10 from Win8.1 before or after the CPU upgrade?
The Windows Hardware Error Architecture error is more than likely attributed to the CPU change and not hardware errors.

Note: Only certain components can be changed without OS reactivation/license and CPU’s aren’t one of them…without purchasing another W10 license for the PC.

Windows - commercial by definition and now function...

Reply | Quote

CPU upgrade was made in the past, but I will check (after rolling back to my backup before trying the cumulative update) that the license is accepted and there’s nothing wrong on that front.

I’ve never bought a W10 license. I used the previous W8.1 license I bought years ago for this computer. Not sure if that makes any difference but your comment made me think of it.

Reply | Quote

Not sure anyone sees these older threads and will respond, but I’m at a loss here. After the Aug cumulative update killed my W10 22H2 (as outlined a few posts above), just like the July cumulative update had, I didn’t have time to deal with the computer for a while. As advised above, my plan was to restore to a backup and then do a complete W10 reinstall and start over with my wonderful W10 experience.

Except… when I finally had time to work on the computer about a week ago I had no boot. Nothing. No beeps. Just spinning fans and a black screen on the monitor. More specifically, the fans would spin up for about 5 seconds, then stop, then spin back up and keep spinning for at least 5 minutes, at which time I got tired of watching and pulled the power.

I did a bunch of reading and the following tests.

1 – I tested the monitor. When unplugged from the desktop there was a “no input” message and when plugged into my laptop it worked fine. I tried both DVI-D outputs on the desktop with no change. I’ll note that the monitor almost immediately goes to sleep (based on the color of the power button) after attempting to boot the computer, suggesting that there’s no signal at all being output.

2 – I reset the CMOS (several times, several methods) and tried to boot. No change.

3 – I pulled the SSD (boot/OS) and HDD (my files) and tested them using my laptop. I did chkdsk, sfc, and dism tests along with various tests implemented through Hard Disk Sentinel. No problems with the drives. I’ll note that when I tried to boot without drives in the desktop the screen was again black (i.e., no error message about missing boot drive) so again no response at all.

4 – I pulled and reseated all components and cables (RAM, SATA, power) inside the desktop computer. I didn’t think this could be a problem as the desktop wasn’t touched or moved in between being able to boot and not, but worth a check. No change.

5 – I tested the power supply using a multi-meter. All pins read as they should: 3.35V, 5.17V, or 12.19V. The only thing different from my 24-pin connection and the example in the tutorial I read was that mine doesn’t have a pin 14 (-12V) or pin 20 (-5V; I’m not sure what the negative means but that’s what the diagram in the tutorial showed). These slots are just empty, and there’s no wire coming from the back. I don’t know if that matters, but the wires didn’t evaporate so it’s always been like that and hasn’t caused a problem previously. Apparently the power supply is fine.

The only other thing I’ve read about is the motherboard failing, but I haven’t found instructions for testing that. It doesn’t seem terribly likely to me that motherboard would be fine for years and fail immediately after a W10 cumulative update problem.

Does anyone have ideas or suggestions for other tests to run. As best as I can tell, all the components in the computer are fine, they just don’t come together to make a booting computer. As I’ve noted above and in previous posts, this desktop was a functioning W7 and then W8.1 computer for years before I (foolishly?) tried to install W10. Which is frustrating.

Thanks.

Reply | Quote

The next thing I would try is pulling all but 1 stick of ram out ( if you have more than 1 ) and try booting. Try each stick until you hopefully get a bootup. The reason I suggest this is that it has happened to me before.

Don't take yourself so seriously, no one else does
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

Reply | Quote

Good shout with the RAM check, could also do a visual inspection of the motherboard capacitors, in particular, look for any that are bulging or splitting.

Windows - commercial by definition and now function...

Reply | Quote

Thanks for the ideas.

I have two 8 GB DIMMs in two slots. I tried each one singly in each slot with no boot. Just for kicks, I dug out an old 4 GB DIMM used in this computer before I beefed up the RAM and tried it in each slot. No boot. I will note that the 8 GB RAM sticks recently passed a memory test (before the booting issue) when I was trying to figure out why the W10 cumulative updates kept killing the computer.

To my eyes, all parts of the motherboard — capacitors, connector slots, etc. — look completely normal.

Reply | Quote

Can you get  into the BIOS?  Does it recognize the drive, and is listed in the boot order.

Reply | Quote

I can’t do anything really. Pressing the power button on the computer causes the fans to spin up but apparently doesn’t proceed far enough in the boot process to send any signal to the monitor or produce beeps or other noises.

I’ve tried using the function key presses that you would normally use to force access to the BIOS, boot order selection, etc., but if anything is happening I can’t see it.

I’ve tested that the monitor is good (works attached to my laptop) but don’t have a good way to check if there’s some issue with the DVI-D outputs on the computer. It seems unlikely that issue would appear immediately after my cumulative update problem.

I have access to my wife’s monitor, so I’ll try that, but I’m not sure if it really gives me any information if it also doesn’t show any signal.

Reply | Quote

Just skimming through I didn’t see if you mentioned if you have a video card. If so, could you try removing and testing with onboard video?

1 user thanked author for this post.

Microfix

Reply | Quote

No video card. The computer uses the onboard Intel video.

Reply | Quote

With all the things you have tried, Moniter ok, Drives ok, memory maybe unless both sticks are bad, no capacitor damage visible, you may have a bad MB after all especially since you can’t even get into BIOS.

Just my opinion as there may be other suggestions coming.

Don't take yourself so seriously, no one else does
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

Reply | Quote

Is there anyway to actually assess if the motherboard is bad outside of replacing it with a different one?

Reply | Quote

The device is behaving like the onboard video has died.
The method to bypass this, is by adding a known working pcie video card (borrow one for testing?) then upon system start, enter the BIOS, disable the onboard graphics within the BIOS and point settings towards the installed Graphics card.

As it’s a ‘significant hardware change’, W10 may not play well thereafter, but may be enough to get your data backed up.

Windows - commercial by definition and now function...

1 user thanked author for this post.

cyberSAR

Reply | Quote

Am I correct that onboard video is an attribute of the CPU? The reason I ask is that I still have the original CPU from this computer that I can swap back in. I replaced a second generation i5 with a third generation i7 at some point in the past. It worked fine with W8.1 before the W10 upgrade, when I started having problems.

But, assuming I can find it in my “stuff” box it’s not hard to put it back in and see.

As far as video cards go, I’m not sure I know anyone (nearby) who even uses a desktop computer. My younger brother has a bunch of old desktops, but he’s unfortunately 1/2 a U.S.A. away from my location.

Thanks.

Reply | Quote

You can swap out the CPU if you wish but, if the onboard video is kaput, you still won’t be able to boot the system, let alone see anything on any monitor. See my previous post to troubleshoot

Windows - commercial by definition and now function...

1 user thanked author for this post.

ASW

Reply | Quote

I thought onboard video was associated with the CPU, but you’re saying it’s a separate part of the motherboard, correct? You learn something new every day.

I suspect my only way of acquiring a separate video card will be to buy one, so I guess I’ll see what prices look like for that. I’m sort of getting away from my plan of updating a cheap older computer here.

However, if the onboard video is bad, and if you need to be able to see screen output to get in to the BIOS to swap from onboard to a separate graphics card, how would you do that?

I still keep thinking that if the computer was actually booting up but with no video output so I can’t see what’s happening there should be some audio indication (= beeps). I actually can’t recall if this computer beeps when it’s booting, but I know other computers I’ve used did.

Thanks.

Reply | Quote

ASW wrote:

I thought onboard video was associated with the CPU

It is.

Microfix is just saying to try a video card and if the BIOS shows up, change the settings so that the MB isn’t looking for the onboard video.

Don't take yourself so seriously, no one else does
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

1 user thanked author for this post.

Microfix

Reply | Quote

Thanks for the clarification.

I tried the old (known working) i5 processor and got the exact same result of no boot/no beeps/black screen. Basically no indication that anything is happening under the hood except for the fans spinning.

Guess I’ll take a look for graphics cards. There is an e-recycler in my small town. Maybe he will let me look through some junk computers to see if I can find cheap parts for testing purposes.

What’s the chance that a working, unmolested DVI-D cable would fail? I only have the one cable (my laptop uses a different cable) so again, no spare to test against.

Reply | Quote

ASW wrote:

What’s the chance that a working, unmolested DVI-D cable would fail?

Anything can fail. cable, connection to MB, etc.

Don't take yourself so seriously, no one else does
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

1 user thanked author for this post.

cyberSAR

Reply | Quote

ASW, any updates on progress??

Don't take yourself so seriously, no one else does
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

Reply | Quote

Home user: August updates applied to 3 Win10Pro & 1 Win11Pro without apparent problems.

Thanks to all who provided feedback on their updating experiences.

Reply | Quote