MS-DEFCON 4: A mixed bag for May

Topic

New Reply

ISSUE 19.21.1 • 2022-05-24 By Susan Bradley Good news! Most consumer and home users should be just fine after installing this month’s updates. I’m not
[See the full post at: MS-DEFCON 4: A mixed bag for May]

Susan Bradley Patch Lady/Prudent patcher

9 users thanked author for this post.

Melvin, Casey S, DrBonzo, jburk07, SueW, Mele20, abbodi86, eee zee, Alex5723

Reply | Quote

Replies

This was the weirdest update ever on this four years, five months old Windows 10 Pro computer 21H2. When I saw Defcon 4 here about a hour ago, I immediately tried to do a cumulative update for this computer (from the last cumulative update for April to this current May one).

I use Winaero Tweaker for many years now on various versions of Windows. So, I unchecked the box in it that, when checked, stops willy-nilly Windows updates and then I rebooted and was offered KB4023057. I got it installed, rebooted and to my consternation Windows Updates said I was up to date! No, I have the APRIL cumulative update not May so what the….???

I had to go to the Microsoft Catalog website and search for the May cumulative update and then download and install it manually. I don’t mind doing that at all but what has me puzzled and a bit concerned is that Windows Update was insisting that this computer was UP TO DATE when it had ONLY the April cumulative update installed…not the May one! Has Microsoft fiddled with Windows Update and checking for new updates from a Windows 10 computer in the last month? Or is my computer getting wacky because of its age? I have always bought a new desktop in the past when a computer reached four years of age. I didn’t this time and it is almost 4 and one-half years old now. Plus, I have never needed in the past to wait a day or more with the box in Winaero Tweaker blank for stopping Windows Updates. In the past, all I needed to do was remove that checkmark and reboot and Windows Updates would IMMEDIATELY begin downloading any available updates like a cumulative update (I never update drivers through WU).

When I removed the checkmark in Winaero Tweaker so that WU was free to offer/download available updates this time all it offered was KB4023057. Windows Updates seemed oblivious to the fact that I did NOT have the May Windows 10 Cumulative Update and did not offer it. Weird. Plus, WU claimed I was up to date when obviously I was not!

Reply | Quote

so if i understand correctly after updating my win 10 21h1 on my home PC version 19043.1706 is the latest build?

many thanks in advance.

Reply | Quote

Yes, that is the May update.

Reply | Quote

it’s actually 19043.1708 for 21h1 as 19043.1706 still has ongoing issues for a few users who can’t install apps from MS store & running recent PCs with 11th gen or newer Intel CPUs

for those using machines with 11th gen Intel or recent gen AMD Ryzen CPUs, skip the KB5013942 May 2022 update and download & install the out-of-band KB5015020 update instead. but for those using 10th gen Intel or older AMD Ryzen based systems, KB5013942 (build 1904x.1706) should be fine.

Reply | Quote

That was interesting. Windows decided not to reenable dotnet after update.

Windows 11 21H2

Binisoft Firewall Control was running with no problems before update.

After update. WFC refused to start. Error 0xc0000135. It also refused to run the installation file.

The cure was to

1. open the run box
2. enter optionalfeatures
3. check .net options and click OK.

 

Sigh! Update  fiddled with WFC firewall settings. I’ll need to run through the process of checking all the ‘experience’ things remain off.

Reply | Quote

I’ll leave updates as usual for a few more days, I like to let others take the initial plunge when the DefCon changes so I can see how they fare!

On the subject Susan mentions of “dribble” mode, the one new thing I’ve noticed is that a couple of days ago I saw a new round icon on the taskbar which turned out to be a reference to “Your location is currently in use”. I disabled it under the Win10 privacy settings and haven’t seen it since, nor have I experienced any issues from having disabled it. Is that one of the new things being “dribbled” onto our machines? I can’t think of any other reason why it would have appeared all of a sudden.

Reply | Quote

I had posted a few months ago about problems with Windows Update where WU would download and install the first update and wait for a restart before installing other updates.  Today I installed the May updates to my Windows 10 Professional 64-bit 21H2 system.  WU downloaded and installed the .NET update (which this month was not a preview), and then finished and installed the monthly MRT update.  When WU told me that the Win 20 cum upd had been downloaded 100%, I noticed that the Task Manager Internet graph was still showing constant 4Mb download.  I waited 15-20 minutes until the download activity stopped, and then WU installed the downloaded Win 10 update.  So, as I had seen previously in Win 7, Windows Update erroneously tells me that an update is 100% downloaded, when the update is still being downloaded.  If I wait until the download stops, then the update gets installed, even when the first installed update is waiting for a reboot.  My system has been up for about 1/2 hour, so I have not have time to experience any problems.

Reply | Quote

With Win10, the SSU is bundled with the CU and you don’t see it.
I suspect what you are seeing in WU is the SSU downloading and installing first (that’s the first 100% you see) then the CU installs taking longer (the second 100%).
After the CU installs is when you need to restart, not the first time you see 100%.

1 user thanked author for this post.

jburk07

Reply | Quote

For a long time now I’ve been following Susan’s advice to defer installment of KB4023057. In the latest May Update sheet ( 5/24/2022) it now says to install this update.

What changed?

Thanks,

Marc

2 users thanked author for this post.

Melvin, jburk07

Reply | Quote

Ooops I got cut and paste happy.  I’ll fix, that should be defer.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

jburk07

Reply | Quote

Thanks, thought I’d check first!

Reply | Quote

Thanks for the work you always do on your patching recommendations. I rely upon your advice. I appreciate the updates to defer (rather than install) KB5005463 and KB4023057.

I usually go straight to the links to the monthly recommendation listings. For instance, MAY UPDATES … May 24, 2022 … Consumers and Businesses …  Those links need to be updated with your latest version to defer those two patches.

Thanks for helping us manage Windows patching.

Win 11 Pro 23H2, Office 2024.
Win 10 Pro 64-bit 22H2, Office 2019.
Win 7 Pro 64-bit, Office 2010.
Nethermost of the technically literate.

Reply | Quote

I did update it?

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Links were updated at the top of the Master Patch List article https://www.askwoody.com/patch-list-master/ but not down where MAY UPDATES are listed. Specifically, May 24, 2022 … Consumers and Businesses … links to the original patch list files for May 24, 2022:

For example https://www.askwoody.com/wp-content/uploads/2022/05/2022-05-24-May.xlsx

I’m suggesting that these should be the same as you updated at the top of the Master Patch List.

For example https://www.askwoody.com/wp-content/uploads/2022/05/2022-05-24-May-1-1.xlsx

Maybe just copy a single line from the top?

• Listings of May’s updates: CSV / Excel /PDF / HTML

Win 11 Pro 23H2, Office 2024.
Win 10 Pro 64-bit 22H2, Office 2019.
Win 7 Pro 64-bit, Office 2010.
Nethermost of the technically literate.

Reply | Quote

Win 10 Pro 21H2. Quick query: Master Patch list reco’s installing quite a list under ‘.NET core/NET 5.0’ . I have never been offered these. Do I need to install any of those, if so how? (I have ‘get updates for other Microsoft..’ turned off.) I do have KB5013642 .Net framework for 3.5 & 4.8 in winshowhide.

Reply | Quote

Deo wrote:

I have never been offered these

If you don’t use software that need .net 5 or 6 you won’t be offered updates.

1 user thanked author for this post.

Deo

Reply | Quote

Hello Susan,

Domain Controllers
Certificate Authorities
Small Companies

Small businesses who use AD, do not typically have the money to have,  A real/virtual server (+license) for  AD server and Certificate Authority server, and perhaps, as recommended by all Microsoft literature, a 2nd Domain Controller server.

Back in the ‘SBS’ server days, the Certificate Authority (CA) was also on the DC itself.
If any techs migrated to a newer MS Server flavor, they might have also migrated the Certificate Authority to that newer server.  I know I have encountered some.

If the AD is NOT PAIRED with a CA, and there is no CA in the domain, do the May updates have any gotchas?   Customers in this situation will not be updating any SID into any OID, as there are no OID without CA.  (And an alphabet soup to you too

Reply | Quote

I’m not seeing issues reported in SBSized firms – i.e. one domain controller, workstations joined to the domain.  It’s only in the larger networks that I’m seeing this cert side effect.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Miller Networks

Reply | Quote

major4579 wrote:

For a long time now I’ve been following Susan’s advice to defer installment of KB4023057. In the latest May Update sheet ( 5/24/2022) it now says to install this update.

What changed?

Thanks,

Marc

I see that KB5005463 is also listed as “install” instead of “defer”. I have studiously avoided installing KB4023057 and KB5005463 for a long time. Are both “copy and paste” errors?

Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.

1 user thanked author for this post.

Melvin

Reply | Quote

Refresh and try it again?  Both should be skipped or uninstalled.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Steve S.

Reply | Quote

How do I report an issue with the May 2022 Security Update to Microsoft?

Reply | Quote

Honestly not easily if you aren’t an enterprise customer.  They tell us to go into the windows feedback app on your Windows device, look for similar issues and upvote.  You can open a support case ($425 if the issue is due to a security patch the fee will be refunded) but the last time I opened a support case, it was a lesson in futility.

What’s the exact issue and I can see if it’s being discussed and thus on Microsoft’s radar?

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Coldheart9020

Reply | Quote

Thanks for the link to the blog on Domain-Join Computers.  I’ve been meaning to do this for some time now.

Casey

Reply | Quote

Doing what, install a DC?
This is not a trivial task and it may not be wise to mess with a working system.

cheers, Paul

Reply | Quote

winver 19043.1706 and no issues with updates. Thank you Susan for the master patch list guidance.

Win10 Pro

Reply | Quote

Glad to see Defcon 4.  Today I am working on a Dell Inspiron that is running Windows 20H2.  I used the InControl.exe program from Steve Gibson to set the Target Release Version to 21H2.

Windows Update is offering me the following, all marked pending download

1. Feature update to Windows 10, version 21H2, no version number
2. MSRT KB890830 twice – version 5.101 AND version 5.98
3. 2022-05 CU for .NET for 20H2 KB5013624
4. 2022-04 Update for Win 10 version 20H2 KB 5005463
5. 2022-04 Update for Win 10 version 20H2 KB 4023057

I have WUMgr 1.1b by David Xanatos installed.  So, I wonder if I should use WUMgr to install ONLY the Feature update to version 21H2, and then see if the same updates are offered after that.

Any advice is much appreciated.

Depending upon results, I might  go through a similar process tomorrow on an old but still running Thinkpad T61,

 

Reply | Quote

Use WUMgr to hide KB 5005463 and KB 4023057. They are MS Health check and Susan doesn’t recommend them.

Install the Feature Update, MSRT, and NET.

2 users thanked author for this post.

MrToad28, AlphaCharlie

Reply | Quote

Thank you very much PK.

I did exactly as you suggested, and after a reboot the Inspiron has been updated
from 20H2 Build 19042.1110
to     21H2 Build 19044.1706

without any apparent errors or problems.

Interestingly, I am now offered the updates that are shown below:

It seems strange to update drivers offered by Microsoft instead of coming straight from the hardware manufacturer, especially those that are a year or more old.  So I will ignore those.  The Dell Inspiron laptop comes with a preinstalled application called “Dell Update” that has updated a few things in the past, and it currently says (May 2022) that eveything is up to date.

Finally, I will re-hide the other two (KB5005463 and KB4023057) which you mentioned before, even though that second one is considered “critical” by Microsoft.

 

Reply | Quote

Block drivers updates in Windows updates.
Hide in WUmgr.

1 user thanked author for this post.

AlphaCharlie

Reply | Quote

I have downloaded WUMgr, but has no clue how to use it. Is anyone kind enough to point me to the right direction?

Reply | Quote

https://www.askwoody.com/forums/topic/60002-guide-to-using-wumgr-for-windows-10-updates/

Reply | Quote

Some Windows 7 Machines lost their activation after the May-Patchday.

What is going on?

 

Reply | Quote

what editions of Windows 7 are these machines running, mr anonymous?
Win7 Home Premium, Professional or Ultimate

Reply | Quote

May patches installed with no problems to report on Win 8.1.

Installation Successful: Windows successfully installed the following update: 2022-05 Security and Quality Rollup for .NET Framework 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8 for Windows 8.1 for x64 (KB5013872)

Installation Successful: Windows successfully installed the following update: 2022-05 Security Monthly Quality Rollup for Windows 8.1 for x64-based Systems (KB5014011)

Installation Successful: Windows successfully installed the following update: 2022-05 Servicing Stack Update for Windows 8.1 for x64-based Systems (KB5014025)

Win 10 ver. 22H2 x64

1 user thanked author for this post.

DrBonzo

Reply | Quote

Thanks from another Windows 8.1 user!

Reply | Quote

Updated an 8.1 machine last night. Same 3 updates as JD and same result – no problems.

Reply | Quote

“You do not need the out of band update, so skip it.”

not so fast

updates KB5011831 and KB5013942 for Win10 seem to crash clipsvc for some users reported on reddit, lenovo forum & elsewhere:

https://www.reddit.com/r/sysadmin/comments/uipvj3/kb5011831_crashing_clipsvc_ms_store_affected/

https://forums.lenovo.com/t5/Gaming-Laptops/My-Windows-getting-weird-and-windows-store-app-cant-be-opened/m-p/5146984

https://answers.microsoft.com/en-us/windows/forum/all/the-client-license-service-clipsvc-service/fcc0d96c-880e-4633-8996-5c87743a4f92

so for these Win10 users having these specific problems, go with the out-of-band updates instead

Reply | Quote

new preview updates for Win10 20H2, 21H1 & 21H2 released THU June 2:

KB5014023 update build 1904x.1741:
https://support.microsoft.com/help/5014023

KB5013887 .NET 3.5 & 4.8 update:
https://support.microsoft.com/help/5013887

1 user thanked author for this post.

Alex5723

Reply | Quote

It was indicated that update KB5014032 (servicing stack update) was not necessary since it is included in the Cumulative update.

After I updated (without seeing a KB5014032 listed using wushowhide) I saw that a servicing stack update was installed, though it is designated as 10.0.19041.1704.

I do not know how to (if applicable) “convert” to a KB number!

I use Win 10, 21H2.

A little help requested.

Thanks,
Gunny

Reply | Quote

Gunny wrote:

10.0.19041.1704

That is correct:

For a list of the files that are provided in this update, download the file information for SSU version 19041.1704.

KB5014032: Servicing stack update for Windows 10, version 20H2, 21H1, and 21H2: May 10, 2022

1 user thanked author for this post.

Gunny

Reply | Quote

Gunny wrote:

10.0.19041.1704

This is a Windows version number. Run “winver” to see what version you have.

Can you post more details / screenshot of the installed SSU?

cheers, Paul

1 user thanked author for this post.

Gunny

Reply | Quote

Susan is currently recommending folks to be on Win 10 21H2.  But what if you have a Win 10 system that apparently won’t upgrade to it?  One of my systems is a Lenovo Legion Y520 laptop, currently running Win 10 Pro 21H1.  It has all the latest Lenovo driver updates, and is current with all available Windows updates — except for KB4023057 and KB5005463, both of which I deliberately keep hidden.  But this system never gets offered an upgrade to 21H2.  Does anyone have an idea why Windows Update is telling me this system is “up-to-date” with no other updates available for it?  Should I be concerned that maybe (for some strange reason) this system isn’t compatible with 21H2?

Reply | Quote

Did you previously use Susan’s script to set the Target Release Version (TRV) to 21H1?
Did you use wushowhide or WUMgr to hide the 21H2 update?
If the answer to either of these is “Yes”, that is the reason you are not being offered 21H1.

See this Knowledge Base article to set the TRV to 21H2.

https://www.askwoody.com/forums/topic/6000003-registry-keys-and-group-policy-settings-to-select-specific-feature-rele/

1 user thanked author for this post.

Tom-R

Reply | Quote

Tom-R wrote:

why Windows Update is telling me this system is “up-to-date”

That’s because 21H1 doesn’t actually reach EoS until 2022-12-13.

You can “force” the update by going to Microsoft’s Download Windows 10 page and clicking the  Update now button.

The upgrade from 21H1 to 21H2 only takes ~15 mins to complete because all it really does is enable some “already existing” features included in 21H1.

2 users thanked author for this post.

Tom-R, Bob99

Reply | Quote

Tom-R wrote:

Should I be concerned that maybe (for some strange reason) this system isn’t compatible with 21H2?

There are no known block for 21H2.
Set ‘target Release’ to Windows 10 21H2, you can use InControl, and check that there are no deferrals.
Let Microsoft handle the upgrade.

1 user thanked author for this post.

Tom-R

Reply | Quote

Alex, thanks for the suggestion about using InControl.  Up until now, I hadn’t even been using that.  But just for kicks I tried running it on this problem system.  It said that the system had 2 of the 6 registry keys set, which got me to go check which of those keys had been set.  What I found was that TargetReleaseVersion was set to 1 (which was OK); but for some unknown reason the TargetReleaseVersionInfo was set to “1909“.

What’s strange about that is that (a) I don’t recall ever making that change; and (b) I don’t understand how the system ever got updated previously to 21H1.  In any event, I used InControl to set the TargetReleaseVersionInfo to 21H2; and Windows Update was then more than happy to offer the update.  So the system is now on 21H2; and all’s well.  Thanks again for the advice to check things with InControl.

1 user thanked author for this post.

Alex5723

Reply | Quote

See #2450955 above.

Reply | Quote

Tom-R wrote:

I don’t understand how the system ever got updated previously to 21H1.

Microsoft is pushing new upgrades to EOL versions disregarding any Target release settings.
21H1 isn’t EOL yet so no pushing of new upgrades.

Reply | Quote

You have evidence of MS doing this?

cheers, Paul

Reply | Quote

EOL has always overridden TRV:

Select the target feature update version … When you use this policy, specify the version that you want your devices to use. If you don’t update this before the device reaches end of service, the device will automatically be updated once it is 60 days past end of service for its edition.

I want to stay on a specific version

2 users thanked author for this post.

windbg, Alex5723

Reply | Quote

This has been documented in AKB2000016 since it’s inception, with a link to the MS documentation included.

1 user thanked author for this post.

windbg

Reply | Quote

Paul T wrote:

You have evidence of MS doing this?

cheers, Paul

There are many such case here on the forum.

Reply | Quote

“…First, update your Certificate Authorities servers. The patch adds a new OID to the templates used for authentication. The OID is then populated by the AD object SID, which further identifies the specific device in the certificate. Once Certificate authorities are updated and the OID is present in the certificates offered to the computers (be sure to test this), you can revoke older certificates without the OID and issue new certificates through auto-enrollment. Then you can patch your domain controllers, and authentication will work — because the domain controllers will now understand the new identifier…”

– Updated DC’s and servers running certificate services. How do I test the “…OID is present in the certificates…” and revoke older certs? …..also do I need to ‘reapply’ the patch to the DC’s?

Reply | Quote

Enterprise Certificate Authorities

Enterprise Certificate Authorities (CA) will start adding a new non-critical extension with Object Identifier (OID) (1.3.6.1.4.1.311.25.2) by default in all the certificates issued against online templates after you install the May 10, 2022 Windows update. You can stop the addition of this extension by setting the 0x00080000 bit in the msPKI-Enrollment-Flag value of the corresponding template.

https://support.microsoft.com/en-gb/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

You don’t need to reapply the patches if you’ve already installed them.

 

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

I had to also patch the server running NPS used with our NetMotion infrastructure. After a restart, the ‘device’ certificates started working again.

Reply | Quote

Do the out-of-band server updates for both 2016 and 2012r2 mean I will have to re-boot the server machines twice? Once for the updates and then another time for the out-of-band updates?

Reply | Quote

For 2016 you can just install the out of band and reboot once.  For 2012r2 if you haven’t installed the first update, you can install it -and- the out of band at the same time and reboot once.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Zad

Reply | Quote