MS-DEFCON 4: Holiday patching

Topic

New Reply

ISSUE 21.48.1 • 2024-11-26 By Susan Bradley Thanksgiving in America is a mere two days away. I often use the holiday to multitask while the turkey is
[See the full post at: MS-DEFCON 4: Holiday patching]

Susan Bradley Patch Lady/Prudent patcher

15 users thanked author for this post.

Perq, abbodi86, it1, AusJohn, bowled845, windbg, Casey S, WCHS, pandarunnerpt, deuce120, jburk07, LHiggins, lmacri, DLivesInTexas, Chester Peake

Reply | Quote

Replies

I have already embraced Windows 11 24H2 in a new laptop. There doesn’t seem to be much difference between 23H2 and 24H2. When I got this machine, I made sure that the local computer tech store had disabled CoPilot. Because I was unsure if the GPE method was the same in this version.

If I can be given any advice in what to look out for or modify. It would be helpful.

Thanks.

Reply | Quote

I reboot/restart anything in the house with a computer in it on a regular basis.

Desktop daily, after my incremental backup, using the “Shut down when backup completed option.”

Router, Android tablet and phone weekly.

Router and Android TV have the power cycled monthly.

It is amazing how often something odd which I had barely noticed gets cleared when I do that.

 

Reply | Quote

Susan, It looks like the new patch list hasn’t been posted yet. The one I found is from 11/12/24. Am I missing something?

2 users thanked author for this post.

LHiggins, Willard14

Reply | Quote

@PatchingAgain, I was wondering the same thing.

 

Reply | Quote

Oops didn’t hit the publish button -I’ll fix.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Posted the 11/26/2024 version of the spreadsheet.

Susan Bradley Patch Lady/Prudent patcher

3 users thanked author for this post.

Douglas, PatchingAgain, LHiggins

Reply | Quote

Looks like the HTML version is still the old one (the link itself is a bit messed up, too, with only the “L” in HTML being linked).

Reply | Quote

Try it again?

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Casey S

Reply | Quote

@susan Thank you for your concurrence that iOS 18.1 on an iPhone 13 (not AI compatible) serves no real purpose if you have installed 17.7.2 and aren’t interested in the iOS 18 features.  Let’s hope Apple keeps giving us these Security updates.

iPhone 13, 2019 iMac(SSD)

Reply | Quote

I use Thunderbird.  It reminds me of the old Eudora simple look with the trash can  icon.

1 user thanked author for this post.

Fred

Reply | Quote

“What do your guests plan to do when Windows reaches its “official” end of life next October?” At that time I’m going to install Linux Mint. It’s not perfect, as Linus Torwald and the Linux Foundation have banned 12 kernel maintainers associated with Russia but not China’s Huawei.

1 user thanked author for this post.

Charlie

Reply | Quote

And with Linux Mint, you won’t need to spend a lot of time updating and worrying about Win 11!

Being 20 something in the 70's was far more fun than being 70 something in the insane 20's

3 users thanked author for this post.

jburk07, MHCLV941, dutchjim

Reply | Quote

For my Win 23H2 system, Wumgr found and installed KB4023057  but not KB5046613. Is that a problem?

Reply | Quote

KB4023057 is the PC Health Tool.
KB5046633 Is the 2024-11 Cumulative Update for Win11 23H2.

Have you restarted your computer?
Check in Control Panel\Programs & Features “View installed updates” to verify whether you got the November CU (in case it doesn’t show up in Update History).

Does you PC show any pending updates under Settings\Update and Security\Windows Update? Unless you are blocking it, you should be offered the CU unless there is a problem with Windows Update

Reply | Quote

cmar6 wrote:

For my Win 23H2 system, Wumgr found and installed KB4023057 but not KB5046613. Is that a problem?

??KB5046613 is the monthly CU for Win10 22H2.

Reply | Quote

I meant KB 5046633.

Reply | Quote

PK, thanks for rapid response.
Have you restarted your computer?   Yes

Check in Control Panel\Programs & Features “View installed updates” to verify whether you got the November CU (in case it doesn’t show up in Update History).

Did not get.

Does you PC show any pending updates under Settings\Update and Security\Windows Update? Unless you are blocking it, you should be offered the CU unless there is a problem with Windows Update
No pending updates. I also got KB5035942 (1126/24). Wumgr is letting me down. Perhaps I should have checked the boxes for various options like “Manual Download/Install” or “Register must update” ?
Settings/Windows Update does not show KB5046613 installed or pending. I will try again in a couple of days.
Thanks, CMA

Moderator Edit: to remove HTML. Please use the “Text” tab in the Entry Box or the “Paste as text” menu option when you copy/paste. The HTML from copy/paste makes the post very hard to read.

Reply | Quote

Updated with no problems.

2024-11 Cumulative Update for Windows 11 Version 23H2 for x64-based Systems (KB5046633)
Windows Malicious Software Removal Tool x64 – v5.130 (KB890830)

Windows 11 Pro
Version 23H2
OS build 22631.5039

2 users thanked author for this post.

jburk07, MrToad28

Reply | Quote

A small client had five older Windows 10 PCs in what I call “secondary uses,” little used but still needed. I had already upgraded all of them to use SSDs, so they run Windows 10 fine. I was worried about having to replace all of these next year—a budget strain loomed. This Ars Technica article inspired me to try upgrading them:

What I learned from 3 years of running Windows 11 on “unsupported” PCs

All of them support Secure Boot and all have a TPM, so it was mostly the older i5 processors that were incompatible with the upgrade. Long story short, with the registry workaround, I was able to upgrade all of them in place to Windows 11. I did have an odd problem with one machine, a Lenovo TS140 server:  the Win11 23H2 media kept causing a blue screen, but Win11 24H2 worked.

Bottom line, if your PC was made in the last 7 years or so, there’s a good chance you can upgrade it to Windows 11.

1 user thanked author for this post.

Perq

Reply | Quote

When I click on your link for KB5046613, it takes me to a web page that says I must have KB5011543. When I look at Installed Updates, I don’t know how to find that. There’s no search that I know of in Windows 10 & I don’t see it listed. I’m not sure if that’s preventing me from installing KB5046613.

When I search for KB5046613 on the Microsoft website, https://support.microsoft.com/en-us/topic/november-12-2024-kb5046613-os-builds-19044-5131-and-19045-5131-44e6c27e-e188-4dd5-8ad2-edde2e235c01, it’s on a side panel. I click it & it takes me to the same site, but I don’t see a way to download or install it.

Happy Thanksgiving!

Reply | Quote

Here’s the link for KB5011543 from the Microsoft Update Catalog.

https://www.catalog.update.microsoft.com/Search.aspx?q=KB5011543%20%22windows%2010%22

Simply click the Download button for your specific Windows version.

Note: that KB was issued back on 03/22/2022 and only applies to Windows 10 20H2, 21H1 and 21H2.

Windows 10 22H2, which was release on 10/18/2022, already includes KB5011543 so there’s no separate KB to install!

1 user thanked author for this post.

WCHS

Reply | Quote

cmar6 wrote:

Wumgr is letting me down.

WUmgr runs Windows Update.

Reply | Quote

“Apple released its new devices this fall. But if you are like me, most of my Apple devices still work and are still fully supported. Whether you upgrade to iOS 18.1.1 or stay on 17.7.2 is entirely up to you.”

The patch list still says defer “Unless you want hearing aid feature”.

Why do you still says” defer”? Is there some issue you are concerned with?

 

Reply | Quote

The Photo app update is not comparable.  On an older device there’s not a lot compelling reasons to update.

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

For Server 2016 both 5046612 cumulative update and 5046266 .NET 4.8 cumulative updates the status is Defer. Last month the cumulative update was set to defer.  I’m concerned about the Server 2016 devices we support. Should they be going this long without security updates?

Reply | Quote

For whatever reason I keep skipping over the 2016 section and not changing them to install.  They should be flagged as such.

Revised the spreadsheet.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

PatchingAgain

Reply | Quote

Thank you for the heads up regarding the forced new Outlook change coming down the line. I just tried (again) switching to new Outlook and had to switch back. I called it quits after 3 show stoppers:

• Not able to add shared mailboxes to Favorites section
• Not able to disable opening messages with a single click
• Not able to change/customize mailbox headers (From, Subject, Received, etc.)
  • I have a custom header in place in our organization that displays the domain of the sender. I’ve trained my users to take note of that domain before opening a message. It’s a small, simple step in the interest of security.

I’m hoping you include additional information about this when MS is close to forcing it upon us, including how to block it with group policy. Thank you and Happy Thanksgiving!

2 users thanked author for this post.

Perq, Cybertooth

Reply | Quote

RobM wrote:

Thank you for the heads up regarding the forced new Outlook change coming down the line.

Where is this “heads up”? I seem to have missed it.

Reply | Quote

Check out the DEFCON alert that Susan linked to in her original post. Specifically, the information about new Outlook is under the Businesses heading in that article.

Reply | Quote

Hi. On the MPL, Server 2016 cumulative KB5046612 is still set to defer.
I cannot see any reported problems in the forums. Should it still be deferred ?

Thanks.

1 user thanked author for this post.

PatchingAgain

Reply | Quote

Revised, it’s now install.

Susan Bradley Patch Lady/Prudent patcher

2 users thanked author for this post.

it1, PatchingAgain

Reply | Quote

Happy Thanksgiving!

So, I just updated (including Office and Microsoft Store updates, as well as a BIOS update) and and have noticed some things that I have not noticed during previous updates.

First of all, my wallpaper / desktop background automatically changed to Windows Spotlight.

And, every time I would close a Word document, I would get a pop-up asking me to confirm changes made to Global template (Normal.dotm). I would initially clicked Cancel, then Don’t Save. After a while, I clicked Save, but am now not at all sure I should have.

There could’ve been other changes too that I haven’t noticed.

Any change this is related to this — https://www.askwoody.com/forums/topic/kb4023057-2/#post-2585841 ?

I guess this may also be related to my other question — https://www.askwoody.com/forums/topic/ms-defcon-4-side-effects-for-dual-booters/#post-2721203

Thank you

Reply | Quote

I’ve got three new Dell Optiplex machines out of the box in the past week.  By the time I actually had any control of them during setup, all were already on Windows 11 Pro 24H2.  So far – knock on real WOOD (not particle board) – I’ve seen no major problems.

I have noticed one annoyance (so far!): one can no longer edit the Quick Settings collection of buttons.  (For those who don’t know what Quick Settings is, like me, it’s what you get when you click on the network or volume buttons on the taskbar).

Windows 11 23H2 has a pencil icon and a gear wheel at the bottom left corner of the Quick Settings window.   Clicking the pencil allows you to add, remove, or move the Quick Settings buttons around.  The pencil is gone in 24H2 and there appears no way to get it back.    One can move the buttons around but Microsoft has decided (again!) that we are too stupid to know what we want to see, so we are now stuck with the entire set.

The only “fix” is a policy, Computer Configuration > Administrative Templates > Start Menu and Taskbar > Simplify Quick Settings Layout, which reduces Quick settings to only Wi-Fi, Bluetooth, Accessibility, and VPN buttons as well as the brightness slider, volume slider, and battery indicator and the link to the Settings app.  Of the 3 remaining buttons, only Accessibility is always present; the remaining three show up only if applicable, e.g. no VPN button if no VPN is configured.

 

The rest of the Quick Settings buttons are gone.

 

 

1 user thanked author for this post.

Cybertooth

Reply | Quote

Waiting for more reports of problems or success till next week. A search pulled up a lot of problem reports. If it doesn’t look better by next weekend, I’ll do another start pause to skip this update. Update problems are far higher risk than malware attacks in my experience. YMMV!

2 users thanked author for this post.

Cybertooth, MHCLV941

Reply | Quote

W10 gaming desktop here, upgraded about 3 days ago. Everything is normal and upgrade process went normal.

2 users thanked author for this post.

jburk07, MrToad28

Reply | Quote

My experiences with the Windows 10 22H2 November updates:

KB5048292 2024-11 Cumulative Preview Update for .NET Framework 3.5, 4.8 and 4.8.1 for Windows 10 Version 22H2 for x64
KB890830 Malicious Software Removal Tool (Nov2024) MRT.exe

KB5046613 2024-11 Cumulative Update for Win 10 22H2 for x64

First, I have no idea why MS makes the .NET preview patch a mandatory patch.  I had to install it.  MRT installed with no problems, as usual.  But KB5046613 was still downloading (it gets larger each month) when I decided to re-try installing the recent Java update, which has been failing with a 1603 error for a few weeks.  That Java update started a new download, and in the process the download for 6613 stopped.  I had to reboot (due to the .NET update), and then try 6613 again.  6613 installed OK, but Windows Update also installed  KB5046714 2024-11 Cumulative Update Preview for Win 10 22H2 for x6; I did not tell WU to install this Preview update.  The only problem I have seen with the updates is that the update process somehow turned off Windows Defender, and I had to turn it back on in order to get pattern updates.

Reply | Quote

bsfinkel wrote:

First, I have no idea why MS makes the .NET preview patch a mandatory patch.

Previews are not mandatory.
On a Pro version they should be blocked using GPEdit.
On a home version user should use WUmgr and hide preview updates (and drivers, firmware..)

Reply | Quote

“Previews are not mandatory.
On a Pro version they should be blocked using GPEdit.”

The November patch KB5048292 2024-11 Cumulative Preview Update for .NET Framework 3.5, 4.8 and 4.8.1 for Windows 10 Version 22H2 for x64 was not listed as “Optional”, so I installed it.  I could have done extra work to hide this update.

The November patch KB5046714 2024-11 Cumulative Update Preview for Win 10 22H2 for x64 was listed as optional.  But for some reason, after my reboot and again running Windows Update (to complete the download and installation of the KB5046613 update), Windows Update decided to install the KB5046714  preview update.  I had NOT told WU to install any optional updates.  I do nothing special with optional updates; I look to see what they are, and I ignore them (assuming that they are optional and will not be installed without my explicit action).

 

 

Reply | Quote

Alex5723 wrote:

bsfinkel wrote:

First, I have no idea why MS makes the .NET preview patch a mandatory patch.

Previews are not mandatory.
On a Pro version they should be blocked using GPEdit.
On a home version user should use WUmgr and hide preview updates (and drivers, firmware..)

That might be true in general, but this particular update is ALWAYS named “preview”.  There is never a “production” .Net update.

Reply | Quote

Never got a “preview” .NET update

Reply | Quote

“Never got a “preview” .NET update”

On October 22, 2024 I installed the following update: KB5044091 2024-10 Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 for Windows 10 Version 22H2 for x64

This was a last .NET update that was not marked “Preview”.  And in August: KB5042352 2024-08 Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 for Windows 10 Version 22H2 for x64 .

 

Reply | Quote

MHCLV941 wrote:

That might be true in general, but this particular update is ALWAYS named “preview”. There is never a “production” .Net update.

That is not correct. There is a Security CU for .NET issued on Patch Tuesday (most of the time).

The Security CU for .NET is issued on Patch Tuesday. If you use Pause or otherwise defer Windows Update until after the Preview CU for .NET is issued at the end of the month, the Preview CU supersedes the Security CU, so the Preview gets installed and you don’t get the Security CU.

To install the Security CU for .NET, it needs to be installed before the superseding Preview is issued. You can do this by controlling/hiding the other Patch Tuesday updates (wushowhide, WUMgr, or other third-party software) and installing only the Security CU for .NET prior to the Preview issue, then hiding the Preview when issued so it doesn’t get installed.

2 users thanked author for this post.

Win7and10, Alex5723

Reply | Quote

I pause Windows Updates until the end of the month.  Then I wait for Ask Woody to lower the DEFCON before I un-pause Windows Update.  I do not look to see what the updates might be before I download and install the updates.  And I usually do not look at any MS documentation to see what is contained in each update.

 

Reply | Quote

PKCano wrote:

The Security CU for .NET is issued on Patch Tuesday. If you use Pause or otherwise defer Windows Update until after the Preview CU for .NET is issued at the end of the month, the Preview CU supersedes the Security CU, so the Preview gets installed and you don’t get the Security CU. To install the Security CU for .NET, it needs to be installed before the superseding Preview is issued. You can do this by controlling/hiding the other Patch Tuesday updates (wushowhide, WUMgr, or other third-party software) and installing only the Security CU for .NET prior to the Preview issue, then hiding the Preview when issued so it doesn’t get installed.

 

I want to thank PKCano for this explanation. I always wait until just before patch Tuesday to install updates.

Win 10 Home 22H2

Reply | Quote

Felix wrote:

Happy Thanksgiving!

So, I just updated (including Office and Microsoft Store updates, as well as a BIOS update) and and have noticed some things that I have not noticed during previous updates.

First of all, my wallpaper / desktop background automatically changed to Windows Spotlight.

And, every time I would close a Word document, I would get a pop-up asking me to confirm changes made to Global template (Normal.dotm). I would initially clicked Cancel, then Don’t Save. After a while, I clicked Save, but am now not at all sure I should have.

There could’ve been other changes too that I haven’t noticed.

Any change this is related to this — https://www.askwoody.com/forums/topic/kb4023057-2/#post-2585841 ?

I guess this may also be related to my other question — https://www.askwoody.com/forums/topic/ms-defcon-4-side-effects-for-dual-booters/#post-2721203

Thank you

So, looks like it may have also changed my Power Plan/Power Options or at least parts of it — just ended up switching to High performance because my browser started completely freezing up all of a sudden.

Reply | Quote

Updated 3 Win10 Pro & 1 Win11 Pro with Novemeber updates without adverse impact.

1 user thanked author for this post.

jburk07

Reply | Quote

Windows 10 22h2 all updates installed!

KB504829 installed! It was another WINRE Security update.

Last month’s did NOT install and then disappeared upon running windows update after failed installation.

What would be the reason that October’s KB5046400 failed, and this month’s update installed?

Upon reboot and installation, a notice came up to check to see if my laptop would support Windows 11. I did not pursue and paused until January.

Win 10 Home 22H2

Reply | Quote