• MS-DEFCON 4: Safe — for now


    #2662712

    ISSUE 21.17.1 • 2024-04-23 • By Susan Bradley

    The April updates have been relatively quiet, with some exceptions. That’s why I’m lowering the MS-DEFCON
    [See the full post at: MS-DEFCON 4: Safe — for now]

    Susan Bradley Patch Lady/Prudent patcher

    • #2662760

      What’s the advice for KB articles KB5037754 and KB5025885?

      • #2662807

        Are you a consumer patcher or business patcher? If consumer, nothing.

        If business, read the article and the links.

        Keep in mind these are not patches to install; rather, they are manual steps that may or may not be needed depending on the type of patcher you are.


        Susan Bradley Patch Lady/Prudent patcher

        • #2663736

          Business machines. I did read the articles but it’s unclear what to do? For KB5037754, section Take Action it says:

          To fully mitigate the security issue for all devices, you must move to Enforced mode (described in Step 3) once your environment is fully updated.

          And Step 3 says:

          ENABLE: After Enforcement mode is fully enabled in your environment, the vulnerabilities described in CVE-2024-26248 and CVE-2024-29056 will be mitigated.

          So… How do I move to Enforce Mode?

          As for KB5025885, Microsoft released an article on how to tackle this one, with a lot of but’s and if’s – enough to scare me away….

    • #2662770

      Susan, you posted:

      This month does include updates for Secure Boot and BitLocker that require additional steps,

      Do you have a reference link for what exactly these steps are?

      -- rc primak

      1 user thanked author for this post.
    • #2662771

      The GARYTOWN link shows a Software Center screenshot with a message for 7 reboots! LOL #LoveReboots


      1 user thanked author for this post.
    • #2662806

      RE: “This month does include updates for Secure Boot and BitLocker that require additional steps, but for consumer machines I advise you to ignore Microsoft’s recommendations and the six (yes, six) reboots that are required to fully implement those updates.  If you have a machine that does not have Secure Boot enabled, you won’t be at risk by skipping these steps.”

      I was a bit confused by these comments.

      I have Secure Boot enabled and Bit Locker disabled.

      Are you suggesting that Secure Boot should be disabled to ensure minimum risk from the updates?

      If so, would it be reasonable to disable Secure Boot prior to updating, and then re-enable it afterward?


      1 user thanked author for this post.
      • #2662816

        No. If you are a consumer patcher take no additional steps. If business evaluate only.

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
        • #2665367

          Looking over what the additional steps are, and what they might do to all of my USB Boot Media, including Linux (until the distros and GRUB update their own Certificates), I’ll take a hard pass on those additional steps. I have enough multi-booting headaches without going out looking for trouble.

          -- rc primak

    • #2662893

      Susan, thanks for alerting us to the sneaky install of the Copilot ‘chat provider’ app. I found it installed on my Win 10 Home 22H2 PC, much to my surprise.  I was able to use the ‘uninstall’ button to get rid of it.

      I didn’t realize it came in with an Edge update (123.0.2420.81 or perhaps the previous one), and am surprised beta versions are installed without any warning that they are a beta version?

      Edge is not my primary browser, so I have to remember to go in and update it periodically (doesn’t automatically update because I use metered connection to block updates.)

      I had already followed your guidance and  blocked copilot with your reg keys, and made sure the Edge settings for Copilot were off.

      1 user thanked author for this post.
      • #2662932

        and am surprised beta versions are installed without any warning that they are a beta version

        Windows Copilot first showed up in the beta version and then later in the regular version. So, if you don’t have Edge beta installed, you got it via the regular Edge version.

        You do get an indication that you have a beta version of Edge installed, because the Edge icon looks a bit different.
        [image: 2-Edge-icons]

        2 users thanked author for this post.
    • #2662899

      I have 2 Home Win 10 PCs. They both have Secure Boot but not Bitlocker. Neither one issued more than the one normal restart. Hmmm?

      The only thing unusual was something called ms-gamingoverlay://kglcheck that appeared in my Windows/History file on one PC only. I don’t use any games so wonder why that appeared? The kglcheck exe seems also to be a hidden file I cannot access so cannot delete it if not needed.

    • #2662908

      I have Win 11 Home 23H2 with Secure Boot, but not Bitlocker.  I was expecting the worst, but it only required two normal restarts.  No additional steps were required.

    • #2662894

      My recent update required that I cycle through the MS (KB5036893) and Online Experience Pack to set/reset a variety of options seemingly related to AI. I refused all and was unable to continue with any Office 365 apps. I accepted the web access one and was able to continue only after closing and restarting an Office app. This seems especially arrogant of MS.

    • #2662920

      For those who do the April 9 Win 10 Pro or Home 22H2 Updates and post here, could you also include this information:

      1. Do you now have the option for prompts on the lock screen? The option is supposed to be at Settings | Personalization | Lock Screen.
      2. Do you have the UCPD installed? If so, can you use 3rd party apps without interference from the UCPD? If not, have you disabled it?
      3. Do you see any signs of Windows Copilot yet?

      For details, see @lmacri’s post about 1. and 2. <here> and see @lmacri’s post about 3. <here>.

      • #2662926

        See #2659416 for my comments on UCPD.

        I have deprovisioned most of the UWP Apps, uninstalled Edge using AveYo’s script, and blocked most of MS’s other intrusions like lock screen and taskbar additions. So my installations are otherwise not the standard.

        • #2662935

          So my installations are otherwise not the standard.

          And so, you have prepared in advance not to see any sign of Windows Copilot, when it is finally dribbled out?

          • #2662940

            I have blocked Copilot as much as is possible with what we know now. (I hope)

            1 user thanked author for this post.
      • #2663001

        Windows 10 Pro 22H2 /w April updates (no problems encountered installing the updates.)

        1. Do you now have the option for prompts on the lock screen? The option is supposed to be at Settings | Personalization | Lock Screen.

        Yes but it looks like this and, if I click any of the + prompts, it shows no apps available to be added.

        [image: LockscreenApps]

        2. Do you have the UCPD installed? If so, can you use 3rd party apps without interference from the UCPD? If not, have you disabled it?

        UCPD was installed (it was actually part of the March KB5035845 CU update – March CU updated files list) but I disabled it because I use SetUserFTA and it no longer worked once UCPD was installed!

        FYI, the April KB5036892 CU update did “not” re-enable UCPD.

        3. Do you see any signs of Windows Copilot yet?

        No sign of Windows CoPilot but, like @PKCano, I’d already set all the Group Policies and registry entries to disable it back when they were first announced on AskWoody.

        1 user thanked author for this post.
    • #2662925

      I am Win 10/Pro 22H2. Now, after Microsoft has acknowledged its mistake, and we know that we weren’t supposed to get the Microsoft Copilot app via an Edge update, can we assume, for the time being, that we won’t get it again if we uninstall it?

      • #2663027

        Correct.


        Susan Bradley Patch Lady/Prudent patcher

        3 users thanked author for this post.
        • #2670516

          Windows 10 Pro 22H2 with a local home-use consumer account.  I have no technical expertise but I try to apply your advice.

          The Microsoft Copilot App was installed on my computer on 3/28/24.

          You wrote: “As part of the upcoming resolution of this issue, the chat provider for Copilot in Windows component will be removed from devices where Microsoft Copilot is not intended to be enabled or installed.” 

          Should I uninstall the Microsoft Copilot App?  Or should I wait for Microsoft to remove the Microsoft Copilot App?  Are there any ramifications if I uninstall the Microsoft Copilot App?

          NOTE: Per your advice:

          I set Show suggestions occasionally in Start to Off.

          I set Show me the Windows welcome experience after updates and occasionally when I sign in to highlight what’s new and suggested to Off.

    • #2662957

      Susan, this was a bit confusing: “This month does include updates for Secure Boot and BitLocker that require additional steps, but for consumer machines I advise you to ignore Microsoft’s recommendations and the six (yes, six) reboots that are required to fully implement those updates…. If you have a machine that does not have Secure Boot enabled, you won’t be at risk by skipping these steps.”

      I have five Windows 10 Pro 22H2 systems, though one is Windows 11 capable.

      1) How does one know if Secure Boot is enabled?
      2) How does one ignore MS recommendations during the update, e.g., which KBs are to be blocked and what to do during update process?

      Thanks, CMA

      • #2663026

        You just install the updates.  Period.

        The KBs I point to in the business section need a series of manual steps that I DO NOT want you to do.

        Susan Bradley Patch Lady/Prudent patcher

        2 users thanked author for this post.
        • #2663029

          From the Alert – Consumer Section

          If you have a machine that does not have Secure Boot enabled, you won’t be at risk by skipping these steps

          You just install the updates. Period.

          For Win10/Pro, 22H2 with BitLocker disabled:
          And you just install the updates, even if you have a machine that DOES have Secure Boot enabled?

          • #2663072

            And you just install the updates, even if you have a machine that DOES have Secure Boot enabled?

            If you are a consumer patcher take no additional steps.

            Image your system(s) first…before installing updates.

            If something goes sideways, you can go back to where you were before.


            1 user thanked author for this post.
            • #2663081

              Sorry, I assumed “image your system” in my post. I’m positive that Susan meant that also in her post ‘You just install the updates. Period.’, which I quoted.

              But, thanks for bringing that assumption out in the open.

            • #2665370

              Image your system(s) first…before installing updates.

              If something goes sideways, you can go back to where you were before.

              According to the KB article on the changes to Secure Boot, once you revoke the old EFI/UEFI setups for USB boot, your backups may no longer work. This is what has scared me off from doing any additional steps as a home user with stand-alone PCs and multi-booting with Linux from USB drives. I hope that when the changes become mandatory, there will be some sane and rational way to get everything updated without any loss of the ability to use backups.

              -- rc primak

              4 users thanked author for this post.
            • #2670531

              Windows 10 Pro 22H2 with a home-use consumer account.  Secure Boot and BitLocker are enabled.  I have no technical expertise but I try to apply the advice in this column.

              In the Consumer Section, Susan Bradley wrote:

              “This month does include updates for Secure Boot and BitLocker that require additional steps, but for consumer machines I advise you to ignore Microsoft’s recommendations and the six (yes, six) reboots that are required to fully implement those updates.”

              Followed by:

              “You just install the updates. Period.”

              I still need a basic clarification.  Susan Bradley advised that we should just install the Secure Boot and BitLocker updates but ignore the Microsoft recommendations and the six reboots.  I have never encountered this situation.  What should I do to ignore the recommendations and the six reboots?  Do I just allow the computer to reboot the first time to install the update and then decline the request for additional reboots?  It would be very helpful to know what to expect and know what to do before installing the updates.

            • #2670536

              Windows 10 Pro 22H2 with a home-use consumer account. Secure Boot and BitLocker are enabled. I have no technical expertise but I try to apply the advice in this column.

              In the Consumer Section, Susan Bradley wrote:

              “This month does include updates for Secure Boot and BitLocker that require additional steps, but for consumer machines I advise you to ignore Microsoft’s recommendations and the six (yes, six) reboots that are required to fully implement those updates.”

              Followed by:

              “You just install the updates. Period.”

              I still need a basic clarification. Susan Bradley advised that we should just install the Secure Boot and BitLocker updates but ignore the Microsoft recommendations and the six reboots.

              See Susan’s post at #2663026 for the clarification you are looking for.

              In other words, as a consumer, you won’t see anything about the 6 steps.

              1 user thanked author for this post.
    • #2662971

      I received an error when updating my Windows 11 Pro.

      [image: Screenshot-2024-04-23]
      [image: Screenshot-2024-04-23-Error]

      Any remedies for this?

      • #2663025

        I would do a repair install over the top.

        Susan Bradley Patch Lady/Prudent patcher

        • #2663031

          I did another attempt at installation. It worked. I was able to install the update successfully.

          1 user thanked author for this post.
    • #2663021

      Just got this in a message from Microsoft –

      [image: MSExchangeServer]

    • #2663185

      Just in case this might be of interest to anyone here, it appears that the issue on systems with an xbox controller causing the Explorer.exe crash bug from a couple of months ago also affects the Win11 April CU. Users on reddit report that the bug was apparently fixed in the March Preview, but still happens with the regular April CU if the gameinput service is enabled and running.

    • #2663251
      • #2670979

        Any reason to apply KB5037224? Anything critical? I generally avoid Hotfixes unless there is a compelling reason to. Exchange 2016 fully patched.

        • #2671221

          From MS

          released on April 23, 2024. It includes fixes for non-security issues and introduces new features.

          So no, do not install it.

          cheers, Paul

          2 users thanked author for this post.
    • #2663273

      Windows 10 22h2 – longest update ever for me. Sat at the updating your computer screen for 10 minutes before showing any progress. After reboot (finally) desktop icons flashed many times before settling down.

      NO lockscreen widget works. I used to have weather, now NONE I select work at all. Got a fix?

      And what did this cumulative do I should be aware of? Seems like it had to be significant.

      1 user thanked author for this post.
    • #2663350

      Have completed updating 10 of our systems – laptops, desktops, and workstations.

      All are running Windows 10 Pro 64-bit Version: 22H2 and operating as “Consumer” machines.

      Prior to updating we followed Susan’s suggestion to:

      All downloads and installations went smoothly except for 2024-01 Security Update for Windows 10 Version 22H2 for x64-based Systems (KB5034441) that failed to install on any of our PCs.

      Update times did not exceed 30 minutes on any machine and only required one reboot.

      2 users thanked author for this post.
    • #2663357

      ‘Safe for Now’ indeed!
      Come May 2024 Patch Tuesday, CVE-2022-38028 will likely cause printing issues... again!

      Yup, it’s in the wild with a CVSS score of 7.8 (HIGH).
      Seems like a collateral Windows annual event... /sigh

      More info: https://www.securityweek.com/cisa-warns-of-windows-print-spooler-flaw-after-microsoft-sees-russian-exploitation/

      Windows - commercial by definition and now function...
      • #2663646

        CVE-2022-38028 requires local access or the user has to run a malicious file.
        Nothing to worry about if you practice safe hex.

        cheers, Paul

        2 users thanked author for this post.
      • #2663728

        ‘Safe for Now’ indeed!
        Come May 2024 Patch Tuesday, CVE-2022-38028 will likely cause printing issues... again!

        Why May? Wasn’t this patched 18 months ago?

        1 user thanked author for this post.
    • #2663362

      I’m running Win 10 Pro on a test/backup machine. A couple weeks ago I noticed that on an extremely long boot (10 minutes or so) a Copilot Preview icon showed up in the far right of the taskbar. Being involved with other pressing life issues at the time I didn’t think much of it and figured that as with the 99.9999% of other MS “features” that I have no use for I would just ignore it.

      Tried updating the machine last night. The April .NET 3.5/4.8.1, KB5036618, installed fine up to the “pending restart” notification, but the April CU, KB5036892, gave me a download error 0x80073701. The restart took 20 minutes (!), but the Copilot Preview icon was no longer present; apparently it was removed.

      I restarted again and let it sit overnight. This morning a new “feature” appeared, a vertical Edge sidebar. Easy enough to get rid of via the sidebar settings, but still, I didn’t ask for it, I don’t want it, so leave me alone MS.

      What I do want is for the CU updates to work. I ran sfc with scannow option and was told corrupt files were found and successfully repaired. Dism with the ScanHealth and CheckHealth options (in that order) both completed successfully, but both did say that the ‘component store is repairable’. Unfortunately Dism with RestoreHealth option gave a 0x800f081f error and said ‘the source files could not be found’.

      Perhaps the info in the first 3 paragraphs will be useful to someone.

      Anybody have an opinion about the CU update failure? Should I try resetting the Windows Update components, or do a repair install as in Topic 6000015?

      1 user thanked author for this post.
      • #2666289

        So after I got rid of the new “feature” (the vertical Edge sidebar), I shut down and then turned the computer on after a couple of days. For some reason Windows Update thought I was still running W10 Pro 21H2 – apparently because of corrupted files DISM couldn’t repair – and offered me a feature update to 22H2 via an enablement package. The update downloaded and installed and, after a 20 minute restart, Windows Update said I was running 22H2 and was current through the April updates. All seems well. Seems like a fairly strange turn of events but, as things seem back to normal, I’ll take it.

    • #2663370

      Our standard practice is to run RevoUninstaller immediately after updating our Windows computers.

      New apps discovered after updating this month include:

      • HP One Ageny (which we uninstalled),
      • HEIF Image Extensions (waiting to see what it does before uninstalling),
      • Store Experience Host (waiting to see what it does before uninstalling), and
      • Web Media Extensions (waiting to see what it does before uninstalling).
      1 user thanked author for this post.
    • #2663430

      Win10 Pro 22H2, Secure Boot = off. After the April cumulative update I see Event ID 1796 TPM-WMI: “The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine.” No issues so far. Should I be concerned?

      1 user thanked author for this post.
      • #2663883

        Update – fixed by turning Secure Boot on.

        1 user thanked author for this post.
        • #2670089

          No issues so far. Should I be concerned?

          Update – fixed by turning secure boot on

          I just noticed this in my Event Viewer also, Event ID 1796.

          However, I have never had Secure Boot turned ON, and I don’t want to turn it ON.

          Why is this appearing?  OK to just let it appear?  Doesn’t seem to be causing any issues that I can detect.

          Windows 10 Pro x64 v22H2 and Windows 7 Pro SP1 x64 (RIP)
          • #2670168

            The update wants to change some “KEYS” in the Secure Boot section of the BIOS. It can’t, since Secure Boot is turned off. This is the cause of the error. The error shouldn’t be an issue, but you may keep getting the error at every boot up.

      • #2670496

        Win10 Pro 22H2 secure boot = off After April cumulative update see Event ID 1796 TPM-WMI …

        Hi sheldon:

        Thanks for posting about this error. I have Secure Boot turned OFF on my Win 10 machine and confirmed my Event Viewer has been logging these Event ID 1796 / TPM-WMI system errors after every system restart since I installed the April 2024 cumulative monthly Quality Update KB5036892 (OS Builds 19045.4291) on 12-Apr-2024 (see attached image).

        I sent a bug report to Microsoft using my Feedback Hub app.  Anyone who has Microsoft’s Feedback Hub app installed on their computer should be able to view (and upvote) this report at https://aka.ms/AAqfges.
        ———-
        Dell Inspiron 15 5584 * 64-bit Win 10 Pro v22H2 build 19045.4291 * Firefox v125.0.3 * Microsoft Defender v4.18.24030.9-1.1.24040.1 * Malwarebytes Premium v5.1.4.112-1.0.1233 * Macrium Reflect Free v8.0.7783
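
The two questions raised in this thread, how to tell whether Secure Boot is enabled (#2662957) and what the repeating TPM-WMI Event ID 1796 means (#2663430 and replies), can be answered from one elevated PowerShell session. This is an added example and not code from the thread or from Microsoft; it assumes the stock `SecureBoot` module (`Confirm-SecureBootUEFI`), the `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State` registry value, and that the 1796 events are logged to the System log by the TPM-WMI provider, as the posts above describe.

```powershell
# Added example (not from the AskWoody thread or Microsoft): report whether UEFI
# Secure Boot is on and whether the System log holds TPM-WMI Event ID 1796 entries.
# Run in an elevated PowerShell on the Windows 10/11 machine being checked.

function Get-SecureBootStatus {
    # Confirm-SecureBootUEFI throws on legacy-BIOS boots or when not elevated;
    # fall back to the registry mirror of the firmware state in that case.
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
        return [pscustomobject]@{ Source = 'Confirm-SecureBootUEFI'; Enabled = [bool]$enabled }
    } catch {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
        $val = Get-ItemProperty -Path $key -Name UEFISecureBootEnabled -ErrorAction SilentlyContinue
        if ($null -eq $val) {
            # No UEFI Secure Boot state at all (legacy BIOS/CSM boot).
            return [pscustomobject]@{ Source = 'none'; Enabled = $null }
        }
        return [pscustomobject]@{ Source = 'registry'; Enabled = ($val.UEFISecureBootEnabled -eq 1) }
    }
}

function Get-SecureBootUpdateFailures {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    # Event ID 1796 from TPM-WMI is the "Secure Boot update failed to update a
    # Secure Boot variable" entry described in the thread; it repeats once per
    # boot for as long as the update cannot write the variables.
    $filter = @{ LogName = 'System'; Id = 1796; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*TPM-WMI*' } |
        Select-Object TimeCreated, Id, ProviderName, Message
}

$status = Get-SecureBootStatus
$events = @(Get-SecureBootUpdateFailures)

"Secure Boot enabled: $($status.Enabled) (via $($status.Source))"
"TPM-WMI 1796 events in the last 30 days: $($events.Count)"

if ($events.Count -gt 0 -and $status.Enabled -eq $false) {
    # Matches the explanation in the thread: the servicing update cannot write
    # Secure Boot variables while Secure Boot is off, so the event is expected noise.
    "Expected: Secure Boot is off, so the update cannot write Secure Boot variables."
} elseif ($events.Count -gt 0) {
    "Unexpected: Secure Boot is on but variable updates still fail; check OEM firmware guidance."
}
$events | Format-Table TimeCreated, Message -AutoSize -Wrap
```

Without elevation `Confirm-SecureBootUEFI` fails and the registry fallback is used; the event query itself only needs read access to the System log.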

    • #2664265

      Microsoft has enabled Start menu ads in the optional KB5036980 preview cumulative update for Windows 11 22H2 and 23H2 released on April 23. More details below:

      https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5036980-update-goes-live-with-start-menu-ads/

    • #2664344

      No updates for me on Windows XP. Great for me. No worries about MS spyware and issues they cause.

      • #2664355

        No, you just need to worry about an OS that can’t run any sort of modern software.

        Susan Bradley Patch Lady/Prudent patcher

        4 users thanked author for this post.
        • #2664420

          Susan

          Think about it.  Several of our computers are used for administrative activities only and the software used includes:

          • Microsoft Office including Outlook and Access,
          • Dragon Naturally Speaking,
          • A PDF application,
          • Firefox and Brave, and
          • Third party security software.

          The printed manuals we use for Office date from 2000 and 2007 and are more than adequate.

          No need for “modern software” as long as our security software continues to be supported.

          So, the question is, why move from Windows 10 to Windows 11?

          3 users thanked author for this post.
    • #2664457

      No need for “modern software” as long as our security software continues to be supported.

      Which modern, up-to-date security software still supports XP (or 7)?

      1 user thanked author for this post.
    • #2665977

      VPN connections might fail after installing the April 2024 security update

      KB5036893/KB5036892

      Windows devices might face VPN connection failures after installing the April 2024 security update (KB5036893) or the April 2024 non-security preview update.

      Next steps: We are working on a resolution and will provide an update in an upcoming release.

      Windows support:

      Home PC: If you need support with your personal or family account, use the Get help app in Windows.

      Enterprise devices: Request help for your organization through Support for business.

      Affected platforms:

      Client: Windows 11, version 23H2; Windows 11, version 22H2, Windows 11, version 21H2, Windows 10, version 22H2, Windows 10, version 21H2.

      Server: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows Server 2008.

      Moderator Note: This post is a duplicate (albeit from a different MS source) of a topic started by Susan Bradley three hours before this post was made. The topic, and subsequent answers to questions can be found here.

      1 user thanked author for this post.
    • #2666089

      Updated 3 Win10 & 1 Win11, all Pro, with Apr patches. No problems seen.

      I post this because this is the type of post I look for when new patches show up. If I see a bunch of posts like this, it confirms the Defcon rating. OTOH if users are talking problems & complexity, I delay till next month.

      1 user thanked author for this post.
    • #2666618

      Well, now Microsoft admits it can’t fix the issue for Windows 10 KB5034441 automatically.

      https://www.neowin.net/news/microsoft-admits-it-cant-fix-windows-10-kb5034441-0x80070643—errorinstallfailure/

      Win 10 ver. 22H2 x64

      2 users thanked author for this post.
    • #2666635

      I would do a repair install over the top.

      That is so very right!

      * _ ... _ *
    • #2666649

      KB5034441

      also reported here as well:

      https://borncity.com/win/2024/05/02/windows-10-11-server-2022-microsoft-says-no-more-fix-for-installation-error-0x80070643-during-winre-update/

      see folks, that’s what wushowhide.diagcab is there for – to hide/block unwanted updates like KB5034441; learn how to use wushowhide.diagcab

      2 users thanked author for this post.
    • #2666651

      Other than BitLocker/Secure Boot, does KB5034441 address any other Windows 10 22H2 issues?

      If not and we do not use BitLocker and have uninstalled OneDrive and Edge – can we ignore the KB5034441 installation failure going forward?

      • #2666939

        Yes, ignore 34441.

        If you do use BitLocker and the update won’t install, add a pre-boot PIN to prevent attackers bypassing BL, or not, depending on your paranoia levels. 🙂

        cheers, Paul

        4 users thanked author for this post.
    • #2667216

      Personally, I don’t recommend refreshes and instead recommend that you perform repair installs to fix anything that your system has issues with — especially when it comes to updating issues.

      What are the refreshes mentioned in this article? Windows reset?

    • #2671101

      Image your system(s) first…before installing updates.

      If something goes sideways, you can go back to where you were before.

      According to the KB article on the changes to Secure Boot, once you revoke the old EFI/UEFI setups for USB boot, your backups may no longer work. This is what has scared me off from doing any additional steps as a home user with stand-alone PCs and multi-booting with Linux from USB drives. I hope that when the changes become mandatory, there will be some sane and rational way to get everything updated without any loss of the ability to use backups.

      Hi Susan and Team,

      I hope this message finds you well.

      I really appreciate your advice and analysis of the changes related to Secure Boot updates. As a consumer base user, what is your advice for deploying these updates? What I mean is, they will be mandatory and will eventually be enabled with the recommended (and restricted) settings.

      While I am in favour of the security benefits they bring, just as rc primak pointed out it won’t be without potential drawbacks. Wouldn’t it be better to start testing now and be prepared?

      My most recent system is an HP Elitebook 1040 G9 from early 2023 running Windows 11 23H2. It has BitLocker and Secure Boot enabled, in addition to the most recent UEFI firmware available installed. I believe this will have the most chance of installing and using these updates.

      Thanks in advance for any further advice.

      • #2671267

        What kind of advice is the HP Driver-and-Hardware-Assistant giving you?
        In my case, an HP Elitebook 650 G10 from early 2024, W11 Pro 22H2, HP is very strict about what to update or not.
        Mind you, be very strict and secure about UEFI and Secure Boot changes; in my opinion HP is leading here in changes.
        Greetings

        * _ ... _ *