• Puzzled by Windows Security Update: KB2973351

    #495525

    I have two Win 7 (x64) Home Premium PCs (desktop and laptop). Among the other Windows updates I received notification about on both computers was KB2973551. It is titled, “Microsoft Security Advisory: Registry update to improve credentials protection and management for Windows-based systems that have the 2919355 update installed: July 8, 2014” (http://support.microsoft.com/kb/2973351).

    Although all the other recommended Windows security patches were mentioned in this week’s newsletter, this one was not. So I checked to see whether I had previously installed KB2919355 on either, or both, PCs. In each, I went to my Control Panel > Programs & Features > View Update History and did not find KB2919355 among the many Security Updates for Windows listed.

    This raises several questions:

      • Is it possible I do have KB2919355 installed, but it is not listed among the installed Windows security updates on each PC because of some feature of the update itself?
      • If KB2919355 is not installed on my PCs, will installing KB2973551 cause problems?

    To make the waters even murkier, the Microsoft Support site article includes a link to another, titled appropriately enough, “Microsoft Security Advisory: Registry update to improve credentials protection and management for Windows systems that do not have the 2919355 update installed: July 8, 2014” (http://support.microsoft.com/kb/2975625). I wonder if this is the update notification I should have received.

    I searched the Web, the Lounge, and Windows Secrets and found no relevant information to suggest others have experienced this situation. I do not plan on installing either KB2973551 or KB2975625 until I am comfortable about the appropriate course of action. I hope that someone in the Lounge can provide me with specific guidance on what that is or suggestions on where to find out. Thanks in advance.

    • #1459367

      It’s KB2973351 (as in your link), not KB2973551 (as you typed three times):

      One update that I got that is not mentioned in this newsletter is KB2973351. For now I am putting it on hold until someone tells me whether it is safe to install or not. Thanks!

      Pam

      That’s a minor update to a recent security update, and it’s only relevant to enterprise IT administrators using Remote Desktop Protocol to connect to servers within a domain.

      It’s related to KB2871997 which Sue covered on May 15, 2014:

      > What to do: Home-network users — or anyone who doesn’t sign into a domain — can pass on KB 2871997. Those who do sign into a corporate domain should install the update when offered.

      Details of the May update and its July update are at Update to Improve Credentials Protection and Management.

      Perhaps Susan Bradley will remember to address KB2973351 sometime soon as it will apparently be offered to all Windows 7 and Windows 8 users.

      (I installed this update three days ago and have not noticed any adverse consequences; but I always install all updates immediately and I haven’t used RDP on a domain lately.)

      Bruce

      Yup I’ll cover it at the end of the month.

      • #1459607

        Thanks. Pardon the dyslexia.

      • #1467200

        > It’s KB2973351 (as in your link), not KB2973551 (as you typed three times):

        Security Update for Windows 7 for x64-based Systems (kb298378) is included in my 9/9/14 updates but is not mentioned in the 9/10/14 PatchWatch column. It references MS security advisory 2871997 which you indicated is related to kb2973351. Is it being reissued to those who elected to hide kb2871997?

        • #1467257

          > Security Update for Windows 7 for x64-based Systems (kb298378) is included in my 9/9/14 updates but is not mentioned in the 9/10/14 PatchWatch column. It references MS security advisory 2871997 which you indicated is related to kb2973351. Is it being reissued to those who elected to hide kb2871997?

          Apparently not:

          • On September 9, 2014, Microsoft released the 2982378 update for supported editions of Windows 7 and Windows Server 2008 R2. The update adds additional protection for users’ credentials when logging into a Windows 7 or Windows Server 2008 R2 system by ensuring that credentials are cleaned up immediately instead of waiting until a Kerberos TGT (Ticket Granting Ticket) has been obtained. For more information about this update, including download links, see Microsoft Knowledge Base Article 2982378.
          Microsoft Security Advisory 2871997

          Bruce

          • #1473007

            Bruce-

            Are you able to bring Susan Bradley’s attention to this particular update KB 2973351? I am also still waiting for word on this and would really like to know what she recommends.

    • #1459375

      I’ll try to break this one down as it had me puzzled a few days ago; any/all errors are of course my own because MS doesn’t make any.

      From https://support.microsoft.com/kb/2973351, please read it in full.

      I’ve emphasised what I consider to be important/explanatory:

      > The default behavior for Restricted Admin mode changed in Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.
      >
      > By default, Restricted Admin mode is now turned off, and you have to enable it again after you install update 2973351 or 2975625 if it is required.
      >
      > Previously, Restricted Admin mode was turned on by default.

      That indicates that this ‘bug’ was introduced with the latest updated OS versions, W7/8 should still be at the default, ‘safe’ settings – BUT – judging by the ‘fix’ packages on offer for earlier OS versions, something (KB2975625 or KB2973351 from the May update?) might have incorrectly set the values in those versions as well.

      So, if you’re using Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1, you will need to install the KB (or to manually modify the Registry – DisableRestrictedAdmin should be added and set to ).

      For earlier versions (W7->8, see below for the full list), checking the Registry entry is required – if there is no DisableRestrictedAdmin entry, no further action should be needed; if DisableRestrictedAdmin exists, the value should be set to or the patch needs to be installed.

      Versions that are affected:

      Windows RT 8.1
      Windows 8.1
      Windows 8.1 Enterprise
      Windows 8.1 Pro
      Windows Server 2012 R2 Datacenter
      Windows Server 2012 R2 Essentials
      Windows Server 2012 R2 Foundation
      Windows Server 2012 R2 Standard

      Versions that might be affected:

      Windows RT
      Windows 8
      Windows 8 Enterprise
      Windows 8 Pro
      Windows Server 2012 Datacenter
      Windows Server 2012 Essentials
      Windows Server 2012 Foundation
      Windows Server 2012 Standard
      Windows 7 Service Pack 1, when used with:

      Windows 7 Enterprise
      Windows 7 Professional
      Windows 7 Ultimate
      Windows 7 Home Premium
      Windows 7 Home Basic

      Windows Server 2008 R2 Service Pack 1, when used with:

      Windows Server 2008 R2 Standard
      Windows Server 2008 R2 Enterprise
      Windows Server 2008 R2 Datacenter

      How to check/modify the setting:

      > To configure the Restricted Admin registry setting, add a DWORD value that is named DisableRestrictedAdmin to the following registry subkey:
      > HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
      >
      > To do this, follow these steps:
      >
      > Click Start, click Run, type regedit in the Open box, and then click OK.
      > Locate and then click the following subkey in the registry:
      > HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
      > On the Edit menu, point to New, and then click DWORD Value.
      > Type DisableRestrictedAdmin for the name of the DWORD value, and then press Enter.
      > Right-click DisableRestrictedAdmin, and then click Modify.
      > To disable Restricted Admin mode, type 1 in the Value data box, and then click OK.
      > To enable Restricted Admin mode, type 0 in the Value data box, and then click OK.
      > Exit Registry Editor, and then restart the computer.
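
    As an added example (not part of any post in this thread, and not Microsoft's code): a read-only PowerShell check of the DisableRestrictedAdmin value under the Lsa key and of the updates named in this thread. The function names are hypothetical; nothing is written to the registry.

```powershell
# Added example: read-only audit, compatible with PowerShell 2.0 on Windows 7.
# Registry key and value name are the ones given in KB2973351 as quoted in this thread.
$LsaKey    = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$ValueName = 'DisableRestrictedAdmin'
# KB numbers mentioned in this thread.
$KbIds     = 'KB2871997', 'KB2919355', 'KB2973351', 'KB2975625', 'KB2982378'

# Hypothetical helper: reports how Restricted Admin mode is configured in the registry.
function Get-RestrictedAdminState {
    param([string]$Path = $LsaKey, [string]$Name = $ValueName)
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Value absent: the operating system's default behaviour applies.
        return "NotSet ($Name is absent; OS default applies)"
    }
    switch ([int]$prop.$Name) {
        0       { "Enabled ($Name = 0)" }
        1       { "Disabled ($Name = 1)" }
        default { "Unexpected value: $($prop.$Name)" }
    }
}

# Hypothetical helper: reports which of the listed updates Get-HotFix can see.
# Get-HotFix reads Win32_QuickFixEngineering and may not list every update type,
# so "Installed = False" means "not reported", not proof of absence.
function Get-KbStatus {
    param([string[]]$Ids = $KbIds)
    foreach ($id in $Ids) {
        $fix = @(Get-HotFix -Id $id -ErrorAction SilentlyContinue)
        $installedOn = $null
        if ($fix.Count -gt 0) { $installedOn = $fix[0].InstalledOn }
        New-Object PSObject -Property @{
            KB          = $id
            Installed   = ($fix.Count -gt 0)
            InstalledOn = $installedOn
        }
    }
}

"Restricted Admin mode: $(Get-RestrictedAdminState)"
Get-KbStatus | Sort-Object KB | Format-Table KB, Installed, InstalledOn -AutoSize
```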

    • #1459615

      Unfortunately, I installed the update KB2973351 (Win 7 Ultimate x64) on 7/12/2014. I saw it wasn’t mentioned in Patch Watch, and slipped up by installing it without checking to see if I had previously installed the predecessor mentioned in the article. Bad move. Everything seemed to work well until I tried to print from Photoshop CC and Lightroom 5. The printer driver took 3.5 minutes to load (usual time is less than 5 minutes), and I was unable to change any of the printing settings without waiting at least 4 minutes per subscreen, effectively destroying my ability to print from Photoshop and Lightroom. There was no disk activity while waiting, and I had no other programs running at that time. I last printed from Photoshop on 7/8/2014, at which time everything worked normally.
      Started to uninstall the patches from 7/12 one by one, and fortunately, uninstalling the last patch I had installed, KB2973351, fixed the problem. I take the blame for this one because I did not check to see if I had installed its prerequisite patch.

      • #1459616

        Correction: the usual time for my printer driver to appear in Photoshop and Lightroom is less than 3 seconds, not 5 minutes. (Need another cup of coffee this morning.)

    • #1461661

      I hope Susan will follow up kb2973351.

      • #1468704

        > I hope Susan will follow up kb2973351.

        Me too.

        Thanks
        wd
