• NetDef

    @netdef

    Viewing 15 replies - 1 through 15 (of 725 total)
    • in reply to: To reboot, or not to reboot #2753117

      Known reboot flags in Win 10 and up – any one of these will block many installers and updates if not cleared by the process that set it.

      HKLM:\SOFTWARE\Microsoft\ServerManager\CurrentRebootAttempts – key exists
      HKLM:\SOFTWARE\Microsoft\Updates – UpdateExeVolatile – Value is anything other than 0
      HKLM:\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackagesPending – key exists
      HKLM:\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootInProgress – key exists
      HKLM:\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending – key exists
      HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce – DVDRebootSignal – value exists
      HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting – key exists
      HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired – key exists
      HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending – Any GUID subkeys exist
      HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager – PendingFileRenameOperations – value exists
      HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager – PendingFileRenameOperations2 – value exists
      HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon – AvoidSpnSet – value exists
      HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon – JoinDomain – value exists

      The following special key pair comes into play when a machine is renamed (the system compares them; both keys must match, otherwise a reboot flag is raised):

      HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName
      HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

      ~ Group "Weekend" ~

      2 users thanked author for this post.
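      The checks in the post above, put into a single PowerShell function. This is an added example, not code from the original post: it walks the listed registry locations, applies the per-item rule (key exists, value exists, non-zero value, GUID subkeys, rename mismatch) and reports which indicators are set. It assumes the value named ComputerName under both rename keys holds the active and the target name, and it needs an elevated session to read every location.

```powershell
# Added example (not from the original post): report which of the known
# pending-reboot indicators are currently set on this machine.
function Test-PendingReboot {
    [CmdletBinding()]
    param()

    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $nl  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'

    $reasons = [System.Collections.Generic.List[string]]::new()

    # Rule 1: the mere existence of the key means a reboot is pending.
    $keyExists = [ordered]@{
        'ServerManager CurrentRebootAttempts' = 'HKLM:\SOFTWARE\Microsoft\ServerManager\CurrentRebootAttempts'
        'CBS PackagesPending'                 = "$cbs\PackagesPending"
        'CBS RebootInProgress'                = "$cbs\RebootInProgress"
        'CBS RebootPending'                   = "$cbs\RebootPending"
        'WU PostRebootReporting'              = "$wu\PostRebootReporting"
        'WU RebootRequired'                   = "$wu\RebootRequired"
    }
    foreach ($name in $keyExists.Keys) {
        if (Test-Path -LiteralPath $keyExists[$name]) { $reasons.Add($name) }
    }

    # Rule 2: a named value must exist under the key.
    $valueExists = [ordered]@{
        'RunOnce DVDRebootSignal'      = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce', 'DVDRebootSignal')
        'PendingFileRenameOperations'  = @($sm, 'PendingFileRenameOperations')
        'PendingFileRenameOperations2' = @($sm, 'PendingFileRenameOperations2')
        'Netlogon AvoidSpnSet'         = @($nl, 'AvoidSpnSet')
        'Netlogon JoinDomain'          = @($nl, 'JoinDomain')
    }
    foreach ($name in $valueExists.Keys) {
        $path, $value = $valueExists[$name]
        if (Test-Path -LiteralPath $path) {
            $item = Get-ItemProperty -LiteralPath $path -Name $value -ErrorAction SilentlyContinue
            if ($null -ne $item -and $null -ne $item.$value) { $reasons.Add($name) }
        }
    }

    # Rule 3: UpdateExeVolatile counts only when it is anything other than 0.
    $upd = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Updates' `
                            -Name 'UpdateExeVolatile' -ErrorAction SilentlyContinue
    if ($null -ne $upd -and $upd.UpdateExeVolatile -ne 0) {
        $reasons.Add('Updates UpdateExeVolatile is non-zero')
    }

    # Rule 4: any GUID-named subkey under WindowsUpdate\Services\Pending.
    $pending = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending'
    if (Test-Path -LiteralPath $pending) {
        $guidPattern = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'
        $guidSubkeys = Get-ChildItem -LiteralPath $pending -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match $guidPattern }
        if ($guidSubkeys) { $reasons.Add('WU Services\Pending has GUID subkeys') }
    }

    # Rule 5: a pending rename shows as a mismatch between the active and
    # target computer name (assumption: both keys expose the value "ComputerName").
    $cn = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName'
    $active = (Get-ItemProperty -LiteralPath "$cn\ActiveComputerName" -Name ComputerName -ErrorAction SilentlyContinue).ComputerName
    $target = (Get-ItemProperty -LiteralPath "$cn\ComputerName"       -Name ComputerName -ErrorAction SilentlyContinue).ComputerName
    if ($active -and $target -and $active -ne $target) {
        $reasons.Add("Computer rename pending ($active -> $target)")
    }

    [PSCustomObject]@{
        ComputerName  = $env:COMPUTERNAME
        RebootPending = ($reasons.Count -gt 0)
        Reasons       = $reasons.ToArray()
    }
}

# Usage: run from an elevated prompt before launching an installer or update.
Test-PendingReboot | Format-List
```

      Running this before a deployment tells you which flag an installer is going to trip over; if the flag belongs to a process that never cleared it, a controlled reboot is the fix, not clearing the key by hand.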
    • in reply to: Got Exchange online problems? #2752362

      This is hitting all of our M365 Exchange customers, and it is also hitting my family’s personal MSN/Outlook accounts.


      ~ Group "Weekend" ~

    • in reply to: Servers getting upgraded to 2025? #2715305

      Thanks Susan!

      Our team has blocked that KB now across our entire org.  Some notes:

      Unless you have a current Software Assurance subscription along with your correctly scaled Server 2022/2019 license core count, accepting this update WILL put you into non-compliance with your license unless you purchase new Server 2025 licenses.

      In place upgrades have become drastically more reliable since the 2016 days, but there are some gotchas that our team has identified:

      Domain controllers should be migrated to new builds, not upgraded in place. MS technically supports upgrading DCs with some special and convoluted instructions, but it has not proven reliable for our team.

      Application servers, including SQL servers, generally upgrade in place just fine, but many LOB applications will trigger a re-activation workflow. You may also need to re-apply all prerequisite packages like .NET and other third-party code libraries. Be prepared and make sure your software is on a current and supported license, that the application's re-activation is possible (you have a working key), and that the system requirements for your application include the new server OS as a supported platform. If any of those checks are not in place, defer the upgrade.

      Dedicated file servers generally are safe to upgrade in place.

      Internal Certificate Authority server roles don't play nice with upgrades in place; migrate the role to a new server (often on a DC).

      RADIUS servers have also not played as nicely as we would like; we recommend migrating to a new server.

      ALWAYS do a test upgrade in a sandbox with the roles and applications your business uses!  Document every workaround you make during the test so you can replicate that on production.

      And finally:  Make sure you have a fully restorable backup image, refreshed just before the upgrade, ready to use if you need to rollback!

      Never -ever- upgrade a server without a known good recent backup.

      Cheers!

      ~ Group "Weekend" ~

    • in reply to: Outlook mobile is an awful app for iPhone or Android #2602364

      Are you somehow implying that Google or Apple has better controls over who or what gets access to your metadata and privacy?

      I’m . . . not convinced that any of the tech companies are better or worse than their peers.  Choose the bucket you feel will give you the least pain, but it’s kinda all the same.

      ~ Group "Weekend" ~

      1 user thanked author for this post.
    • in reply to: Outlook mobile is an awful app for iPhone or Android #2602363

      I personally prefer Outlook (Android, iOS, Windows, MacOS) over nearly any other option.  And I’ve tried them all over the years.

      I like that the functions are all a flick of the finger away (Email, Schedule, Task List, Contacts) and I like that I can link pretty near as many email accounts as I want, which lets me see all emails from all accounts or narrow it down to a single account with one click.

      I also prefer it for M365 Corporate accounts, by far.

      But then, I am not your average user.  😉

      ~ Group "Weekend" ~

      1 user thanked author for this post.
    • in reply to: MS-DEFCON 3: Should you patch? It depends. #2596664

      Really good timing Susan!

      I manage several Hyper-V clusters with "many" guest VMs running Server 2019/22 and this coming weekend is our scheduled cluster-aware patching date. We also use Veeam . . .

      Looks like I might pause them until the MSFT and Veeam get their act together regarding the Oct ’23 CU for Server 2019 and 2022.

      Thank you!

      ~ Group "Weekend" ~

    • in reply to: October updates – here comes Copilot #2594711

      For those who wish to keep and use Windows Server 2012 and 2012R2 past this month's patch cut-off: looks like you can install Azure Arc on those servers and provision ESU to it to extend security patches to October 2026.

      More info here:

      https://learn.microsoft.com/en-us/azure/azure-arc/servers/prepare-extended-security-updates


      ~ Group "Weekend" ~

    • in reply to: The Evolution of Windows Authentication (eliminating NTLM) #2593711

      I'll be interested in any info your sources can gather. My internal source thinks it's a few years out still; they want to measure NTLM use over time as they press application developers to stop hard-coding it into their programs, but knowing how slowly some large and expensive line-of-business applications move, it may be a decade.

      I’ll likely be fully retired by then.  😉

      ~ Group "Weekend" ~

    • in reply to: The Evolution of Windows Authentication (eliminating NTLM) #2593688

      I have a bit of bad news about this announcement.

      Regarding this statement:

      • NTLM is the only protocol supported when using local accounts.

      When they deprecate NTLM entirely in the future, unless they add a local Kerberos authority to Windows 11/12/13/14 (right now they are only planning to add a Kerberos "cache/proxy"), then peer-to-peer file sharing on small networks using local machine accounts will be broken forever. I suspect they want everyone to use an online account, which can use MS as the authentication authority.

      ~ Group "Weekend" ~

      1 user thanked author for this post.
    • in reply to: Beware — searching may lead to malicious ads #2510565

      Another mitigation layer to consider:  Use a DNS service that attempts to delist all known malware addresses.


      https://blog.cloudflare.com/introducing-1-1-1-1-for-families/


      ~ Group "Weekend" ~

      2 users thanked author for this post.
    • in reply to: MS-DEFCON 3: Side effect with Domain patch #2506183

      Hey Susan!

      Wanted to thank you for posting this. I was trying to conduct a live migration today to move several VMs over to a new Hyper-V host on an AD network that had taken the November patches.

      The Kerberos constrained delegation trust relationship between the old host and the new Hyper-V host was completely broken by the Nov 12th patch on the domain controller. Kept getting errors that one host could not connect to the other. (WinRM failures)

      I installed the hotfix listed (KB5021655 from the MS download catalog for Server 2019) on the MS Status page link you provided on the Domain Controller and also applied the LSASS memory leak mitigation reg-key mentioned on the same page, again on that same DC.

      It completely fixed the issue with my migration failures.

      Weirdly, this particular customer informed me that all their workstations had been popping up an odd notification since Nov 12th asking them to lock and unlock their computer to refresh a password change . . . but none of them had recently changed their passwords. If the user complied with the lock/unlock process, the popup would repeat anyway at some random time, several times a day. That issue also went away once I installed this hotfix on the DC.

      ~ Group "Weekend" ~

    • in reply to: Ready to patch your car? #2473307

      Cheap, effective mitigation for the current highest risk on new cars with remote start key fobs: a Faraday box.

      I got one that actually works for about $20 . . . tested by putting keys inside and trying to open a car that uses the near field to unlock doors when I touch the handle.

      [image: faraday-box]

      ~ Group "Weekend" ~

      3 users thanked author for this post.
    • in reply to: Rufus Updates #2465257

      That was a source of confusion for a long time, as the tool allowed an invalid combination by accident that would not work . . .  Glad they fixed it finally!

      ~ Group "Weekend" ~

    • in reply to: Rufus Updates #2457677

      I just had a chance to try this out for a new install of Windows 11 22H2, on a VM with networking disabled during setup, and am happy to report the bypass to allow creating a local account worked perfectly.

      ~ Group "Weekend" ~

      3 users thanked author for this post.
    • Just a quick visual aid for GPEdit.msc using PKCano’s settings above:

      [image: windows10targetfeatureGPO]

      ~ Group "Weekend" ~

      1 user thanked author for this post.