ISSUE 19.14.1 • 2022-01-25
MS-DEFCON 4: A very complicated patching month


By Susan Bradley

Thanks, Microsoft, for a very messy January.

This month will be somewhat convoluted for patching, due to the high number of side effects. To make it worse and more complicated, Microsoft has left it up to us to figure out what to install — rather than pushing out the fixed updates via Windows Update or WSUS. The side effects for those with servers are extreme. In some cases, you’ll need to install two updates before rebooting the servers you manage to successfully patch this month.

I’m lowering the MS-DEFCON level to 4 in spite of these difficulties, but business users must be cautious.

Consumer and home users — patching should be safe

Here’s an important clarification for home users. If you run consumer-class VPN software, the side effects mentioned later in this alert do not impact you. I know of no problems with such VPN software. So if you have a standalone computer or even a peer-to-peer network, now is the time to proceed with any January updates that you may have deferred.

Count yourself lucky that you haven’t been impacted by the slew of side effects that business users saw this month.

Business users — patching is complicated

This is going to be a difficult month to patch. And in a very unusual twist, I have different recommendations for servers and workstations.

For those of you using business-class virtual private network (VPN) software to connect workstations to your network, and if you are patching Windows 10 or 11 machines, you’ll need to skip over the normal Windows 10 releases and install the optional updates. If you use Windows software update services (WSUS) to deploy updates, this means manually importing KB5010795 for Windows 11 and KB5010793 for Windows 10 Versions 21H2, 21H1, and 20H2. Both of these updates are deemed out-of-band, so your options are limited for some deployment methods and nonexistent in others.

For those without an update-management mechanism, your users will need to go to Settings, Update and Security, and Windows Update. Under View optional updates, you’ll find the link to download and install the update for the feature release of Windows 10 running on that PC.

For those who update using the Group policy/Update for Windows methodology, the only option is to manually download the update for the feature release of Windows 10. You can either download the update and place it into a location from which all users can run it, or each user can download and run the update on individual PCs.

To get the update, visit the Microsoft catalog site and find the appropriate download, the one that matches your feature release. Click the download button on the far right. The file will be downloaded and placed into your Downloads folder. You may get a warning that the file cannot be downloaded, in which case you’ll need to click the three dots next to the file name in your browser’s download list and select the “Keep” option. See Figure 1.

Figure 1. If there is an error downloading an update file, use the Keep option on the downloads dialog to force the download.

Those using business-class VPN can manually install the updates as shown below:

If you do not use business-class VPN, you can install the regular updates released on January 11, which include the following:

For server installations, skip over the normal Windows updates and install only the out-of-band releases for Windows Server 2016, 2019, and 2022. For these, choose from the following:

As a reminder, the side effects on servers are not trivial:

  • Addresses a known issue that might cause IP Security (IPSEC) connections that contain a vendor ID to fail. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IP Security Internet Key Exchange (IPSEC IKE) might also be affected.
  • Addresses a known issue that might cause Windows Servers to restart unexpectedly after the January 11, 2022, update on domain controllers (DCs) is installed.
  • Addresses an issue that prevents Active Directory (AD) attributes from being written properly during a Lightweight Directory Access Protocol (LDAP) modify operation when you make multiple attribute changes.
  • Addresses an issue that might prevent removable media formatted using the Resilient File System (ReFS) from mounting, or might cause the removable media to mount in the RAW file format. This issue occurs after installing the January 11, 2022 Windows update.

For those patching Hyper-V servers using Server 2012 R2 as the underlying platform, there is yet another side effect. In addition to the notice that “Windows Servers might restart unexpectedly after installing the January 11, 2022, Windows update on domain controllers (DCs)” on the Server 2012 R2 platform, you will face this: “Virtual machines (VMs) located on a server that has Unified Extensible Firmware Interface (UEFI) enabled fail to start after installing the January 11, 2022, Windows update.”

Now comes the fly in the ointment. In order to properly patch Server 2012 R2, you must install both the original patch released in January (choose either KB5009610 monthly rollup or the KB5009621 security-only update) and then install the out-of-band update KB5010794. This ensures that you reboot only after the installation of the out-of-band update, not after the initial install of the monthly rollup or the security-only patch. On these older platforms, you choose monthly rollup or security-only; they are not cumulative updates, as the Windows 10/11 patches are.
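One way to enforce that two-step order on a Server 2012 R2 host is a small PowerShell script, shown here as an added example (not from the alert or from Microsoft). It assumes the .msu files for the KBs named above were already downloaded from the Microsoft Update Catalog into a staging folder (C:\Patches\2022-01 is an assumed path) and that it runs from an elevated prompt.

```powershell
# Added example: install the January 2022 base update and the out-of-band fix
# on Server 2012 R2 with a single reboot at the end, as the alert prescribes.
# Assumptions: .msu files downloaded into $PatchDir; KB numbers are those the
# alert names; the script runs elevated.
param(
    [string]$PatchDir = 'C:\Patches\2022-01',  # assumed staging folder
    [switch]$SecurityOnly                       # choose KB5009621 instead of the KB5009610 rollup
)

$BaseKb = if ($SecurityOnly) { 'KB5009621' } else { 'KB5009610' }
$OobKb  = 'KB5010794'

function Test-KbInstalled([string]$Kb) {
    # Get-HotFix lists updates that have completed installation (i.e. before this run).
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Install-Msu([string]$Kb) {
    $msu = Get-ChildItem -Path $PatchDir -Filter "*$Kb*.msu" | Select-Object -First 1
    if (-not $msu) { throw "No .msu for $Kb found in $PatchDir" }
    # /norestart keeps the server up so the OOB update can be applied before the one reboot.
    $p = Start-Process -FilePath wusa.exe `
        -ArgumentList "`"$($msu.FullName)`" /quiet /norestart" -Wait -PassThru
    # 3010 = ERROR_SUCCESS_REBOOT_REQUIRED (expected), 2359302 = WU_S_ALREADY_INSTALLED.
    if ($p.ExitCode -notin 0, 3010, 2359302) {
        throw "wusa for $Kb exited with code $($p.ExitCode)"
    }
}

if (Test-KbInstalled $OobKb) {
    Write-Host "$OobKb is already installed; nothing to do."
    return
}

# Either the monthly rollup or the security-only update must precede the OOB fix.
if (-not (Test-KbInstalled 'KB5009610') -and -not (Test-KbInstalled 'KB5009621')) {
    Install-Msu $BaseKb
} else {
    Write-Host 'January rollup or security-only update already present; applying the OOB fix.'
}
Install-Msu $OobKb

Write-Host 'Both updates are staged. Reboot once now (Restart-Computer) to finish.'
```

If the host already rebooted after the January 11 update, the script still applies only the out-of-band fix; the one extra restart in that case is unavoidable.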

I warned you this was going to be confusing! If you have any questions, join us in the forums, where we will either help you or commiserate with your patching troubles this month!

(Edited on 1-25-2022 – I had the wrong KB number listed for 2012 R2 – apologies!)



Susan Bradley is the publisher of the AskWoody newsletters.


The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.



Copyright ©2022 AskWoody Tech LLC. All rights reserved.