ISSUE 19.43.1 • 2022-10-25

MS-DEFCON 4: Install or defer updates? Your choice.

By Susan Bradley

I’ve got a slightly mixed message about the latest round of updates.

In the most general terms, updates this month have proven safe and unlikely to cause many problems. It is for that reason I am lowering the MS-DEFCON level to 4. But there’s a grain of salt to go along with that recommendation.

I continue to recommend that you not install the feature-release updates for Windows 10 or Windows 11 version 22H2. But I do recommend that you allow the rest of the updates to install. That’s the mixed message.

As I have suggested many times before, visit this Knowledge Base page and ensure you install the registry keys to block the 22H2 releases for both. Alternatively, use Gibson Research Corporation’s (GRC) clever InControl app to block the feature releases. InControl may add a few extra registry keys, but they are of no harm. GRC’s little apps have always been very straightforward, easy to understand, and nearly brainless to use — and may be an easier approach for the typical consumer.
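To confirm that a block is actually in place, the following added example (not from the newsletter or the Knowledge Base page) reads the Windows Update policy values and reports whether the PC is held at a feature release. It assumes the block is implemented with Microsoft's TargetReleaseVersion policy values; the function name is illustrative.

```powershell
# Added example, not from the newsletter or the Knowledge Base page.
# Assumption: the block uses Microsoft's TargetReleaseVersion policy values.
function Get-FeatureReleasePin {
    $os     = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
                               -ErrorAction SilentlyContinue

    # ProductName still reads "Windows 10" on Windows 11, so go by build number.
    $installedProduct = if ([int]$os.CurrentBuild -ge 22000) { 'Windows 11' } else { 'Windows 10' }
    # DisplayVersion exists on 20H2 and later; older builds only have ReleaseId.
    $installedRelease = if ($os.DisplayVersion) { $os.DisplayVersion } else { $os.ReleaseId }

    $pinProduct = $policy.ProductVersion            # e.g. "Windows 10"
    $pinRelease = $policy.TargetReleaseVersionInfo  # e.g. "21H2"

    $status = if ($policy.TargetReleaseVersion -ne 1 -or -not $pinRelease) {
        'NOT PINNED: Windows Update may offer a feature release'
    } elseif ($pinProduct -and $pinProduct -ne $installedProduct) {
        "Pin names $pinProduct but $installedProduct is installed: review the pin"
    } elseif ($pinRelease -ne $installedRelease) {
        "Pin ($pinRelease) differs from the installed release ($installedRelease): review the pin"
    } else {
        "Held at $installedProduct $installedRelease"
    }

    [pscustomobject]@{
        Installed  = "$installedProduct $installedRelease"
        PinProduct = $pinProduct
        PinRelease = $pinRelease
        Status     = $status
    }
}

Get-FeatureReleasePin | Format-List
```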

Windows 10 22H2 is a very minor release and will install quickly. It’s probably safe, but I never recommend installing feature releases right away. Give it some time — let other, less well-informed users take the slings and arrows.

Windows 11 22H2, on the other hand, is Windows 11’s first so-called “moment” release. Moments are small, incremental changes and are a departure from Microsoft’s past history of making annual or semiannual major releases with many new features arriving at the same instant. But my advice still stands: wait and see. A special problem is that we’re not yet sure how well you can control the deployment of these “dribbles” — another good reason to wait. IT admins in businesses may have good control, but consumers may not. I’m watching this closely.

I say that, in spite of knowing that the ability to have multiple tabs in File Explorer is a feature I’m really looking forward to. It’s in this update, rolled up in the security updates coming in the next Patch Tuesday (November 8).

Besides the tabbed File Explorer, the dribbled changes include several other new features. Suggested Actions will recommend words or actions predicted from what you’ve already done or typed. According to Microsoft, Taskbar Overflow, along with easy access to Task Manager, allows you to:

… pin a larger selection of apps to your taskbar than space allows. Taskbar gives you an entry point to an overflow menu that allows you to view all your overflowed apps in one space.

Microsoft indicates that these changes in particular result from the company’s responding to user feedback. I’ve said this before, and I’ll say it again: it’s little things like this that make an overall experience. These two changes are long overdue. Do keep in mind that these are in the preview updates, and although they are due by the next Patch Tuesday, allow some time before you deploy them.

Microsoft is also sliding in some features from the Apple ecosystem. For example, install iCloud for Windows from the Microsoft Store, and the photos you take with your iPhone will appear automatically in your Windows Photos app. Microsoft has indicated that iCloud integration will be available in November. This should be happy news for the large chunk of our readers who own an iPhone or other Apple device.

As announced at Microsoft’s Ignite conference, Microsoft will be migrating and renaming all its Microsoft 365 links away from the office.com domain to microsoft365.com. If you are like me and have several bookmarks, you’ll ultimately need to update them in your browser.

I recommend bookmarking Adam Fowler’s useful Microsoft Portals site, which lists Microsoft’s key administrator portals. (It lists Microsoft 365 URLs first.) As Fowler points out, using his page is simpler than trying to sort out search results from Bing or Google. Of course, Microsoft rebranded 365 several years ago, so this is just catch-up to make sure the URLs match the current brand.

Now that I’ve sufficiently warned you about what’s coming for November’s updates, let’s go over what we saw this month in the October releases.

Consumer and home users

The biggest October impact to consumers was not due to the security releases and patches, but rather to a change in Exchange servers that blocks basic authentication. Basic authentication is a set of credentials based solely on a username and password. “Modern” authentication, using OAuth, is now required. This is not a surprise, as Microsoft has warned about this change for some time.

You may find that you’ve been beating your head against the wall this month, trying to get your beloved email client to receive and send email. The modern authentication requirement may put some older email clients into the grave, so you may need to find a different one. I know this kind of thing makes many of you mad, but please realize that there are other, very good alternative email clients — from Thunderbird to eM Client. If you are taking your time to explore other clients, you may need to temporarily access your email using your service’s Web-based email client.

The .NET updates released on Patch Tuesday do not include any new security fixes. Because .NET patches have been (for the most part) well behaved, don’t worry — I don’t anticipate any side effects. If you have a methodology (see blockapatch.com) to hide updates, you can opt to hide the .NET Framework releases. Only the .NET Core updates are security updates. See the Master Patch List for more details.

Business users

Microsoft released out-of-band updates to fix an issue introduced by the October releases that impacted SSL/TLS. Microsoft stated this:

In the September 20, 2022, preview update, we will disable TLS 1.0 and 1.1 by default for applications based on winhttp and wininet.

Translation: Microsoft made a change in SSL settings that may impact older applications.

This appears in the October updates, but in late October an out-of-band update appeared that was placed only on the Microsoft catalog site. I have seen reported issues only with business software, which is why Microsoft didn’t roll this fix out broadly. Unfortunately, calling it an out-of-band update is like waving a matador’s cape in front of a frothing bull, because it makes me think I should take immediate action. That’s because, in the past, “out-of-band” meant that there was a widespread security risk and Microsoft was taking an emergency step by pushing out a security patch before the next Patch Tuesday.

Given that this wasn’t pushed out to all users, I feel that the phrase is being abused this time. It’s fixing a bug introduced by a security patch, not fixing a security issue. I wish Microsoft would not mix up such terminology — it just confuses everyone, including me.

On this matter, home users need take no action because I’m not seeing any problems.

Businesses may want to roll this patch out, but you’ll have to do it manually. I’ve seen reports of issues with SonicWall NetExtender VPN as a result of the October updates, which simply means you’ll need to examine your security protocols closely. Many businesses have a policy requiring deployment of all security updates. If you start to see issues, install the out-of-band updates noted on the Master Patch List instead. Note that you will need to install them with a script or use some other method, because they are not going to be delivered via Windows Update.
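For admins chasing failures in older applications after the TLS 1.0 and 1.1 default change quoted above, the following added example (not part of the newsletter) reports whether anything on the PC overrides the WinHTTP or WinINet protocol defaults. The registry value names and bit flags are Microsoft's documented ones; the function name is illustrative.

```powershell
# Added example, not from the newsletter. Decodes Microsoft's documented
# DefaultSecureProtocols (WinHTTP) and SecureProtocols (WinINet) bit flags.
$flags = [ordered]@{
    'SSL 2.0' = 0x8;   'SSL 3.0' = 0x20;  'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800; 'TLS 1.3' = 0x2000
}
$legacy = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
$inet   = 'Microsoft\Windows\CurrentVersion\Internet Settings'

$locations = @(
    @{ Stack = 'WinHTTP (64-bit apps)';  Path = "HKLM:\SOFTWARE\$inet\WinHttp";             Name = 'DefaultSecureProtocols' }
    @{ Stack = 'WinHTTP (32-bit apps)';  Path = "HKLM:\SOFTWARE\WOW6432Node\$inet\WinHttp"; Name = 'DefaultSecureProtocols' }
    @{ Stack = 'WinINet (machine)';      Path = "HKLM:\SOFTWARE\$inet";                     Name = 'SecureProtocols' }
    @{ Stack = 'WinINet (current user)'; Path = "HKCU:\Software\$inet";                     Name = 'SecureProtocols' }
)

function Get-TlsProtocolOverride {
    foreach ($loc in $locations) {
        $value = (Get-ItemProperty -Path $loc.Path -Name $loc.Name `
                                   -ErrorAction SilentlyContinue).($loc.Name)
        # Names of every protocol whose bit is set in the override value.
        $enabled = @($flags.Keys | Where-Object { $null -ne $value -and ($value -band $flags[$_]) })

        [pscustomobject]@{
            Stack           = $loc.Stack
            # No value means no override: the OS default (TLS 1.0/1.1 off) applies.
            Value           = if ($null -eq $value) { 'not set (OS default applies)' }
                              else { '0x{0:X}' -f $value }
            Enabled         = $enabled -join ', '
            # True when an override switches an old protocol back on.
            LegacyReenabled = [bool]($enabled | Where-Object { $_ -in $legacy })
        }
    }
}

Get-TlsProtocolOverride | Format-Table -AutoSize
```

A row with LegacyReenabled set to True marks a machine where an application or administrator has switched the old protocols back on and the new default is not in effect.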

An early heads-up for November: You’ll want to complete your final testing of the impact of DCOM “hardening.” The final hardening is included in the November patch releases. As noted in a blog post,

The Distributed Component Object Model (DCOM) Remote Protocol is used for communication between software components of networked devices through a server. First released in 2006, it essentially allows a computer to run programs over the network on a different computer as if the program was itself running locally. Given the potential for exploitation, it’s been undergoing significant progressive hardening since 2021 through Windows Updates. From its inception, DCOM authentication hardening has been moving toward default enablement by 2023.

Further:

November 8, 2022 update will automatically raise authentication level for all non-anonymous activation requests from DCOM clients to RPC_C_AUTHN_LEVEL_PKT_INTEGRITY if it’s below Packet Integrity. With this change, most Windows DCOM client applications will automatically work with DCOM hardening change on server side without any modification to the DCOM client applications.

Translating again: Microsoft will be making a change in November, and you may need to disable the impact after the November updates. Importantly, be aware that it will be the last time you’ll be able to defer the setting. I’ll be explaining more about this in an upcoming newsletter.

For now, just make a note on your calendar to ensure you do extra testing in November.
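As a starting point for that testing, the following added example (not from the newsletter) reports the DCOM hardening registry setting and lists the events Windows logs when a DCOM activation falls below Packet Integrity. The registry value and event IDs are the ones Microsoft documents for this change; the function names and the 30-day window are assumptions.

```powershell
# Added example, not from the newsletter. Registry value and event IDs are the
# ones Microsoft documents for DCOM hardening; the 30-day window is an assumption.
param([int]$Days = 30)

function Get-DcomHardeningSetting {
    $path  = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
    $name  = 'RequireIntegrityActivationAuthenticationLevel'
    $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
    if     ($null -eq $value) { 'not set (the installed update decides the default)' }
    elseif ($value -eq 0)     { 'set to 0 (hardening disabled by an administrator)' }
    elseif ($value -eq 1)     { 'set to 1 (hardening enforced)' }
    else                      { "unexpected value $value" }
}

function Get-DcomHardeningEvent {
    param([int]$Days = 30)
    # 10036 is logged on the DCOM server; 10037 and 10038 are logged on the client.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports an error when nothing matches, so silence that case.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

"DCOM server hardening registry value: $(Get-DcomHardeningSetting)"
$events = @(Get-DcomHardeningEvent -Days $Days)
if ($events.Count -eq 0) {
    "No DCOM hardening events (10036-10038) in the last $Days days."
} else {
    # One entry per distinct message, so each failing user/client pair shows once.
    $events | Group-Object Id, Message | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            EventId  = $_.Group[0].Id
            Count    = $_.Count
            LastSeen = $_.Group[0].TimeCreated   # Get-WinEvent returns newest first
            Message  = $_.Group[0].Message
        }
    } | Format-List
}
```

Run it on both the DCOM server and its clients, since the server and client events are logged on different machines.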

Susan Bradley is the publisher of the AskWoody newsletters.


The AskWoody Newsletters are published by AskWoody Tech LLC, Fresno, CA USA.

Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, AskWoody.com, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody Tech LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright ©2022 AskWoody Tech LLC. All rights reserved.