• A special thanks to last year’s AskWoody donors

    We’re almost ready to roll out the AskWoody Plus membership system. Still have one technical hurdle — a bug in one of our partners’ signup routines — but it’s getting there.

    Before we go into high gear, I wanted to give a special shout-out to those of you who contributed to AskWoody last year, or earlier this year. Your name (or an Anonymous hash mark) should appear on the Thanks, Patrons! list — and if you donated before the 3rd edition of Windows 10 All-In-One For Dummies went to press, your name’s also on the thanks page in the book.

    For those of you who donated in the past year, I’m offering a free one-year AskWoody Plus Membership. I’ll have more details about Plus later this week, but for now suffice it to say that it includes a one-year subscription to the AskWoody Plus Newsletter (a revamped and greatly expanded version of the Windows Secrets Newsletter) plus a one-year subscription to AskWoody Plus Alerts (the email notification many of you have requested that goes out when there’s an important news story). We’ll have more benefits, but those are the immediate ones.

    If you donated to AskWoody in the past year, and you want to claim your free one-year AskWoody Plus Membership, here’s what you need to do:

    • If you have an AskWoody username and password, use it to log on. (If you forgot your password, use the Lost Password link in the upper right corner.)
    • If you don’t have an AskWoody username and password, create a new one using the Register link in the upper right corner of this page. (You’ll have to respond to an email that confirms your email address.)

    Once you’re logged on, click on this link: https://www.askwoody.com/plus-membership

    At that point, you can choose any contribution amount and click Join Plus Now.

    Up at the top, where it says Have a coupon? click on Click here to enter your code.

    Enter the coupon code

    PATRON

    Then click Apply coupon. It’s a 100% discount coupon.

    IMPORTANT: Make sure you use a “real” email address, so you can receive your Newsletters and Alerts.

    You’ll end up with a free one-year subscription, with our compliments. If we have any questions, we’ll email you.

    Thanks once again for keeping us at AskWoody afloat. We couldn’t have done it without you.

    UPDATE: We now have direct credit card support. That was the last big stumbling point. Watch for the rollout shortly.

    Didja notice the new Newsletter/Alerts and About menus, up above?

  • Win7 Enterprise clients reporting “Not Genuine”, 0xc004f200, when they’ve been working for years

    Blame KB 971033, which shouldn’t even get installed on KMS-controlled machines.

    For some unknown reason, earlier today, Microsoft suddenly started pushing the eight-month-old KB 971033 — an “update for Windows Activation Technologies” that was released on April 17.

    I’m seeing cries of pain all over the internet. For example, torontojc reports on the Reddit sysadmin forum:

    Woke up this morning to find a few thousand Windows 7 VDI machines reporting that Windows 7 wasn’t genuine. After much troubleshooting we found that KB971033 (should not have been installed in a KMS environment in the first place) was installed on these machines. Until today having this KB installed hasn’t been an issue, it appears a change to how Microsoft’s activation servers respond to a standard KMS key being sent to them may be to blame.

    Removing the update, deleting the KMS cache and activation data from the PC’s and re-activating against KMS resolved the issue.

    Most of the responses recommend uninstalling the patch then reaming out the systems, but Nick on Microsoft’s TechNet forum says:

    I found that the only steps I required were as follows. I didn’t need to uninstall the KB971033 patch in my case, even though it was installed. Nor did I need to delete the tokens.dat or cache.dat.

    net stop sppsvc
    del %windir%\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0 /ah
    del %windir%\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0 /ah
    net start sppsvc
    slmgr /ipk 33PXH-7Y6KF-2VJC9-XBBR8-HVTHH
    slmgr /ato

    We are currently trying to decide whether to roll out this workaround to all our clients, or to wait a day or two to see if Microsoft issue a patch for the problem. It has been widely reported on Reddit/r/sysadmin too.

    If you hit the problem, let us know how you solved it.

    UPDATE: Looks like it wasn’t a problem with this month’s patches. It’s a bug in a change MS made in the way its Activation Servers behave, that just coincided with the patch push. The bug sets off red lights if you have the old KB 971033 installed. @abbodi86 has details and a link here. Günter Born has an article here. And Martin Brinkmann has more details here.
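
    A quick triage check for the condition described in this post (KB 971033 present on a KMS-activated machine), added here as an example and not taken from the post or from any of the quoted admins. The function name Get-Kb971033Exposure and the AtRisk column are hypothetical; the cmdlets and the SoftwareLicensingProduct WMI class are standard Windows components.

    ```powershell
    # Added example: report whether KB 971033 is installed and how Windows is licensed.
    # Uses Get-WmiObject so it also runs on the PowerShell 2.0 that ships with Windows 7.
    function Get-Kb971033Exposure {
        param([string[]]$ComputerName = @($env:COMPUTERNAME))

        # LicenseStatus values of the SoftwareLicensingProduct WMI class
        $statusName = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace';
                         4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace' }
        # ApplicationID that identifies Windows itself (not Office) to the licensing service
        $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

        foreach ($computer in $ComputerName) {
            # Get-HotFix raises a non-terminating error when the update is absent
            $kb = Get-HotFix -Id 'KB971033' -ComputerName $computer -ErrorAction SilentlyContinue

            # The product entry that actually holds a key is the installed edition
            $lic = Get-WmiObject -Class SoftwareLicensingProduct -ComputerName $computer `
                       -Filter "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL" |
                   Select-Object -First 1

            $isKms  = [bool]($lic -and $lic.Description -like '*KMSCLIENT*')
            $status = if ($lic) { $statusName[[int]$lic.LicenseStatus] } else { 'Unknown' }

            New-Object PSObject -Property @{
                Computer          = $computer
                KB971033Installed = [bool]$kb
                KmsClient         = $isKms
                LicenseStatus     = $status
                # The combination the post blames: the update on a KMS client
                AtRisk            = ([bool]$kb -and $isKms)
            }
        }
    }

    Get-Kb971033Exposure | Format-List
    ```

    Pass a list of machine names to -ComputerName to survey a fleet; a LicenseStatus of Notification on an AtRisk machine matches the "Not Genuine" symptom reported above.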

  • AskWoody’s security certificate is back and all is well in this, the best of all possible worlds

    … with apologies to Leibniz.

    Good news on the Plus Membership front, too. The bugs are disappearing slowly. More info shortly, I hope.

  • January patches for Win7, KB 4480970 and KB 4480960, break networking

    Tell me if you’ve heard this one before.

    I first read about it on Günter Born’s site, but word is starting to spread:

    The KB4480970 (Monthly Rollup) and KB4480960 (Security only) updates were released by Microsoft on January 8, 2018 for Windows 7 SP1 and Windows Server 2008 R2 SP1. The updates seem to cause serious network issues for some people. Network shares can no longer be achieved via SMBv2 in certain environments.

    Details in Computerworld Woody on Windows.

    UPDATE: Martin Brinkmann has further details:

    The issue is triggered only if the user attempting to make the connection is an administrator on the machine that hosts the Share. If the user is “just” a user on the device that hosts the share, the connection should be fine.

    (Some of you ask why I quote Günter and Martin so frequently. Ends up, they’re in the right time zone — they get the bad news before it’s circulating widely in the US — and they both have excellent eyes for screw-ups. Of which there are many.)

    ANOTHER UPDATE: It’s possible that this is another manifestation of the oem<number>.inf issue that’s documented in the KB article — the same bug that’s been acknowledged by MS since April. But the descriptions I’m seeing are different. In particular, Brinkmann’s description above doesn’t sound anything like the oem<number>.inf NIC failure.

    Anybody have more details?

  • Patch Tuesday patches are here

    As usual, Martin Brinkmann has the first full list:

    • Microsoft released security updates for all client and server versions of Windows.
    • No critical vulnerabilities in Windows 8.1 and 7.
    • Microsoft released security updates for Microsoft Edge, Internet Explorer, Adobe Flash Player, .NET Framework, Microsoft Office, Microsoft Exchange Server, and Microsoft Visual Studio
    • The Update Catalog lists 187 updates for January 2019.

    Dustin Childs has an interesting take on the patches for the Zero Day Initiative:

    • CVE-2019-0547 – Windows DHCP Client Remote Code Execution Vulnerability
      If you are running Windows 10 or Server version 1803, this patch has to be on the top of your deployment list.

    • CVE-2019-0586 – Microsoft Exchange Memory Corruption Vulnerability
      This corrects a bug in Exchange that could allow an attacker to take control of an Exchange server just by sending it a specially crafted email.

    • CVE-2019-0550, CVE-2019-0551 – Windows Hyper-V Remote Code Execution Vulnerability

    Which means most of you aren’t in the crosshairs. The only known exploit he lists is for the Jet Database engine — another hole found in ancient technology that probably won’t affect you unless you use an old database application.

    There’s also a new Servicing Stack Update for Win10 version 1703, KB 4486458. As if any of you are still running 1703.

    There are January Security-only patches for .NET as well as the Security and Quality Rollups.

    January 2019 Security Updates for Microsoft Office 2010, Office 2013, Office 2016, the Office Viewers, and SharePoint Servers are available on the Office Support Pages. These Updates are for the .msi versions of Office, not Office 365 or C2R.

    UPDATE: It looks like the Win10 version 1803 patch, KB 4480966, may be something you need to install quickly. So far there are no known exploits, and no proof of concept code. But Microsoft is saying it’s bad.

    Will keep you posted as the drama unfolds.

  • Patch Lady – the Office 365 admin center

    Patch Lady here – for those of you that are admins in Office 365 I would highly recommend bookmarking the Office 365 admin center and especially to make sure that you have access to the message center inside of it. It’s a key way to keep aware of updates and changes. On my cheapest GoDaddy Office 365 subscription I don’t have the ability to forward the alerts to other email addresses, but on my higher Office 365 subscriptions I do (an Office 365 Business plan and a Microsoft 365 E5 plan, just to be aware of the nuances and changes with each plan). You can also download the Office admin center app on an iPhone or Android and log in with admin credentials to get the same info.

    Today they announced they are adding more forensic features that turn on more auditing by default.  This is a very good thing and starts to get the online better aligned with on premise in terms of forensics.

    Now if I can just get Advanced Threat Protection features built into EVERY Office 365… yes I know… never happy am I?

     

    Updated feature: Exchange Online mailbox audit to add mail reads by default

     

    To ensure that you have access to critical audit data to investigate security incidents in your organization, we’re making some updates to Exchange mailbox auditing. After this change takes place, Exchange Online will audit mail reads/accesses by default for owners, admins and delegates under the MailItemsAccessed action.

    This message is associated with Microsoft 365 Roadmap ID: 32224.

    How does this affect me?

    The MailItemsAccessed action offers comprehensive forensic coverage of mailbox accesses, including sync operations. In February 2019, audit logs will start generating MailItemsAccessed audit records to log user access of mail items. If you are on the default configuration, the MailItemsAccessed action will be added to Get-mailbox configurations, under the fields AuditAdmin, AuditDelegate and AuditOwner. Once the feature is rolled out to you, you will see the MailItemsAccessed action added and start to audit reads.

    This new MailItemsAccessed action is going to replace the MessageBind action; MessageBind will no longer be a valid action to configure, instead an error message will suggest turning on the MailItemsAccessed action. This change will not remove the MessageBind action from mailboxes which have already added it to their configurations.

    Initially, these audit records will not flow into the Unified Audit Log and will only be available from the Mailbox Audit Log.

    We’ll begin rolling this change out in early February, 2019. If you are on the default audit configuration, you will see the MailItemsAccessed action added once the feature is rolled out to you and you start to audit reads.

    What do I need to do to prepare for this change?

    There is no action you need to take to derive the security benefits of having mail read audit data. The MailItemsAccessed action will be updated in your Get-Mailbox action audit configurations automatically under AuditAdmin, AuditDelegate and AuditOwner.

    If you have set these configurations before, you will need to update them now to audit the two new mailbox actions. Please click Additional Information for details on how to do this.

    If you do not want to audit these new actions in your mailboxes and you do not want your mailbox action audit configurations to change in the future as we continue to update the defaults, you can set AuditAdmin, AuditDelegate and AuditOwner to your desired configuration. Even if your desired configuration is exactly the same as the current default configuration, so long as you set the AuditAdmin, AuditDelegate and AuditOwner configurations on your mailbox, you will preclude yourself from further updates to these audit configurations. Please click Additional Information for details on how to do this.

    If your organization has turned off mailbox auditing, then you will not audit mail read actions.
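
    To see which mailboxes the announcement above leaves without mail-read auditing (customized AuditAdmin/AuditDelegate/AuditOwner lists, legacy MessageBind, or auditing switched off), here is an added example that is not part of Microsoft's message or of this post. The function name Get-MailReadAuditGap and the sample mailboxes are constructed for illustration; the property names are the ones Get-Mailbox returns.

    ```powershell
    # Added example: flag mailboxes whose audit configuration will miss mail reads.
    # Accepts Get-Mailbox output or any object carrying the same property names.
    function Get-MailReadAuditGap {
        param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] [object]$Mailbox)
        process {
            foreach ($field in 'AuditAdmin', 'AuditDelegate', 'AuditOwner') {
                $actions = @($Mailbox.$field)
                $hasNew  = $actions -contains 'MailItemsAccessed'
                $hasOld  = $actions -contains 'MessageBind'

                $finding = if (-not $Mailbox.AuditEnabled) { 'Auditing disabled: mail reads not recorded' }
                           elseif ($hasNew) { 'OK' }
                           elseif ($hasOld) { 'Legacy MessageBind only: add MailItemsAccessed' }
                           else { 'Mail reads not audited for this logon type' }

                if ($finding -ne 'OK') {
                    New-Object PSObject -Property @{
                        Mailbox = $Mailbox.UserPrincipalName
                        Field   = $field
                        Finding = $finding
                    }
                }
            }
        }
    }

    # Constructed sample data so the function can be tried without a tenant
    $sample = @(
        (New-Object PSObject -Property @{ UserPrincipalName = 'alice@contoso.example'; AuditEnabled = $true
            AuditAdmin = 'Update', 'MailItemsAccessed'; AuditDelegate = 'Update', 'MailItemsAccessed'
            AuditOwner = 'Update', 'MailItemsAccessed' }),
        (New-Object PSObject -Property @{ UserPrincipalName = 'bob@contoso.example'; AuditEnabled = $true
            AuditAdmin = 'Update', 'MessageBind'; AuditDelegate = 'Update'
            AuditOwner = 'MailboxLogin' }),
        (New-Object PSObject -Property @{ UserPrincipalName = 'carol@contoso.example'; AuditEnabled = $false
            AuditAdmin = 'Update'; AuditDelegate = 'Update'; AuditOwner = 'Update' })
    )
    $sample | Get-MailReadAuditGap | Format-Table Mailbox, Field, Finding -AutoSize

    # Against a live tenant, from an Exchange Online PowerShell session:
    #   Get-Mailbox -ResultSize Unlimited | Get-MailReadAuditGap
    #   Set-Mailbox -Identity bob@contoso.example -AuditOwner @{Add = 'MailItemsAccessed'}
    ```

    Note that setting any of the three fields explicitly, as the last commented line does, is exactly the step the message says opts that mailbox out of future default updates.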

  • AskWoody Plus Newsletter delayed

    Bugses. My life is filled with bugses. (Credit: Welta Digital via Wikipedia)

    In spite of the efforts of many people over a long (and lost) holiday, we didn’t make the cutoff to get the AskWoody Plus Newsletter — formerly the Windows Secrets Newsletter — out the gate this morning.

    There are lingering technical problems. And a couple of software manufacturers who aren’t co-operating. Microsoft’s bugs are bad enough, but some of the ones I encountered in the past few weeks put our woes here to shame. I should write a book.

    Anyway, if we’re lucky, we’ll have the newsletter out tomorrow morning. And if a %$#@! credit card processing company can get its act together, I’ll publish more details about Plus Membership — and signing up for the newsletter — later today.

    Stay tuned.

  • Windows 10 1809 adoption rate is slow. And that’s good!

    Gregg Keizer has his usual thorough review of the situation: No matter how you slice it, adoption of the latest version of the last version of Windows is going at a snail’s pace:

    According to statistics gathered by AdDuplex… Windows 10 October 2018 Update – 1809… had been installed on just 6.6% of all Windows 10 systems by year’s end. That was a small fraction of the 53.6% powered by 1709 – Windows 10’s second feature upgrade of 2017 – at the close of that year.

    I think that’s great. Microsoft’s showing some long-overdue restraint in forcing Win10 users onto the next version. We saw repeated bloodbaths on the forced upgrades last year. Maybe this year we’ll see some sanity return to the Win10 scene.

    People are fretting over the delay in 1809 and how that’ll impact the delivery of the next-next version of Win10, code named “19H1.” I think it’s been obvious for quite a while that MS will let the next version slide until much later in the first half of 2019 — thus the “H1” part of 19H1 — and that the decision to do so was made more than six months ago.

    I hope, nay pray, that this means our every-six-months upgrade treadmill is coming to an end.

    Time will tell, but it’s one more hopeful sign that Microsoft may not end up killing Windows. Maybe.