Newsletter Archives
-
Yes, I’m recommending that you get updated
Lots has happened in the past couple of weeks. In case you missed it, we’re at MS-DEFCON 3 for a reason: If you’re careful, now’s a very good time to get caught up on patches.
Remember, you NEED TO INSTALL SECURITY PATCHES. Even if they contain scummy Microsoft additives. Even if you never use Internet Explorer. Even if somebody told you that you don’t need to patch Windows any more.
Latest MS-DEFCON post is here.
(For clarification, I still recommend that you not install KB 3139398 and KB 3139852, for reasons stated in the MS-DEFCON post. Thanks to commenters who asked!)
-
MS-DEFCON 3: Get patches installed, except for a couple
We have more than a hundred patches sitting on the back burner, since the last foray to MS-DEFCON 3, three weeks ago. For those of you staring at a bunch of patches, here’s my recommendation.
As has been the case for a couple of months, I’m generally recommending that Vista, Win 7 and 8.1 users install identified Security updates, and that you give all of the rest a wide berth. There are two Security updates, though, that are probably worth avoiding. If you’re running Win10 and have updates turned off (probably with the metered connection trick), it’s time to cross your fingers and get caught up.
The details are similar to last month’s:
Vista: Start Internet Explorer and verify (Help > About) that you’re running Internet Explorer 9. Apply all outstanding patches, but DON’T CHECK any update boxes that are unchecked. Also, see the description in the next paragraph about KB 3139398 and KB 3139852: If you see them, uncheck them.
Windows 7: There were two patches released earlier this month that still need some time to stew before they’re ready: KB 3139398, the Windows 7 and 8.1 USB driver fix; and KB 3139852, the kernel mode driver patch. Susan Bradley recommends holding off on both (paywalled). I haven’t seen any specific reports of problems with either, but given the headaches we’ve had in the past with kernel patches, it’s worthwhile to wait.
Step 1. If you haven’t checked recently, crank up Internet Explorer. Don’t use it to go to any sites, but click the gear icon in the upper right corner, choose About Internet Explorer, and verify that you’re on IE 11. If you aren’t yet on IE 11, make sure the box marked “Install new versions automatically” is checked, then click Close. That’s the easiest way to upgrade to IE 11. There may be an IE 11 upgrade sitting in Windows Update (Start > Control Panel > System and Security > under Windows Update, click Check for updates). If so, keep it checked.
I don’t recommend that you use IE. (Hey, Microsoft’s already put it out to pasture; that’s what Edge is all about.) But you need to update it, and keep it patched, because Windows still uses bits and pieces of IE in various places.
Step 2. Run GWX Control Panel and set it to block OS upgrades.
Step 3. Go into Windows Update (Start > Control Panel > System and Security > under Windows Update, click Check for updates). Click the link that says “XX important updates are available” and select only security updates. In other words, check the boxes next to items that say “Security Update” and UNCHECK the boxes next to items that only say “Update.”
Uncheck KB 3139398 and KB 3139852, if they appear.
Yes, you should check the KB 3139929 Internet Explorer cumulative update, even though it hides an ad generator in the guise of a security patch. We haven’t seen the ad appear yet and, when it does, you’ll just avoid it, OK?
For those of you who have asked, I don’t see any worthwhile updates in yesterday’s bountiful crop of patches. Apparently KB 3103709 is appearing on some Windows 8.1 machines. I don’t have a clue what that one does — there’s no KB article, and it isn’t included in the master Windows Update list. KB 3115224 doesn’t have a KB article either. Can’t think of any good reason to install either of them.
Step 4. On the left, click the link that says Optional. Uncheck every box that you see. Yes, I’m saying that if a box is checked, uncheck it. If you uncheck the box next to “Upgrade to Windows 10 Pro, Version 1511, 10586,” Windows Update will check it again for you. Don’t be alarmed. GWX Control Panel will protect you.
Step 5. Click OK, then Install updates.
Step 6. Back in Windows Update, on the left, click the link to Change settings. Make sure “Important Updates” is set to “Check for updates but let me choose whether to download and install them,” and uncheck the box next to “Give me recommended updates the same way I receive important ones.”
Step 7. Click OK and reboot.
Step 8. This one’s important. You need to run GWX Control Panel again. That’ll ensure Microsoft didn’t install anything untoward.
Windows 8.1: Follow the instructions for Windows 7, but in Step 3 go into Windows Update by right-clicking on the Start icon and choosing Control Panel.
Windows 10: If you’re using the metered connection trick to block updates, unblock the metered connection long enough to get caught up.
Everybody: Either watch here on AskWoody.com, or follow me on Twitter (@woodyleonhard) or Facebook to keep up on the latest. Microsoft’s releasing patches at the rate of more than a hundred – maybe 200 – a month. It’s a jungle out there. And if you catch something, shoot me email (click on the mail icon in the upper right corner of this page), or post a reply to this blog.
I’m putting us at MS-DEFCON 3: Patch reliability is unclear, but widespread attacks make patching prudent. Go ahead and patch, but watch out for potential problems.
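The selection rules above (Step 3, the two held-back KBs, no drivers, and leaving unchecked boxes unchecked) can be previewed from a PowerShell prompt before opening Windows Update. This is an added example, not part of the original post: it assumes English category names from the Windows Update Agent, treats the agent's AutoSelectOnWebSites flag as the pre-checked box, and uses a made-up helper name, Get-PatchRecommendation. It only lists and labels updates and installs nothing.

```powershell
# Added example: read-only preview of pending updates, labelled per the post's rules.
# Assumes English category names as reported by the Windows Update Agent.

$HoldBack = @('3139398', '3139852')   # KBs the post says to leave unchecked

function Get-PatchRecommendation {    # hypothetical helper name
    param([string[]]$KBArticleIDs, [string[]]$Categories, [bool]$PreChecked)

    if ($KBArticleIDs | Where-Object { $HoldBack -contains $_ }) { return 'UNCHECK: held back' }
    if ($Categories -contains 'Drivers')            { return 'UNCHECK: driver' }
    if ($Categories -contains 'Definition Updates') { return 'INSTALL: definitions' }
    if (-not $PreChecked)                           { return 'LEAVE UNCHECKED' }
    if ($Categories -contains 'Security Updates')   { return 'INSTALL: security' }
    return 'UNCHECK: not a security update'
}

# Ask the Windows Update Agent what it is currently offering (nothing is downloaded).
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates

$report = foreach ($u in $pending) {
    $kbs  = @($u.KBArticleIDs)
    $cats = @($u.Categories | ForEach-Object { $_.Name })
    New-Object PSObject -Property @{
        KB     = ($kbs | ForEach-Object { "KB$_" }) -join ','
        Action = Get-PatchRecommendation $kbs $cats $u.AutoSelectOnWebSites
        Title  = $u.Title
    }
}
$report | Sort-Object Action, KB | Format-Table Action, KB, Title -AutoSize -Wrap

# After the reboot (Step 7), confirm the held-back KBs did not get installed.
Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $HoldBack -contains ($_.HotFixID -replace '^KB', '') } |
    Select-Object HotFixID, InstalledOn
```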
My usual boilerplate advice:
For those of you who are new to this game, keep in mind that… You should always use Windows Update to install patches; downloading and installing individual patches is a clear sign of impending insanity. I always install Windows Defender/Microsoft Security Essentials updates as soon as they’re available – same with spam filter updates. I never install drivers from Windows Update (in the rare case where I can actually see a problem with a driver, I go to the manufacturer’s web site and download it from the original source). If Windows Update has a patch but the box isn’t checked, DON’T CHECK THE BOX. It’s like spitting in the wind. I use Chrome and Firefox, and only pull out IE when I feel very inclined — but even if you don’t use IE, you need to keep up with its patches.
P.S. Yes, you read that right. I now recommend that you Win7 and 8.1 users only install Security Updates. For many months, almost all of the non-security updates Win7 and 8.1 customers have received are specifically designed to push them to Windows 10, or to increase Microsoft’s ability to snoop on Win7 and 8.1 machines. No thanks.
Thanks, as always, to Susan Bradley and her in-depth work in Windows Secrets Newsletter.
P.S. Remember when patching was easy?
-
Big batch of patches just dropped
I count seven patches for .NET on Windows Embedded, and 3940 separate non-security patches. But I might be off by one or two. No rest for the weary.
Here’s the list. I don’t see anything that’ll be of interest to most Windows users, but admins may want to take a look. (One KB hasn’t been posted yet.)
Update to enable WSUS support for Windows 10 feature upgrades https://support.microsoft.com/kb/3095113
DNS records get deleted when you delete the scope on a Windows Server 2012 R2-based DHCP server https://support.microsoft.com/en-us/kb/3100473
Update that supports Azerbaijani Manat and Georgian Lari currency symbols in Windows (for Windows Embedded 8 Standard) https://support.microsoft.com/en-us/kb/3102429 – original version released Jan. 19
Can’t connect to the desktop of Windows 8.1 or Windows Server 2012 R2 from a remote desktop at low screen resolution https://support.microsoft.com/en-us/kb/3105115
Licensing servers become deadlocked under high load in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3108326
Texas Instruments xHCI USB controllers may encounter a hardware issue on large data transfers in Windows 8.1 https://support.microsoft.com/en-us/kb/3109976
KB 3115224 (No description yet, but the KB article should eventually appear at https://support.microsoft.com/en-us/kb/3115224)
Update improves port exhaustion identification in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3123245
DPM filter driver can’t track changes on CSV or VM setting files can’t be online in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3130944
Virtual machines don’t respond to your operation in SCVMM in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3133681
Update to add Discrete Device Assignment support for Azure that runs on Windows Server 2012 R2-based guest VMs https://support.microsoft.com/en-us/kb/3133690
DNSSEC validation fails when incorrect response to DNSKEY query is sent on Windows Server 2012 R2-based DNS server https://support.microsoft.com/en-us/kb/3133954
BitLocker can’t encrypt drives and the service crashes in svchost.exe process in Windows 7 or Windows Server 2008 R2 (only applies to FIPS mode-enabled machines) https://support.microsoft.com/en-us/kb/3133977
Memory leak in RPCSS and DcomLaunch services in Windows 8.1 or Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3134785
Explorer.exe may crash when you play back an MPEG-4 file in Windows 8.1 or Windows RT 8.1 https://support.microsoft.com/en-us/kb/3136019
Windows Azure VMs don’t recover from a network outage and data corruption issues occur https://support.microsoft.com/en-us/kb/3137061
LBFO Dynamic Teaming mode may drop packets in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3137691
Get-StorageReliabilityCounter doesn’t report correct values of temperature in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3137725
“VSS_E_PROVIDER_VETO” error occurs when VSS restore fails in Windows Server 2012 https://support.microsoft.com/en-us/kb/3137726
VSS restore fails when you use ResyncLuns VSS API in Windows Server 2012 R2-based failover cluster https://support.microsoft.com/en-us/kb/3137728
“0x00000027” Stop error and unexpected restart in Windows Server 2012 https://support.microsoft.com/en-us/kb/3137916
Files are corrupted on deduplicated volumes that were created as NTFS-compressed in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3137923
“File contents” option is always selectable, Start screen becomes blank, or computer freezes when startup in Windows 8.1 (could explain why Win 8.1 users aren’t getting good search results) https://support.microsoft.com/en-us/kb/3138602
Deduplication filter marks files as deleted incorrectly and data corruption occurs on Windows Server 2012 R2 file server https://support.microsoft.com/en-us/kb/3138865
Access to Internet is denied because proxy settings are overwritten in Windows 7 SP1 or Windows Server 2008 R2 SP1 https://support.microsoft.com/en-us/kb/3138901
DirectAccess client receives incorrect response to reverse lookup query from a Windows Server 2012 R2-based DNS64 server https://support.microsoft.com/en-us/kb/3139162
Tracert command doesn’t receive responses when you trace resources on Internet through Windows Server 2012 R2 HNV GW https://support.microsoft.com/en-us/kb/3139164
High CPU load on a Windows Server 2012 R2-based server because NAT keep-alive timer isn’t cleaned up https://support.microsoft.com/en-us/kb/3139165
0x1E Stop error when you restart or shut down a computer running Windows 8.1 or Windows Server 2012 R2 (RAID problem) https://support.microsoft.com/en-us/kb/3139219
Print job fails if Creator Owner is removed from Windows Server 2012 R2 or Windows Server 2012 https://support.microsoft.com/en-us/kb/3139649
Hyper-V guest may freeze when it is running failover cluster service together with shared VHDX in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3139896
MSI repair doesn’t work when MSI source is installed on an HTTP share in Windows (“MSI repair no longer works after you install update 3000988 or update 3008627”) https://support.microsoft.com/en-us/kb/3139923
March 2016 WAU (Windows Anytime Upgrade) update for Windows 8.1 (“This update removes the commerce specific entry points for WAU since it’s no longer supported for Windows 8.1.”) https://support.microsoft.com/en-us/kb/3140185
“0x00000133” Stop error after you install hotfix 3061460 in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3140219
Conflicting files on the desktop when Work Folders are installed in Windows 8.1 (“You see many unresolved file conflicts on your desktop. The conflicting files are shortcuts on the desktop folder redirected to Work Folders.”) https://support.microsoft.com/en-us/kb/3140222
“0x0000009F” Stop error when a Windows VPN client computer is shutdown with an active L2TP VPN connection https://support.microsoft.com/en-us/kb/3140234
MinDiffAreaFileSize doesn’t work on Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3140250
Windows Server backup fails despite sufficient free space on target volume in Windows Server 2012 R2 https://support.microsoft.com/en-us/kb/3140786
System becomes unresponsive because filter manager leaks nonpaged pool allocations in Windows Server 2012 https://support.microsoft.com/en-us/kb/3140990
“0x00000001” Stop error when a shared VHDX file is accessed in Windows Server 2012 R2-based Hyper-V guest https://support.microsoft.com/en-us/kb/3141074
-
MS-DEFCON 2: Time to make sure you’re locked down
Tomorrow’s Black Tuesday. Time to make sure your cows are in and the barn door’s closed.
Make sure you have your Vista, Win7 and 8.1 Windows Update set to “Notify but don’t download.” If your Windows 10 machine is set up with a Wi-Fi connection, set it to a metered connection. To do all of that, see the Automatic Update tab above.
This month I’ll be trying a new trick. I’m going to see if I can get wushowhide to hide the Win10 cumulative update (assuming there is a cumulative update) before my Win10 machines download and install the patch. It’s all in the timing. For details on running wushowhide, see my discussion about the Outlook 2010 Calendar bugs. You’re most welcome to join me in testing the catch-if-you-can technique. (I’m still too skittish to shut down Windows Update in Win10 entirely.)
Anyway, I’m headed to MS-DEFCON 2: Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don’t do it.
If you’re able to test the hair-trigger wushowhide approach on a working Win10 system, chime in here and tell me how it goes.