You know it is heading to be an Alice in Wonderland month when some web pages report that Microsoft plugged 54 vulnerabilities on Patch Tuesday, when many others report 53. Point is, patching has grow to be so brutal — and so banal — that there is no consensus on counting, significantly less on what’s good and terrible.
Suffice to say that, at the time once more this month, there was a massive variety of protection patches (129 particular person patches, in accordance to the Microsoft Update Catalog), with no pressing protection fixes unless you’re working with the Edge browser or Internet Explorer. Microsoft changed Win10 edition 1803 to “Semi-Once-a-year Channel,” but the expression now signifies less than it at any time has right before. If that is doable.
Moral of the tale: Never use IE or Edge, and wait around a number of months to see if any of the other patches blow up — which is really shut to the exact Patch Tuesday suggestions I’ve doled out month to month for the previous yr.
An overview with a jaundiced eye
The SANS Internet Storm Center suggests there are no recognized exploits for any of the patches, although a few of the exploits have been disclosed to the patching community. None of the a few is specially attention-grabbing, unless you use Edge.
There are “critical” fixes for Edge (12 important) and Internet Explorer (four important), but no “critical” fixes for any Home windows edition. It even now amazes me how lots of main protection issues crop up, month right after month, for Edge.
Our evergreen snooping patches, KB 2952664 for Win7 and KB 2976978 for Win8.one make a reappearance, this time marked “Important,” checked and prepared to load. Likewise, KB 4023057 — an “update reliability” patch for more mature Win10 variations — has appeared once more. Unless you want Microsoft to force you to a new edition of Home windows, you really do not need to have or want them — they only shuffle a lot more telemetry info off to Microsoft.
Win10 1803 now “Semi-Once-a-year Channel” — what ever that signifies
The craziest Patch Tuesday blip wasn’t a patch at all. Win10 April 2018 update — good ol’ edition 1803 — now seems in the Home windows ten release data checklist as “Semi-Once-a-year Channel.” What is a lot more the weird blurb that appeared as a footnote in that submit on Tuesday morning is now absent:
(one) Home windows ten, edition 1803 designation has been up to date to replicate the servicing option available in the operating procedure and to replicate current deferral insurance policies. We suggest organizations broadly deploy the newest edition of Home windows ten when they are prepared, and not wait around till the “Targeted” designation has been taken off.
… definitely a person of the worst circumstances of Microsoft bafflegab at any time.
On June fourteen, Microsoft declared:
Based mostly on the update top quality and reliability we are viewing by way of our AI solution, we are now growing the release broadly to make the April 2018 Update (edition 1803) thoroughly available for all suitable equipment managing Home windows ten around the world. Total availability is the closing section of our rollout process.
Now, it seems, edition 1803 has been kicked up from “(Qualified)” to, uh, “Not (Qualified)” — with no fanfare, and with no rationalization. How “Not (Qualified)” differs from “fully available” stays a mystery.
Here’s the very best way I located to parse the current announcement:
- Win10 1703 Pro/Business personal computers established to “Current Branch” with days function deferral are now earmarked as getting prepared for upgrading to 1803. They’ll be pushed to 1803 as before long as telemetry confirms that the pc is suitable.
- Win10 1709 Pro/Business personal computers established to “Semi-Once-a-year Channel” with days function deferral are also earmarked as prepared for 1803, pending telemetry success.
At the very least, I assume that is what it signifies. Neither the “reflect current deferral policies” footnote in the previous KB post nor the June fourteen declaration of “fully available for all suitable devices” mean significantly of just about anything, as very best I can notify. Promoting pabulum.
If you want to preserve 1803 off your device, make confident the function deferral placing is massive. And pray that Microsoft does not go rogue on compelled updates once more.
We’re slowly and gradually unraveling this knot on the AskWoody Lounge.
Server 2016 patch KB 4338814 stinks
However one more patch that never should’ve produced it by way of top quality management: The KB 4338814 post suggests:
Just after putting in this update on a DHCP Failover Server, Business customers may perhaps get an invalid configuration when requesting a new IP address. This may perhaps final result in reduction of connectivity as techniques fall short to renew their leases.
Presently, there is no workaround for this challenge. Microsoft is doing work on a resolution and estimates a alternative will be available mid-July.
The patch was reissued on July eleven, but it appears to be like like there was only a adjust in detection logic (“metadata”). An anonymous poster on AskWoody suggests it was yanked from WSUS. There is an … entertaining … thread on Reddit that blasts Microsoft for releasing a patch that, knowingly, blows away essential Server functions. What on earth is Microsoft pondering?
Allow me to rephrase that. Is Microsoft pondering?
.Web patches and 0x80092004
If you tried using to put in KB 4340558, the “Security and Good quality Rollup updates for .Web Framework 3.five SP1, 4.five.two, 4.6, 4.6.one, 4.6.two, 4.7, and 4.7.one for Home windows 8.one, RT 8.one, and Server 2012 R2” and experienced it crash with an mistake 0x80092004, you are not by yourself. AskWoody poster macauln82 suggests he’s found it transpire on all of his Server 2012 R2 machines. Günter Born has a comprehensive rationalization.
@abbodi86 gives this rationalization and resolve:
The alternative: Uninstall KB 4229727 & KB 4096417, then clear up the leftovers by managing
Dism /Online /NoRestart /Cleanup-Image /StartComponentCleanup
(you may perhaps also run Disk Cleanup > Home windows Update Cleanup)
Reboot and KB 4338419 will put in efficiently.
In accordance to an anonymous poster on AskWoody:
If you’re on Home windows ten 1803, Home windows Update will take treatment of the botched up .Web 4.7.two release shipped with that Home windows edition. If .Web 4.7.two was mounted right before today on a preceding Home windows edition, make confident to look at out the offline installer and reinstall once more from the up to date installer! Re-managing the up to date .Web 4.7.two really should not bring about any issues. In buy to re-put in .Web 4.7.two with no reboot, make confident to shut down all .Web apps (which include World-wide-web apps managing in IIS) right before managing the installer.
If the .Web 4.7.two SDK was mounted right before today as nicely, make confident to down load it and reinstall once more.
This .Web patch is also failing, with the exact mistake code, in Home windows 8.one. That is a extraordinary accomplishment due to the fact Win8.one proceeds to be the most steady edition of Home windows available.
Win7’s NIC issues go on and on and on
The previous Win7 NIC dilemma — released by a protection patch in March — even now has not been mounted. The KB post suggests:
Symptom: There is an challenge with Home windows and a 3rd-occasion application that is associated to a missing file (oem
.inf). Simply because of this challenge, right after you apply this update, the network interface controller will stop doing work.
- To track down the network device, launch devmgmt.msc it may perhaps look underneath Other Gadgets.
- To routinely rediscover the NIC and put in motorists, pick out Scan for Hardware Changes from the Motion menu.
a. Alternatively, put in the motorists for the network device by proper-clicking the device and selecting Update. Then pick out Search routinely for up to date driver application or Look through my pc for driver application.
If you can determine out that logic, yer a better hack than me, Gunga Din.
I’m commencing to assume that Microsoft won’t at any time resolve this NIC dilemma. If it decides to go on a alternative, I hope Microsoft just will come out and suggests it, as an alternative of burying the selection and doctoring previous documentation to deal with it up. It’d be pleasant if Microsoft would determine the offending NICs as nicely. Let us listen to it for transparency.
Aged snoops will out
This month marked a re-re-re…-visual appeal of the snooping patches KB 2952664 for Win7 and KB 2976978 for Win8.one. You remember the Microsoft Party Line:
This update performs diagnostics on the Home windows techniques that take part in the Home windows Customer Working experience Improvement Method. The diagnostics assess the compatibility position of the Home windows ecosystem, and assist Microsoft to guarantee software and device compatibility for all updates to Home windows. There is no GWX or improve operation contained in this update.
Poster Invoice C has a good get on the claim:
They say they will not do GWX once more, Okay, but the genuine query is what WILL they do?
We have found, about and about once more, that the Customer Working experience Improvement Method settings have no bearing on these patches’ increased telemetry. If you’re even remotely tempted to put in possibly of these “important,” checked patches, see @PKCano’s AskWoody KB post on the matter, AKB 2952664.
ProTip: Microsoft has no incentive to make improvements to Win7. None. Unless you’re provided a plainly determined protection patch, you really do not want it, checked or not.
Delta updates heading away
Recall the Win10 “delta” updates? The ones that bricked lots of machines previous Oct? Now will come phrase that the experiment did not function. Or, at the very least, there is a better option. Mike Benson, on the formal Home windows IT Pro site, suggests:
We approach to stop transport delta updates. Beginning February 12, 2019 Microsoft will conclude its exercise of building delta updates for all variations of Home windows ten. Express updates are significantly lesser in size, and simplifying the cumulative selections available will lessen complexity for IT directors.
Bogus prompt for Win10 1703 updaters
Updating my 1703 VM today (CU KB4338826, IE11 Flash, MSRT and C++) when I got a popup saying “Your Home windows Update is not doing work effectively. You need to have the Update Facilitation Support. Click Okay underneath.”
Oh, no you really do not! I clicked on the “X” and closed the box – it was not then mentioned in the downloaded updates.
A fast be aware for these who put in Win10 patches manually
There are numerous Servicing Stack Updates this month. If you are heading to put in the Win10 updates manually, make confident you put in the Servicing Stack Update initially:
There is no new SSU for Win10 edition 1703. At the very least, not yet.
Certainly, it is significantly too early to put in the July patches — unless you want to sign up for the ranks of the unpaid beta testers.
Thx to @PKCano, @BillC, @abbodi86, @NibbledToDeathByDucks and lots of a lot more
Abandon hope all ye who enter the AskWoody Lounge.