By Susan Bradley
In honor of spring (and the recent weather in my home state of California), let’s avoid my usual term. Updates are being “sprinkled” this month, not “dribbled.”
It’s just terminology, though. Either way, I’m raising the MS-DEFCON level to 2. Defer updates for both Windows 10 and 11.
Meanwhile, I’ll put on my CPA hat for all you late filers out there. Don’t defer any longer — get those US income tax returns in! (Isn’t that aggravating enough?)
My recommendation for most users remains: stick with Windows 10 22H2 and Windows 11 22H2. Only if you wish to engage or experiment with Microsoft Copilot in all its various editions and forms, do I recommend Windows 11 23H2. I’m not yet ready to advance this advice, but I expect a revision of some kind in the coming months.
Upcoming end of life for Windows 10 22H2
Those of you with Windows 10 22H2 have a lot of time to use your current system before Microsoft declares its end of life in October 2025. Microsoft recently announced that it will offer an Extended Security Update (ESU) plan for the Windows 10 22H2 platform, similar to the ESU offering for Windows 7. For most, the first year’s price is USD $61 per PC, after which the price doubles in each of two succeeding years. Three years is the maximum and would thus cost $427 per PC if the full term were used.
That price will probably be too steep for most consumers, who are more likely to upgrade existing PCs to Windows 11 where possible — or to buy a new PC instead. But there are many companies with line-of-business or custom apps for which a Windows 11 version is not ready or available. Keeping Windows 10 patched in those cases may prove necessary. As I did with Windows 7, I’ll be providing guidance and step-by-step instructions on how to install the ESU key when the time comes.
By the way, this means Will lost the bet. Pay up, Mr. Editor.
Consumers
Changes are coming to Windows in the form of desktop backgrounds and notifications as well as prompts on the Windows lock screen. The good news is that it’s an opt-in feature. The bad news is that many of Microsoft’s planned changes come under the now-familiar banner of “Note: This feature might not be available to all users because it will roll out gradually.” Sprinkles, indeed. As usual, it means some may get this change in the April release and not want it, while some who would like to see it may not be able to turn it on for some time yet.
Windows 11 is also slated to get similar enhancements to the lock screen (such as sports, traffic, weather, and finance) — sprinkled out after the April updates have been installed.
Speaking of sprinkling, if you accidentally opted into Outlook (new) and want to roll yourself back, there are several ways to do so. If you have any issues with these confusing steps, post into the forums, where all the helpful regulars will assist. I find this rollout of uncompleted code sent out to Microsoft’s beta testing arm — better known as consumers — to be one of the worst ways to get feedback while simultaneously losing your customer base.
Businesses
As noted in March, the out-of-band updates for Server 2012 R2, Server 2016, Server 2019, and Server 2022 fixed an issue where servers handling Kerberos authentication requests started eating up more CPU and would cause the domain controller to crash. The issue was fixed in the following out-of-band updates:
| Server Version | Message ID | Original KB | Resolved KB |
| --- | --- | --- | --- |
| Windows Server 2022 | WI748847 | KB5035857 | KB5037422 |
| Windows Server 2019 | WI748848 | KB5035849 | KB5037425 |
| Windows Server 2016 | WI748849 | KB5035855 | KB5037423 |
| Windows Server 2012 R2 | WI748850 | KB5035885 | KB5037426 |
The fixed code will be included in the April releases. I will be testing and will report back as soon as possible, in case you want to install the April updates on your domain controllers a bit sooner than you normally would.
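For administrators who want to confirm which domain controllers already carry the out-of-band Kerberos fix, here is an added PowerShell check (example code, not from the original post or from Microsoft). The KB numbers are the "Resolved KB" values from the table above; the `Test-KerberosOobFix` function name, the OS-caption matching, and the `Get-ADDomainController` usage at the end are assumptions.

```powershell
# Added example: report whether the out-of-band Kerberos fix for this
# server's Windows Server release is installed. KB ids are from the table
# in the post; the function and matching logic are this example's own.

# Map each Windows Server release to its out-of-band (resolved) KB.
$KerberosFixKBs = @{
    'Windows Server 2022'    = 'KB5037422'
    'Windows Server 2019'    = 'KB5037425'
    'Windows Server 2016'    = 'KB5037423'
    'Windows Server 2012 R2' = 'KB5037426'
}

function Test-KerberosOobFix {
    [CmdletBinding()]
    param(
        # Domain controller to query; defaults to the local machine.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # OS caption looks like "Microsoft Windows Server 2019 Standard".
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
    $release = $KerberosFixKBs.Keys |
        Where-Object { $os.Caption -like "*$_*" } |
        Select-Object -First 1

    if (-not $release) {
        # Not one of the four releases covered by the out-of-band updates.
        return [pscustomobject]@{
            ComputerName = $ComputerName
            Release      = $os.Caption
            RequiredKB   = $null
            Installed    = $null
            InstalledOn  = $null
        }
    }

    $kb = $KerberosFixKBs[$release]
    # Get-HotFix lists installed updates by KB id; a missing KB returns
    # nothing instead of throwing when ErrorAction is SilentlyContinue.
    $hotfix = Get-HotFix -Id $kb -ComputerName $ComputerName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName = $ComputerName
        Release      = $release
        RequiredKB   = $kb
        Installed    = [bool]$hotfix
        InstalledOn  = if ($hotfix) { $hotfix.InstalledOn } else { $null }
    }
}

# Assumed usage: walk every DC in the domain (ActiveDirectory module) and
# list the ones that still lack the out-of-band KB. Substitute a hand-written
# list of DC names if the module is not available.
Get-ADDomainController -Filter * |
    ForEach-Object { Test-KerberosOobFix -ComputerName $_.HostName } |
    Where-Object { $_.Installed -eq $false } |
    Format-Table -AutoSize
```

One caveat: this checks for the out-of-band KB by id only. Once the April cumulative update is installed, the fix is present even though the out-of-band KB may not appear as a separate entry in `Get-HotFix`, so treat a "missing" result on a server that already has the April release as expected rather than as a gap.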
Finally, while not exactly patching-related, I found two items of interest to businesses that need to keep Microsoft devices secure as well as deal with cloud-connected infrastructure.
Last November, a Microsoft blog post explained how attackers had gained access to targeted mailboxes of various customers, including Microsoft. The theory at the time was that attackers had found signing keys in a crash dump left behind on an engineer’s workstation. But in March, Microsoft quietly updated its post:
The blog below states that the actor access may have resulted from a crash dump in 2021, but we have not found a crash dump containing the impacted key material.
This indicates that Microsoft does not actually know how the attackers gained access to key material of their secure-token signing environment.
Review of the Summer 2023 Microsoft Exchange Online Intrusion, a CISA report on the incident, contains the following statement:
The Board concludes that this intrusion should never have happened. Storm-0558 was able to succeed because of a cascade of security failures at Microsoft, as outlined in this report. Today, the Board issues recommendations to Microsoft to ensure this critical company, which sits at the center of the technology ecosystem, is prioritizing security for the benefit of its more than one billion customers.
Here’s hoping industry pressure on Microsoft will also push them to make on-premises operating systems more secure.
Resources
- Susan’s Master Patch List
- The MS-DEFCON System explained
- BlockAPatch — Tools to help you hide or block updates
- Steve Gibson’s excellent InControl to manage feature releases