MS-DEFCON 2: Do you need that update?

By Susan Bradley

Microsoft is blurring the lines between those updates that I consider mandatory and those that some administrators might need for their networks.

For many years, I’ve urged folks to immediately install Microsoft’s out-of-band updates to protect us from whatever was occurring in the attack. But now, Microsoft is not communicating well. It’s hard to know whether these updates are needed.

Therefore, I’m raising the MS-DEFCON level to 2. Put updates on pause, and don’t install the out-of-band updates from May. Mea culpa: I realize that we lowered the level just a week ago, but these updates arrived after that, giving me too little time to figure them out. As I say, poor communication from Microsoft.

Windows 10 received not one but two out-of-band updates during the month of May. The first, KB5061768 on May 19, specifically fixes this issue:

A known issue on devices with Intel Trusted Execution Technology (TXT) enabled on 10th generation or later Intel vPro processors. On these systems, installing the May 13, 2025, Windows security update (KB5058379) might cause the Local Security Authority Subsystem Service (LSASS) process to terminate unexpectedly, triggering an Automatic Repair prompting for the BitLocker recovery key to continue.

If you have a 10th-gen Intel vPro processor on your Windows 10 computer and BitLocker is not enabled, you do not need this out-of-band update.

The second, KB5061979 for Windows 10, includes the fix above and then includes an additional fix:

An issue in the direct send path for a guest physical address (GPA). This issue caused confidential virtual machines running on Hyper-V with Windows Server 2022 to intermittently stop responding or restart unexpectedly. As a result, service availability was affected, and manual intervention was required. This problem primarily impacted Azure confidential VMs.

This would impact only hosted machines, not physical Windows 10 computers.

Windows 11 24H2 received a similar out-of-band update, KB5061977, fixing the Hyper-V platform:

An issue in the direct send path for a guest physical address (GPA) where confidential virtual machines running on Hyper-V with Windows Server 2025 might intermittently stop responding or restart unexpectedly, affecting service availability and requiring manual intervention. This issue primarily affects Azure confidential VMs.

Windows 11 23H2 got its share with KB5062170:

This update addresses an issue where some customers encountered a recovery error with error code 0xc0000098 while installing the May 2025 Windows security update (KB5058405) on Windows 11, version 22H2 and 23H2 devices. This update will not install on systems that successfully applied KB5058405.

Consumers

The good news for consumers is that none of these updates will automatically install. You must go to the Microsoft catalog and manually download the update in order to obtain them. I don’t see consumers impacted by these issues. I do recommend that you place updating on hold as we get ready to receive the June updates and start testing them.

Businesses

Businesses can also decide to skip these updates and pause deploying updates until June’s updates come out. Unless you are specifically impacted, I recommend not installing these out-of-band updates at this time.

For both businesses and consumers, it’s time to pause — don’t install any out-of-band updates.

Source

Hope you enjoyed this news post.

Thank you for appreciating my time and effort posting news every day for many years.

News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of May): 2,377

RIP Matrix | Farewell my friend