  • MS-DEFCON 2: Seven months and counting

    Karlston


    By Susan Bradley

     

    It’s time to put a pause on updates as I sort out developments from this coming Patch Tuesday.

     

    Therefore, I’m raising the MS-DEFCON level to 2.

     

    The security updates coming next week include all supported Windows platforms, including Windows 10. Seven months may seem like a lot, but time flies. Given that time is needed to prepare for the end of Windows 10 updates, it’s better to think that a mere three months are left.

     

    Will Windows 10 suddenly stop working on October 15, the day after Patch Tuesday? Absolutely not. Will it continue to function just as in the past? Yes. Is there any possibility that Microsoft might dribble out a Windows 10 patch or two after October?

     

    Actually, yes. There is historical evidence that Microsoft looks at what the customer impact is, decides whether there is grave danger to its customer base, and on occasion releases patches after the end of life of a product. It’s happened several times before when there was a worm-style event and the risk from unpatched, out-of-support machines was too great to ignore.

     

    However, I contend that the risk of using an unpatched version of Windows 10 is far lower than it was for Windows 2000 and Windows XP. We’re better protected today because our network infrastructure provides protections that did not exist 20 years ago, such as built-in firewalls and other protections in network hardware. I don’t predict events like the worms of old occurring for Windows 10. It could happen, but I consider it unlikely.

     

    That’s why I think Microsoft’s past behavior represents a precedent for Windows 10. If Microsoft sees that a vast number of machines are at risk, it will take action and provide patches.

     

    Nonetheless, I’m in the process of signing up for business extended support licenses for up to three years that require a volume licensing signup. Consumers will be able to purchase a one-year extension, although we’re still waiting for Microsoft to release full details about that.

     

    Don’t panic.

    Consumers

    Based upon what we know about the upcoming nonsecurity changes discussed in Microsoft’s preview updates, put a pause on updating while we test and review any impact.

     

    I do want to reiterate my advice about falling skies. Ignore the clickbait headlines. This is like seeing one rat in two months and yelling loudly that the neighborhood has a dangerous rat infestation and the plague is imminent. In many cases, very few people or organizations have reported the issue, or it affects a very small minority with complex environments — but the news reports it as if WWIII has arrived.

     

    Always have a backup. Always remember that you can uninstall an update. Always ensure that any third-party File Explorer add-ons are up to date. Always ensure that any browser plugins are still supported and up to date. And as always, always watch and wait.

     

    Microsoft still has not fixed the cosmetic error in Event Viewer on Windows 10 that is triggered by SgrmBroker.exe. This is the one that throws off the error message “The System Guard Runtime Monitor Broker service terminated with the following error: %%3489660935.” It will occur right after booting and can be safely ignored.

     

    The April Windows 10 update will fix the issue affecting some USB-connected printers that support both the USB and IPP over USB protocols. Such printers would spit out an extra piece of paper every morning. My office now has a nice stack of scratch paper courtesy of our Lexmark printers. The March preview KB5053643 will then be folded into the April updates.

    Businesses

    Some bugs that will be fixed in the April security updates make me wince and continue to wonder why these took so long to be addressed. This is one of the reasons (besides being busy at the office) why I haven’t yet upgraded to 24H2.

     

    An example is included in KB5053656 from March, which means it will be rolled into the April updates to Windows 11 24H2. The KB notes:

     

    [Local Administrator Password Solution (LAPS)] This update addresses an issue with Windows LAPS. LAPS settings would not be preserved after an in-place upgrade.

     

    This is mildly concerning. One of the tools often used to fix a misbehaving workstation is an in-place repair install. Many of us also want to upgrade Windows 11 from 23H2 to 24H2. Learning that LAPS might be impaired after such updates certainly caught my attention.

     

    LAPS is a solution that allows the administrator (me) to have the computer assign a random password to the built-in administrator account and then store it in a domain setting. This allows me to ensure that attackers can’t guess or crack a local administrator password and then use that password to move laterally across a domain. You certainly don’t want an attacker to gain access to one workstation and then — merely because they have cracked the access on that computer — to be able to jump across the network and gain access to all workstations.
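
As an added example (not from the original article or from Microsoft), the PowerShell below records the Windows LAPS policy values before an in-place upgrade and reports any that are missing or changed afterwards. It assumes lost settings would show up as registry differences under the policy locations Microsoft documents for Windows LAPS and legacy LAPS; the baseline path is a placeholder.

```powershell
# Added example: run elevated once before the in-place upgrade (writes the
# baseline) and once after it (prints differences against the baseline).
$LapsRoots = @(
    'HKLM:\Software\Microsoft\Policies\LAPS',                         # CSP (MDM)
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\LAPS',  # Group Policy
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\LAPS\Config',    # local configuration
    'HKLM:\Software\Policies\Microsoft Services\AdmPwd'               # legacy Microsoft LAPS
)

function Get-LapsPolicySnapshot {
    # Flatten every value under each existing root into Id/Value pairs.
    foreach ($root in $LapsRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $key = Get-Item -LiteralPath $root
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Id    = "$root\$name"
                Value = [string]($key.GetValue($name))
            }
        }
    }
}

function Compare-LapsPolicySnapshot {
    param([object[]]$Before, [object[]]$After)
    $now = @{}
    foreach ($item in $After) { $now[$item.Id] = $item.Value }
    foreach ($item in $Before) {
        if (-not $now.ContainsKey($item.Id)) {
            [pscustomobject]@{ Id = $item.Id; Status = 'Missing'; Was = $item.Value; Now = $null }
        } elseif ($now[$item.Id] -ne $item.Value) {
            [pscustomobject]@{ Id = $item.Id; Status = 'Changed'; Was = $item.Value; Now = $now[$item.Id] }
        }
    }
}

# Placeholder path (assumption); keep the baseline where the upgrade will not touch it.
$baseline = 'C:\LapsBaseline\laps-policy.json'
if (-not (Test-Path -LiteralPath $baseline)) {
    # Before the upgrade: record the current settings.
    New-Item -ItemType Directory -Path (Split-Path $baseline) -Force | Out-Null
    ConvertTo-Json -InputObject @(Get-LapsPolicySnapshot) | Set-Content -LiteralPath $baseline
} else {
    # After the upgrade: list anything that was lost or altered.
    $before = Get-Content -LiteralPath $baseline -Raw | ConvertFrom-Json
    Compare-LapsPolicySnapshot -Before $before -After @(Get-LapsPolicySnapshot)
}
```

No output on the second run means every recorded value is still present and unchanged; values delivered by Group Policy or MDM may reappear on their own at the next policy refresh.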

     

    That’s for businesses. In a home setting, you probably want to access any and all file storage locations, and you’re very unlikely to have a domain to worry about.

     
