MS-DEFCON 2: Windows 11 21H2 nears end of life

By Susan Bradley (AKA The Microsoft patch lady)

On October 10, 2023, the Home and Pro editions of Windows 11 21H2 will no longer be supported by Microsoft.

Anticipating next week’s Patch Tuesday, I’m raising the MS-DEFCON level to 2. When (and if) the dust settles, we’ll enter another period of safe patching toward the end of the month. I’ll say more then, but you should prepare.

I’ve been holding back on recommending Windows 11 22H2 for gamers. During the next patching window, make sure to update your firmware and your video card drivers to ensure they are current before updating to 22H2.

If you use the Enterprise or Education edition of Windows 11 21H2, know that support expires on October 8, 2024, not next month. I must apologize to users of those editions because with my constant focus on Pro and Home, I tend to forget that Enterprise and Education always have a longer life span. Most of my systems, both in the office and at home, run Pro.

Highlights

It seems like only yesterday that Windows 11 was released. Yet already, we are nearing the end of life for the Home and Pro editions of Windows 11 21H2. As we prepare ourselves to install the September updates later this month, I want to bring you up to date regarding some misleading headline stories.

Windows updates cause blue screens of death — The reality is something quite different. In the case of August updates, only some machines experienced BSODs — and only if you installed the optional updates for Windows 10 and Windows 11 released on August 22, 2023. Microsoft soon identified the problem machines and stopped offering the offending updates to them.

The machines in question were from a specific Taiwanese manufacturer and affected the Micro-Star International (MSI) Z690- and Z790-based motherboards the most. The manufacturer provided a temporary workaround that involved reverting the BIOS to a previous version and uninstalling the problematic Windows update (KB5029351 for Windows 11 and KB5029331 for Windows 10).

A reminder: Do not install optional updates unless I have specifically told you to do so. Optional updates are previews of the nonsecurity updates and fixes that will be rolled into next month’s security updates. They are meant for businesses, to test for side effects before the updates become official the following month. Consumers should not be subjected to yet another unpaid beta testing process. As long as you do not explicitly select them for installation, they will not automatically install.

There have been times when I’ve seen the optional .NET updates get installed on my home machines. Optional updates are not supposed to be pushed, but every so often Microsoft gets a bit rambunctious. In my advancing age, and quite frankly because .NET patches (knock on wood) have become so well behaved lately, I no longer have my previous concerns about accidental .NET patch installations. You can uninstall them, but more often than not I let them stay if the machine is not exhibiting any side effects or issues.

The sky is falling: TLS 1.0 and TLS 1.1 will soon be disabled in Windows — TLS 1.0 and TLS 1.1 were the first of many Secure Socket Layer (SSL) improvements making Internet communications more secure for transporting sensitive information such as credit card numbers and login credentials. These earlier TLS versions will be turned off in future versions of Windows in favor of the newer TLS 1.2 and 1.3 releases.

What does this mean for you? Absolutely nothing — if you are running a supported version of Windows. A possible problem is an application program that requires older TLS releases and that you wish to run on a newer machine. A good example would be the need for accounting professionals to install Turbo Tax for the years 2011 through 2018, so they could view older tax returns — programs that are too old to run properly on Windows 11. Admittedly, that’s an edge case. As a CPA, I can assure you that, unless you’ve committed fraud, the statute of limitations for 2018 and earlier returns has closed. So you should rarely need to review returns that old.

On the other hand, some older HP printers use older versions of TLS so they can work securely over the Internet. Forget about trying to update them — everyone should keep an eye on such older equipment. You may be able to disable TLS in the printer to solve the problem, but you’ll no longer have secure communications with it. On a personal note, I’m not charitably disposed toward HP these days because of its replacement-ink policies, so I’d just as soon chuck the thing and get something else with, of course, the most modern TLS.

Don’t let the headlines scare you.

I give up. I can’t keep track of all the dribbled hardening; tweaks; or second, third, and fourth deployments of this or that patch. I can’t devote time and space in the Master Patch list to keep track of these enforced mandates. Case in point: KB5025885 adds a third deployment phase to the first and second phases that began in May and were updated in July. No sooner than January 9, 2024 (that’s a lovely, specific date, isn’t it?), we will receive another rollout of Boot Manager mitigations. Clearly Secure Boot just plain isn’t secure at all. It’s a rabbit hole. I highly recommend reading a Rufus GitHub thread about how Microsoft finally acknowledged a problem with its earlier fix.

We are still waiting for BIOS updates to protect from a transient information attack called Downfall. But keep this vulnerability in perspective: servers and hosted workstations in data centers are most at risk for this attack, not standalone workstations. In addition, ensure you review your Linux installations; although Microsoft vulnerabilities have been in the headlines, Downfall affects other servers in data centers. Be vigilant on all platforms, not just Windows.

Back in June, the SANS Institute held an online Ransomware Summit. If you have not had a chance to review the talks online, I highly recommend that you check out its YouTube channel and spend a few hours wallowing in the information provided. With seminar budgets being tight in businesses, and ransomware not letting up, it’s a good reminder that we need to keep vigilant. We may patch, we may have firewalls, we may have security software, but often it comes down to the human factor. Take the time to encourage everyone in your organization to be aware and vigilant about email scams that evade the best security filtering every day.

Often, it comes down to one person clicking when they shouldn’t.

Resources

MS-DEFCON 2: Windows 11 21H2 nears end of life