MS-DEFCON 2: Windows 11 23H2 is out

By Susan Bradley

Trick or treat? Microsoft released Windows 11 23H2 on Halloween.

On top of that, November’s Patch Tuesday is just around the corner, and Copilot will continue to dribble out — even on 22H2 — in the November security releases. Therefore, I’ve raised the MS-DEFCON level to 2.

As with many changes Microsoft makes these days, 23H2 and Copilot for Windows will be phased rollouts, so there’s no telling when any individual user will see them offered in Windows Update. So remember that there are many tools to control the Copilot rollout, including a registry key and Group Policies (you can download our ADMX and ADML files).

For Microsoft’s complete statement about the Windows 11 updates, see KB5031455 (OS Builds 22621.2506 and 22631.2506) Preview.

What does all this mean for you?

First, Microsoft’s ISO for Windows 10 22H2 is no longer available, having been replaced by 23H2. If you did not grab a copy of 22H2 earlier, you’ll need to use Rufus to get it.

Second, you can keep 23H2 at bay if you have used InControl, Group Policy, or Registry methods to do so. That also applies to the Microsoft patch-control systems such as Windows Update, Intune, or WSUS. All these solutions block 23H2, so no other action is needed.

Third, keep in mind that pieces of 23H2 have been installed in the background for some time. So if you decide to let 23H2 install, it will not be particularly time-consuming.

Finally, and if you are looking forward to getting 23H2 on your Windows 11 PC, go to Settings | Windows Update and toggle on Get the latest updates as soon as they’re available. Then click the Check for updates button. Also note the enablement packages mentioned in the Tech Community post What’s new for IT pros in Windows 11, version 23H2. I’ve posted the direct links for these easy upgrades to 23H2 (should you want to jump there on a backed-up test machine) in this AskWoody forum post. All you need to do is click on the links to install 23H2 without waiting for Windows Update to offer it to you.

All that said, my very strong opinion is that it’s better to wait and make sure there are no unmanageable side effects. Let others (like me) endure the slings and arrows so you don’t have to.

Many of you will be looking forward to a long-requested change, “never combined.” This allows more control over the way the taskbar is presented, in that windows for one app will be displayed individually on the taskbar. The default for some time, including in Windows 10, is that one icon appears for the app, so you must hover over the icon to see the individual windows. Go to Settings | Personalization | Taskbar | Taskbar behaviors and set Combine taskbar buttons and hide labels to Never. There is also a separate setting for turning this on for other taskbars when you use multiple monitors.

As you scroll down the listing of “Highlights” on the KB5031455 Preview page, you may think these sound a lot like the features touted for 23H2. That’s because the are. Windows 11 23H2 will fully enable all these features, unlike the October update that started to make these changes under the hood, over time. I think the dribbling was deliberate, almost to make you feel as if the Windows 11 23H2 rollout were anticlimactic.

Windows 10 22H2’s security updates next week won’t be so full of changes. One overdue change I’m looking forward to is a printing fix with Outlook. Microsoft notes,

This update addresses an issue that affects Outlook. It stops responding. This occurs when you print to an Internet Printing Protocol (IPP) printer that has a slow response time.

I still don’t recommend the use of IPP or WSD (Web Services for Devices) printer connections. I prefer and recommend USB for home computers or TCP/IP (network) connections in office printers. This update for Windows 10 also includes a fix addressing an error that occurs when you print using v4 printer drivers. Even in a home setting, I recommend that you double-check printers to be sure they still work after installing monthly updates.

If you were planning to give yourself a Christmas present in the form of a new MacBook, be aware that Apple released its upgraded MacBook lineup in its October 20 event. The new lineup became available in stores on November 7. If you have an existing MacBook, don’t forget to check its trade-in value on the Apple website.

In watchOS 10.1, iOS and iPadOS 16.7.2, tvOS 17.1, iOS and iPadOS 17.1, Apple recently fixed an issue tracked as CVE-2023-42846. The vulnerability was an information leak leading to disclosure of the device MAC address, even when Wi-Fi MAC address randomization is enabled. As noted in that information leak post:

The information leak is only possible to exploit when a device is connected to the same network as the attacker. There is no way to access any port on the device until it is authenticated with the WiFi network and associated with an access point, or, in simpler terms, until the user connected to the network.

Passive tracking by sensors was prevented by MAC address randomization as designed. It was not possible to track mobile device presence without a user connecting to a WiFi network under threat actor control because each network scan came from a different, random MAC address.

Many in the news media called address randomization worthless. However, the failure of this feature is a problem for some businesses and government agencies. For you and me, not so much. Don’t believe the media hype: iPhones still have a very solid privacy stature.

For business users, I am still concerned about patching a Hyper-V or VMware host. I recommend it only if you have trust in your restoration processes, are not using secure boot in your processes, and have failovers and windows of maintenance ready. If you don’t have that luxury, I think it’s wise to hold back until we see the impact of the November updates before installing any of them on a host machine running a number of virtual machines. I don’t make it a habit to recommend that you not patch, but this is one to attend to carefully.

For those who do Windows patching of workstations, remember that Copilot for Windows will be disabled if the operating system senses that it’s in a “managed” state — which usually means that updates are being controlled by something other than Windows Update. You can enable it if you like, but you can also control these “dribbled” changes with various Intune and Group Policy settings, as described in Microsoft’s article Enterprise feature control in Windows 11.

Because of all these anticipated changes, I recommend that updates be deferred. I’ll let you know when it’s safe to install updates and, as usual, will be tracking side effects.

Resources