MS-DEFCON 3: A bumpy start to 2024

By Susan Bradley

The partition-sizing problem that emerged earlier this month is not yet fixed.

Fortunately, our deep examination of this bug has revealed nothing of a dangerous nature. Therefore, I am lowering the MS-DEFCON level to 3. It’s now time to carefully install the January updates.

We continue to monitor the problem, described in KB5034441 for Windows 10 22H2 and in KB5034440 for Windows 11. Some, but not all, Windows 10 PCs are affected. I have urged you to check your partitions for issues with installing this update. We have written extensively about the problems, and the forums have been very active (see the From the Forums article in yesterday’s newsletter).

But if you haven’t taken precautions, don’t worry. Even if the update fails to install, it will just give you an annoying error of 0x80070643. Then you can use the tools at BlockAPatch.com to hide the update. If you previously paused updates, you must resume them in order to hide this one. I’m still hopeful that Microsoft will come through with its promised “fix” of this issue. Going forward, I hope Microsoft greatly improves the update system so that it doesn’t push updates that are clearly not tested thoroughly.

The bulk of our attention has been on Windows 10, where I first noticed the problem. However, Windows 11 21H1 could have the same partition problem, as described in KB5034440. Nonetheless, I am not finding anyone experiencing side effects from this broken update on Windows 11. For Windows 11 22H2 and 23H2, the update is in the background and installs silently as part of the cumulative update, rather than being a separate release.

Windows 11 22H2 and later handle updates differently than prior versions. The update is behind the scenes and is similar to the servicing-stack components that update in the background but aren’t seen as a listed update. Although KB5034234 indicates this patching is occurring, there is no separate and visible update.

Microsoft’s Knowledge Base posts on this matter state that a minimum of 250MB of free space is required in the active recovery partition. Via a few experiments, we discovered that the update was applied without error, even if that free space requirement had not been not met. You may recall that Windows 11 21H2 made updates smaller, but we do not yet know whether that is a factor in this case.

Naturally, I’m watching this update very closely and will keep you posted about how Windows 11 handles it.

This lack of clarity from Microsoft makes me more confused, not less. That said, and after reviewing and monitoring patching on Windows 11 22H2 and later machines, I do not believe you will see this issue on those machines.

To recap what we should worry about in regard to January patches:

First, a bit of background. As you know, I work and patch systems in an office — an office that likes nice and boring, reliable technology that doesn’t change much. When we are trying to get a project done, we don’t need moving toolbars, changing menus, new icons, and other things that make us question where something we use regularly has gone.

Even though I may be testing and playing with Copilot on a personal level, the impact and evaluation of the risk to my business means that I want to limit the number of options and software that will enable Copilot features. As a business that handles sensitive information, we are urged to put in place an artificial intelligence policy that sets forth what our employees can enter into such software. As a result, and prior to going into our busy season, I have explicitly blocked Windows 11 23H2 from deploying in my office. I don’t have the time to evaluate the risk and privacy impact and will deal with the full analysis at a later date.

Meanwhile, in my personal computing environment and on selected devices, I have purchased and fully enabled Microsoft 365 Copilot so I can evaluate its issues, privacy concerns, and how best to create the policy for the office going forward.

I have not been tracking any major side effects with the Windows 11 23H2 release, but I still object to having beta code on my production workstations. When even Microsoft still considers the various editions and releases of Copilot to be a work in progress and is aggressively badging and branding, I do not recommend its use in a business setting at this time — unless you are specifically in charge of testing and evaluation.

If you are a consumer who accepts that Copilot is still in beta, and if you want to see what the fuss is about or wish to play with the latest and greatest, going to 23H2 will speed up the process — you will quickly be offered Windows Copilot. If you are purchasing Microsoft 365 Copilot Pro for consumers (US $20 per month) or Microsoft 365 Copilot for business (US $30 per month per user, yearly amount due up front), then I would recommend also opting for Windows 11 23H2. This will ensure that the underlying infrastructure that Microsoft recommends for Copilot is present. Also be aware that you need to move to the current channel of Office and away from the slower semi-annual enterprise channel that I regularly recommend because it has fewer changes and is less disruptive.

See how much opting into Copilot changes patching decisions that I recommend?

Because Windows 11 22H2 is supported until October 8, 2024, there is more than enough time to roll out 23H2 and evaluate its release at a later date. Thus I’m still recommending Windows 11 22H2 for both consumers and business users, especially for anyone who wishes to stay a bit longer on the sidelines, watching what occurs with Copilot.

To keep from being offered Windows 11 23H2, use a tool such as GRC.com’s InControl (Figure 1). But remember: This does not control monthly updates, only feature releases. Download the tool and select Windows 11 22H2 to keep your PC on that version. If you prefer other blocking methods, never fear — we’ve got you covered with registry keys or Group Policy.

Figure 1. InControl from Gibson Research

Depending on which patching tool you use, you may have to deal with some of these issues manually. Microsoft still has not placed KB5034441 on either the Microsoft catalog site for easy download or on WSUS or Microsoft Endpoint Configuration manager. Nor has it made it easy to determine which Windows 10 computers may fail. You may have to run various scripts from the community to get your systems protected.

If you’d like to confirm that your WinRE partition is actually patched, Microsoft provides guidance on the process.

Run REAgentC from an elevated prompt to determine exactly where the recovery partition is located:

The result of that command will provide a path containing the disk and partition numbers of the partition containing WinRE. Then use the DISM command, with the provided path, to determine the WinRE build number:

In my case, it matched build 3000. Consult KB5034234: Compatibility update for installing and recovering Windows 11, version 22H2 and 23H2: January 9, 2024.

I normally hold back on recommending updates, but Apple has released an update I’ll urge you to get sooner versus later. iOS 17.3 includes Stolen Device protection for an iPhone and helps to protect you when your device is stolen and the attacker knows your passcode:

When Stolen Device Protection is turned on, more sensitive operations require a Security Delay: a successful Face ID or Touch ID, an hour wait, then an additional successful biometric authentication. Security Delay helps prevent someone from making changes to settings that can lock you out of your iPhone or Apple ID account.

You may want to test out enabling it and see how it impacts you if you travel quite a bit. It also requires you to enable Face ID or Touch ID first. If you are traveling and want to enable extra protection, consider using this feature.

Resources

Source