Jump to content
  • MS-DEFCON 3: A bumpy start to 2024


    Karlston

    • 626 views
    • 8 minutes
     Share


    • 626 views
    • 8 minutes

    By Susan Bradley

    The partition-sizing problem that emerged earlier this month is not yet fixed.

    Fortunately, our deep examination of this bug has revealed nothing of a dangerous nature. Therefore, I am lowering the MS-DEFCON level to 3. It’s now time to carefully install the January updates.

    We continue to monitor the problem, described in KB5034441 for Windows 10 22H2 and in KB5034440 for Windows 11. Some, but not all, Windows 10 PCs are affected. I have urged you to check your partitions for issues with installing this update. We have written extensively about the problems, and the forums have been very active (see the From the Forums article in yesterday’s newsletter).

    But if you haven’t taken precautions, don’t worry. Even if the update fails to install, it will just give you an annoying error of 0x80070643. Then you can use the tools at BlockAPatch.com to hide the update. If you previously paused updates, you must resume them in order to hide this one. I’m still hopeful that Microsoft will come through with its promised “fix” of this issue. Going forward, I hope Microsoft greatly improves the update system so that it doesn’t push updates that are clearly not tested thoroughly.

    What about Windows 11?

    The bulk of our attention has been on Windows 10, where I first noticed the problem. However, Windows 11 21H1 could have the same partition problem, as described in KB5034440. Nonetheless, I am not finding anyone experiencing side effects from this broken update on Windows 11. For Windows 11 22H2 and 23H2, the update is in the background and installs silently as part of the cumulative update, rather than being a separate release.

    Windows 11 22H2 and later handle updates differently than prior versions. The update is behind the scenes and is similar to the servicing-stack components that update in the background but aren’t seen as a listed update. Although KB5034234 indicates this patching is occurring, there is no separate and visible update.

    Microsoft’s Knowledge Base posts on this matter state that a minimum of 250MB of free space is required in the active recovery partition. Via a few experiments, we discovered that the update was applied without error, even if that free space requirement had not been not met. You may recall that Windows 11 21H2 made updates smaller, but we do not yet know whether that is a factor in this case.

    Naturally, I’m watching this update very closely and will keep you posted about how Windows 11 handles it.

    This lack of clarity from Microsoft makes me more confused, not less. That said, and after reviewing and monitoring patching on Windows 11 22H2 and later machines, I do not believe you will see this issue on those machines.

    Consumers

    To recap what we should worry about in regard to January patches:

    • For those who have paused updates on Windows 10: Once you resume updates, download and use the WUShowhide tool to hide KB5034441.
    • It doesn’t matter whether the patch fails to install or starts to install; just hide it when you can.
    • Windows 11 machines prior to 22H2 may have the same issue. I recommend hiding KB5034440 if you have any problems installing it.
    • Attackers would need physical access to your computer, and BitLocker would need to be enabled — another reason I see no risks in not installing this update.
    • You are more likely to become totally confused and frustrated by this update release (like I am) than to actually be at risk from this vulnerability.
    Windows 11 feature release 23H2

    First, a bit of background. As you know, I work and patch systems in an office — an office that likes nice and boring, reliable technology that doesn’t change much. When we are trying to get a project done, we don’t need moving toolbars, changing menus, new icons, and other things that make us question where something we use regularly has gone.

    Even though I may be testing and playing with Copilot on a personal level, the impact and evaluation of the risk to my business means that I want to limit the number of options and software that will enable Copilot features. As a business that handles sensitive information, we are urged to put in place an artificial intelligence policy that sets forth what our employees can enter into such software. As a result, and prior to going into our busy season, I have explicitly blocked Windows 11 23H2 from deploying in my office. I don’t have the time to evaluate the risk and privacy impact and will deal with the full analysis at a later date.

    Meanwhile, in my personal computing environment and on selected devices, I have purchased and fully enabled Microsoft 365 Copilot so I can evaluate its issues, privacy concerns, and how best to create the policy for the office going forward.

    I have not been tracking any major side effects with the Windows 11 23H2 release, but I still object to having beta code on my production workstations. When even Microsoft still considers the various editions and releases of Copilot to be a work in progress and is aggressively badging and branding, I do not recommend its use in a business setting at this time — unless you are specifically in charge of testing and evaluation.

    If you are a consumer who accepts that Copilot is still in beta, and if you want to see what the fuss is about or wish to play with the latest and greatest, going to 23H2 will speed up the process — you will quickly be offered Windows Copilot. If you are purchasing Microsoft 365 Copilot Pro for consumers (US $20 per month) or Microsoft 365 Copilot for business (US $30 per month per user, yearly amount due up front), then I would recommend also opting for Windows 11 23H2. This will ensure that the underlying infrastructure that Microsoft recommends for Copilot is present. Also be aware that you need to move to the current channel of Office and away from the slower semi-annual enterprise channel that I regularly recommend because it has fewer changes and is less disruptive.

    See how much opting into Copilot changes patching decisions that I recommend?

    Because Windows 11 22H2 is supported until October 8, 2024, there is more than enough time to roll out 23H2 and evaluate its release at a later date. Thus I’m still recommending Windows 11 22H2 for both consumers and business users, especially for anyone who wishes to stay a bit longer on the sidelines, watching what occurs with Copilot.

    To keep from being offered Windows 11 23H2, use a tool such as GRC.com’s InControl (Figure 1). But remember: This does not control monthly updates, only feature releases. Download the tool and select Windows 11 22H2 to keep your PC on that version. If you prefer other blocking methods, never fear — we’ve got you covered with registry keys or Group Policy.

    ALERT-2024-01-30-bradley-fig-1.jpg
    Figure 1. InControl from Gibson Research

    Businesses

    Depending on which patching tool you use, you may have to deal with some of these issues manually. Microsoft still has not placed KB5034441 on either the Microsoft catalog site for easy download or on WSUS or Microsoft Endpoint Configuration manager. Nor has it made it easy to determine which Windows 10 computers may fail. You may have to run various scripts from the community to get your systems protected.

    If you’d like to confirm that your WinRE partition is actually patched, Microsoft provides guidance on the process.

    Run REAgentC from an elevated prompt to determine exactly where the recovery partition is located:

    • reagentc /info

    The result of that command will provide a path containing the disk and partition numbers of the partition containing WinRE. Then use the DISM command, with the provided path, to determine the WinRE build number:

    • Dism /Get-ImageInfo /ImageFile:\\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE\winre.wim /index:1

    In my case, it matched build 3000. Consult KB5034234: Compatibility update for installing and recovering Windows 11, version 22H2 and 23H2: January 9, 2024.

    Apple patching

    I normally hold back on recommending updates, but Apple has released an update I’ll urge you to get sooner versus later. iOS 17.3 includes Stolen Device protection for an iPhone and helps to protect you when your device is stolen and the attacker knows your passcode:

    When Stolen Device Protection is turned on, more sensitive operations require a Security Delay: a successful Face ID or Touch ID, an hour wait, then an additional successful biometric authentication. Security Delay helps prevent someone from making changes to settings that can lock you out of your iPhone or Apple ID account.

    You may want to test out enabling it and see how it impacts you if you travel quite a bit. It also requires you to enable Face ID or Touch ID first. If you are traveling and want to enable extra protection, consider using this feature.

    Resources

     

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...