MS-DEFCON 3: Patch carefully

By Susan Bradley (AKA The Microsoft patch lady)

August can be a weird month where patching is concerned.

I’m lowering the MS-DEFCON level, but with caution. I usually hope to give time near the end of the month for patches to be applied, by lowering the level to 4 and sometimes 5. This time, I’m wishy-washy. Caution is the order of the day, so I’m lowering the level to just 3.

In my house, August represents a tradition — things occur that make me think technology wants to take a vacation, just like the rest of us.

This year, a limb dropped onto a cable line and broke the Internet connection to the house. You find out really fast how dependent you are on Internet, television, and phone when that happens. As I waited for the technician to come the next day, I used my Surface tablet and Lenovo laptop because they have cellular broadband connections. Those are not as fast as a wired connection, but at least I was able to write this article and connect to streaming services.

Outages instantly bring to mind Xfinity’s upcoming Storm-Ready Wi-Fi, which includes a built-in cellular connection as an automatic failover. It might be time to spring for that equipment.

It appears Microsoft had some technology mishaps this month as well. Although my home computers went through the updates just fine, as did the servers at the office, I can’t say the same for a business patcher dealing with Exchange this month. I’ll get to that in a minute. I’m also tracking some lingering issues with VPN side effects.

These are my primary reasons for caution and for my decision to set the level to 3. Patch, but afterward you must review your systems to make sure they are functioning properly. Don’t just patch, walk away, and assume everything’s fine.

For business patchers, the special registry keys that we were advised to use to deal with CVE-2023-32019 are now included in the August updates. If you recall, this was the infamous patch that was supposed to have side effects. I have not seen any. I don’t think Microsoft has, either, because the fix is now enabled by default. Note that you will not see any registry keys — this is apparently a “trust us, they are there” deployment.

I’ve been running Linux Mint “Victoria” Cinnamon version 21.2 for a while now, but for those of you who are more advanced, consider it similar to service packs or feature releases. Wait a bit for all the bugs to be worked out. Remember to check your system tray for alerts about new updates.

Apple Ventura received 13.5.1 on August 17. This is a bug fix for the 13.5 release and fixes an issue regarding location services settings on the Mac.

Since July, users have complained about an issue with the location privacy settings. The bug prevents you from accessing and controlling location permissions for first- and third-party apps. If you have been impacted by these bugs, you may wish to make this a priority — but remember to back up your system first.

For Windows 11 workstations, ensure that you have updated any third-party apps that modify the menu or file system on Windows 11. One of the reasons for delaying updates is to give these vendors time to deal with the changes each month may bring. As you read this, I think vendors have had time to deal with the side effects introduced by recent updates.

My Windows 10 workstations have been trouble-free this month and have handled the updates without a hitch.

For anyone looking for the firmware updates that will fix the Downfall vulnerability, identified as CVE-2022-40982, keep in mind that Intel will be releasing these updates over time. But don’t panic — this vulnerability enables a user to access and steal data from other users who share the same computer. This vulnerability will not be a risk for a home or consumer user. Computers in a hosted setting or a data center will be at risk, not you.

There is nothing more frustrating than receiving a confusing error message from Windows update, indicating that the system is having problems getting updated. I suggest you bookmark the Microsoft documentation page Fix Windows Update errors by using the DISM or System Update Readiness tool. It will give you a hint as to what the problem is, but not necessarily a solution.

In July, one of my servers received a message with the error code 0x80073712 (ERROR_SXS_COMPONENT_STORE_CORRUPT). It means the component store is in an inconsistent state. But how do I fix it? Any time there is an error hinting at something corrupt, I normally do a repair install over the top on any Windows 10 or Windows 11 machine. To do an over-the-top repair, refer to our own knowledge base guidance 6000015 – Repair install of Windows 10 22H2. You will not lose data or program files, and your system will be fixed.

But this wasn’t any old machine, it was a domain controller server — a special role in a network that needs a bit more care. Normally in large businesses, you would just deploy a new domain controller role, replicate the active directory information, and then remove and destroy the faulty domain controller. But I wanted to see whether I could use Microsoft’s own tools and instructions to get this server back into patching condition. When I ran sfc /scannow from an administrative command prompt, it confirmed that it was seeing issues but could not fix the problem. Then I attempted the DISM.exe /Online /Cleanup-image /RestoreHealth command. No go. It still would not fix the underlying corruption.

I ended up downloading an ISO image of the server operating system, in my case Server 2019, and mounting the ISO as a drive letter. You do this by clicking on the ISO; in my case, 😧 was assigned. Then you use the following command:

It took a while. Upon completion, it reported that the system was repaired. I tried installing the August updates; those were applied and worked.

Microsoft, fixing corruption should be easier than this. Granted, I don’t know the root cause of the corruption; but needless to say, a domain controller server is not a system on which I will be surfing the Internet and thus will not expose it to those types of threats.

August has been an absolute disaster for Exchange patchers. First, the updates wouldn’t install on non-English servers; then there were issues found in the English releases. Microsoft re-released all the Exchange updates. Also, there is a manual step that needs to be completed on all Exchange servers. Microsoft has provided a grid of exact steps, depending on where you are or where you left off. Ugh.

Microsoft is making the domain-join process more secure. In the process, this may cause issues — even with Windows workstations. KB5020276 documents the changes that have occurred that limit the ability to join a domain to only those workstations you intend and not to an attacker. As a result, Microsoft urges you to configure a new allow-list policy, using group policy on a domain controller, before September 2023. You’ll want to remove any legacy client-side workarounds before that date. Bottom line: Review that KB for impact on your network. I’ll have more on this in a future article.

Business users who use VPN with L2TP (Layer 2 Tunneling Protocol) on Windows 11 may be experiencing slowdowns. Some have reported that enabling Routing and Remote Services (look in the services snap-in) and changing the startup type from disabled to enabled sped up their VPN connection. It remains to be seen whether this is a permanent workaround or whether Microsoft will finally identify the root cause and issue a fix.

Resources

MS-DEFCON 3: Patch carefully