MS-DEFCON 4: Beware of clickbait


    Karlston

    By Susan Bradley

    Don’t be taken in by ‘The sky is falling!’ headlines.

It’s been my experience that what is purported to be news is often based on a limited number of users, not everyone on the planet. Based on my own research and testing, I’m comfortable lowering the MS-DEFCON level to 4.

    As a small case study, consider that Will Fastie and I each have several Windows 11 PCs. During the month, we compare and contrast the news with what we are seeing on our own equipment. For the most part, we don’t see the effects described by those headlines.


    Importantly, neither of us is a gamer, over-clocker, dual-booter, or other type of exotic user. We’re more aligned with business computing. Our AskWoody work is at our homes, with peer-to-peer networking (not domain-joined environments such as Active Directory) and residential access to the Web. From that perspective, neither of us has seen issues with the February updates. Therefore, I do not anticipate that most AskWoody readers will, either. That’s not to say you shouldn’t be careful.


    However, I remain nuanced in my advice:


    • I still do not recommend upgrading to Windows 11 24H2, especially in a business setting.
    • If you are already on 24H2, perhaps because you just bought a new PC that came with 24H2, I recommend that you stay on it. Don’t roll back.
    • Consumers who don’t engage in gaming should be fine on 24H2.
    • If you just got pushed to Windows 11 24H2 and did not intend for that to happen, remember you have only 10 days to roll back to 23H2.
    • Windows 11 23H2 is still safe and secure to use.
    • Windows 10 22H2 is still safe and secure to use.


    If, after installing the February updates, you see any side effect, ask yourself whether you have any unusual third-party software programs installed that might be interacting with the updates. I especially suggest checking any software modifying or replacing Windows Explorer (aka File Explorer). Make sure you have the latest version of such programs.


    Other side effects are often a result of having unique hardware. See, for example, KB5050021, regarding USB audio devices:


    After installing this security update, you might experience issues with USB audio devices. You are more likely to experience this issue if you are using a USB 1.0 audio driver based DAC (Digital to Analog converter) in your audio setup. This issue might cause USB audio devices to stop working, preventing audio playback.


    Resulting from this issue, the Device Manager might display the error “This device cannot start.”


    If you install the February updates, this issue should be resolved.

    Consumers

There are two “cosmetic” errors that Microsoft has yet to fix. The first has been around for a while and is one that you may see in your event log, complaining that “Device setup manager metadata staging failed” (Event ID 131). This most often occurs in a mixed network with other third-party devices. I don’t recommend that you attempt any of the fixes in the 13 pages of comments in the answer forum post. The inability of the computer to reach a certain URL to fetch metadata for a device will not trigger blue screens of death or other major side effects.

    Too often, we equate a cosmetic error with a different problem in our computers. Always ask yourself, “When did it last work well?” and “What am I aware of that I changed?” Or even, “Did I run a Registry cleaner or a tweaking tool?” And finally, “Can I roll myself back to a backup prior to when this issue started occurring?”


    That last question is often hard to answer. You must decide whether it’s worth it to roll back or attempt to find a solution otherwise.


    The second cosmetic error started only after the January updates for Windows 10. As Microsoft notes:


    The Windows Event Viewer might display an error related to SgrmBroker.exe, on devices that have installed Windows updates released January 14, 2025 or later. This error can be found under Windows Logs | System as Event 7023, with text similar to “The System Guard Runtime Monitor Broker service terminated with the following error: %%3489660935.”


    This, too, is not fixed in the February security updates, but — again — the good news is that it is only cosmetic. These types of errors — precisely because they are cosmetic — often mean that Microsoft will take its time fixing them.


    I’m not a fan of using unsupported operating systems to browse on the increasingly risky and threat-ridden World Wide Web. If you must do so, be aware that the Firefox ESR (extended security release) version will be supported on Windows 7 until September 2025. I am starting to see websites call out the ESR, in most cases indicating that it is not recommended. This behavior is not new. I do not recommend trying to trick a banking site by editing the user agent string to pretend to be another browser. Instead, get a new and up-to-date Android or iPhone, and do your online banking on a patched and secure device.

    Businesses

This month brings changes to certificate-based authentication in Windows, something I’ve been warning you about for nearly a year. As documented in KB5014754, the February updates will reveal whether you will have issues once this certificate-mapping change becomes permanent. Use the script from the KB5014754 Certificate Authentication Event Analysis page at GitHub to review whether you will have issues. As noted, look for the following entries:

    • Event ID 39: No strong certificate mapping found, which will have a HIGH impact because you are using certificates employing weak mapping methods.
    • Event ID 40: Certificate predates user account, which will also have a HIGH impact because the certificate was issued before creation of the user account.
    • Event ID 41: User SID mismatch with certificate SID, which also will have a HIGH impact because the certificate SID extension doesn’t match the user.


    If in doubt, put in place the following mitigation in the Registry and reboot your domain controller:


    HKLM\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement (DWORD 1)
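    As an added illustration (not Microsoft’s KB5014754 analysis script and not part of the original article), the following PowerShell, run in an elevated session on a domain controller, counts the three KDC events listed above over a look-back window and reports or sets the StrongCertificateBindingEnforcement value named above. The Days and SetCompatibility parameters are assumptions of this example.

```powershell
# Added example (not Microsoft's KB5014754 analysis script): summarise the KDC
# certificate-mapping events 39/40/41 and check or set the enforcement value.
# Run in an elevated PowerShell session on each domain controller.
param(
    [int]$Days = 30,            # assumed look-back window for the System log
    [switch]$SetCompatibility   # assumed switch: set StrongCertificateBindingEnforcement = 1
)

# Meaning of each event ID as listed in KB5014754; all three are rated HIGH impact.
$Impact = @{
    39 = 'No strong certificate mapping found (weak mapping method in use)'
    40 = 'Certificate predates the user account'
    41 = 'User SID does not match the certificate SID extension'
}

$filter = @{ LogName = 'System'; Id = 39, 40, 41; StartTime = (Get-Date).AddDays(-$Days) }
# Get-WinEvent throws when nothing matches, so suppress that and treat it as "no findings".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Kerberos-Key-Distribution-Center*' }

if (-not $events) {
    Write-Host "No KDC certificate-mapping events (39/40/41) in the last $Days days."
} else {
    $events | Group-Object Id | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{
            EventId  = [int]$_.Name
            Count    = $_.Count
            Impact   = 'HIGH'
            Meaning  = $Impact[[int]$_.Name]
            LastSeen = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    } | Format-Table -AutoSize
    # Each message names the account and certificate involved; show a sample for follow-up.
    $events | ForEach-Object { $_.Message } | Select-Object -Unique | Select-Object -First 20
}

# Current setting: 0 = disabled, 1 = compatibility mode, 2 = full enforcement (KB5014754).
$kdc = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$current = (Get-ItemProperty -Path $kdc -Name StrongCertificateBindingEnforcement `
    -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement
if ($null -eq $current) { Write-Host 'StrongCertificateBindingEnforcement is not set (defaults apply).' }
else { Write-Host "StrongCertificateBindingEnforcement = $current" }

if ($SetCompatibility) {
    Set-ItemProperty -Path $kdc -Name StrongCertificateBindingEnforcement -Value 1 -Type DWord
    Write-Host 'Set StrongCertificateBindingEnforcement to 1; reboot the domain controller to apply.'
}
```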


    Also included in the February updates is a fix for a vulnerability in the Windows disk-cleanup tool. Per CVE-2025-21420, an attacker could exploit this vulnerability and gain system privileges. Be aware that a proof of concept has now been released.


    Do be patient when installing updates. Server 2016, in particular, has historically taken longer to update than its newer versions.


    If you use HP printers in your organization, you’ll want to review the list of impacted printers that may allow remote code execution and elevation of privilege unless patched. The vulnerability relates to PostScript printing and handling and thus impacts quite a few LaserJet and enterprise printers.



    Hope you enjoyed this news post.

    Thank you for appreciating my time and effort posting news every day for many years.

    News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of January): 487

    RIP Matrix | Farewell my friend  :sadbye:

