MS-DEFCON 4: Safe — for now

By Susan Bradley

The April updates have been relatively quiet, with some exceptions.

That’s why I’m lowering the MS-DEFCON level to 4. Most of my concerns lie not with this month’s patches but rather with the timing of future mandates.

In addition, Microsoft finally acknowledged an “oopsie” with Edge.

Microsoft has been in dribble mode, getting our workstations ready for Windows Copilot. Although we can control this through the use of registry keys and group policy, eagle-eyed Forum reader WHCS noted a few weeks ago that a “Microsoft Copilot” app had been installed. After a bit of investigation, it was found that the app was installed at the same time that a beta version of Edge received an update. In the next few weeks, we started to get more and more reports of this app’s being installed on operating systems ranging from Windows 10 all the way to Server 2022.

Just a few days ago, Microsoft fessed up:

Updates to Edge browser version 123.0.2420.65, released on March 28, 2024 and later, might incorrectly install a new package (MSIX) called “Microsoft chat provider for Copilot in Windows” on Windows devices. Resulting from this, the Microsoft Copilot app might appear in the Installed apps in Settings menu.

It is important to note that the Microsoft chat provider for Copilot in Windows does not execute any code or process, and does not acquire, analyze, or transmit device or environment data in any capacity.

This package is intended to prepare some Windows devices for future Windows Copilot enablement and is not intended for all devices. Although the component installed as part of this issue can cause the Microsoft Copilot app to be shown as part of the Installed apps, this component does not fully install or enable Microsoft Copilot.

As part of the upcoming resolution of this issue, the chat provider for Copilot in Windows component will be removed from devices where Microsoft Copilot is not intended to be enabled or installed. This includes most Windows Server devices.

Note: Edge browser version 124.0.2478.51, released on April 18, 2024, contains a change by which the chat provider for Copilot in Windows will not continue to be installed on every device.

Quite the mea culpa. Microsoft notes that the affected platforms are Windows 11 versions 23H2, 22H2, and 21H2; Windows 10 version 22H2; and Windows Server 2022.

Though it’s great that Microsoft owned up to a mistake, it concerns me that Redmond seems to be rushing these releases and, as a side effect, accidentally pushing things out to all platforms rather than just the ones with Microsoft Copilot licenses. I found this update on all unmanaged devices, whose updates come from Windows Update. Any machine managed by a patching tool such as WSUS or SCCM didn’t appear to get it.

Here’s where things stand.

Figure 1. Turn off Show suggestions occasionally in Start.

My Windows 11 OEM PC at home, with a local account, survived the April updates with no issues. So, too, did my older Windows 10 machine. So for this month, I feel confident in recommending that you install updates for April. This month does include updates for Secure Boot and BitLocker that require additional steps, but for consumer machines I advise you to ignore Microsoft’s recommendations and the six (yes, six) reboots that are required to fully implement those updates.

If you have a machine that does not have Secure Boot enabled, you won’t be at risk by skipping these steps. The only possible risk, once Microsoft finally enforces removal of certain boot certificates, is that you won’t be able to do a refresh. Personally, I don’t recommend refreshes and instead recommend that you perform repair installs to fix anything that your system has issues with — especially when it comes to updating issues.

If you are considering updating your Windows 10 PC to Windows 11, ensure that you update all sound drivers. Specifically, look for drivers for Intel SST Audio Controller prior to updating to Windows 11. Microsoft has found issues with these drivers and has placed a hold on these devices.

If you are not a fan of News and Interests, remember that you can adjust the settings. On Windows 10, right-click on the News and Interests entry on the Windows 10 taskbar. Select News and Interests on the menu that opens. To disable the feature entirely, select Turn off. You may, alternatively, reduce it to an icon-only display. You may also select Reduce taskbar updates, which lowers the frequency of taskbar updates.

For those of you with iPhones, hopefully you have by now installed iPhoneOS 17.4.1, which both fixes security issues and addresses complaints about battery life after the installation of 17.4. It’s always important to install updates — but at the same time, it’s discouraging when any vendor introduces bugs. Here’s hoping that all vendors will do a better job.

The April updates have not introduced new issues, but they haven’t fixed a lot of issues, either.

KB5037754 includes new steps to fully implement fixes. The April 9, 2024, and later updates include fixes to address elevation-of-privilege vulnerabilities with the Kerberos PAC Validation Protocol. For now, you’ll need to monitor the event logs to see which devices in your network are not updated.

Microsoft has updated KB5025885 to document the steps needed to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932. If you are lucky enough to have ConfigMgr, I strongly recommend reviewing the GARYTOWN blog post that shares a configuration script and provides guidance on how to manage this nearly unmanageable process.

This is definitely a long-term evolution. Microsoft will not enforce these changes until possibly later next year, but I predict that this timeline might change as they see the impact of our testing and as we provide feedback on how insanely complex and potentially disruptive this enforcement is. The company has pushed back the timeline on this implementation and added more manual steps. We will undoubtedly be revisiting this again.

Another reminder: KB5014754 will need to be monitored for long-term changes to certificate-based authentication on Windows domain controllers. In the support note, Microsoft says:

Unless updated to this mode earlier, we will update all devices to Full Enforcement mode by February 11, 2025, or later. If a certificate cannot be strongly mapped, authentication will be denied.

February 11, 2025, or later? It’s interesting how Microsoft states a firm date and then instantly pulls the rug out. My take? Microsoft isn’t giving us a firm date yet because it will be evaluating the long term-impact on our networks.

Last, but not least, last month’s bug that made Domain Controllers leak memory, triggered by the updates released March 12 and fixed with out-of-band updates released later in March, have had the fixes integrated into this month’s updates. If you held off installing the March updates on your domain controllers, you can hop over to the April updates and install them instead.

Resources