Woes mount for Microsoft Netlogon patch KB 3002657, SHA-2 signing patch KB 3033929

In good news: Microsoft patch KB 3032359 fixes last month's Poodle patch that broke Cisco AnyConnect VPN

Woes mount for Microsoft Netlogon patch KB 3002657, SHA-2 signing patch KB 3033929

This month's Black Tuesday was packed with patches, and the situation's become more complex overnight. Many problems with KB 3002657 are now surfacing -- difficulties that aren't confined to the issues with EMC Isilon clusters I reported yesterday. There's also Security Advisory 3033929, with an associated SHA-2 signing patch that affects all Windows 7 and Windows 2008 R2 customers, as well as a report that KB 3033395 isn't installing on Server 2003 R2 with Exchange 2007.

There's also good news: Very few consumers are reporting problems. That may be a temporary aberration -- sometimes it takes days for problems to surface. But it looks like most users have dodged the bullet this month.

First, the big bête noire: Complaints are mounting among admins that the Netlogon spoofing patch, MS15-027/KB 3002657 is causing more problems than the errors I detailed yesterday. In addition to log-on failures with EMC Isilon clusters, there are also problems with Outlook, SharePoint, and NAS drives.

Commenting on yesterday's post, hectorbandoni said it's "also affecting Outlook authentication using NTLM+HTTPS. Uninstalling the update solved the issue!" Tinyit commented: "Also affecting Dell FS Series NAS when authenticating across trusts." And Shinycolt45 said: "This update may have caused a connection problem with active directory permissions using a local IP for a local NAS drive."

In the same thread, Paulo Sergio Dutra de Rezende offered a fix that seems to have worked for several users:

To resolve the issue of authentication in network services (folders and printer) I've set the group policy "LAN Manager authentication level" to accept "Send LM & NTLM responses." Applied this group policy for the entire domain and now all client machines are accessing and logging in successfully network services. I believe it can help others with the same problem, without having to uninstall the update.

Below is a way to configure this group policy:

>> Computer Configuration >> Windows Settings >> Local Polices >> Security Options >>Network Security: LAN Manager authentication level >> Send LM & NTLM responses

Spiceworks also has a lengthy thread on this topic. No idea when/if Microsoft will pull the patch, but clearly it's causing lots of problems. (t/h SB)

Remember February's Poodle patch KB 3023607 that broke Cicso AnyConnect VPN on Windows 8.1, RT, and Server 2012 R2? Cisco has now confirmed that this month's KB 3040335 patch does indeed solve the "Failed to Initialize connection subsystem" error when establishing VPN connections in Windows.

Remember last October's botched SHA-2 patch, KB 2949927? Microsoft pulled the patch after it went out via Automatic Update, then told customers to manually remove it. Six months later, it's back with a new name -- Security Advisory 3033929 -- and an associated patch for Windows 7 and Server 2008 R2. It's billed as a "non-security" patch, and this time it appears to be working. (t/h ER)

Yesterday I mentioned that Microsoft had finally fixed the Excel 2007 VBA macro bug caused by a bad patch in the December's Black Tuesday crop. At the time it wasn't clear whether the analogous bugs in Office 2010 or 2013 had been fixed. Now we have confirmation, from the Excel Support Team blog, that Microsoft has finally patched the botched patch for Office 2007, 2010, and 2013. The company has also fixed Office 365 and Office 2013 Click-to-Run.

There are some very complex installation instructions, if you try to roll out the fixes manually, and I have no idea why they put this information in a support team blog post and not in the KB article. Those of you who make a living with VBA macros can now get your customers' systems working again. Hope you took advantage of your three-month vacation.

Posters on the Patchmanagement List are complaining about a detection problem with the kernel patch MS15-025/KB 3033395 installing on Windows 2003 R2 servers. Apparently the update mechanism fails to identify the patch once it's installed and offers it up repeatedly.

I also have confirmation on yesterday's report that the RDP patch MS15-030/KB 3036493 requires multiple reboots -- at least in some situations. It has been added to the official list of multiple-reboot renegades maintained in KB 2894518. Admins take note: Your patching sequences may get clobbered.

As you contemplate Weird Wednesday (which follows Patch Tuesday, as night follows day), take a look at KB 3048015, whose official title is: "Fix: Possibly incorrect DST start settings for Morocco in 2015." Now parse for me the phrase "possibly incorrect."

Finally, I'm seeing a lot of complaints about the size of this month's bundle of patches. Those of you with Office, for example, may see as many as 50 or 60 individual patches in a swollen download package of 400MB or more. There's a theory that the bloat is caused by Office language packs. I'll let you know if I get confirmation.

Copyright © 2015 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon