Patch Tuesday problems abound, Server 2016 crashes, and a .Net patch goes down in flames

The July Patch Tuesday crop teems with bugs — some of them acknowledged. Snooping patches KB 2952664 and 2976978 return. If you ever needed a good excuse for delaying patches, this month is it.

Broken window with band-aid patch
Thinkstock

You know it’s going to be an Alice in Wonderland month when some sites report that Microsoft plugged 54 vulnerabilities on Patch Tuesday, while others report 53. Fact is, patching has become so brutal — and so banal — that there’s no consensus on counting, much less on what’s good and bad.

Suffice to say that, once again this month, there was a huge number of security patches (129 individual patches, according to the Microsoft Update Catalog), with no pressing security fixes unless you’re using the Edge browser or Internet Explorer. Microsoft changed Win10 version 1803 to “Semi-Annual Channel,” but the term now means less than it ever has before. If that’s possible.

Moral of the story: Don’t use IE or Edge, and wait a few weeks to see if any of the other patches blow up — which is pretty close to the same Patch Tuesday advice I’ve doled out monthly for the past year.

For a comprehensive listing of all the patches, see Martin Brinkmann’s list on Ghacks. For the best in-depth analysis, see Dustin Childs’s review on the Zero Day Initiative blog.

An overview with a jaundiced eye

The SANS Internet Storm Center says there are no known exploits for any of the patches, although three of the exploits have been disclosed to the patching community. None of the three is particularly interesting, unless you use Edge.

There are “critical” fixes for Edge (12 critical) and Internet Explorer (four critical), but no “critical” fixes for any Windows version. It still amazes me how many major security problems crop up, month after month, for Edge.

Our evergreen snooping patches, KB 2952664 for Win7 and KB 2976978 for Win8.1 make a reappearance, this time marked “Important,” checked and ready to load. Similarly, KB 4023057 — an “update reliability” patch for older Win10 versions — has appeared again. Unless you want Microsoft to push you to a new version of Windows, you don’t need or want them — they only shuffle more telemetry data off to Microsoft.

Win10 1803 now “Semi-Annual Channel” — whatever that means

The craziest Patch Tuesday blip wasn’t a patch at all. Win10 April 2018 update — good ol’ version 1803 — now appears in the Windows 10 release information list as “Semi-Annual Channel.” What’s more the bizarre blurb that appeared as a footnote in that post on Tuesday morning is now gone:

(1) Windows 10, version 1803 designation has been updated to reflect the servicing option available in the operating system and to reflect existing deferral policies. We recommend organizations broadly deploy the latest version of Windows 10 when they are ready, and not wait until the “Targeted” designation has been removed.

… surely one of the worst cases of Microsoft bafflegab ever.

On June 14, Microsoft declared:

Based on the update quality and reliability we are seeing through our AI approach, we are now expanding the release broadly to make the April 2018 Update (version 1803) fully available for all compatible devices running Windows 10 worldwide. Full availability is the final phase of our rollout process.

Now, it seems, version 1803 has been kicked up from “(Targeted)” to, uh, "Not (Targeted)" — without fanfare, and with no explanation. How "Not (Targeted)" differs from “fully available” remains a mystery.

Here’s the best way I found to parse the current announcement:

  • Win10 1703 Pro/Enterprise computers set to “Current Branch” with 0 days feature deferral are now earmarked as being ready for upgrading to 1803. They’ll be pushed to 1803 as soon as telemetry confirms that the computer is compatible.
  • Win10 1709 Pro/Enterprise computers set to “Semi-Annual Channel” with 0 days feature deferral are also earmarked as ready for 1803, pending telemetry results.

At least, I think that’s what it means. Neither the “reflect existing deferral policies” footnote in the old KB article nor the June 14 declaration of “fully available for all compatible devices” mean much of anything, as best I can tell. Marketing pabulum.

If you want to keep 1803 off your machine, make sure the feature deferral setting is large. And pray that Microsoft doesn’t go rogue on forced updates again.

We’re slowly unraveling this knot on the AskWoody Lounge.

Server 2016 patch KB 4338814 stinks

Yet another patch that never should’ve made it through quality control: The KB 4338814 article says:

After installing this update on a DHCP Failover Server, Enterprise clients may receive an invalid configuration when requesting a new IP address. This may result in loss of connectivity as systems fail to renew their leases.

Currently, there is no workaround for this issue. Microsoft is working on a resolution and estimates a solution will be available mid-July.

The patch was reissued on July 11, but it looks like there was only a change in detection logic (“metadata”). An anonymous poster on AskWoody says it was yanked from WSUS. There’s an … entertaining … thread on Reddit that blasts Microsoft for releasing a patch that, knowingly, blows away fundamental Server functions. What on earth is Microsoft thinking?

Permit me to rephrase that. Is Microsoft thinking?

.Net patches and 0x80092004

If you tried to install KB 4340558, the “Security and Quality Rollup updates for .Net Framework 3.5 SP1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, and 4.7.1 for Windows 8.1, RT 8.1, and Server 2012 R2” and had it crash with an error 0x80092004, you aren’t alone. AskWoody poster macauln82 says he’s seen it happen on all of his Server 2012 R2 machines. Günter Born has a detailed explanation.

@abbodi86 offers this explanation and fix:

It’s caused by the .NET 4.x rollup component KB 4338419, which somehow conflicts with the last two rollups KB 4229727 (the Preview from June) and KB 4096417 (the May rollup).

The solution: Uninstall KB 4229727 & KB 4096417, then clean up the leftovers by running

Dism /Online /NoRestart /Cleanup-Image /StartComponentCleanup

(you may also run Disk Cleanup > Windows Update Cleanup)

Reboot and KB 4338419 will install successfully.

According to an anonymous poster on AskWoody:

If you’re on Windows 10 1803, Windows Update takes care of the botched up .NET 4.7.2 release shipped with that Windows version. If .NET 4.7.2 was installed before today on a previous Windows version, make sure to check out the offline installer and reinstall again from the updated installer! Re-running the updated .NET 4.7.2 should not cause any issues. In order to re-install .NET 4.7.2 without reboot, make sure to shut down all .NET apps (including Web apps running in IIS) before running the installer.

If the .NET 4.7.2 SDK was installed before today as well, make sure to download it and reinstall again.

This .Net patch is also failing, with the same error code, in Windows 8.1. That’s a remarkable achievement because Win8.1 continues to be the most stable version of Windows available.

Win7’s NIC problems go on and on and on

The old Win7 NIC problem — introduced by a security patch in March — still hasn’t been fixed. The KB article says:

Symptom: There is an issue with Windows and a third-party software that is related to a missing file (oem<number>.inf). Because of this issue, after you apply this update, the network interface controller will stop working.

Workaround:

  1. To locate the network device, launch devmgmt.msc; it may appear under Other Devices.
  2. To automatically rediscover the NIC and install drivers, select Scan for Hardware Changes from the Action menu.

a. Alternatively, install the drivers for the network device by right-clicking the device and choosing Update. Then choose Search automatically for updated driver software or Browse my computer for driver software.

If you can figure out that logic, yer a better hack than me, Gunga Din.

I’m beginning to think that Microsoft won’t ever fix this NIC problem. If it decides to pass on a solution, I hope Microsoft just comes out and says it, instead of burying the decision and doctoring old documentation to cover it up. It'd be nice if Microsoft would identify the offending NICs as well. Let's hear it for transparency.

Old snoops will out

This month marked a re-re-re…-appearance of the snooping patches KB 2952664 for Win7 and KB 2976978 for Win8.1. You remember the Microsoft Party Line:

This update performs diagnostics on the Windows systems that participate in the Windows Customer Experience Improvement Program. The diagnostics evaluate the compatibility status of the Windows ecosystem, and help Microsoft to ensure application and device compatibility for all updates to Windows. There is no GWX or upgrade functionality contained in this update.

Poster Bill C has a good take on the claim:

They say they will not do GWX again, OK, but the real question is what WILL they do?

We’ve seen, over and over again, that the Customer Experience Improvement Program settings have no bearing on these patches’ increased telemetry. If you’re even remotely tempted to install either of these “important,” checked patches, see @PKCano’s AskWoody KB article on the subject, AKB 2952664.

ProTip: Microsoft has no incentive to improve Win7. None. Unless you’re offered a clearly identified security patch, you don’t want it, checked or not.

Delta updates going away

Remember the Win10 “delta” updates? The ones that bricked many machines last October?  Now comes word that the experiment didn’t work. Or, at least, there’s a better alternative. Mike Benson, on the official Windows IT Pro blog, says:

We plan to stop shipping delta updates. Beginning February 12, 2019 Microsoft will end its practice of creating delta updates for all versions of Windows 10. Express updates are much smaller in size, and simplifying the cumulative options available will reduce complexity for IT administrators.

Bogus prompt for Win10 1703 updaters

@PKCano reports:

Updating my 1703 VM today (CU KB4338826, IE11 Flash, MSRT and C++) when I  got a popup saying “Your Windows Update is not working properly. You need the Update Facilitation Service. Click OK below.”

Oh, no you don’t! I clicked on the “X” and closed the box – it was not then listed in the downloaded updates.

A quick note for those who install Win10 patches manually

There are several Servicing Stack Updates this month. If you are going to install the Win10 updates manually, make sure you install the Servicing Stack Update first:

There’s no new SSU for Win10 version 1703. At least, not yet.

Obviously, it’s much too early to install the July patches — unless you want to join the ranks of the unpaid beta testers.

Thx to @PKCano, @BillC, @abbodi86, @NibbledToDeathByDucks and many more

Abandon hope all ye who enter the AskWoody Lounge.

Related:
How AI will change enterprise mobility
  
Shop Tech Products at Amazon