Microsoft pushes, then yanks, rogue kinda-security patch KB 4523786, ostensibly for Autopilot

Did you see a security patch for “Autopilot on Win10 version 1903” yesterday? Gotcha. Microsoft pushed it to many 1903 seekers — those who clicked “Check for updates” — then pulled it overnight. It was supposed to go on Autopilot-enabled machines only, but got sprayed to all 1903 machines. Yes, you can manually uninstall it.


Let’s put this in perspective.

Microsoft warned us at the beginning of the Win10 onslaught four-plus years ago that it wouldn’t dole out patches one by one. Except for emergency security fixes, patches would be released as part of cumulative updates. Over the years, that promise has evolved into a common pace of two cumulative updates per month: the first on Patch Tuesday, and a second “optional, non-security” cumulative update sometime later in the month.

It’s one of the ways “Windows as a service” is a service, doncha know.

Last month we were treated to an unholy pileup of Windows security patches as Microsoft released, then re-released, then finally pushed a fix to the Internet Explorer zero-day vulnerability known as CVE-2019-1367. Of course, nobody’s seen any widespread exploits attributable to that security hole, but the bugs — three different sets of them, corresponding to the three botched out-of-band patches — were breathtaking.

This month, it looks like we’re headed in a similar direction.

Yesterday, Microsoft released an odd patch for Win10 version 1903 that’s supposed to be a “Cumulative update for Autopilot in Windows 10 version 1903: October 22, 2019.” Whether it's a security patch or a non-security patch is debatable. But there are all sorts of problems:

  • It’s a standalone patch, KB 4523786. It isn’t part of a Windows cumulative update, security or non-security.
  • It’s supposed to be a cumulative update for Autopilot, but I’ll be hanged if I can find any earlier cumulative update for Autopilot. First of its lineage, no doubt, although poster Pejole2165 on Tenforums has found vestiges of earlier updates.
  • It’s for Autopilot (here’s a description; don’t worry, I had to look it up, too), which “is a zero-touch, self-service Windows deployment platform introduced with Windows 10, version 1703.” In other words, Autopilot (apparently?) only runs on domain-connected Win10 1903 computers. But the patch was installed on machines that had never seen Autopilot.
  • More than that, the patch was pushed on Win10 1903 Home machines — which can never be part of a domain.

Susan Bradley raised the alarm yesterday afternoon in her Patch Lady column on AskWoody:

On a standalone PC that’s never seen Windows Autopilot I am getting KB4523786 pushed out if I click on Check for updates. And I have never installed Autopilot here. (Proving once again: NEVER ever click on Check for updates.) Thank you, Michael M, for reporting this … as I’m pretty sure this is a detection error. Hang loose and don’t install it.

Which prompted this response from a very knowledgeable, but anonymous, poster:

This patch is for the underlying TPM chip in computers with dedicated TPM chips and not the actual Windows Autopilot itself.

That clears up part of the mystery: This way-way-out-of-band patch was intended for Win10 1903 machines with TPM chips (Chris Hoffman has an excellent overview of TPM on How-To Geek). Most PCs shipped in the past decade have TPM chips. 

That said, there’s no official documentation — so it’s entirely possible that machines without TPM chips got the update pushed, too. (Martin Brinkmann at ghacks has details on how to tell if you have a TPM chip.)

So if you’re running Win10 version 1903 (Home or Pro) on a fairly recent PC, and you clicked “Check for updates” late yesterday afternoon or evening Redmond time, you probably got KB 4523786. Lucky you.
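If you want to know where a given 1903 box stands rather than guess, here is an added PowerShell check (mine, not Microsoft’s and not from the AskWoody thread). It assumes an elevated prompt on Windows 10, that the Autopilot profile, when one is registered, lives under the Provisioning\Diagnostics\AutoPilot registry key, and that Windows Update history titles carry the KB number; pass -Remove only if you have decided to uninstall.

```powershell
param([switch]$Remove)   # -Remove actually uninstalls; default is report only
$kb = 'KB4523786'

# 1. Release and edition: the patch was only meant for version 1903 Pro-and-up.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$edition = (Get-CimInstance Win32_OperatingSystem).Caption
Write-Host "Windows: $edition, release $($cv.ReleaseId) (build $($cv.CurrentBuild))"

# 2. Is the patch installed? Get-HotFix reads Win32_QuickFixEngineering, which
#    does not list every package, so the Windows Update history is walked too.
$qfe = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$history = $searcher.QueryHistory(0, $searcher.GetTotalHistoryCount()) |
    Where-Object { $_.Title -match $kb }      # assumption: title contains "KB4523786"
$installed = [bool]$qfe -or [bool]$history
Write-Host "$kb present: $installed"
foreach ($h in $history) {
    # WUA OperationResultCode: 2 = Succeeded, 3 = SucceededWithErrors, 4 = Failed
    Write-Host "  $($h.Date)  result=$($h.ResultCode)  $($h.Title)"
}

# 3. TPM: the anonymous poster's point is that this patch targets TPM hardware.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm) { Write-Host "TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady)" }
else      { Write-Host "TPM: Get-Tpm unavailable (no TPM, or module not loaded)" }

# 4. Autopilot registration: per the KB article, only registered devices should
#    get this. Assumption: a registered device has a profile under this key.
$ap = Test-Path 'HKLM:\SOFTWARE\Microsoft\Provisioning\Diagnostics\AutoPilot'
Write-Host "Autopilot profile key present: $ap"
if ($installed -and -not $ap) {
    Write-Host "-> $kb landed on a machine with no Autopilot profile (the 'spray')."
}

# 5. Manual removal by KB number; reboot afterwards at your convenience.
if ($Remove -and $installed) {
    Start-Process wusa.exe -ArgumentList "/uninstall /kb:$($kb.Substring(2)) /quiet /norestart" -Wait
    Write-Host "Uninstall requested; do not click Check for updates afterwards."
}
```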

Of course, the KB 4523786 Knowledge Base article denies all responsibility:

This update is available through Windows Update. When an organization registers or configures a device for Windows Autopilot deployment, the device setup automatically updates Windows Autopilot to the latest version.

Note Windows Autopilot update is not installed on Windows 10 Pro or a later version when the device is not registered or configured for Windows Autopilot deployment. Windows Autopilot update is never offered to Windows 10 Home.

Which is not only inaccurate, it’s silly.

As best I can tell, there’s been no official announcement as of early on Friday morning, but it looks like Microsoft yanked the patch. I’m seeing many reports of people uninstalling the patch, clicking Check for updates, and not being pushed a replacement. I also don’t see KB 4523786 being offered on any of my test machines, early Friday morning.

Another anonymous poster confirms:

Yes, they did indeed [yank the patch]. Nobody who uninstalled it got it offered back again. Mistakes can happen, but why don’t they communicate this, at least via Twitter? That’s what makes people angry, right?

Tell me again how Windows patching is getting better?

Raise a glass to the perplexed over on AskWoody.

Copyright © 2019 IDG Communications, Inc.
