A pre-Thanksgiving all-clear to install patches

In the U.S., we’re quickly coming up to the start of holiday season, meaning it’s time for, well, time off. I typically add technology maintenance jobs to the monthly mix of patching and maintaining servers and workstations. This month, I’m also taking time to better understand the impact of one specific security bulletin — I honestly can’t figure out exactly what I’m supposed to do to keep my network secure. 

The good news: for most readers, none of these concerns apply to you. I’m ready to give the all-clear to go ahead and install Microsoft’s November updates on laptops, desktops and workstations — especially if you are running the Windows 10 1909 feature release. That said, do your Thanksgiving Zoom get-together first and then install any updates. I’d hate to have you see nothing but the spinning wheel of Windows updates instead of your family and friends.

As always, before installation begins, make sure you have a back-up of your system, just in case of trouble.

2004 and 20H2: lingering installation bugs?

The first recent fix involves user and system certificates that go missing after using a business patching tool such as WSUS, SCCM or others to update from a prior feature release to Win 10 2004 or 20H2. (If you used the normal Windows Update process to go to 2004 or 20H2, you won’t be affected.) As noted on the Windows health release dashboard, this issue is now resolved, so you can safely roll out these versions using any of these patching tools.

The other issue that’s fixed is a bug that stopped users from doing a repair install over the top of Windows 10 if you had upgraded to Windows 10 20H2. The underlying issue was a problem with the ISO images hosted by Microsoft. This will be fixed in the upcoming December updates, according to Windowslatest.

If you haven’t yet installed 2004 or 20H2, make sure your antivirus vendor fully supports these two releases. I personally have found after a feature release is installed, that it’s best to uninstall third-party antivirus software then reinstall it. (If you are on Windows 10 Home and do not control the installation of feature releases, you’re better off with the native Windows defender. Because Microsoft tests its own antivirus on its own platform, it’s better suited to the twice-a-year update cadence often seen by Home versions of Windows 10.)  For better control over updates in general — and Windows 10 feature releases specifically —I always recommend that you upgrade to Windows 10 Professional.

My recommendation at this time for general use is to be running Windows 10 1909 or later. Its predecessor, 1903, will reach end of servicing on Dec. 8. I have not noted any issues with Windows 10 version 2004, but that’s not true for all users — especially those that use third-party antivirus.  Remember, you can use the targetedreleaseversion setting to ensure you stay on a specific version of Windows 10.

While there are always lingering issues, I’m not seeing anything major at this time that prompts me to urge you to keep updates at bay. As always if an issue pops up, reach out at Askwoody.com.

KB4023057 again?

Any time Microsoft comes out with a new feature release, it also has to re-release that old chestnut KB4023057.  It ensures that your computer is ready for the release by making sure you have enough hard drive space and checks that your windows update is ready for the process. If you don’t see it, it’s a sign your machine is ready for 20H2. If it is offered up, take it as a sign that you need to check hard drive space and ensure that your machine is otherwise healthy and ready.

Can’t see your Network attached storage?

If you are a user of Malwarebytes and are having issues “seeing” your network attached storage or NAS devices, make sure you are on the latest version of Malwarebytes. They recently fixed an issue where users reportedly lost connection (visibility) to the LAS or Network Neighborhood after upgrading to CU19.

Proactive Office recommendations

For those still using Office 2010, now that we think it’s out of support, I recommend making one key change that will go a long way to keeping you safe should you continue to use it after its end of life.  Totally disable Office macros.

Click on the File tab, then click Options, then click Trust Center, and then click Trust Center Settings. In the Trust Center, click Macro Settings. Choose the setting to Disable all macros without notification, or at a minimum, set it to Disable all macros with notification if it’s not already set at these values. Turning off macros on Office 2010 —and honestly, on all other versions of Office as well – goes a long, long way to keeping attackers from gaining a foothold into your computer. Only enable macros when or if you really use Office macros.  Otherwise, your best bet is to keep them disabled, especially on Office 2010.

Kerberos issues still confusing business patchers

For those who install and deploy updates to businesses in a domain where there is a Windows Server acting as a Domain Controller, I am confused by the November updates and their impact on domains. Windows domains use a protocol called “Kerberos” to provide authentication among workstations and servers called Domain Controllers. The November updates included a fix for CVE-2020-17049.  This vulnerability leaves me scratching my head as to what I’m supposed to do to ensure I’m protected. 

The vulnerability deals with constrained delegation, which could be present in a single domain or forest. If you use Federated Authentication Service in a Citrix environment, there is a known issue that has occurred causing issues after the November patch was installed. As a result Microsoft released several out of band updates to specifically address this issue for Servers.  As a result, Microsoft released several out-of-band updates to address this issue for servers:

• KB4594440 for Windows Server 2004;
• KB4594443 for Windows Server 1903;
• KB4594442 for Windows Server 2019;
• KB4594441 for Windows Server 2016;
• KB4594439 for Windows Server 2012 R2;
• and KB4594438 for Windows Server 2012. 

All of these updates address issues with Kerberos authentication related to the PerformTicketSignature registry subkey value in CVE-2020-17049, which was a part of the Nov. 10, Windows update.  All of them have to be manually installed on your domain controllers should you be impacted by this issue. 

The confusing part for me is the instructions in the original security bulletin. They indicate that in addition to installing the patch, you need to review the registry key of PerformTicketSignature located at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc. (In my domain controller, this registry key was not there.)

Then the bulletin goes on to say that the registry key value of 1 will be default if it’s not set, adding, “When the registry key is set to 1, patched domain controllers will issue service tickets and Ticket-Granting Tickets (TGT)s that are not renewable and will refuse to renew existing service tickets and TGTs. Windows clients are not impacted by this since they never renew service tickets or TGTs. Third-party Kerberos clients may fail to renew service tickets or TGTs acquired from unpatched DCs. If all DCs are patched with the registry set to 1, third-party clients will no longer receive renewable tickets.” 

For now, I have only installed the updates without adding any registry keys. I am hoping for better guidance and will update you as soon as I better understand the issue myself. 

As always, if you have any issues with updating, find us at Askwoody.com.