Channel: Windows – Born's Tech and Windows World

Microsoft’s new Windows driver evaluation policy

Microsoft has announced a new Windows driver evaluation policy for manufacturers who deliver Windows drivers for their hardware via Windows Update.

The ‘Only a few systems are affected’ syndrome

Poorly working drivers are a nuisance for Windows 10 users (and ultimately Microsoft). It is often said that only a few devices or users are affected when there are problems with a driver, possibly after a feature update. But this is of little use to those affected.

Microsoft wants to change this and improve the quality assurance for drivers that are delivered via Windows Update. In this Techcommunity article, Microsoft has announced its ideas about the new measures that will apply to Windows drivers from hardware manufacturers from July 15, 2020. 

Telemetry data acquisition in cohorts/clusters

A driver can be developed by the manufacturer to support multiple systems and devices. According to Microsoft, it is therefore no longer sufficient to evaluate the quality of a driver by aggregating its stability across all its target devices.

In order to ensure the stability of drivers and to be able to monitor them better, Microsoft will map the telemetry data into clusters or classes (called cohorts). This will be done by looking at hardware IDs and revisions, the version of Windows 10 used, and some other parameters, and then forming ‘clusters’ of collected telemetry data.

Detect critical device and Windows combinations

This makes it easier to identify when there are driver problems with a Windows 10 version or device class. If a driver within such a cluster (or multiple clusters) is detected in telemetry and doesn’t pass the test criteria, the delivery of that driver can be stopped for the affected devices.

Similar articles:
Windows 10: News about driver updates from March 2020
Windows 10: Microsoft allows feature and driver update blocks


Windows 10X still struggles with Win32 Apps

First reports indicate that the planned Windows 10X operating system still has a problem running Win32 applications. The applications are sluggish or cause problems.

What is Windows 10X?

Windows 10X is Microsoft’s approach to managing dual-display devices under Windows. There is a slimmed down launcher on one screen, and on the second screen an app runs full screen. Both apps and Win32 applications should run on Windows 10X.

A few months ago the Redmond company released an SDK and a Windows 10X emulator for testing. I had published that within the blog post Install Windows 10X (Emulator Image) on bare metal. Martin Geuß took the trouble to torment himself with the emulator released by Microsoft and published this German article. I’ve learned that there is no desktop in Windows 10X. A launcher allows you to start apps on one screen. The apps then run in full screen mode on the second screen. Windows 10X can only do UWP apps, but somehow has the possibility to support Win32 apps.

A few days ago Microsoft had to announce that the dual-screen Surface Neo would not be available this year. However, they want to release Windows 10X for single-screen desktops at the end of this year. It will be sold exclusively through OEMs, so you will only be able to buy devices with Windows 10X. A few days ago I wrote a critical German blog post Windows 10X der nächste Flop für PCs?.

Win32 applications have a problem

Well, the whole thing is still under development and will certainly be improved by the end of 2020. As it looks, Microsoft still has a long way to go for the new concept to work at all. According to sources familiar with Windows 10X development, Microsoft is not satisfied with the performance of a number of Win32 applications when virtualized on 10X.

  • These applications struggle with basic features such as screen sharing or docking in the notification area while minimizing the app. Then the features that are available in the notification area are missing.
  • The Win32 applications run in containers and cannot send notifications. This is exactly what applications use intensively – although Microsoft will certainly get this under control at some point.

The charm of Win32 applications is that they have been developed for decades and are available for Windows in large numbers. The applications must be running if Windows 10X is to have any chance at all.

According to insiders, some older applications also have compatibility problems. All in all, not a good omen for the new operating system – it all reminds me of earlier flaws with Windows 10 RT and the ’emulator promise’ regarding the execution of Win32 applications. If you need some more information, you can get it from Martin Geuß (German).

Security: Finding Passwords in Windows Domains

The takeover of a domain controller by stolen admin passwords is a popular approach of cyber criminals. I stumbled upon an article on Twitter, explaining where attackers could find passwords on SYSVOL and via GPO preferences.

I have no idea if and how this is relevant for administrators in this area – maybe it’s an ‘old hat’, then ignore it. Otherwise it might be worth reading.

The details can be found in the article linked in the above tweet. Maybe it is helpful.

Windows 10 V2004: Microsoft started to add 20H2 features

There is new evidence that Microsoft has already begun to integrate features that are scheduled for the autumn update (development branch 20H2) into the Windows 10 version 2004 (May 2020 update), which is expected to become generally available at the end of May 2020. This means that Windows 10 20H2, which is expected to be released in the fall, will again be a ‘minor update’.

First hints on development found

At the weekend, two sites came to my attention where all this is discussed. The first hint can be found in the following Tweet.

Albacore writes that there are hints in the new Windows 10 version 2004 that features from the upcoming 20H2 are already integrated but not yet unlocked. If there was an enablement update when installing the latest cumulative update to .264, the new features would already be enabled. Then Winver would display build 19042.264. Build 19041.264 is the new RTM build of Windows 10 version 2004 (see Windows 10 Insider Preview Build 19041.264 as new RTM). In the replies to the tweet there is a hint that build 19041.264 already has corresponding manifest files. 

The second source is this German article of the colleagues from deskmodder.de, which refers to the user Aboddi. He discovered by chance that with the cumulative KB4556803 (dated May 15th, 2020 for insiders testing Windows 10 version 2004) registry entries and manifest files are already delivered which are intended for the feature update (20H2) expected in autumn 2020. However, these entries and files are not yet active.

Feature update 20H2 will be a small update

This seems to confirm the speculation that the feature update Windows 10 20H2, which is expected in autumn 2020, will be a ‘small update’ again. I had already mentioned that in the blog post Windows 10 20H2 will (probably) be a minor Update.

What does ‘small update’ mean for Windows 10 20H2?

For blog readers who might not be so familiar with the subject, here are some explanations. Microsoft releases two feature updates every year, one in spring and one in autumn. For a long time, these were shipped as full feature updates, with the result that a fat, several-gigabyte package had to be downloaded and installed from the Microsoft servers. In the process, Windows 10 is completely replaced.

Due to the bad experiences with feature updates in 2018, Microsoft took a new approach in 2019. The spring update (Windows 10 Version 1903) came, in the old familiar manner, as a full feature update. But the autumn update (Windows 10 Version 1909) was realized as a ‘small feature update’. The code for the Windows 10 versions 1903 and 1909 is the same; even the same updates are used for both builds. Instead of downloading gigabytes of code for a feature update, Windows 10 version 1909 was rolled out as an enablement update. A small update package of about 500 kByte simply changes the version from 1903 to 1909.

I had discussed some details about this in the blog post Windows 10 V1909 released, how to get this update? In November 2019 there was a mixer session with the Windows Insider team of Microsoft. I had prepared some information from this mixer cast in the blog post Insides: Windows 10 19H2 development/deployment (V1909). According to Brandon LeBlanc, it wasn’t clear at that time whether Microsoft would continue to use the 190x version of Windows 10 in 2020. But in January 2020 the first rumors appeared that Microsoft would do the same with the upcoming Windows 10 versions (see my blog post Windows 10: Rumors about 20H2 and deprecated Stores).

Similar articles:
Windows 10 Version 1709: Support extended till October 2020
Microsoft suspends optional Windows Updates from May 2020
Windows 10 V2004 is ready, rollout for Insider
Windows 10 Version 2004 supports DirectX 12 Ultimate
Will Windows 10 V2004 be general available on May 28, 2020?
Windows 10: Rumors about 20H2 and deprecated Stores
Windows 10 20H2 will (probably) be a minor Update

Windows 10 comes with Network Sniffer pktmon

Microsoft ships a tool (Packet Monitor) in Windows 10 that allows administrators to monitor and record network traffic. This has only now become more widely known, possibly because the feature was described a few days ago for insiders.

I didn’t know about the tool pktmon.exe at all and I only got a bit blunt when I saw the tweet from Bleeping Computer on the weekend.

According to Bleeping Computer, Microsoft has integrated the tool since the Windows 10 October 2018 update (version 1809). So I took a look what this is all about. The program pktmon.exe can be found with other help files in the Windows subfolder:

C:\Windows\system32\

There is also a driver file pktmon.sys that can be registered by the tool in Windows.

(Figure: files of the Windows 10 program pktmon.exe)

Whether the tool is really integrated since the Windows 10 October 2018 Update (Version 1809), I can’t check ad-hoc because of missing installation. But in Windows 10 version 1903 the tool is available in the install.wim.

Packet monitor as console program

The pktmon.exe program is a command line application that can be called by administrators (Packet Monitor is not found in a command prompt opened with normal user permissions). If you run the pktmon command at an administrative command prompt, it displays the following help information.

(Figure: help text of the command pktmon)

The command describes itself as ‘Internal packet forwarding and packet loss monitoring reports’ and is used for network diagnostics. The help page lists the possible commands for the program.

Bleeping Computer writes that the tool has not yet been described by Microsoft; they didn’t find anything. But on Wednesday, May 13, 2020 Microsoft published the Techcommunity article Windows Insiders can now test DNS over HTTPS. In this article, the command line utility pktmon.exe was described in detail for testing DoH functionality in Windows Insider build 19628 and later. The following command resets all network traffic filters that were already installed by PacketMon.

pktmon filter remove

The following command adds a network traffic filter for port 53. In the current example, this is the port used for classic DNS (with DNS over HTTPS, no more transmission should take place there).

pktmon filter add -p 53

The list of registered filters can be retrieved at the command prompt with the following command.

pktmon filter list

The following figure shows the output of the commands for registering the filter and the existing filters.

(Figure: pktmon.exe commands)

To start real-time logging of the data traffic (at all network adapters of the machine), execute the following command:

pktmon start --etw -m real-time

All network packets from port 53 are output on the command line. You can also use the command:

pktmon start --etw

to save the data records into the file PktMon.etl. This file is created under:

C:\Windows\system32\

By default, only the first 128 bytes of a packet are saved. The command reserves 512 megabytes of memory for the etl file and overwrites the oldest values if necessary.

Bleeping Computer writes that you can capture network packets specifically from one network adapter with the arguments -p 0 (capture entire packet) and -c 13 (capture only from adapter with ID 13). The IDs of the existing network adapters can be listed with the following command.

pktmon comp list

To stop recording the network packets, type the following command at the command prompt.

pktmon stop

The recording from the PktMon.etl file stored under C:\Windows\system32\ can be imported into the Windows Event Viewer and then viewed. Alternatively, the .etl file can be converted to a text file by using the following command.

pktmon format PktMon.etl -o c:\test.txt

This text file can then be loaded and evaluated in a text editor. The following is an excerpt of such a protocol (in compact form).

(Figure: network log entries)

Bleeping Computer suggests installing the Microsoft Network Monitor and using it to display the .etl file.

(Figure: Microsoft Network Monitor)

In the Windows 10 May 2020 Update (Version 2004) Microsoft extends the functionality of the Pktmon tool. Pktmon can then display monitored packets in real time and convert ETL files to PCAPNG format. Further details can be found at Bleeping Computer.

At the moment I’m not sure how useful the whole thing really is. If you want to monitor the network traffic, you could use Wireshark. You can download the software for Windows and macOS on this page. And administrators can use the netsh trace command in Windows for the same purpose (see the article at Bleeping Computer and this comment).

Windows: Reverse RDP attacks in third-party software possible

A poorly patched vulnerability CVE-2019-0887 in Windows makes the systems vulnerable to attacks via third-party RDP applications. It could also allow a client used to establish the RDP connection to be attacked by malware on the remote machine.

RDP vulnerability CVE-2019-0887 in Windows

As of July 2019 patchday, Microsoft has closed the Remote Desktop Services Remote Code Execution vulnerability with security updates. Microsoft had published information about the vulnerability in this document.

A remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, if an authenticated attacker exploits clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim’s system. An attacker could then install programs, view, modify, or delete data, or create new accounts with full user rights.

To exploit this vulnerability, an attacker must already have compromised a system running Remote Desktop Services, and then wait for a victim system to connect to the Remote Desktop Services.

Microsoft had released an update to fix this vulnerability. However, the patch did not sufficiently close the vulnerability. I had published the blog post RDP vulnerability puts Hyper-V at risk in August 2019. It was about a vulnerability in Microsoft’s Remote Desktop Protocol (RDP) that could be exploited to break out from guest VMs running on Hyper-V in Windows 10/Azure.

New problem with third-party RDP solutions

The Hacker News already pointed out a few days ago that the vulnerability CVE-2019-0887, incompletely patched in July 2019, posed a risk. It turned out that security researchers could bypass the patch by simply replacing the backward slashes in the paths with forward slashes.

Microsoft acknowledged the improper fix and re-patched the bug in its February 2020 security update at the beginning of the year. The vulnerability is now reported as CVE-2020-0655.

Check Point security researchers have now discovered that Microsoft resolved the above issue by adding a separate workaround in Windows. However, they left the root cause, in the API function “PathCchCanonicalize”, unchanged.

Apparently Microsoft’s solution for the RDP client integrated in Windows works quite well. But the patch is not foolproof enough to protect other third-party RDP clients from the same attack. Once they use the API function, the system is vulnerable.

Microsoft Patch can be bypassed

“We have found that an attacker can not only bypass Microsoft’s patch, but can also bypass any check of the canonization that was performed according to Microsoft’s best practices,” said Check Point researcher Eyal Itkin in a report he provided to The Hacker News.

A ‘path traversal’ attack is possible if a third-party RDP program accepts a file as input and does not verify it. This allows an attacker to store the file anywhere on the target system and thus expose the contents of files outside the application’s root directory. “A remote computer infected with malware could take over any client that attempts to connect to it. For example, if an IT worker tries to connect to a remote corporate computer infected with malware, the malware could also attack the IT worker’s computer,” write the security researchers.

Security researchers found the bug when they tried to investigate Microsoft’s remote desktop client for Mac. This RDP client was omitted in the first analysis in 2019. Interestingly, the macOS RDP client itself is not vulnerable to CVE-2019-0887 and since the main vulnerability is still not fixed, Check Point warned that this could pose a serious risk to many other RDP software products.

“Microsoft has failed to fix the vulnerability in its official API, so all programs written according to Microsoft’s best practices are still vulnerable to a path traversal attack,” said Omri Herscovici of Check Point. “We want developers to be aware of this threat so they can go through their programs and manually apply a patch against it”.
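The check developers are asked to apply manually can be sketched as follows. This is an added example, not code from the original post, Check Point or Microsoft: `canon_backslash_only` is a simplified stand-in for a canonicalizer that only understands backslashes (it is not the Windows API), and `naive_is_safe` and `hardened_is_safe` are hypothetical names for a check that trusts it and a check that treats both slash types as separators.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in (an assumption, NOT the Windows implementation) for a
 * canonicalizer that recognises only '\\' as a separator. It resolves "." and
 * ".." segments of a relative name into out. Returns false if the result does
 * not fit or if ".." would climb above the starting directory. */
static bool canon_backslash_only(const char *in, char *out, size_t cap)
{
    size_t len = 0;
    const char *p = in;

    if (cap == 0)
        return false;
    out[0] = '\0';
    while (*p) {
        const char *sep = strchr(p, '\\');
        size_t seg = sep ? (size_t)(sep - p) : strlen(p);

        if (seg == 2 && p[0] == '.' && p[1] == '.') {
            if (len == 0)
                return false;               /* nothing left to pop */
            while (len > 0 && out[len - 1] != '\\')
                len--;                      /* drop the last segment */
            if (len > 0)
                len--;                      /* and its separator */
        } else if (seg > 0 && !(seg == 1 && p[0] == '.')) {
            if (len + seg + 2 > cap)
                return false;
            if (len > 0)
                out[len++] = '\\';
            memcpy(out + len, p, seg);
            len += seg;
        }
        out[len] = '\0';
        p += seg;
        if (*p == '\\')
            p++;
    }
    return true;
}

/* Check that trusts the canonicalizer: accept a peer-supplied name only if
 * canonicalization succeeds and leaves it unchanged. */
static bool naive_is_safe(const char *name)
{
    char buf[260];
    return canon_backslash_only(name, buf, sizeof buf) &&
           strcmp(name, buf) == 0;
}

/* Stricter check: split on both '\\' and '/', refuse rooted or
 * drive-qualified names, and refuse ".." segments outright. */
static bool hardened_is_safe(const char *name)
{
    const char *p = name;

    if (*p == '\0' || *p == '\\' || *p == '/')
        return false;                       /* empty, rooted or UNC */
    if (strchr(name, ':'))
        return false;                       /* drive letter or stream */
    while (*p) {
        size_t seg = strcspn(p, "\\/");
        /* Conservative: any segment of two or more characters made only of
         * dots and spaces is refused, which covers ".." and its variants. */
        if (seg >= 2 && strspn(p, ". ") == seg)
            return false;
        p += seg;
        if (*p)
            p++;
    }
    return true;
}

int main(void)
{
    /* Constructed sample names, as a remote peer might supply them. */
    const char *samples[] = {
        "docs\\report.txt", "..\\..\\out.txt", "../../out.txt",
        "docs/..\\../out.txt", "C:\\out.txt",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s naive=%d hardened=%d\n", samples[i],
               naive_is_safe(samples[i]), hardened_is_safe(samples[i]));
    return 0;
}
```

The forward-slash names pass the first check because the stand-in sees each of them as a single, harmless-looking segment, while a file API that accepts both separators would still resolve the `..` parts.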

PowerToys 0.18 with Run launcher released

Microsoft released version 0.18 of PowerToys for Windows 10 users a few hours ago. These tools are free and offer additional features for Windows 10. The new version 0.18 includes the new Run launcher.

PowerToys Background

PowerToys were free programs under Windows 95/98, with which certain Windows features could be optimized or adapted. Inspired by the PowerToys project under Windows 95, some developers dared a restart. The intent was to give power users the ability to get more efficiency out of the Windows 10 shell and customize it for individual workflows. The announcement took place at the beginning of May 2019 (Windows 10: PowerToys will come as Open Source). More information can be found in the articles linked at the end of this blog.

(Figure: PowerToys settings UI)

The PowerToys known from Windows 9x are also open source and free of charge in the version for Windows 10.

Update to Windows PowerToys 0.18

The announcement was made on May 19, 2020, during BUILD 2020, by developer Clint Rutkas – here is his tweet.

The new version comes with PowerToys Run and a Keyboard manager. Here is a brief description:

  • PowerToys Run, the new application launcher (use alt-space to activate). It’s designed to replace the existing Win + R shortcut and allows a quick search for apps and files across Windows.
  • The Keyboard Manager (KBM) is a keyboard remapper that allows a user to redefine keys on their keyboard (ex. swapping the letter A and D) as well as shortcuts (Ctrl+C to Windows+C). You can use these remappings as long as KBM is enabled and PowerToys is running in the background. Details may be found here.

This version also includes a migration to the new settings system. And it’s also the first time Microsoft will test out the auto-updating system. The details including the download can be found on this GitHub page. The Verge has published this article with a few more details about the new features. An overview of all PowerToys features may be found here.

Similar articles:
Windows 10: First Open Source PowerToys released
PowerToys v0.12 Beta released
PowerToys v0.13 released
PowerToys 0.14.0 released
PowerToys 0.14.1 released
Windows 10: PowerToys get QuickLauncher
PowerToys 0.15.0 released
Windows 10: PowerToys Version 0.16 released
Windows PowerToys 0.16.1 released
PowerToys 0.17 with Auto Update released

0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2

ACROS Security has released a micropatch for the Windows Print Spooler Elevation of Privilege vulnerability CVE-2020-1048 in Windows 7 and Server 2008 R2 (without ESU license).

Vulnerability CVE-2020-1048

CVE-2020-1048 is an elevation of privilege vulnerability that exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft describes the vulnerability in this document and has released security updates for Windows 7 to Windows 10 on May 12, 2020. However, users of Windows 7 SP1 and Windows Server 2008 R2 who do not have an ESU license will no longer receive the security updates released by Microsoft.

0patch-Fix for Windows 7 SP1/Server 2008 R2

ACROS Security has developed a micropatch for the vulnerability CVE-2020-1048. Mitja Kolsek of ACROS Security has informed me privately that the micropatch has been released for Windows 7 SP1 and Windows Server 2008 R2. There is now also a message on Twitter.

In further follow-up tweets ACROS Security provides some more explanations about the vulnerability and the micropatch. This patch is available for subscribers of the Pro and Enterprise version. Hints on how the 0patch agent, which loads the micro patches into memory at runtime of an application, works can be found in the blog posts (e.g. here), which I have linked below.

Similar articles:
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2


Windows 10: (Intel Microcode-)Updates (May 20, 2020)

On May 20, 2020, Microsoft has updated another batch of microcode updates for Windows 10 version 1507 to 1909 (but these are probably old updates that were already updated in February 2020 as well).

Blog reader Hans informed me by email that he got KB4497165 offered by Windows Update on Windows 10. This comment also mentions the microcode update. 

Yesterday evening/today I got a Windows Update KB4497165
Strangely enough described with “2020-01(!) Update for Windows 10 1909 for x64-based systems (KB4497165)”.

Quickly installed; reboot required. I guess now officially released firmware update.

According to the link Update KB4497165 “KB4497165: Microcode updates from Intel” (Last Edit in February)

However, this did not only happen with old notebook (i7-2xxx) and NUC (i3-5xxx) but also with the AMD Ryzen (2xxx)…

A further mention can be found in this German comment thread. In all messages only the microcode update KB4497165 for Windows 10 version 190x is mentioned. However, all still supported Windows 10 versions should have received updated versions of the microcode updates.

The list of microcode updates

Microsoft documents the microcode updates for Windows 10 on this page (which has the revision date April 6, 2020). The updates apply to Intel CPUs from the following series: Denverton, Sandy Bridge, Sandy Bridge E, EP, Valley View, and Whiskey Lake U. Only on these CPUs should the microcode updates be installed. Here is a short overview with links to the KB articles:

  • KB4497165: Windows Server Version 1903, Windows 10 Version 1903, Windows Server Version 1909, Windows 10 Version 1909
  • KB4494174: Windows Server Version 1809, Windows 10 Version 1809
  • KB4494452: Windows 10 Version 1709
  • KB4494453: Windows 10 Version 1703
  • KB4494175: Windows Server 2016, Windows 10 Version 1607
  • KB4494454: Windows 10 1507 (LTSC)

A quick check of the KB articles from the above list shows that the support articles have not yet been updated – so what has changed remains unclear. The download links for the updates can be found in the respective KB articles. My advice would be to wait and see if the microcode updates are offered for installation via Windows Update.

Windows: Explained straight and easy …

Today we have a bank holiday (Father’s Day) here in Germany. Therefore I like to present an easy to understand explanation of how Windows works. We already know Windows and its Start menu, the windows and double-click operation.

These days I stumbled across a small video which explains the handling of Windows in a very simple way. I think I don’t need to write much about it. The video embedded in the following tweet shows how Windows works. 

Just demonstrating how to close a window has been forgotten. Happy Father’s Day.

Windows 10: Insider Preview Build 19631

On May 22, 2020, Microsoft released the Windows 10 Insider Preview Build 19631 (20H2 development branch) for insiders in the Fast Ring. The announcement was made in the Windows Blog, where references to this build can be found.

Windows 10 Build 19624 available as ARM64 VHDX

On May 22, 2020, Microsoft also released Windows 10 Insider Preview Build 19624 (20H2 development branch) as an ARM64 VHDX download. The announcement has been made in the Windows Blog, where you may find further details.

Windows 10: Audio-/ Install issues with KB4556799

Another small addendum to the Windows 10 Update KB4556799. The update was released on May 12, 2020, but seems to cause installation errors for some users. Other users run into audio issues after installation. Here is a short overview.

Update KB4556799 for Windows 10

Cumulative Update KB4556799 was released on patchday, May 12, 2020, and raises the OS build to 18362.836 (Windows 10 V1903) and 18363.836 (Windows 10 V1909). The update is available for Windows 10 version 1903, for Windows 10 version 1909, and for Windows Server version 1903 and Windows Server version 1909.

It contains quality improvements but no new operating system features. I reported about the changes and improvements in the blog post Patchday: Windows 10 Updates (May 12, 2020). Microsoft wrote at that time that no problems were known for this update. In the meantime, Microsoft has added the following text to the support article for update KB4556799.

We have seen social media and news reports related to various issues with KB4556799. We are actively engaged with customers who are reporting issues. To date, we have not seen widespread issues reflected in telemetry, support data, or customer feedback channels. We continuously investigate all customer feedback and are closely monitoring this situation.

According to Microsoft, these are probably only isolated messages, there is no apparent error pattern or accumulation of problems.

Installation error 0x800F081F

In the Microsoft Answers forum, the update is mentioned in this thread, where a user reported that the update fails with error 0x800f081f during installation. The error code 0x800F081F stands for CBS_E_SOURCE_MISSING, which means that the source files were not found.

Some time ago I had discussed the error code in the blog post Windows 10 V1909: Update KB4528760 drops error 0x800F081F. Microsoft has also published a support article associated with a .NET installation error. Microsoft provides information that a file or folder that is referenced by the update cannot be found.

In such cases you should first try to repair the system or the component store (see my blog post Check and repair Windows system files and component store). Microsoft’s advice for Windows 10 users who have this issue is to use the Windows 10 installation media in question as the source for repair. Some advice can be found in this Microsoft article.

Also reported sporadically is the problem that users are logged on with a temporary profile after the update installation and cannot access their data in the old profile.

Audio problems after update installation

But more annoying is the error pattern with users who can successfully install the update KB4556799, but after installation they find that the audio output does not work anymore. On reddit.com there is this thread which reports about audio issues with the ‘latest Windows 10 update’ on Realtek chips. Reinstalling the driver does not help. The advice in this thread is to turn off the sound enhancements in Realtek audio drivers. This is described in detail in this reddit.com thread.

1. Go to the sound options in the control panel and select the Realtek speaker.

2. Go to Properties and then go to the Advanced tab, there uncheck Sound enhancements

If the change is confirmed via the OK button, the audio output should work again. However, there are people who claim that it didn’t work.

In this comment to the German blog post Patchday: Windows 10-Updates (12. Mai 2020) a user also points out audio problems. Lenovo has posted the article Audio device missing or cannot find audio device – ThinkCentre M720s, M720t. There it says:

Audio suddenly does not function on the system, despite the Realtek audio driver being correctly installed. In Device Manager, a red X may be on the Sound Mixer, and Device Manager does not show Realtek Audio or Intel Display Audio devices under Sound, video and game controllers. Re-installing the Realtek audio driver does not restore sound function to the system. This may occur after Windows Update runs.

The solution to this problem is to update the Intel High Definition DSP driver in Device Manager. There is probably an updated version of the Intel driver.

Bleeping Computer has collected in this article other problems reported with the update. All in all, there does not seem to be a critical accumulation of error clusters.

Similar articles:
Patchday: Windows 10 Updates (May 12, 2020)
Windows 10 V1909: Update KB4528760 drops error 0x800F081F
Check and repair Windows system files and component store

Windows 10 V190x: Update KB4535996 causes LTE issues

Here is another addendum about issues caused by Windows 10 Update KB4556799. The update was released on May 12, 2020, and appears to cause problems with LTE connections for some users, as Microsoft has acknowledged.

Update KB4556799 for Windows 10

Cumulative Update KB4556799 was released on patchday, May 12, 2020, and raises the OS build to 18362.836 (Windows 10 V1903) and 18363.836 (Windows 10 V1909). The update is available for Windows 10 version 1903, for Windows 10 version 1909, and for Windows Server version 1903 and Windows Server version 1909.

It contains quality improvements but no new operating system features. I reported about the changes and improvements in the blog post Patchday: Windows 10 Updates (May 12, 2020). Microsoft wrote at that time that no issues were known for this update.

But the Update is causing issues

I reported recently in the blog post Windows 10: Audio-/ Install issues with KB4556799, that Microsoft has added the following text to the support article for update KB4556799.

We have seen social media and news reports related to various issues with KB4556799. We are actively engaged with customers who are reporting issues. To date, we have not seen widespread issues reflected in telemetry, support data, or customer feedback channels. We continuously investigate all customer feedback and are closely monitoring this situation.

According to Microsoft, it is probably only isolated reports in social media that point to problems. However, there is no pattern of error or accumulation of problems. When I was on the KB page yesterday, I found no indication of further problems. On May 23, 2020 Microsoft had to add the following note to the list of known problems:

After installing this update on a Windows 10 device with a wireless wide area network (WWAN) LTE modem, reaching the internet might not be possible. However, the Network Connectivity Status Indicator (NCSI) in the notification area might still indicate that you are connected to the internet.

If the KB4556799 update is installed on machines with a WWAN LTE modem, it will no longer be possible to connect to the Internet – even though the status display shows an Internet connection. Microsoft is working on a solution for the bug and will release it as an update on one of the following patchdays.

Similar articles:
Patchday: Windows 10 Updates (May 12, 2020)
Windows 10: Audio-/ Install issues with KB4556799

Windows DNS Server Denial of Service vulnerability

Another addendum from last week. Microsoft has issued a security advisory regarding a DNS Server Denial of Service vulnerability in Windows.

The whole thing kind of stuck with me because it was flushed into my mailbox on 5/20/2020. Here is the notification.

*********************************************************************
Title: Microsoft Security Advisory Notification
Issued: May 19, 2020
*********************************************************************

Security Advisories Released or Updated on May 19, 2020
=======================================================

* Microsoft Security Advisory ADV200009

ADV200009 | Windows DNS Server Denial of Service Vulnerability
– Reason for Revision: Information published.
– Originally posted: May 19, 2020
– Updated: N/A
– Version: 1.0

The background is explained by Microsoft in ADV200009. Microsoft is aware of a vulnerability related to packet forwarding in DNS resolution for Windows servers. An attacker could exploit this vulnerability for DoS attacks, causing the DNS server service to stop responding.

The vulnerability from Microsoft’s perspective

To exploit this vulnerability, an attacker would need access to at least one client and one domain that responds with a large set of referral records, without glue records, that point to external victim subdomains. When resolving a name from the attacker’s client, the resolver contacts the victim’s domain for each referral record found. This action can generate a large number of communications between the recursive resolver and the victim’s authoritative DNS server to trigger a Distributed Denial of Service (DDoS) attack.

The NXNSAttack

If I haven’t got it wrong, this should be the NXNSAttack problem (amplification attacks on the name servers) linked in the above tweet.

Microsoft has outlined workarounds that administrators can use to mitigate the problem in ADV200009. It boils down to Response Rate Limiting. Microsoft has described this in this document.
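The referral pattern the advisory describes (many NS records with no glue, all pointing into one foreign zone) is something a resolver operator can check for in captured responses. The following Python heuristic is an added example, not code from Microsoft or from the original post; the zone names, the two-label parent-zone shortcut and the threshold of 4 are assumptions chosen for illustration.

```python
# Added example: flag DNS referrals shaped like the pattern ADV200009 describes.
# All names and the threshold below are constructed for illustration.
from collections import Counter

def parent_zone(name, labels=2):
    """Naive parent zone: the last `labels` labels (assumption: no public-suffix handling)."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])

def analyze_referral(delegated_zone, ns_targets, glue_names, max_glueless=4):
    """Summarise one referral: NS targets from the authority section and
    the owner names of A/AAAA records from the additional section."""
    zone = delegated_zone.rstrip(".").lower()
    glue = {g.rstrip(".").lower() for g in glue_names}
    targets = [t.rstrip(".").lower() for t in ns_targets]
    glueless = [t for t in targets if t not in glue]
    # Out-of-bailiwick: the name server name is not inside the delegated zone,
    # so the resolver must start a fresh resolution for each such name.
    external = [t for t in glueless if not (t == zone or t.endswith("." + zone))]
    per_zone = Counter(parent_zone(t) for t in external)
    top_zone, top_count = per_zone.most_common(1)[0] if per_zone else (None, 0)
    return {
        "ns_total": len(targets),
        "glueless": len(glueless),
        "external_glueless": len(external),
        "top_target_zone": top_zone,
        "top_target_count": top_count,
        # Heuristic: many glueless NS names concentrated on one foreign zone.
        "suspicious": top_count > max_glueless,
    }

# Constructed sample 1: ordinary delegation, two name servers, both with glue.
NORMAL = analyze_referral(
    "shop.example.net",
    ["ns1.shop.example.net", "ns2.shop.example.net"],
    ["ns1.shop.example.net", "ns2.shop.example.net"],
)

# Constructed sample 2: twenty glueless NS names, all under one unrelated zone.
FANOUT = analyze_referral(
    "sub.referrer.example",
    [f"r{i}.victim.example" for i in range(20)],
    [],
)

if __name__ == "__main__":
    for label, result in (("normal", NORMAL), ("fan-out", FANOUT)):
        print(label, result)
```

The same counts can feed a per-zone alert in resolver logging; the threshold should be tuned against normal traffic, since legitimate zones also use a handful of out-of-zone name servers.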


Refreshed Windows 10 V2004 ISOs released on MSDN/MVS

Microsoft has released refreshed ISO install images for the Windows 10 May 2020 Update (Version 2004) for MSDN subscribers (MVS) on May 21, 2020. The general release of the spring feature update is expected this week.

I reported in the blog post Windows 10 Mai 2020 Update released at MSDN & for OEM about the release of the first ISO image files of the Windows 10 May 2020 Update (Version 2004) for MSDN subscribers and OEMs. This week I expect the general release of this Windows 10 version (see Windows 10 Version 2004 release between 26th & 28th May).

MVS Windows 10 Version 2004 ISOs

In preparation for this release, Microsoft has now updated the ISO installation images for the Windows 10 May 2020 Update (Version 2004). Blog reader EP points this out in this comment. The ISOs have titles like ‘Windows 10 (consumer editions) version 2004 (updated May 2020)’ and were released on May 21, 2020. Microsoft has integrated the cumulative update KB4556803 and the SSU KB4557968 (see Windows 10 Insider Preview Build 19041.264 as new RTM). This means that Windows 10 Build 19041.264 is installed with these ISO files, so no further updates need to be installed. Here are the details and issues that Microsoft reports for this ISO:

Windows 10 (business editions), version 2004 (updated May 2020)

This multi-edition Business media includes the following editions:
Windows 10 Pro
Windows 10 Pro N
*Windows 10 Pro for Workstations
*Windows 10 Pro N for Workstations
Windows 10 Pro Education
Windows 10 Pro Education N
Windows 10 Education
Windows 10 Education N
Windows 10 Enterprise
Windows 10 Enterprise N
*Windows 10 Pro, version 1709 or newer, will need to be installed before using the Windows 10 Pro for Workstations product key to activate that edition.

Published: 21/May/2020

SHA256: B0E2CF6EDAFE669AF0E0E4E0BC4A73C93FD309D36E4EA0114B4010C35835C660

File name: en_windows_10_business_editions_version_2004_updated_may_2020_x64_dvd_aa8db2cc.iso

Windows 10 (business editions), version 2004 (updated May 2020) (x64) – DVD (English-United Kingdom)

SHA256: B802A524E05C96EF805492CB0E41DDB9AEE8CFA9FC0AD3F779735BAD1A6C5BCD

File name: en-gb_windows_10_business_editions_version_2004_updated_may_2020_x64_dvd_783c55e0.iso

And for the consumer version the following information was published.

Windows 10 (consumer editions), version 2004 (updated May 2020) (x64) – DVD (English)

“For this multi-edition Consumer media, use a product key specific to the edition in the list you want to activate.
From the desktop, select the Start button > Settings > Update & Security > Activation. Select Change product key and enter your product key. If the key is valid, you’ll be asked to confirm the edition change, and Windows then performs it for you.
This multi-edition Consumer media includes the following editions:
Windows 10 Home
Windows 10 Home N
Windows 10 Core Single Language
Windows 10 Pro
Windows 10 Pro N
*Windows 10 Pro for Workstations
*Windows 10 Pro N for Workstations
Windows 10 Pro Education
Windows 10 Pro Education N
Windows 10 Education
Windows 10 Education N
*Windows 10 Pro, version 1709 or newer, will need to be installed before using the Windows 10 Pro for Workstations product key to activate that edition.”

Published: 21/May/2020

SHA256: A9EFD2329ED805A6A58E0E0101F9B22AD4031E80E2C663C571CD004DB26D2F31

File name: en_windows_10_consumer_editions_version_2004_updated_may_2020_x64_dvd_36d61c40.iso

Windows 10 (consumer editions), version 2004 (updated May 2020) (x64) – DVD (English-United Kingdom)

Published: 21/May/2020

SHA256: 4D7D73409B36E44462C690EC58AE0DC6846B01307799432FBD542388D4AD30E7

File name: en-gb_windows_10_consumer_editions_version_2004_updated_may_2020_x64_dvd_1fc886bc.iso

Language Packs, the Hardware Lab Kit, Features on Demand, the Windows Driver Kit as well as the Software Development Kit (SDK) and the Assessment and Deployment Kit (ADK) as of May 12, 2020 for the 2004 version are also available on MSDN/MVS.

Similar articles:
Windows 10 V2004 is ready, rollout for Insider
Windows 10 Insider Preview Build 19041.264 as new RTM.
Windows 10 Version 2004 release between 26th & 28th May
Windows 10 Mai 2020 Update released at MSDN & for OEM

Windows 10: HP fixes KMODE_EXCEPTION_NOT_HANDLED

It seems that HP has just released the ‘HP Software Component 4.1.4.3079’. The update is intended to remove the KMODE_EXCEPTION_NOT_HANDLED blue screen that some users got after the May 2020 patchday. Also, a vulnerability in the Realtek High Definition Audio Driver has been fixed.

The KMODE_EXCEPTION_NOT_HANDLED issue

Cumulative update KB4556799, released on May 12, 2020 for Windows 10 version 1903, for Windows 10 version 1909, and for Windows Server version 1903 and Windows Server version 1909, caused some problems. On some HP machines it causes a blue screen KMODE_EXCEPTION_NOT_HANDLED.

KMODE_EXCEPTION_NOT_HANDLED
(Source hp.com)

The contribution from hp.com shows the above image with the BlueScreen. I had pointed out such issues in the blog post Windows 10: Audio-/ Install issues with KB4556799. In this comment, German blog reader Lucifer pointed to this document from HP-Japan (where the above screenshot was taken). There were similar entries on the HP support pages – Woody Leonhard has taken this up in this post. Somewhere at Askwoody I read in the thread that there is probably a conflict with Windows Defender. If you deactivate Defender, the BlueScreen will not appear.

Update released

Another tweet from Woody Leonhard tells me that HP has released the ‘HP Software Component 4.1.4.3079’ as of 24 May 2020.

The reference of F A Kramer is located in this post. He received “HP Software Component 4.1.4.3079” for the OMEN desktop computer via Windows Update on Sunday. Since then the BlueScreens are gone.  

Vulnerability in Realtek High Definition Audio Driver

The audio driver has also been updated according to this security bulletin from HP. There was a vulnerability in the driver that allowed DLL preloading with corresponding risks. Maybe this will help affected users. 

ZDI publishes five Windows 0-day vulnerabilities

The Zero-Day Initiative (ZDI) has published a list of five unpatched vulnerabilities (0-days). Fortunately, most of the vulnerabilities are rather harmless and are not expected to be fixed until June or July.

In May 2020 Microsoft’s reduced patch frequency took effect for the first time (see Microsoft suspends optional Windows Updates from May 2020). The following tweet caught my eye immediately.

The Zero-Day Initiative (ZDI) lists vulnerabilities in Windows for which Microsoft has not yet provided updates. Some of the vulnerabilities have only just become public. Microsoft has announced that they will not patch the vulnerabilities immediately (the risk of exploitation is considered low), so ZDI is now making them public.

Windows 10 version 2004 is probably just around the corner

The release of the Windows 10 May 2020 Update (Version 2004) is expected to start soon. This is indicated by several web pages that Microsoft published hours ago.

The following tweet indicates that the status page Windows 10, version 2004 and Windows Server, version 2004, where Microsoft publishes known issues, is now online.

Currently this web page does not contain any entries of known problems. Furthermore, the web page Resolved issues in Windows 10, version 2004 and Windows Server, version 2004 has been released, as noted here. This page is also without information at the moment.

I already mentioned in some blog posts at the end of May 2020 that Windows 10, version 2004 and Windows Server, version 2004 will be released on May 28, 2020. For Visual Studio subscribers, an updated ISO file of this version has been available for a few days, which contains all the patches released so far.

An overview of various features of Windows 10 version 2004 can be found (with reference to the Insider Preview) in this article. There you will learn that support for special displays has been added for Windows 10 Enterprise and Windows 10 Pro for Workstations (see also). Microsoft writes about this:

Specialized Displays in Windows 10 Enterprise and Windows 10 Pro for Workstations

If you are running the Windows 10 Enterprise or the Windows 10 Pro for Workstations editions, you may have noticed a new feature under Settings > System > Display > “Advanced display settings” > “Remove display from desktop” that allows you to use your monitor as a Specialized Display. A monitor is categorized as “specialized” if it is neither intended to be used as a “desktop” monitor nor as a head-mounted display.

The Specialized Display feature enables a display to be dedicated to a specific purpose, such as:

  • Fixed-function arcade/gaming rigs like cockpit/driving/flight/military simulators
  • Medical imaging devices that have custom panels (e.g. grayscale X-ray displays)
  • Dedicated video monitoring scenarios (e.g. Avid Pro)
  • Monitor panel testing and validation (e.g. in the factory)
  • Video walls

So Microsoft probably still has some plans for Windows 10. The article linked above has further hints on Cortana, a lower disk load for Windows search etc. According to this article it should also be possible to block unwanted apps. 

Similar articles:
Windows 10 V2004 is ready, rollout for Insider
Windows 10 Insider Preview Build 19041.264 as new RTM.
Windows 10 Version 2004 release between 26th & 28th May
Windows 10 Mai 2020 Update released at MSDN & for OEM
Refreshed Windows 10 V2004 ISOs released on MSDN/MVS
Windows 10 V2004: Microsoft started to add 20H2 features
No more 32-bit Windows 10 from V2004 on new devices

Windows 10 Version 1809: Start menu issues with Update KB4551853?

A brief question to administrators who have installed cumulative update KB4551853 for Windows 10 version 1809 in May 2020: are there issues? I have a report that an administrator had to stop the distribution in his corporate environment, due to serious start menu issues.

Update KB4551853 for Windows 10 Version 1809

Update KB4551853 was released on May 12, 2020 and raises the OS build (according to MS) to 17763.1217. I had reported about it in the blog post Patchday: Windows 10 Updates (May 12, 2020). The update is available for Windows 10 version 1809 and Windows Server 2019. The update fixes some issues and includes improvements that are listed in the KB article.

A problem report

Yesterday I received several mails from German blog reader Markus, who administrates an IT landscape in a university environment. The case is also discussed on Patchmanagement.org (also available on Google Groups). Markus wrote:

Hello,
could just observe the behavior below and fix it by uninstalling the 1809 2020-05 CU.
But I have no starting point for what to look for :)
In the eventlog there is nothing useful to find.
Aggravating is probably the fact that we use roaming profiles.

The problem Markus is talking about is described on patchmanagement.org as follows:

Hi all,
we got several reports of a start menu critical error.
After uninstalling KB4551853 1809 2020-05 CU the start menu works again.
Anyone has info on it, observes the same or has maybe even a solution?

For now we stopped deploying. All attempts to figure out what causes the error failed so far.

Best, Markus

In a follow-up mail Markus then reported the experience that unfortunately there are also computers that still have the start menu problem after uninstalling the 2020-05 CU (1809). And he wrote in another mail:

Hello,
I also noticed that event 1534 (source user profile service):
“Error in profile notification of the Unload event for component {B31118B2-1F49-48E5-B6F5-BC21CAEC56FB}.
Error code: See Tracelogging for error details. “,

occurs on the affected computers. You have already created a blog post about this, deleting the TDL key was unsuccessful.

Somehow I have the suspicion that only “migrated” OS have the problem. We migrated from 1703 or 1709 to 1809. Interestingly, I haven’t found a problem case that was installed with 1809.

I’m a bit perplexed, because the net doesn’t really give anything about this in connection with the cumulative May 2020 update.

On patchmanagement.org there was a hint that virus scanners may be the cause – but in this case, Windows Defender is used. Markus closed his mail with this remark: Unfortunately [I] still have no idea where the problem comes from. The suggestions from Microsoft to fix a start menu problem are more than poor. So I’m posting it here in the blog, hoping that another administrator can confirm this and/or even have a solution.

Similar articles:
Patchday: Windows 10 Updates (May 12, 2020)
Windows 10: Audio-/ Install issues with KB4556799
Windows 10 V190x: Update KB4556799 causes LTE issues
Windows 10: HP fixes KMODE_EXCEPTION_NOT_HANDLED
