
Windows Server 2016: Update KB4577015 throws a GPO MMC wsecedit.dll error


Security update KB4577015, dated September 8, 2020, causes problems on Windows Server 2016 systems acting as domain controllers. When changing security options, the Group Policy Editor (gpedit.msc) throws a wsecedit.dll error while loading an MMC snap-in.

I’ve been notified by several users about this issue (see e.g. this German comment), so I’m pulling it out separately here in a post.

Windows Update KB4577015 (Sept. 8, 2020)

Cumulative update KB4577015 was released by Microsoft on September 8, 2020 as a security update for Windows 10 1607 Enterprise LTSC. The update is also available for Windows Server 2016. I had mentioned the update briefly in the article Patchday: Windows 10-Updates (September 8, 2020). It adds time zone information for Yukon (Canada) and fixes a number of security issues. Microsoft also lists the item “Provides the ability to set a Group Policy that displays only the domain and username when you sign in.” However, it seems that something has gone wrong with the various fixes.

Group Policy Editor on Windows Server 2016 broken

Besides the above comment, there was already a call for help from another administrator, which I addressed in the blog post Windows 10 V1607: Update KB4571694 creates ID 5827 events, bricks MMC. The administrator of a virtualized Windows Server 2016 Datacenter Edition encountered a wsecedit.dll error when loading an MMC snap-in while using the Group Policy Editor. The attempt to traverse the following path in Group Policy:

Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

fails with a gpedit.msc error message. An MMC snap-in cannot be loaded because a wsecedit.dll error has occurred.

gpedit.msc error

The hint to restart the Group Policy Editor or to ignore the error in the session does not help. The functions for customizing the security options can no longer be used. There is now a fresh entry, GPMC error for “Security Options” after Updates 2020-09 in Windows Server 2016 Domain Controllers, in Microsoft’s Q&A. There, several users confirm the following error description:

We have found that if a Windows Server 2016 DC has been patched with the current Cumulative Update 2020-09 and Servicing Stack Update 2020-09, the “Security Options” in a policy can no longer be opened in the GPMC afterwards.

Cumulative update KB4577015 from September 8, 2020 is the culprit, as various sources have now confirmed to me. It seems to affect all versions or variants of Windows Server 2016, and probably also Windows 10 version 1607 Enterprise LTSC. Maybe this information will help.

Similar articles:
Windows 10 V1607: Update KB4571694 creates ID 5827 events, bricks MMC 
Patchday: Windows 10-Updates (September 8, 2020)


Microsoft integrates Servicing Stack Updates (SSU) in cumulative Updates (LCU)


Another small addendum from last week. Microsoft has announced its plans to include the required Servicing Stack Updates (SSU) in future Latest Cumulative Updates (LCU). This could eliminate one cause of update errors.

Service Stack Update (SSU) internals

Microsoft has been releasing so-called Servicing Stack Updates (SSU) for Windows 10 on a regular basis for quite some time now. What is behind this and what are these updates supposed to do? The purpose of installing a servicing stack update is to improve the installation process of the operating system, including the installation of the update program. Servicing Stack Updates (SSUs) must always be placed on the machine separately from the cumulative updates for Windows 10 (and before installing them). I had pointed this out several times in various blog posts about Windows 10 updates. If this is ignored, the cumulative updates may cause installation errors. SSUs are not uninstallable. I had detailed this in the article Windows 10 Service Stack Update (SSU) internal explained in 2018.

The never-ending topic of Servicing Stack Updates (SSU)

It’s a tiresome topic: the requirement that Servicing Stack Updates (SSUs) must always be brought to the machine separately from the cumulative updates for Windows 10 (and before LCUs are installed). This only works if the administrators can control this manually in WSUS or via Windows Update. With the automatic update installation, there have been and still are ‘accidents’ because the LCU is installed before the SSU. The installation of the LCU then fails with an error.

In summer 2019 a user had raised the issue of update installation problems under Windows 10 due to ‘missing’ current Servicing Stack Update (SSU) in SCCM-UserVoice (see Windows 10: SSU issue addressed in SCCM UserVoice). It seems that there is no mechanism in Windows to control the order of update installations. So much for preliminary remarks.

Microsoft explains the changes

It took Microsoft a long time to get moving. But on September 8, 2020, Aria Carley of Microsoft published the article Simplifying on-premises deployment of servicing stack updates. And on September 11, 2020, Microsoft published the support article Description of Software Update Services and Windows Server Update Services changes in content for 2020.

Aria Carley’s article states that feedback from the user community has been heard and that steps will be taken to improve the update experience. The following is again confirmed:

  • To keep devices up to date, IT administrators who manage devices using on-premise methods must select and deploy the correct service stack update (SSU) with the latest cumulative update (LCU).
  • In some cases, a specific version of the SSU must already be installed to install the latest LCU. If the required SSU is not already installed on the device, the LCU cannot be installed.

This is confusing for many users and you have to make sure every month that the SSU conditions are met. Microsoft has therefore decided to bundle both the latest Cumulative Update (LCU) and the required Servicing Stack Update (SSU) in one package. The cumulative monthly update should then contain the cumulative fixes of the month and, if applicable, the corresponding service stack updates for that month. The update stack automatically orchestrates the installation so that both are applied correctly.

Microsoft wants to make sure that these ‘single update packages’ are also provided correctly in the Microsoft Update Catalog and via WSUS.  When administrators use WSUS supported management tools, such as Configuration Manager, they must select and deploy the monthly cumulative update. The latest SSU is automatically applied correctly.

However, if Dynamic Update packages are obtained before deployment and applied to existing Windows 10 images, the latest SSU is no longer available as a separate package in the Microsoft catalog. If a process requires the SSU, administrators should simply use the new combined SSU and LCU package.

Important: For now, this applies to Windows 10 version 2004 and later. Later, Microsoft plans to extend this to other Windows 10 versions. There are no dates or details about this. Blog reader Karl also complains in the comments that Windows 10 2004 and 20H2 appear in the same category as Windows 10 190x in WSUS and asks for a separate category. 

It remains to be seen whether these SSU-missing installation problems will be solved. And I’m already asking myself what the reasons are that Microsoft has to patch the servicing stack of Windows 10 all the time.

Windows 10 Version 2004: Update KB4576754 forces new Edge browser install (Sept. 14, 2020)


Microsoft began rolling out the new Chromium-based Edge browser on systems with Windows 10 version 2004 on Sept. 14, 2020. A re-release of update KB4576754 pushed this browser again to consumer systems.

History: Update KB4576754 for Windows 10 Version 2004

I had already written about the cumulative update KB4576754 in the blog post Windows 10 Version 2004: Update KB4576754 on September 3, 2020. After a test phase with Windows insiders, the patch was rolled out on Windows 10 version 2004 (and its server counterparts) in early September 2020. At that time, the update was offered without a KB article giving details.

Later on, a KB article for update KB4576574, which was released on August 31, 2020, was put online. According to this German comment from moinmoin (deskmodder.de) the update was replaced by KB4562830 at that time – it was the update for the new Edge 84.0.522.52.

Update KB4576754 for Windows 10 Version 2004

Cumulative Update KB4576754 (Update for the new Microsoft Edge for Windows 10, version 1809, 1903, 1909, and 2004: August 31, 2020) installs the new Chromium-based Edge browser on consumer machines with the Windows 10 versions mentioned in the previous sentence. Please note the following:

  • This update is not intended for devices managed by Windows Update for Business (WUfB). 
  • To obtain this update for the new Microsoft Edge for Windows 10, version 1803, there is the support article KB4576753.

The update is therefore not intended for Windows 10 systems in an enterprise environment, as Microsoft does not want to upset its customers. Instead, it is tested on private users with Windows 10 Home. According to the KB article, the update brings some quality improvements due to the new browser and includes the features to set up the Chromium Edge as the default browser on the system.

Note: I received this comment to the German blog post Windows 10 Version 2004: Update KB4576754 from Matthias T.:

Thanks for the explanation and in the meantime I have installed the update KB4576754. It installs the new Edge Chromium Browser. I still had the “old” Edge installed.

The whole thing is still strange, because I am running the Enterprise version and it is the case that the Chromium is NOT installed automatically by Microsoft, but has to be downloaded and installed actively. Or am I wrong?

In this comment Matthias also reported trouble with the new Edge browser.

At the end of July 2020 Microsoft had revealed its plans for the rollout of the new Chromium Edge in the Techcommunity article Upgrading to the new Microsoft Edge through Windows Update (expanded).

Re-release of Update KB4576754?

According to reports from US sites like Softpedia (see Tweet) or howto edge Microsoft has re-released the update KB4576754 again for Windows 10 version 2004. This will force consumer machines running this Windows 10 version to update to this new Chromium based browser. 

Update KB4576754

It could be related to the fact that the Windows 10 20H2 build, expected in the fall of 2020, is nearing completion and Microsoft wants to make sure that all systems with Windows 10 20H1 build (2004 version) have the new Edge installed. In addition, Microsoft has announced the end of support for the old Edge browser in 2021 (see End of support for Internet Explorer 11 in Microsoft 365 and old Edge in Windows 10 from 2021) and intends to roll out the Chromium Edge in companies (see Microsoft Edge upgrade to be extended).

Anyone who was offered this update on September 14, 2020? My Windows 10 machine has had the new Edge browser installed for some time.

Similar articles:
Run old and new Edge in Side-by modus
Microsoft Edge: Error playing YouTube vidos and using AdBlock Plus
Edge imports Firefox data without user consent
Edge Browser Update KB4567409 for Windows 7 and 8.1
Microsoft investigats Autostart bug on the Chromium Edge

0patch fixes CVE-2020-1380 in Windows 7/Server 2008 R2


ACROS Security has released a micropatch for the vulnerability CVE-2020-1380 (Internet Explorer scripting engine memory corruption) for Windows 7 and Server 2008 R2 (without ESU license). The vulnerability is now being exploited.

The vulnerability CVE-2020-1380

CVE-2020-1380 was issued for a scripting engine memory corruption vulnerability in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. Microsoft writes about this:

An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative privileges, an attacker who successfully exploited the vulnerability could take control of an affected system. The attacker could then install programs, view, modify, or delete data, or create new accounts with full user rights.

In a Web-based attack scenario, an attacker could set up a specially crafted Web site that uses Internet Explorer to exploit the vulnerability and then trick a user into visiting the Web site. An attacker could also embed an ActiveX control that is marked as “initialization-safe” in an application or Microsoft Office document that hosts the Internet Explorer graphics rendering engine. The attacker can also exploit compromised Web sites and Web sites that accept or host user-provided content or advertising messages. These Web sites may contain specially crafted content that could be used to exploit the vulnerability.

On August 11, 2020, Microsoft released a security update for Internet Explorer 11 that addresses the vulnerability and closes the vulnerability in the scripting engine. The fix is included in the Rollup Update for Windows 7 SP1.  However, users of Windows 7 SP1 and Windows Server 2008 R2 who do not have an ESU license will no longer receive the security updates released by Microsoft.

0patch-Fix for Windows 7 SP1/Server 2008 R2

ACROS Security has developed a micropatch for the vulnerability CVE-2020-1380. I became aware of the release of the micropatch for Windows 7 SP1 and Windows Server 2008 R2 via Twitter.

(0patch Fix for CVE-2020-1380 )

This micropatch is now available for 0patch users with PRO license and is already applied to all online computers with 0patch Agent (except in non-standard enterprise configurations). As always, there is no need to restart the computer and users’ work is not interrupted.

For information on how the 0patch Agent works, which loads the micro-patches into memory at runtime of an application, please refer to the blog posts (e.g. here) I have linked below. 

Similar articles:
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2

Windows Server: Zerologon vulnerability (CVE-2020-1472) allows domain hijacking


Security researchers have uncovered a vulnerability in all versions of Windows Server that allows a domain takeover with a simple approach. This vulnerability, called Zerologon (CVE-2020-1472), was closed with the security updates of August 2020. Those who have not yet installed this patch should react as soon as possible.

I had read about it on Twitter yesterday, and in this German comment here in the blog somebody mentioned the so-called Zerologon vulnerability (CVE-2020-1472), which allows a domain takeover. Tenable has summarized it here.

Zerologon vulnerability (CVE-2020-1472)

On September 11, Secura researchers published a blog post on the critical Zerologon vulnerability. The blog post includes a white paper explaining the full impact and execution of the vulnerability identified as CVE-2020-1472. The vulnerability received a CVSSv3 rating of 10.0 (highest score).

CVE-2020-1472 is a Privilege Escalation vulnerability that is made possible by the insecure use of AES-CFB8 encryption for Netlogon sessions. The AES-CFB8 standard requires that each byte of clear text, such as a password, must have a randomized initialization vector (IV) to prevent passwords from being guessed. The ComputeNetlogonCredential function in Netlogon sets the IV to fixed 16 bits, which means that an attacker could control the decoded text.
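
Why a fixed IV is fatal for CFB8 can be reproduced offline. The following Python code is an added example, not code from this post, Secura or Microsoft; it assumes the fixed IV is the all-zero 16-byte block, uses a pure-Python AES-128 so that no third-party package is needed, and works on constructed keys and a constructed 8-byte all-zero plaintext. It shows that for roughly one key in 256 the all-zero plaintext encrypts to an all-zero ciphertext, and that the same key with a different IV does not behave this way.

```python
import hashlib

def _gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF

def _make_sbox():
    """AES S-box: multiplicative inverse followed by the affine transform."""
    sbox = []
    for a in range(256):
        inv = next((b for b in range(1, 256) if _gmul(a, b) == 1), 0)
        sbox.append(inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2)
                    ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return sbox

SBOX = _make_sbox()
M2 = [_gmul(x, 2) for x in range(256)]
M3 = [_gmul(x, 3) for x in range(256)]

def expand_key(key):
    """AES-128 key schedule: returns 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = _gmul(rcon, 2)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(round_keys, block):
    """Encrypt one 16-byte block (state is column-major, as in FIPS-197)."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                              # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]    # ShiftRows
        if rnd < 10:                                          # MixColumns
            m = []
            for c in range(0, 16, 4):
                a = s[c:c + 4]
                m += [M2[a[j]] ^ M3[a[(j + 1) % 4]] ^ a[(j + 2) % 4] ^ a[(j + 3) % 4]
                      for j in range(4)]
            s = m
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]       # AddRoundKey
    return bytes(s)

def cfb8_encrypt(key, iv, plaintext):
    """CFB8: each ciphertext byte is fed back into a 16-byte shift register."""
    rk = expand_key(key)
    reg, out = bytes(iv), bytearray()
    for p in plaintext:
        c = aes128_encrypt_block(rk, reg)[0] ^ p
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)

ZERO_IV = bytes(16)             # assumption: the fixed IV is all zeros
ZERO_MSG = bytes(8)             # constructed all-zero plaintext
OTHER_IV = bytes(range(1, 17))  # constructed stand-in for a fresh, non-fixed IV

def derive_key(i):
    """Constructed sample keys: SHA-256 of a counter, truncated to 16 bytes."""
    return hashlib.sha256(i.to_bytes(4, "big")).digest()[:16]

def first_degenerate_key(limit=20000):
    """Return (keys_tried, key) for the first key that maps zeros to zeros."""
    for i in range(limit):
        key = derive_key(i)
        if cfb8_encrypt(key, ZERO_IV, ZERO_MSG) == ZERO_MSG:
            return i + 1, key
    return None

if __name__ == "__main__":
    tries, key = first_degenerate_key()
    print("keys tried:", tries)
    print("zero IV  :", cfb8_encrypt(key, ZERO_IV, ZERO_MSG).hex())
    print("other IV :", cfb8_encrypt(key, OTHER_IV, ZERO_MSG).hex())
```

The degenerate case arises whenever the first byte of the encrypted all-zero register is zero: the register then never changes, so every following ciphertext byte is zero as well. An unpredictable per-message IV removes that fixed starting point.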

An attacker could exploit this vulnerability to spoof the identity of any machine on a network when attempting to authenticate to the Domain Controller (DC). Further attacks are then possible, including the complete takeover of a Windows domain. Secura's white paper also points out that an attacker would be able to simply run the Impacket “secretsdump” script to obtain a list of user hashes from a target DC. Someone on GitHub has now published a Proof of Concept (PoC) here, and Bleeping Computer has covered it in this article.

Patch from August 2020 closes CVE-2020-1472

The Zerologon vulnerability has been patched by Microsoft with the August 2020 security updates (see also link list at the end of this article). A reference to this patch from Tenable can be found in this Tenable article. Administrators should quickly install the relevant update. Here in the blog I had pointed out the implications of this update in the following two blog posts:

Windows Domain Controller suddenly generate EventID 5829 warnings (August 11, 2020)
Windows 10 V1607: Update KB4571694 creates ID 5827 events, bricks MMC

Similar articles:
Patchday: Windows 10-Updates (August 11, 2020)
Patchday: Windows 8.1/Server 2012-Updates (August 11, 2020)
Patchday: Updates for Windows 7/Server 2008 R2 (August 11, 2020)

Microsoft 365: Multi-factor authentication bypassed


That does not sound very good. Newly discovered vulnerabilities in Microsoft 365 make it possible to bypass multi-factor authentication. Security researchers from Proofpoint have just released this information.

Proofpoint security researchers have recently discovered critical vulnerabilities in the implementation of multi-factor authentication (MFA) in cloud environments where WS-Trust is enabled. The vulnerabilities were announced by Proofpoint and demonstrated at the Proofpoint Protect virtual user conference. It is highly likely that these vulnerabilities have existed for years. The security researchers tested several Identity Provider (IDP) solutions, identified the vulnerable solutions and resolved the security issues.

These vulnerabilities could allow attackers to circumvent multi-factor authentication (MFA). This makes it possible to access cloud applications that use the protocol. According to Proofpoint, this particularly affects Microsoft 365.


The security researchers write that because of the way Microsoft 365 session login is designed, an attacker could gain full access to the target’s account. This includes email, files, contacts, data, and more. Furthermore, these vulnerabilities could also be exploited to gain access to various other cloud services provided by Microsoft, including production and development environments such as Azure and Visual Studio.

The vulnerabilities arose from the inherently insecure protocol (WS-Trust) as described by Microsoft, combined with various flaws in its implementation by the IDPs. In some cases, an attacker could spoof his IP address to bypass MFA via a simple request header manipulation. In another case, changing the user-agent header caused the IDP to misidentify the protocol and believe it was using Modern Authentication. In all cases, Microsoft logs the connection as “Modern Authentication” because the exploit switches from the old protocol to the modern one. In ignorance of the situation and the risks involved, the administrators and security experts who monitor the tenant would consider the connection to have been made using “Modern Authentication”.

The vulnerabilities require some research, but once discovered, they can be exploited automatically. They are difficult to detect and may not even appear in the event logs, leaving no trace or indication of their activity. Since MFA as a preventative measure can be bypassed, it becomes necessary to take additional security measures in the form of detection and remediation of account compromise. See the Proofpoint article for more details.

Windows 10 (64 Bit): Executing 16-bit programs


In a 64-bit Windows environment, 16-bit programs can no longer run because the Windows NT DOS Virtual Machine (NTVDM) is missing. A Microsoft developer has now described an approach, more or less as a finger exercise, for running 16-bit programs under 64-bit Windows 10.

Until now, old 16-bit programs from MS-DOS times had to be run under 32-bit Windows. Only the 32-bit Windows operating systems contain the Windows NT DOS Virtual Machine (NTVDM) (WOW16), though it may have had to be installed as a feature. Under 64-bit Windows, Windows on Windows 16 (WOW16) is missing. The solution: A virtual machine with a 32-bit Windows has to be set up under the 64-bit guest operating system. And in this VM the 16-bit programs from MS-DOS and Windows 1.0, 2.0, 3.x times could run.

Visual Basic 3.0
(16-Bit-Application Visual Basic 3.0 runs in a 64-bit-Windows 10 environment)

The colleagues of deskmodder.de now noticed a Techcommunity article, where an alternative way is described. Luis Henrique Demetrio from Brazil, a Windows Development Advocate in the Microsoft App Consult Team has described a proof of concept in the article Running 16-bit applications on Windows 10 64-bit. To do so, the open source 16-bit emulator otya128 – winevdm must be downloaded from GitHub, compiled and installed.

An artifact in the form of a ready-to-use ZIP archive file otvdm-master-1846.zip (expires in 5 months) can be downloaded from AppVeyor.

The framework can then be used with the emulator to install and run 16-bit programs like Visual Basic 3.0. The steps are described in the Techcommunity article. But the whole thing is a fiddle to get .exe programs to run. You have to call the applications from the emulator. But Demetrio describes an approach how to integrate the 16-bit emulator and the Visual Basic 3 16-bit applications into an MSIX package. Details about the whole approach can be found in the Techcommunity article.

Exchange Server: Remote Code Execution Vulnerability CVE-2020-16875


Administrators of Microsoft Exchange Server should take care of patching the remote code execution vulnerability CVE-2020-16875. The details and exploits have now been published. But patches have been available since September 8, 2020.

The vulnerability CVE-2020-16875

A remote code execution vulnerability exists in Microsoft Exchange Server, as Microsoft revealed on the September 2020 patchday. In the vulnerability details for CVE-2020-16875, Microsoft wrote:

A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments.

An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. Exploitation of the vulnerability requires an authenticated user in a certain Exchange role to be compromised.

Microsoft released security updates for the affected products (Exchange Server 2016 and 2019) on September 8, 2020. The respective security update 4577352 addresses the vulnerability by correcting the evaluation of cmdlet arguments in Microsoft Exchange. Microsoft classifies the vulnerability as low risk (Exploitation Less Likely). Here are the available patches.

  • Microsoft Exchange Server 2016 Cumulative Update 16
  • Microsoft Exchange Server 2016 Cumulative Update 17
  • Microsoft Exchange Server 2019 Cumulative Update 5
  • Microsoft Exchange Server 2019 Cumulative Update 6

Security researchers from Source Incite just published this post with PoCs about the vulnerability (I got the tip on Twitter). The vulnerability was reported to Microsoft on May 22nd, 2020 and was fixed as of the September 2020 patchday. In the post, the Source Incite people publish proof of concept exploits for the vulnerability. So administrators should make sure that their Exchange servers are patched.


Windows 10: New Information about Windows Update


Microsoft has outlined some information about third-party updates and Windows Update for Business in a Techcommunity article. And they plan to provide better information about upgrade blockers. Here is a brief overview.

Third-Party Updates in Windows Update for Business

Windows Updates for Business (WUfB) is only available as an update control option in corporate environments. In a Techcommunity article, Microsoft addresses the issue of rolling out third-party updates. Updates for third-party products are not supported by WUfB to date. Therefore a solution like Microsoft Endpoint Manager Configuration Manager must still be used to complement WUfB. The Techcommunity article outlines how to configure this in WUfB and what you have to keep in mind. Perhaps of interest for administrators in this environment.

Better information about Windows 10 Upgrade-Blocker

On its status page for Windows 10, Microsoft provides an overview of when feature updates on machines are blocked due to known problems.  However, if the upgrade is blocked on a system, the user receives little information about why it is blocked. Mary Jo Foley has investigated this question and in this ZDNet article, Foley discusses the rumors that are circulating on the floor. The tenor: Microsoft is trying to inform users in more detail about upgrade blockers in Windows 10. The message: Microsoft is working on making blocking problems in feature updates for Windows 10 more customized and more manageable.

Windows 10 V1809/190x: Preview Updates (September 16, 2020)


On September 16, 2020 Microsoft released several cumulative updates as previews for Windows 10 versions 1809, 1903 and 1909. A first comment mentioning these updates has already been left on the blog (thx for that). Here are some details about the respective updates.

A list of the updates can be found on this Microsoft website. I have extracted the details below. The update installation requires an existing current Servicing Stack Update (SSUs). Meanwhile, Microsoft publishes an overview of current Servicing Stack Updates (SSUs) under ADV990001 (if it is not up to date, please check the Microsoft Update Catalog for Servicing Stack Updates). 

Important: From July 2020 all Windows updates disable the RemoteFX vGPU feature due to the CVE-2020-1036 vulnerability (see also KB4570006). After installing this update, attempts to start virtual machines (VM) with RemoteFX vGPU enabled will fail. More information can be found here.

Update KB4577062 for Windows 10 Version 190x

Preview update KB4577062 is cumulative and is available for Windows 10 versions 1903 and 1909 as well as for Windows Server version 1903 and Windows Server version 1909. It raises the OS build to 18362.1110 (Windows 10 V1903) and 18363.1110 (Windows 10 V1909). It includes quality improvements but no new operating system features. Here is the list of improvements, called highlights by Microsoft:

  • Adds a notification to Internet Explorer 11 that informs users about the end of support for Adobe Flash in December 2020. For more information, see KB4581051.
  • Updates an issue that causes certain apps to go into an unwanted repair cycle. As a result, a user cannot use that app during that time.
  • Updates an issue that might display 4K high dynamic range (HDR) content darker than expected when you configure certain non-HDR systems for HDR Streaming. 
  • Updates an issue to reduce the likelihood of missing fonts. 
  • Updates an issue that causes a device to stop responding after you have been using a pen for several hours. 
  • Reduces distortions and aberrations in Windows Mixed Reality head-mounted displays (HMD).

Additionally, the following fixes and improvements are provided for Windows 10 version 1909, which are identical to those for version 1903 (the update is also available for the HoloLens):

  • Adds a notification to Internet Explorer 11 that informs users about the end of support for Adobe Flash in December 2020. For more information, see KB4581051.
  • Addresses an issue with Microsoft Edge IE Mode that occurs when you enable Configure enhanced hang detection for Internet Explorer mode in Microsoft Edge. 
  • Addresses an issue that causes certain apps to go into an unwanted repair cycle. As a result, a user cannot use that app during that time.
  • Addresses an issue that, in certain scenarios, causes applications to stop working if they are created using Visual Basic for Applications (VBA). The error is, “Class not registered” error. 
  • Addresses an issue that might display an empty black screen when a device is connecting to a Windows Virtual Desktop (WVD) machine. 
  • Addresses an issue that might display 4K high dynamic range (HDR) content darker than expected when you configure certain non-HDR systems for HDR Streaming. 
  • Addresses an issue that causes a stop error when the initialization of the graphics adapter fails. 
  • Addresses an issue to reduce the likelihood of missing fonts. 
  • Addresses an issue that causes a device to stop responding after you have been using a pen for several hours. 
  • Addresses an issue that fails to recognize the first East Asian language character typed into a Microsoft Foundation Class Library (MFC) DataGrid. 
  • Addresses an issue in which selecting I forgot my Pin from Settings>Accounts>Sign-in options fails in a Windows Hello for Business On-Premise deployment. 
  • Addresses an issue that causes File Explorer to close unexpectedly when you use a Ribbon shell extension under specific circumstances. 
  • Addresses an issue that affects default application associations during certain upgrade scenarios. This might cause numerous toast notifications to appear when you first sign in after the upgrade.
  • Addresses an issue that generates a “No features to install” message when you add a feature, even if you provide administrative credentials. 
  • Addresses an issue that causes a stop error when using Microsoft Surface Slim Pen on certain editions of Microsoft Surface Pro X or Microsoft Surface Laptop 3. 
  • Updates 2021 time zone information for Fiji. 
  • Addresses stop error 0xC2 in usbccgp.sys
  • Addresses an issue that causes random line breaks when you redirect PowerShell console error output. 
  • Addresses an issue with creating HTML reports using tracerpt
  • Allows the DeviceHealthMonitoring Cloud Service Plan (CSP) to run on Windows 10 Business and Windows 10 Pro editions. 
  • Addresses an issue that prevents the content under HKLM\Software\Cryptography from being carried over during Windows feature updates. 
  • Addresses an issue that displays an error that states that a smart card PIN change was not successful even though the PIN change was successful. 
  • Addresses an issue that might create duplicate Foreign Security Principal directory objects for Authenticated and Interactive users in the domain partition. As a result, the original directory objects have “CNF” added to their names and are mangled. This issue occurs when you promote a new domain controller using the CriticalReplicationOnly flag. 
  • Addresses an issue that prevents you from enabling BitLocker after installing the Server Core App Compatibility Feature on Demand (FOD). 
  • Addresses an issue that causes an access violation in lsass.exe when a process is started using the runas command in some circumstances. 
  • Addresses an issue in which Windows Defender Application Control enforces package family name rules that should be audit only. 
  • Addresses an issue, which occurs after an update, that causes devices that have the Dynamic Root of Trust for Measurement (DRTM) enabled to unexpectedly reset when hibernating. 
  • Updates the configuration of Windows Hello Face recognition to work well with 940nm wavelength cameras. 
  • Reduces distortions and aberrations in Windows Mixed Reality head-mounted displays (HMD). 
  • Ensures that new Windows Mixed Reality HMDs meet minimum specification requirements and default to a 90Hz refresh rate. 
  • Addresses an issue that causes a stop error on a Hyper-V host when a virtual machine (VM) issues a specific Small Computer System Interface (SCSI) command. 
  • Addresses an issue that prevents Always On VPN (AOVPN) from automatically reconnecting when resuming from Sleep or Hibernate. 
  • Adds an Azure Active Directory (AAD) Device Token that is sent to Windows Update (WU) as part of each WU scan. WU can use this token to query for membership in groups that have an AAD Device ID. 
  • Addresses an issue that fails to log events 5136 for group membership changes in certain scenarios. This occurs when you use the “Permissive Modify” control; for example, the Active Directory (AD) PowerShell modules use this control. 
  • Addresses an issue with the Microsoft Cluster Shared Volumes File Systems (CSVFS) driver that prevents Win32 API access to SQL Server Filestream data. This occurs when the data is stored on a Cluster Shared Volume in a SQL Server failover cluster instance, which is on an Azure VM. 
  • Addresses an issue that causes a deadlock when Offline Files are enabled. As a result, CscEnpDereferenceEntryInternal holds parent and child locks. 
  • Addresses an issue that causes deduplication jobs to fail with stop error 0x50 when you call HsmpRecallFreeCachedExtents().
  • Addresses an issue that causes applications to stop working when they use Microsoft’s Remote Desktop sharing APIs. The breakpoint exception code is 0x80000003. 
  • Removes the HTTP call to www.microsoft.com that the Remote Desktop Client (mstsc.exe) makes at sign out when using a Remote Desktop Gateway. 
  • Adds support for certain new Windows Mixed Reality motion controllers. 
  • Addresses an issue with evaluating the compatibility status of the Windows ecosystem to help ensure application and device compatibility for all updates to Windows. 
  • Addresses an issue with setting the “Restrict delegation of credentials to remote servers” Group Policy with the “Restrict Credential Delegation” mode on the RDP client. As a result, the Terminal Server service tries to use “Require Remote Credential Guard” mode first and will only use “Require Restricted Admin” if the server does not support “Require Remote Credential Guard”.

This update is offered and installed via Windows Update, but is also available in the Microsoft Update Catalog (but not for WSUS). According to Microsoft the update is optional and can only be found when searching for an update. Microsoft strongly recommends that you install the latest servicing stack update (SSU) for your operating system before installing the latest cumulative update (LCU). Microsoft states that it is not aware of any known issues that this update causes. 

In addition, Microsoft has released an update directly to the Windows Update client to improve its reliability. This is rolled out outside of Windows Update if the machine is compatible and not an LTSC variant and updates have not been blocked by GPO.

Update KB4577069 for Windows 10 Version 1809

Cumulative update KB4577069 is optional (preview) and raises the OS build (according to MS) to 17763.1490 and includes quality improvements but no new operating system features. Here is the list of improvements, called highlights by Microsoft:

  • Adds a notification to Internet Explorer 11 that informs users about the end of support for Adobe Flash in December 2020. For more information, see KB4581051.
  • Updates an issue to reduce the likelihood of missing fonts.
  • Updates an issue that causes applications to close unexpectedly when a user inputs East Asian characters after changing the keyboard layout. 
  • Updates an issue that causes Microsoft Office applications to close unexpectedly when using a Korean Input Method Editor (IME).

Here is a full list of fixes and improvements to Windows 10 version 1809:

  • Adds a notification to Internet Explorer 11 that informs users about the end of support for Adobe Flash in December 2020. For more information, see KB4581051.
  • Addresses an issue with using Group Policy Preferences to configure the homepage in Internet Explorer. 
  • Addresses an issue with Microsoft Edge IE Mode that occurs when you enable Configure enhanced hang detection for Internet Explorer mode in Microsoft Edge.
  • Addresses an issue that might generate the error “0x80704006. Hmmmm…can’t reach this page” when using Microsoft Edge Legacy. This issue occurs when you attempt to reach websites on non-standard ports. Any website that uses a port listed in the Fetch Standard specification under bad ports or port blocking might cause this issue.
  • Addresses an issue that displays nothing on the screen for 5 minutes or more during the Remote Desktop Protocol (RDP) session. 
  • Addresses an issue that, in certain scenarios, causes applications to stop working if they are created using Visual Basic for Applications (VBA). The error is “Class not registered”. 
  • Addresses an issue that might display an empty black screen when a device is connecting to a Windows Virtual Desktop (WVD) machine. 
  • Addresses an issue that causes Cortana to stop working on multiuser devices when you install, uninstall, and reinstall the same update. 
  • Addresses an issue that causes a stop error when the initialization of the graphics adapter fails. 
  • Addresses an issue to reduce the likelihood of missing fonts.
  • Addresses an issue that displays a black screen momentarily when an application calls the Desktop Window Manager (DWM) Thumbnail API. 
  • Addresses an issue that fails to recognize the first East Asian language character typed into a Microsoft Foundation Class Library (MFC) DataGrid. 
  • Addresses an issue that causes File Explorer to close unexpectedly when you use a Ribbon shell extension under specific circumstances. 
  • Addresses an issue that generates a “No features to install” message when you add a feature, even if you provide administrative credentials. 
  • Provides the ability to set a Group Policy that displays only the domain and username when you sign in. 
  • Addresses an issue that affects default application associations during certain upgrade scenarios. This might cause numerous toast notifications to appear when you first sign in after the upgrade. 
  • Addresses an issue that causes applications to close unexpectedly when a user inputs East Asian characters after changing the keyboard layout. 
  • Updates 2021 time zone information for Fiji. 
  • Addresses an issue that affects the ability of Microsoft System Center Operations Manager (SCOM) to monitor a customer’s workload. 
  • Addresses a performance issue that occurs when PowerShell reads the registry to check if the ScriptBlockLogging registry key is in the registry. 
  • Addresses an issue with creating HTML reports using tracerpt
  • Addresses an issue that causes an access violation in lsass.exe when a process is started using the runas command in some circumstances. 
  • Addresses an issue that prevents the content under HKLM\Software\Cryptography from being carried over during Windows feature updates. 
  • Addresses an issue that prevents you from enabling BitLocker after installing the Server Core App Compatibility Feature on Demand (FOD). 
  • Addresses an issue that might create duplicate Foreign Security Principal directory objects for Authenticated and Interactive users in the domain partition. As a result, the original directory objects have “CNF” added to their names and are mangled. This issue occurs when you promote a new domain controller using the CriticalReplicationOnly flag.  
  • Addresses an issue that prevents a call to NCryptGetProperty() from returning the correct pbOutput value when pszProperty is set to “Algorithm Group” and you are using a Trusted Platform Module (TPM) 1.2 device. 
  • Addresses an issue in which Windows Defender Application Control enforces package family name rules that should be audit only. 
  • Addresses an issue in which the WinHTTP AutoProxy service does not comply with the value set for the maximum Time To Live (TTL) on the Proxy Auto-Configuration (PAC) file. This prevents the cached file from updating dynamically. 
  • Addresses an issue that might redirect Software Load Balancing (SLB) traffic to a different host when that traffic goes through a multiplexer. This causes the connection to an application to fail. 
  • Adds new functionality to the robocopy command. 
  • Adds Secure Sockets Layer (SSL) certificate authentication over HTTP/2. 
  • Addresses an issue that prevents Always On VPN (AOVPN) from automatically reconnecting when resuming from Sleep or Hibernate. 
  • Addresses an issue that causes Microsoft Office applications to close unexpectedly when using a Korean Input Method Editor (IME). 
  • Adds an Azure Active Directory (AAD) Device Token that is sent to Windows Update (WU) as part of each WU scan. WU can use this token to query for membership in groups that have an AAD Device ID. 
  • Addresses an issue that fails to log events 5136 for group membership changes in certain scenarios. This occurs when you use the “Permissive Modify” control; for example, the Active Directory (AD) PowerShell modules use this control. 
  • Addresses an issue that causes a deadlock when Offline Files are enabled. As a result, CscEnpDereferenceEntryInternal holds parent and child locks. 
  • Addresses an issue that causes deduplication jobs to fail with stop error 0x50 when you call HsmpRecallFreeCachedExtents()
  • Removes the HTTP call to www.microsoft.com that the Remote Desktop Client (mstsc.exe) makes at sign out when using a Remote Desktop Gateway. 
  • Addresses an issue with evaluating the compatibility status of the Windows ecosystem to help ensure application and device compatibility for all updates to Windows.
  • Addresses an issue with setting the “Restrict delegation of credentials to remote servers” Group Policy with the “Restrict Credential Delegation” mode on the RDP client. As a result, the Terminal Server service tries to use “Require Remote Credential Guard” mode first and will only use “Require Restricted Admin” if the server does not support “Require Remote Credential Guard”.

This update is offered optionally via Windows Update, but is also available in the Microsoft Update Catalog. Microsoft strongly recommends that you install the latest servicing stack update (SSU) for your operating system before you install the latest cumulative update (LCU). Microsoft lists two known issues that the update causes. During update installation, you may receive the error 0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND. Details can be found in the KB article.

Microsoft has also released an update directly for the Windows Update Client to improve its reliability. This is rolled out outside of Windows Update if the machine is compatible and not an LTSC variant and updates have not been blocked by GPO.

Similar articles:
Microsoft Office Patchday (September 1, 2020)
Microsoft Security Update Summary (September 1, 2020)
Patchday: Windows 10-Updates (September 8, 2020)
Patchday: Windows 8.1/Server 2012-Updates (September 8, 2020)
Patchday: Updates für Windows 7/Server 2008 R2 (September 8, 2020)
Patchday Microsoft Office Updates (September 8, 2020)

Windows 10 Insider Preview Build 20215 released

Microsoft released Windows 10 Insider Preview Build 20215 to Windows Insiders in the Dev Channel on September 15, 2020. The announcement was made in the Windows blog, where you can read the list of new features, fixes and known issues. Microsoft has now added a dark theme to the search.

.NET Framework Preview Updates (Sept. 16, 2020)

In addition to the preview updates for Windows 10 (see Windows 10 V1809/190x: Preview Updates (September 16, 2020)), Microsoft has also released various preview updates for the .NET Framework as of September 16, 2020.

KB4576947: .NET Framework 3.5 and 4.8 for Windows 10 Version 190x

Cumulative preview update KB4576947 is a preview for .NET Framework 3.5 and 4.8 for Windows 10 version 1903, Windows Server version 1903, Windows 10 version 1909, and Windows Server version 1909 that was released on September 16, 2020. It contains reliability improvements in .NET Framework 3.5 and 4.8. Here is an overview of the improvements:

  • Windows Communication Foundation (WCF): Addressed an issue with WCF services sometimes failing to start when starting multiple services concurrently.
  • Winforms:
    – Addressed a regression introduced in .NET Framework 4.8, where Control.AccessibleName, Control.AccessibleRole, and Control.AccessibleDescription properties stopped working for the following controls: Label, GroupBox, ToolStrip, ToolStripItems, StatusStrip, StatusStripItems, PropertyGrid, ProgressBar, ComboBox, MenuStrip, MenuItems, DataGridView.
    – Addressed a regression in accessible name for combo box items for data bound combo boxes. .NET Framework 4.8 started using type name instead of the value of the DisplayMember property as an accessible name, this improvement uses the DisplayMember again.
  • ASP.NET:
    – Disabled reuse of AppPathModifier in ASP.Net control output.
    – HttpCookie objects in the ASP.Net request context will be created with configured defaults for cookie flags instead of .NET-style primitive defaults to match the behavior of `new HttpCookie(name)`.
  • SQL: Addressed a failure that sometimes occurred when a user connected to one Azure SQL database, performed an enclave-based operation, and then connected to another database under the same server that has the same Attestation URL and performed an enclave operation on the second server.
  • Common Language Runtime (CLR):
    – Added a CLR config variable Thread_AssignCpuGroups (1 by default) that can be set to 0 to disable automatic CPU group assignment done by the CLR for new threads created by Thread.Start() and thread pool threads, such that an app may do its own thread-spreading.
    – Addressed a rare data corruption that can occur when using new APIs such as Unsafe.ByteOffset<T>, which are often used with the new Span types. The corruption could occur when a GC operation is performed while a thread is calling Unsafe.ByteOffset<T> from inside of a loop.
    – Addressed an issue regarding timers with very long due times ticking down much sooner than expected when the AppContext switch “Switch.System.Threading.UseNetCoreTimer” is enabled.

The update is provided via Windows Update and the Microsoft Update Catalog, but not via WSUS. We recommend that you apply this update as part of your regular maintenance routines. To apply this update, you must have .NET Framework 3.5 or 4.8 installed. The computer must restart after applying this update if affected files are in use. Microsoft recommends that you exit any .NET Framework-based applications before installing this update.

KB4577324: .NET Framework 3.5, 4.7.2 and 4.8 for Windows 10 Version 1809

Cumulative update KB4577324 is a preview of .NET Framework 3.5, 4.7.2 and 4.8 for Windows 10 version 1809 and Windows Server, version 2019. Details about the content for this update can be found in the following support articles:

  • 4576949 Description of the Cumulative Update Preview for .NET Framework 3.5 and 4.7.2 for Windows 10, version 1809 and Windows Server, version 2019 (KB4576949)
  • 4576946 Description of the Cumulative Update Preview for .NET Framework 3.5 and 4.8 for Windows 10, version 1809 and Windows Server, version 2019 (KB4576946)

The update is provided via Windows Update and the Microsoft Update Catalog, but not via WSUS.

KB4576946: .NET Framework 3.5 and 4.8 for Windows 10 Version 1809

Cumulative update KB4576946 is a preview of .NET Framework 3.5 and 4.8 for Windows 10 version 1809 and Windows Server version 2019. It contains reliability improvements in .NET Framework 3.5 and 4.8, which are already described above for the preview update KB4576947. The update is provided through Windows Update and the Microsoft Update Catalog, but not through WSUS. Details can be found in the linked KB article.

Similar articles
Microsoft Office Patchday (September 1, 2020)
Microsoft Security Update Summary (September 1, 2020)
Patchday: Windows 10-Updates (September 8, 2020)
Patchday: Windows 8.1/Server 2012-Updates (September 8, 2020)
Patchday: Updates für Windows 7/Server 2008 R2 (September 8, 2020)
Patchday Microsoft Office Updates (September 8, 2020)
Windows 10 V1809/190x: Preview Updates (September 16, 2020)

Internet Explorer now flags the end of Adobe Flash support

The time has come: Microsoft has integrated a notification bar into Internet Explorer in Windows 10 that indicates the end of Flash support when users visit pages with Flash content.

Flash support will end in 2020

Most blog readers should be familiar with the facts. Already in the summer of 2017, Adobe, together with Apple, Facebook, Google, Microsoft and Mozilla, announced the end of life for Flash and the end of Adobe Flash support. The end of support for the Adobe Flash Player has been announced for the end of 2020 (see my blog post Adobe Flash: End-of-Live date again announced). Then there will be no more security updates for Flash and the Adobe Flash Player will no longer be available for download.

Flash in Microsoft browsers in Windows

Microsoft has integrated the Adobe Flash Player in both Windows 8.1 and Windows 10. The Flash Player can thus be used in Microsoft Edge and Internet Explorer browsers. As a user, there is no way to uninstall the Adobe Flash Player to get rid of this security risk. But Microsoft provides security updates for the Flash players in Windows 8.1 and Windows 10.

Support until the end

Microsoft wants to support the Flash Player until the end (see Microsoft: Flash Player will be removable in autumn, support will end in 2021), but some time ago began taking steps to restrict and remove the Flash Player.

  • In 2017 and 2018 Microsoft Edge asked the user whether to display Flash content in the browser, and Flash has been updated so far. 
  • Since 2019, Flash is deactivated by default in Microsoft Edge and Internet Explorer. However, the user can activate Flash in both browsers. Then Microsoft Edge asks at each session whether Flash content of a site should be executed.
  • From late 2020, the ability to run Adobe Flash in Microsoft Edge and Internet Explorer will be removed in all supported versions of Microsoft Windows.
  • After December 2020, Microsoft will no longer provide a “Security Update for Adobe Flash Player” for Microsoft Edge Legacy and Internet Explorer 11.
  • Starting in January 2021, Adobe Flash Player will be disabled by default and all versions older than KB4561600 (released in June 2020) will be blocked.
  • Downloadable resources related to Adobe Flash Player hosted on Microsoft websites will no longer be available.

In summer 2021, all APIs, Group Policy, and user interfaces that specifically govern the behavior of Adobe Flash Player will be removed from Microsoft Edge (legacy) and Internet Explorer 11. This will be done via the latest “Cumulative Update” on Windows 10 platforms and via “Cumulative Update for Internet Explorer 11” or “Monthly Rollup” on Windows 8.1, Windows Server 2012 and Windows Embedded 8 Standard. The “Update to remove Adobe Flash Player” will also be included as part of the “Cumulative Update” and “Monthly Rollup” from this point on. I had discussed this in the blog post Microsoft: Flash Player will be removable in autumn, support will end in 2021.  

Notification bar about End of Flash in Internet Explorer

On September 16, 2020, Microsoft released the preview updates KB4577062 for Windows 10 version 190x and KB4577069 for Windows 10 version 1809. Both preview updates list the following item:

Adds a notification to Internet Explorer 11 that informs users about the end of support for Adobe Flash in December 2020. For more information, see KB4581051.

As soon as one of these updates is installed on the mentioned Windows 10 versions, Internet Explorer 11 can display a notification about the expiration of Flash support. This notification bar informs users visiting websites with Flash content that support for Adobe Flash Player will end on December 31, 2020, as shown in the screenshot below (I no longer have a Windows 10 version 1809 or 190x machine to test, the screenshot is from the colleagues at Bleeping Computer).

(Flash warning in Internet Explorer 11, Source: Bleeping Computer)

Disabling the warning

Enterprise customers who want to disable this notification bar in Internet Explorer 11 can do so by opening the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main

There the 32-bit DWORD value DisableFlashNotificationPolicy must be set to 1.
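
One way to apply and verify this setting from PowerShell, as an added example that is not part of the original post: it reads the current state, writes the value only when needed, and reports the result so the change can be audited across machines. The function name Set-FlashNotificationPolicy is hypothetical, and the script assumes an elevated session because it writes under HKLM.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell session.
function Set-FlashNotificationPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Key and value name as given in the article.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
    $name = 'DisableFlashNotificationPolicy'

    # Helper: return the current value and its registry type, or nulls if absent.
    $readState = {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if ($item -and ($item.GetValueNames() -contains $name)) {
            [pscustomobject]@{ Value = $item.GetValue($name); Kind = $item.GetValueKind($name) }
        } else {
            [pscustomobject]@{ Value = $null; Kind = $null }
        }
    }

    $before    = & $readState
    $compliant = ($before.Value -eq 1) -and ($before.Kind -eq 'DWord')

    # Write only when the value is missing, wrong, or stored with the wrong type.
    if (-not $compliant -and $PSCmdlet.ShouldProcess("$key\$name", 'Set DWORD to 1')) {
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # -Force replaces an existing value, including one of a different type.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }

    $after = & $readState
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Before    = $before.Value
        After     = $after.Value
        Kind      = $after.Kind
        Compliant = ($after.Value -eq 1) -and ($after.Kind -eq 'DWord')
    }
}

# Preview the change without writing, then apply it.
Set-FlashNotificationPolicy -WhatIf
Set-FlashNotificationPolicy
```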

Similar articles:
Firefox 84 comes without Adobe Flash
Fake News: Flash is dead? Now it’s fading out is planned 2020
Adobe Flash: End-of-Live date again announced
Microsoft: Flash Player will be removable in autumn, support will end in 2021

0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2

ACROS Security has released a micropatch for the vulnerability CVE-2020-1472 (Zerologon) for Windows Server 2008 R2. Microsoft only closes this vulnerability starting with Windows Server 2012 R2.

The vulnerability CVE-2020-1472 (Zerologon)

CVE-2020-1472 was issued for an elevation of privilege vulnerability in Windows. The vulnerability could allow a domain controller to be taken over. Microsoft writes about this:

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.

To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

Microsoft fixes the vulnerability in a staggered two-part rollout. Updates from August 11, 2020 fix the vulnerability by changing the way Netlogon handles the use of secure Netlogon channels (see this Microsoft article). However, only updates for Windows Server 2012 / R2 and Windows Server 2016/2019 have been released. 

Guidelines on how to manage the changes required by this vulnerability and more information on how to implement it step-by-step can be found in How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472. I also reported on the blog (see links at the end of the article).

0patch fix for Windows Server 2008 R2

ACROS Security has developed a micropatch for the vulnerability CVE-2020-1472. I became aware of the release of the micropatch for Windows Server 2008 R2 via Twitter. The ACROS Security blog post here contains more information. 

(0patch fix for CVE-2020-1472)

This micropatch is now available for 0patch users with PRO license and is already applied to all online computers with 0patch Agent (except in non-standard enterprise configurations). As always, there is no need to restart the computer and users’ work is not interrupted.

For information on how the 0patch Agent works, which loads the micro-patches into memory at runtime of an application, please refer to the blog posts (e.g. here) I have linked below.  

Similar articles:
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2

Windows Server: Zerologon vulnerability (CVE-2020-1472) allows domain hijacking
Windows Domain Controller suddenly generate EventID 5829 warnings (August 11, 2020)

Windows 10 2004: Microsoft confirms BSODs on ThinkPads caused by Updates

Users of Lenovo ThinkPads with Windows 10 version 2004 and the Lenovo Vantage software have been plagued since August 2020 by blue screens (error SYSTEM_THREAD_EXCEPTION_NOT_HANDLED in ldiagio.sys) caused by updates. Now Microsoft has confirmed the issue.

Short review: BSODs on Lenovo ThinkPad

I had pointed out the problem in early September 2020 in the blog post August 2020 update causes BSODs on ThinkPads – Upgrade suspended on LTE systems. The August 2020 cumulative update KB4566782 for Windows 10 version 2004 caused problems. In the Lenovo Forum there is a post Win10 2004 KB4566782 breaks Intel ME, causes Vantage BSoD from August 24, 2020 which reports nasty problems with the August 2020 update KB4566782 for Windows 10 version 2004 machines.

Launching Lenovo Vantage results in a BSoD within a few seconds after the loading animation completes.  This is 100% reproducible.  The BSoD is always “SYSTEM_THREAD_EXCEPTION_NOT_HANDLED”, and most of the time, it implicates ldiagio.sys.

Lenovo gives the advice to uninstall the update KB4566782. 

Confirmation by Microsoft

Through this tweet, I became aware of the latest support post from Microsoft titled Stop error on Lenovo ThinkPad that has KB4568831 or a later update and Enhanced Windows Biometric Security enabled in UEFI. In this document Microsoft confirms a problem with Lenovo ThinkPad systems running Windows 10 version 2004.

ThinkPad devices running Windows 10 version 2004 that have received the July 31, 2020 preview update KB4568831 or a later update are throwing blue screens. For the error to occur, the device must also have Enhanced Windows Biometric Security enabled in the UEFI and use the Lenovo Vantage software. The result is the stop error “SYSTEM_THREAD_EXCEPTION_NOT_HANDLED” (“0xc000000005 Access Denied”), caused by ldiagio.sys.

The reason is that under certain conditions the mentioned updates restrict the possibilities of how processes can access the PCI device configuration space (Peripheral Component Interconnect). Processes that need to access the PCI device configuration space must now use officially supported mechanisms.

Enabling the Enhanced Windows Biometric Security option in the UEFI of Lenovo ThinkPad devices manufactured in 2019 or 2020 should meet the conditions. When running Lenovo Vantage software, some versions may attempt to access the configuration space of PCI devices in an unsupported manner. This will trigger the BlueScreen. The solution that Microsoft suggests is to disable Enhanced Windows Biometric Security in the device UEFI configuration (in the Security > Virtualization section).


Microsoft Defender: Download Feature removed …

That was only a very short guest appearance. Microsoft had added a ‘cool’ download feature to its Defender, but security experts weren’t amused. All of a sudden the download feature is gone again …

Defender Download-Feature, that’s what we are talking about

For those blog readers who have not followed it closely, a few short sentences. Microsoft had given Defender a way to download arbitrary files. You can use the command:

"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -DownloadFile -url <url> -path <local-path>

as administrator to download any file with Windows Defender. Microsoft had described the whole thing in this support article in mid-August 2020.

However, this download feature caused more headaches than enthusiasm among security experts. It gives malware authors a convenient way to download their malicious code. In early September 2020, I addressed the issue in the blog post Security concerns about Microsoft Defender download feature.

It’s gone again …

I just read at Bleeping Computer that Microsoft has removed this feature in the Antimalware Client Version 4.18.2009.2-0 just released.  The help does not show the command anymore and when using the option an error is reported. No idea what caused the developers to take this step.
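
A detection sketch for the concern described above, added here and not part of the original post or of Microsoft's tooling: it flags process-creation command lines that invoke MpCmdRun.exe with -DownloadFile, extracts the URL and target path, and notes whether the platform version in the binary path predates 4.18.2009.2. The function name Find-MpCmdRunDownload, the sample command lines and the example.test URLs are constructed for illustration.

```powershell
# Added example (not from the original post).
# Platform version in which, per the article, the download option was removed.
$RemovedIn = [version]'4.18.2009.2'

function Find-MpCmdRunDownload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$CommandLine
    )
    process {
        # Both the binary name and the -DownloadFile switch must be present (case-insensitive).
        if ($CommandLine -notmatch '(?i)\bMpCmdRun(\.exe)?\b') { return }
        if ($CommandLine -notmatch '(?i)\s-DownloadFile\b')    { return }

        $url = $null; $path = $null; $platform = $null; $featureExpected = $null

        # Arguments may be quoted (values with spaces) or bare.
        if ($CommandLine -match '(?i)\s-url\s+(?:"([^"]+)"|(\S+))') {
            $url = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        }
        if ($CommandLine -match '(?i)\s-path\s+(?:"([^"]+)"|(\S+))') {
            $path = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        }

        # The platform directory name carries the client version, e.g. ...\Platform\4.18.2008.9-0\
        if ($CommandLine -match '(?i)\\Platform\\(\d+(?:\.\d+){3})-\d+\\') {
            $platform = [version]$Matches[1]
            # Older platform versions still accept -DownloadFile; newer ones report an error.
            $featureExpected = $platform -lt $RemovedIn
        }

        [pscustomobject]@{
            Url             = $url
            Path            = $path
            PlatformVersion = $platform
            FeatureExpected = $featureExpected   # $null when the version is not in the command line
            CommandLine     = $CommandLine
        }
    }
}

# Constructed sample command lines, as they would appear in process-creation logs.
$sample = @(
    '"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -DownloadFile -url https://files.example.test/tool.bin -path C:\Users\Public\tool.bin'
    'mpcmdrun.exe -downloadfile -url "https://files.example.test/a b.dat" -path "C:\Temp\a b.dat"'
    '"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2009.2-0\MpCmdRun.exe" -Scan -ScanType 1'
    'C:\Windows\System32\cmd.exe /c dir'
)
$sample | Find-MpCmdRunDownload | Format-List Url, Path, PlatformVersion, FeatureExpected

# Against live data (assumes command-line auditing for event 4688 is enabled):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } |
#     ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data |
#         Where-Object Name -eq 'CommandLine' | ForEach-Object '#text' } |
#     Where-Object { $_ } | Find-MpCmdRunDownload
```

A hit with FeatureExpected set to False is still worth reviewing, since it shows that something on the host attempted the download even though the updated client rejects the option.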

Windows 10 20H2 released as final build in Release Preview Channel

Microsoft has started to distribute the feature update for Windows 10 20H2 as the ‘final build’ to Windows Insiders via the Release Preview Channel. The general release should follow in October 2020.

The information reached me as a comment from EP in the English-language blog (thanks for that). Microsoft has announced the whole thing in the Windows blog.

Windows 10 October 2020 Update (Version 20H2)

According to Microsoft, the Windows 10 version to be released in autumn 2020 will be named the ‘October 2020 Update’. Microsoft is moving away from the 2009 scheme and using the nomenclature 20H2, where 20 indicates the year of release (2020), while H2 is the second functional update of the year.

Update KB4571756 for Insider in Release Preview Channel

Microsoft describes Windows 10 version 20H2 as ready for release. Therefore the update KB4571756 for Windows Insider has been released in the Release Preview Channel. How to join the Insider program and the Release Preview Channel is described in the Windows blog.  

This update is the so-called Enablement Package. The update is only about 80 MB in size and enables the functions of the 20H2 (the code base is the same as the 20H1, also known as version 2004). Additionally, the Chromium Edge Browser from Microsoft is installed.

The update raises the OS version to build 19042.508 and Microsoft assumes that this is the final build for Windows 10 20H2. However, Microsoft will continue to improve Windows 10 version 20H2 through updates until it is released in the normal maintenance cycles. The colleagues from deskmodder.de have published an overview of the new features here

To get this update offered in the Release Preview Channel as a Windows Insider, you have to go to Windows Update in the settings page and let it search for updates (Settings > Update & Security > Windows Update). Then the Windows 10 version 20H2 should be offered as a (feature) update. You can download and install this update. If a system has been updated to the October 2020 update, it will still automatically receive new maintenance updates via Windows Update (as with the monthly update process).

Microsoft writes that they are starting to automatically release the October 2020 update to insiders who are in the beta channel. So people there don’t need to search for updates. For Windows insiders who had not decided to install the October 2020 update before, it will be offered automatically via Windows Update.

A known issue

However, the build now being rolled out contains a problem that has been known for a long time (also in older Windows 10 versions) and was caused by updates (see my blog post here). Windows Insiders who have installed build 19042.508 in the Beta and Release Preview channels run into problems with WSL 2. When the Windows Subsystem for Linux (WSL) is started, it terminates with the error “Element not found”.

Microsoft states that they worked with Insiders to identify the root cause of the problem and created a fix. This fix should be included in the next 20H2 servicing release soon. Further details can be found in the Windows blog.

Similar articles
Windows 10 20H2 Build 19042.508 (KB4571756) for Insider
Windows 10 V2004: Enablement-Update KB4562830 to 20H2
Windows 10 V2004: Microsoft started to add 20H2 features
Windows 10 20H2 will (probably) be a minor Update

Windows 10: Search shows US Election Info in non US countries…


[German] Microsoft is once again running an advertising campaign in Windows 10, this time a call to register for the US presidential election. A US election info suddenly pops up as an advertisement in the start menu during a Windows 10 search, and this advertisement is also shown in non-US countries. By the way, the search in Windows 10 is now done on the server side.

Search shows US Election Info in non US countries

Windows 10 as an operating system is simply broken and can no longer be taken seriously. If you are looking for something, you will see advertising in the start menu. So far so bad – you can hide it with the close button – but such a thing is annoying and has no place in an operating system (which wants to be taken seriously) and especially in the start menu. 

And the approach from Redmond has of course gone downhill. A Dutchman has now been shown election ads for the US presidency when searching the Windows 10 start menu, as he writes on reddit.com.

Windows 10 prompted me to register to vote

Why? My region is the Netherlands?? The only reason that I would be from the US is that I use the US – International keyboard… I’ve never set a foot in the US…

Sorry for this random message but I think it’s weird how politics are even a part of an operating system and I think it’s dumb that it’s advertised outside of the US.

Advertising in the Windows 10 start menu

The only ‘offence of the user’ was that he changed the keyboard to the US layout. The user asks why something like that appears in the start menu under Windows 10. The thread is already quite extensive, and other users confirm this advertisement for the US presidential election when searching the start menu.

Normally, the advertising is served on the basis of location detection. But if the user has switched that off, the US election advertising can also be shown in the start menu of a German Windows 10 when searching. The user here confirms this in the reddit.com thread, and other users from countries outside the USA claim to have received the advertisement as well. It also seems that only the guinea pigs on Windows 10 Home get to see this kind of ad; in Pro and Enterprise the ads seem to be missing.

As one user writes so nicely: Windows 10 shell experience has become adware. Those features can be pushed from Microsoft end. The user gives the advice to block this with O&O ShutUp10 or Open-Shell, Startisback, Start10. The only advice would be to switch to another operating system.

Windows search is executed server side

In the thread there is another interesting piece of information that I would like to pull out separately, because it has been on my scrap of paper for a long time. Blog reader Karl had pointed out to me some time ago that the search in the Windows 10 start menu is now done on the server side. I even had the information that this had been discussed in the Feedback Hub under #20127 ‘Search server-side change’. Since the Feedback Hub app is quite broken in my eyes, I tried to search for it only now, but couldn’t find this info. But user cocks2012 confirms this on reddit.com:

Windows 10 search window is a web view. These changes are pushed server side. If you got web results turned on for search, then you will see it.

You should keep this in mind for two reasons. Reason 1: If you have a broken start menu search again, forget all the tips on how to fix something on your local Windows 10. The Redmond crackers will have to go and fix it on their servers. This has happened in the past (see here). Reason 2: What do we think about the fact that every search query is evaluated by Microsoft on the server side? I’m not sure if the GDPR allows something like that.

CISA Warning: Patch your Windows Servers against CVE-2020-1472 (Zerologon)


[German] The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency order giving U.S. government agencies a four-day deadline to implement a Windows Server patch against the Zerologon vulnerability (CVE-2020-1472).

Zerologon vulnerability (CVE-2020-1472)

The background to the CISA statement is the knowledge that the Zerologon vulnerability (CVE-2020-1472) allows Active Directory Domain Controllers (DC) to be taken over and that there is a publicly available exploit for the vulnerability. CVE-2020-1472 is a privilege escalation vulnerability that is made possible by the insecure use of AES-CFB8 encryption for Netlogon sessions. See also my blog post Windows Server: Zerologon vulnerability (CVE-2020-1472) allows domain hijacking. CISA writes about it:

CISA has determined that this vulnerability poses an unacceptable risk to the Federal Civilian Executive Branch and requires an immediate and emergency action. This determination is based on the following:

  • the availability of the exploit code in the wild increasing likelihood of any unpatched domain controller being exploited;
  • the widespread presence of the affected domain controllers across the federal enterprise;
  • the high potential for a compromise of agency information systems;
  • the grave impact of a successful compromise; and
  • the continued presence of the vulnerability more than 30 days since the update was released.

CISA requires agencies to immediately apply the Windows Server August 2020 security update to all domain controllers.

This is a clear directive: CISA sees an acute danger that U.S. federal government systems will be attacked and taken over. Administrators in German-speaking countries should therefore also take action if domain controllers based on Windows Server have not yet been secured in this regard.

Microsoft patch available since August 2020

Microsoft is closing the vulnerability in two stages, as can be read in the support article KB4557222. The security update of August 11, 2020 (see link list at the end of the article) initiated the first stage of protection, so protection is possible for the supported Windows Server variants. For Windows Server 2008 R2, however, the patch is only available to customers who have purchased the Microsoft ESU program for a fee (which is virtually impossible without a volume license agreement). If you didn’t get a patch for Windows Server 2008 R2, I refer you to the alternative solution from 0patch (see 0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2). (via)
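After the first-stage update is installed, domain controllers log Netlogon events in the System log whenever a device still uses a vulnerable secure channel connection; IDs 5827 and 5829 appear in the linked articles below. The following PowerShell sketch is an added example, not code from the article or from Microsoft. It assumes the ActiveDirectory module is available, a 30-day look-back window, and that the event message contains a "Machine SamAccountName:" line; the function name is hypothetical.

```powershell
# Added example: list devices that still make vulnerable Netlogon connections.
# Requires the ActiveDirectory module (RSAT) and read access to each DC's System log.
Import-Module ActiveDirectory

# Netlogon event IDs introduced with the CVE-2020-1472 update:
#   5827/5828 = vulnerable connection denied (machine / trust account)
#   5829      = vulnerable connection allowed (first stage, not yet enforced)
#   5830/5831 = vulnerable connection allowed by Group Policy exception
$NetlogonIds = 5827, 5828, 5829, 5830, 5831
$Since       = (Get-Date).AddDays(-30)   # assumed look-back window

function Get-NetlogonSecureChannelEvent {   # hypothetical helper name
    param([string[]]$DomainController, [int[]]$Id, [datetime]$StartTime)
    foreach ($dc in $DomainController) {
        $filter = @{ LogName = 'System'; Id = $Id; StartTime = $StartTime }
        try {
            $found = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # "No matching events" is the good case; report everything else.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "${dc}: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($e in ($found | Where-Object ProviderName -eq 'NETLOGON')) {
            # Assumption: machine-account events carry this line; trust events may not.
            $account = '(unparsed)'
            if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') { $account = $Matches[1] }
            [pscustomobject]@{ DC = $dc; EventId = $e.Id; Account = $account; Time = $e.TimeCreated }
        }
    }
}

$dcs    = (Get-ADDomainController -Filter *).HostName
$events = Get-NetlogonSecureChannelEvent -DomainController $dcs -Id $NetlogonIds -StartTime $Since

# One row per account and event ID, most frequent first.
$events | Group-Object Account, EventId | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Accounts that show up with event 5829 are the ones to update or replace before the second stage enforces secure connections.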

Similar articles:
Patchday: Windows 10-Updates (August 11, 2020)
Patchday: Windows 8.1/Server 2012-Updates (August 11, 2020)
Patchday: Updates for Windows 7/Server 2008 R2 (August 11, 2020)
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
Windows Domain Controller suddenly generate EventID 5829 warnings (August 11, 2020)
Windows Server: Zerologon vulnerability (CVE-2020-1472) allows domain hijacking
Windows 10 V1607: Update KB4571694 creates ID 5827 events, bricks MMC

Windows: Edge Update KB4559309 replaced with KB4576754, fixes performance issues


[German] Microsoft has replaced the update KB4559309 for the new Edge browser, released in June 2020, with the new update KB4576754. The background was probably slow-starting Windows 10 systems after applying the update KB4559309, but this was not documented in the support article.

Update KB4559309 from June 2020 slows down systems

Update KB4559309 is used to update the old Edge browser to the new Chromium-based version and has been rolled out since June 2020 for Windows 10 versions 1803, 1809, 1903, 1909 and 2004 (Home and Pro Edition). I had reported within the blog post Windows 10: Chromium Edge are rolled out to user about this update.

Note: This update is not intended for Windows 10 Enterprise or Windows 10 Pro systems in enterprise environments with WSUS or Active Directory. Users in enterprise environments are therefore not affected by the problems outlined here.

The problem with this update is that installing it can cause collateral damage to Windows 10 systems. I had pointed this out in the blog post Edge Update KB4559309 may slow down Windows 10. Some users noticed after installing the update that the Windows 10 systems booted very slowly. A community moderator at Microsoft Answers then confirmed that the Microsoft Edge development team is investigating the whole thing.

New Edge Update KB4576754

As of August 31, 2020, Microsoft had already released the update KB4576754 for the upgrade to the new Chromium Edge browser. This update is also available for Windows 10 versions 1809, 1903, 1909 and 2004 in the consumer area (but not for enterprise environments). I had already reported about the update in the blog post Windows 10 Version 2004: Update KB4576754. Microsoft writes within the KB article:

This update replaces previously released updates KB4541301, KB4541302 and KB4559309.

I noticed that, but I didn’t notice anything else from the description of the fixes. The new update KB4576754 should also fix the problem with the slow startup of some Windows 10 systems, as Windows Latest reports. Maybe it will help the people who are affected by this problem.
