Windows Server Insider Preview Build 16237 available
Tool FolderSecurityViewer Version 1.7.0 available
Just a short note: Folder Security Viewer is a viewer and reporter for NTFS permissions in domains and Active Directory environments. The tool is now available in version 1.7.0.
FolderSecurityViewer (FSV) is an easy-to-use NTFS permissions reporter to get all effective security owners of your data in Active Directory and domain controller environments.
The tool has been developed for a while by G-TAC Software. Version 1.7.0 is now available and provides the following reports:
- Permissions Report (former Trustee Report)
- Folder Report
- Owner Report
Permissions Report offers the ability to store and reload reports within a local database or on a central MS-SQL server. Within a local database (located in %APPDATA%), values may be encrypted. Stored reports may be reloaded or deleted, and it’s possible to add descriptions to reports.
Folder Report delivers all information about the content of a folder and its sub-folders. It returns all sub-folders, their owners, the size of folders (including sub-folders), the number of files etc.
Owner Report contains the owner of folders – it’s possible to select a folder and select a user within AD Users & Groups. The report lists all folders of which the selected user is the owner.
It’s possible to view all reports within a central tab, or to list all reports for a given folder. Stored reports may be compared against each other and the consolidated result may be exported. Version 1.7.0 also offers context menu entries to open folders from Folder Security Viewer (FSV) within Windows Explorer or to view folder properties. The path may be copied to the clipboard, and it’s possible to open a command line window from the context menu. Updates may be loaded within FSV, and exports are now possible as XLS, CSV or HTML files. The tool site of FolderSecurityViewer contains further details and also offers a free trial download. I guess this tool may be helpful for admins in AD domains.
Windows Server: an Update causes iSCSI connection issues
It seems that an update is causing iSCSI connection issues on Windows (Server) systems, producing event entries with ID 4231. In some cases, this error causes a server to stall.
Stefan F., a reader of my German blog, sent me an e-mail notifying me about an issue he ran into. He wrote:
… if an iSCSI connection stands at “try to connect”, the server refuses any connection after a while. Microsoft has confirmed that a fix isn’t available and will take time. Also some of my colleagues are struggling with this error.
Stefan tried to connect iSCSI devices under Windows Server, but this connection stalls multiple times a day. And it seems that this isn’t a single observation. Microsoft is also aware of this issue, because they noted for Update KB4025336, for instance:
If an iSCSI target becomes unavailable, attempts to reconnect will cause a leak. Initiating a new connection to an available target will work as expected. Microsoft is working on a resolution and will provide an update in an upcoming release.
More error details
Stefan pointed me to this Technet forum post, dealing with Ephemeral port exhaustion – Event ID 4231. A user describes the error causing an event with ID 4231 on Windows Server 2012 R2.
“A request to allocate an ephemeral port number from the global TCP port space has failed due to all such ports being in use.”
The user reported that Veeam Backup failed to work because the device couldn’t be reached. Printers also didn’t work due to a connection failure on Windows Server 2012 R2, and RDP sessions to the Windows Server weren’t possible. Rebooting the server solves the issue for a couple of hours.
Emmanuel Paré mentioned within this thread the reason for this issue: When the server tries to reconnect it will use ephemeral ports to try to reconnect (multiple times) until it uses all ports. The issue was discovered in our lab and we are holding the patch for production until Microsoft releases a fix.
Emmanuel Paré could reproduce this issue within labs. He mentioned that Microsoft is aware of the issue and is working on a fix. It seems that an ‘April 2017 update’ has caused this behavior.
Waiting for a Fix and a nasty workaround
Dave Hallwas mentioned within the Technet forum that Microsoft is working on a fix, but won’t release it before the July Update Preview (3rd week of July). He also mentioned a ‘workaround’: uninstalling all cumulative updates and rollup updates back to March 2017.
Dave wrote that, for his Windows Server 2016 cluster, he identified Update KB4022715 as the issue. But uninstalling this update causes a blue screen. So we have to wait for a fix released by Microsoft.
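A triage check for the condition described above, as an added example that is not part of the original post: it counts Event ID 4231 entries, compares visible ephemeral port usage with the configured dynamic range, and reports which of the KBs named on this page are installed. The function name, the 7-day window and the 80 % threshold are assumptions.

```powershell
# Added example, not from the original post. The event ID and KB numbers are
# the ones named on this page. Run elevated on Windows Server 2012 R2 or later.

function Get-EphemeralPortStatus {
    [CmdletBinding()]
    param(
        [int]$Days = 7,          # assumed look-back window for Event ID 4231
        [int]$WarnPercent = 80   # assumed alert threshold, tune locally
    )

    # 1. Dynamic (ephemeral) TCP port range configured on this host.
    $setting = Get-NetTCPSetting |
        Where-Object { $_.DynamicPortRangeNumberOfPorts -gt 0 } |
        Select-Object -First 1
    if (-not $setting) { throw 'Could not read the dynamic TCP port range.' }
    $start = [int]$setting.DynamicPortRangeStartPort
    $count = [int]$setting.DynamicPortRangeNumberOfPorts
    $end   = $start + $count - 1

    # 2. Ports in that range which the TCP stack currently reports.
    #    The KB4025335 notes on this page say leaked loopback ports do not
    #    appear in NETSTAT, so treat this number as a lower bound.
    $used = @(Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -ge $start -and $_.LocalPort -le $end } |
        Select-Object -ExpandProperty LocalPort |
        Sort-Object -Unique)

    # 3. Exhaustion events. Get-WinEvent raises an error when nothing matches,
    #    hence SilentlyContinue; results arrive newest first.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'System'
            Id        = 4231
            StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue)

    # 4. Updates named on this page. A later rollup can supersede these, so a
    #    missing fix KB is a prompt to check the patch level, not proof.
    $fixKb   = 'KB4025335', 'KB4025334'
    $namedKb = 'KB4015550', 'KB4015217', 'KB4022715', 'KB4025336', 'KB4025339'
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID)

    $percent = [math]::Round(100 * $used.Count / $count, 1)
    $lastEvent = $null
    if ($events.Count -gt 0) { $lastEvent = $events[0].TimeCreated }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        DynamicRange      = "$start-$end"
        VisiblePortsInUse = $used.Count
        PercentInUse      = $percent
        Event4231Count    = $events.Count
        LastEvent4231     = $lastEvent
        NamedKbInstalled  = @($namedKb | Where-Object { $installed -contains $_ })
        FixKbInstalled    = @($fixKb   | Where-Object { $installed -contains $_ })
        NeedsAttention    = ($events.Count -gt 0) -or ($percent -ge $WarnPercent)
    }
}

Get-EphemeralPortStatus | Format-List
```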
Windows 10: DVD drive is missing after upgrade
Some users are missing their optical drives (DVD, CD) after upgrading from Windows 7/8.1 to Windows 10, or after a feature update. Here are some details on how to fix it.
Check device manager
Fire up Device Manager (press Windows+X and select the Device Manager entry) and check whether the DVD drive is available.
Double-click the device entry and check on the General property page whether driver errors are reported. If error code 19 is reported, use the following steps to delete the upper/lower filters:
- Launch Regedit.exe with admin rights
- Navigate to registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}
- Delete the values LowerFilters and UpperFilters, if present
Restart and check, if the optical drives are back.
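The filter cleanup above as a script, added here as an example that is not part of the original post: it first lists which filter drivers are registered for the CD/DVD class (useful for spotting leftovers from burning or anti-virus software), exports the key as a backup, and only then removes the two values. The function names and the backup path are assumptions.

```powershell
# Added example, not from the original post. Run in an elevated session.
# The class key is the one given in the steps above.
$ClassSubKey = 'SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}'
$ClassPath   = "HKLM:\$ClassSubKey"
$FilterNames = 'UpperFilters', 'LowerFilters'

function Get-OpticalClassFilter {
    # List every driver named in UpperFilters/LowerFilters and whether a
    # matching service key still exists for it.
    $props = Get-ItemProperty -LiteralPath $ClassPath
    foreach ($name in $FilterNames) {
        foreach ($driver in @($props.$name | Where-Object { $_ })) {
            $svc = Get-ItemProperty -ErrorAction SilentlyContinue `
                -LiteralPath "HKLM:\SYSTEM\CurrentControlSet\Services\$driver"
            [pscustomobject]@{
                Value          = $name
                Driver         = $driver
                ServicePresent = [bool]$svc
                ImagePath      = $svc.ImagePath
            }
        }
    }
}

function Remove-OpticalClassFilter {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Assumed backup location; the export can be re-imported with reg.exe import.
        [string]$BackupFile = "$env:TEMP\cdrom-class-filters.reg"
    )

    # Back up the whole class key before touching it.
    & reg.exe export "HKLM\$ClassSubKey" $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupFile failed, nothing changed." }

    $props = Get-ItemProperty -LiteralPath $ClassPath
    foreach ($name in $FilterNames) {
        if ($null -eq $props.$name) { continue }   # value not present
        if ($PSCmdlet.ShouldProcess("$ClassPath\$name", 'Remove registry value')) {
            Remove-ItemProperty -LiteralPath $ClassPath -Name $name
        }
    }
    "Backup written to $BackupFile. Restart to re-enumerate the drive."
}

# Review first, then dry-run; drop -WhatIf to apply.
Get-OpticalClassFilter | Format-Table -AutoSize
Remove-OpticalClassFilter -WhatIf
```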
TSSTcorp CDDVDW SH-222AB ATA drive
If that drive hasn’t been recognized (see this MS Answers post), try:
1. Launch device manager, search the optical drive entry and double click this item.
2. Uninstall the driver for this device and reboot Windows
In some cases, the drive will be recognized and installed.
SATA controller isn’t supported
Modern boards use SATA controllers to connect an optical drive. A SATA drive is connected using the small cable shown below.
In some cases I’ve seen SATA driver errors after an upgrade to Windows 10. So check in Device Manager whether the SATA controller reports a driver error.
On some systems the DVD drive will be reported as working in Device Manager, but is not available in Windows Explorer. My suggestion: Check for updated chipset drivers and a BIOS update. I’ve seen a case where the 1st disk drive needed to be set as boot drive in BIOS to detect optical drives.
Tip#1: Many mainboards use several distinct SATA controllers. So it may help to connect the SATA cable for the optical DVD drive to another SATA port.
Tip#2: Updating chipset drivers may also cure this issue. Some users report a missing AHCI driver as a root cause.
“Most of the time, if a drive is not detected properly, depending on your chipset, it helps to install the Intel Matrix Storage Manager / Intel Rapid Storage or the RAID drivers for AMD chipsets.”
ATAPI drive isn’t detected
Older computers use PATA ports to connect ATAPI DVD drives. Here is a PATA cable to connect such a drive.
In this case fire up regedit.exe with administrative privileges and search for the key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\atapi\Controller0
Set the DWORD value EnumDevice1 to 1 and reboot. In some cases the optical drive will be recognized.
Software blocks drive
I found several forum entries where Toshiba devices had been shipped with the Disc Creator tool and Recovery Media Creator. Both programs block optical drive detection. After installing this software and rebooting, the DVD drive was detected.
Sophos anti-virus software has also been mentioned. Older versions install filter drivers that block optical drive detection in Windows Explorer.
Windows 8.1 Preview Rollup Update KB4025335
On July 18, 2017, Microsoft released Preview Rollup Update KB4025335 for Windows 8.1 and Windows Server 2012 R2. This update addresses the iSCSI bug I mentioned a few days ago.
Windows 8.1 Update KB4025335
Update KB4025335 is a preview of the Monthly Rollup for Windows 8.1 and Windows Server 2012 R2 (July 18, 2017). It’s a non-security update and contains all improvements and fixes from KB4025336 (July 11, 2017). This update preview also addresses quality improvements planned for the August 2017 Monthly Rollup Update. Update KB4025335 fixes the iSCSI bug I mentioned within my blog post Windows Server: an Update causes iSCSI connection issues. Here is a list of all fixes.
- Addressed issue with a port and thread leak that can cause a broad array of symptoms including unresponsive systems and iSCSI target connection failures. This occurs after installing monthly updates released between April 11, 2017 (KB4015550) through July 11, 2017 (KB4025336). This issue was called out as known issue in the corresponding release notes for these releases.
- Addressed issue where LSASS.EXE encounters a deadlock and the server must be rebooted.
- Addressed issue where the Remote Desktop idle timeout warning did not appear after setting the idle time.
- Addressed issue with MSiSCSI where the system process has a very high number of threads or the server runs out of ephemeral ports. This causes the system to stop responding or throw an error.
- Addressed issue where when a failover cluster fails over from one server to another, a clustered IP address resource does not come online and causes the failover to stop functioning.
- Addressed issue where a DNS server may crash after the import of the DSSet file when configuring secure, delegated child zones.
- Addressed issue where Windows Server 2012 R2 servers might throw error 0x19 if the system has numerous iSCSI connections.
- Addressed issue where if there was an error on a storage controller, some paths could not fail over to other paths. Instead, access to the disk was completely lost.
- Addressed issue to prevent user logon delays when processes that have registered top-level windows fail to respond to BroadcastSystemMessages sent by the Group Policy Preference client-side extensions.
- Addressed issue where Windows Server 2012R2 throws error “STOP 0XCA (Duplicate PDO)” when redirecting certain USB devices using RemoteFX. To fix this, do the following:
  - Go to the registry location SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations.
  - Create a new DWORD value “fUniqueInstanceID”.
  - Set the value to “1”.
  - Reboot after setting this registry.
- Addressed issue where enabling the policy “Display information about previous logons during user logon” prevents Remote Desktop Protocol providers from allowing logins with no user interaction.
- Addressed issue where the TsPubRPC service running in Svchost.exe experiences a memory leak when RemoteApp applications are configured with file type associations.
- Addressed issue where files and folders accumulate in the UvhdCleanupBin folder in Remote Desktop session hosts. These files are not deleted when a user logs off if the path limit is exceeded. In extreme cases, this issue can cause logon failures.
- Addressed issue where a Microsoft Enterprise CA cannot request that a Microsoft subordinate CA template be used for key encipherment. A single certificate can provide multiple usages like key encipherment and CRL signing.
- Addressed issue to allow NPS servers to accept certificates with multiple usages.
- Addressed issue where both transient and listener process TCP ports for the loopback sockets leak because of a leaked reference count. Such ports do not appear in NETSTAT.
- Addressed issue to enable logging to detect weak cryptography.
- Addressed issue with wireless network clients that disconnect from wireless access points after the EAPOL key retransmission timeout (5 minutes). This occurs because the M2 bit is incorrectly set during the four-way handshake.
- Addressed issue where a request to a website results in a 503 response when IIS runs in “Dynamic Site Activation (DSA) Mode”. This occurs when the default app pool identity is a specific user/password and a specific app pool’s identity is configured to use “ApplicationPoolIdentity”.
- Addressed issue where NetInfo_list may not contain all the network interfaces information. Additionally, the DNS client cannot use all the connected network interfaces while sending the query. This occurs when the host is running in low memory when the NetInfo_Build gets started.
- Addressed issue where if an interface is unavailable during the NetInfo_Build, the DNS client will not use that interface to send queries for the next 15 mins even if the interface comes back before 15 minutes.
- Addressed issue to implement a callback function to receive a notification when an interface comes back after an unavailable state. This callback prevents a host from going into the sleep state.
- Security updates to Windows kernel, ASP .NET, Internet Explorer, Windows Storage and File Systems, Windows Virtualization, Datacenter Networking, Windows Server, Windows shell, Microsoft NTFS, Microsoft PowerShell, Windows Kernel-Mode Drivers, and Microsoft Graphics Component.
Microsoft isn’t aware of any issue caused by this update. This optional update is distributed via Windows Update and may be downloaded via Microsoft Update Catalog. A list of files changed by this update may be found here as csv file.
Preview Rollup Update KB4025332 Windows Server 2012
Microsoft released Preview Rollup Update KB4025332 for Windows Server 2012 on July 18, 2017. This update addresses an NTFS bug causing stop error 0x24.
Update KB4025334 for Windows 10 Version 1607
On July 18, 2017, Microsoft released cumulative update KB4025334 for Windows 10 Version 1607 (Anniversary Update). Other Windows 10 builds did not receive updates.
Update KB4025334 is available for Windows 10 Version 1607 and Windows Server 2016 and changes build number to 14393.1532. The update addresses the following items.
- Addressed issue with a port and thread leak that can cause a broad array of symptoms including unresponsive systems and iSCSI target connection failures. This occurs after installing monthly updates released between April 11, 2017 (KB4015217) through July 11, 2017 (KB4025339). This issue was called out as known issue in the corresponding release notes for these updates.
- Addressed issue where faulty silicon in Solid-State Drives impacted the performance of the Microsoft Standard NVM Express Driver (stornvme).
- Addressed issue where the Windows NVDIMM driver will attempt to dismount any volumes on the device and transition into a read-only state when NVDIMM devices lose persistence.
- Addressed issue where WinRM reports an unnecessary error in the event log (ID 10119) after a clean OS installation.
- Addressed issue where when you use SCVMM to manage virtual servers, if any CSV is offline, SCVMM cannot enumerate or locate the CSVs on the clusters.
- Addressed issue where when you switch from a wired connection to a wireless connection, a file (.ppt, .xls, etc.) that is being edited gets marked as “Read-Only”.
- Addressed issue where when you enable deduplication on a volume larger than 10 TB, optimization may stop prematurely and never complete.
- Addressed issue where when you use folder redirection with only defined primary computers, folder redirection is enabled for all users on all machines.
- Addressed issue where you cannot add Work and School accounts in Windows Store and you may get an error that reads, “We encountered an error; please try signing in again later.”
- Addressed an issue where Windows Multipoint Server (WMS) 2016 does not allow you to configure per device licensing.
- Addressed issue in Windows Multipoint Server 2012 where DisplayToast() fails when using a custom shell.
- Addressed issue where File Explorer does not refresh changes automatically when using RemoteApps on Windows Server 2016.
- Addressed issue where I/O recursion caused Unified Write Filter to deadlock.
- Addressed issue where a BT LE device is not enumerated correctly, which throws an error in the Device Manager.
- Addresses issue where an LDAP search evaluating transitivity on a large number of objects uses an excessive amount of memory. An example of such a search is with a filter of memberof:1.2.840.113556.1.4.1941:=cn=GroupA,Ou=Accounts,DC=Contoso,DC=Com and a scope of subtree.
- Addressed issue where launching a published application using an application server system fails intermittently. Additionally, logonui.exe crashes during the process.
- Addressed a reliability issue where inserting into the IncomingDependencies list without acquiring LoaderLock resulted in an unresponsive system.
- Addressed issue where the “Removable Storage Access > Deny write access” policy was not honored.
- Addressed issue where a task’s repeat trigger stopped working after reboot.
- Addressed issue where users could not update spooler settings for an hour after restarting it.
- Addressed issue where the combination of Unified Write Filter and a legacy driver might cause Point-of-Sale devices to deadlock.
- Addressed issue where a LUN connection that was received after the buffer allocation during iSCSI statistic collection overflowed the buffer and caused error 0x19.
- Addressed issue where an MPIO path failure on a Hyper-V host might lead to complete loss of disk access.
- Addressed issue where a missing break statement might cause an MPIO LUN to be unexpectedly removed.
- Addressed issue where NTFS referenced an invalid parameter when using Task Scheduler, resulting in Stop Error 0x24.
- Addressed issue where the system would throw an error when attempting to mount a corrupt ReFS volume in Read-Only mode.
- Addressed performance issues in ReFS when backing up many terabytes of data.
- Addressed issue where a stuck thread in ReFS might cause memory corruption.
- Addressed issue where the health of S2D clusters was inconsistently reported.
- Addressed issue where frequent loading and unloading when Unified Write Filter is enabled might cause a system crash.
- Addressed issue where touch screen and fingerprint swiping stopped working when multiple users were logged in.
- Addressed issue where tasks launched for a service user with a stored password fail with ERROR_LOGON_FAILURE.
- Addressed issue by changing the handling of certificate replacement from a separate “remove” -> “add” calls to a single atomic “update” call.
The update is distributed via Windows Update and may be downloaded from Microsoft Update Catalog.
.NET-Framework Preview of the Quality Rollups July 2017
On July 18, 2017, Microsoft also released the July 2017 Preview Quality Rollups for the .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, and 4.7 for Windows 8.1, Windows Server 2012 R2 and Windows RT 8.1.
The Quality Rollups for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 for Windows 8.1 and Windows Server 2012 R2 are detailed here:
- 4024847 July 2017 Description of Preview of Quality Rollup for the .NET Framework 4.6, 4.6.1, 4.6.2, and 4.7 for Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1: July 18, 2017
- 4024843 July 2017 Description of Preview of Quality Rollup for the .NET Framework 4.5.2 for Windows 8.1 and Windows Server 2012 R2: July 18, 2017
- 4014598 May 2017 Description of the Quality Rollup for the .NET Framework 3.5 for Windows 8.1 and Windows Server 2012 R2 (KB4014598): May 16, 2017
Creators Update on 50.1% of all Windows 10 systems
It’s a slow rollout: Figures from AdDuplex show that Windows 10 Creators Update has reached just 50.1% of all Windows 10 systems. But we are just 2 months away from Windows 10 Fall Creators Update. This is the result of Microsoft’s rollout, which proceeds carefully to avoid trouble on systems. After 4 months it may be possible that MS tries a more aggressive rollout, as MS PowerUser writes here.
Windows Server 2012 R2 Update KB4033428 released
Just a short addendum to July Preview Patchday: Microsoft has released also Update KB4033428 on July 18, 2017 for Windows Server 2012 R2.
Update KB4033428 (Windows Server 2012 R2 processor generation detection reliability update: July 18, 2017) shall improve the reliability of processor generation detection and hardware support on Windows Server 2012 R2.
This optional update is available for: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Foundation, Windows Storage Server 2012 R2 Workgroup, and Microsoft Hyper-V Server 2012 R2. The package is available via Windows Update and as download via Microsoft Update Catalog. For WSUS Microsoft’s kb article holds instructions to import this update.
The recommendation is: If you haven’t had issues, I would delay installing this update and wait until it’s clear that there are no additional issues.
Windows 10 support for Clover Trail machines till 2023
A few days ago, there were rumors that Microsoft ends support for Clover Trail CPU based Windows 10 Anniversary Update machines. Now Microsoft has detailed how this hardware will be supported.
The ‘Windows 10 no longer supported’ problem
Users of Clover Trail machines who installed Windows 10 Anniversary Update on this hardware had a problem. An attempt to upgrade to Windows 10 Creators Update stalls with a message that Windows 10 is no longer supported on that PC.
(Source: ZDNet.com)
The screenshot shown above suggests ‘uninstalling an app’ to make the machine compatible with Windows 10. But that isn’t the truth – instead, Windows 10 Version 1703 doesn’t support Clover Trail CPUs anymore. Ed Bott has written about that within his ZDNet article Microsoft cuts off Windows 10 support early for some PCs.
Microsoft agrees to extend Support to 2023
After Ed published this article, the message spread through many web pages. Ed Bott has now received a statement from Microsoft detailing the situation a bit more. Within his ZDNet article Microsoft agrees to extend support deadline for Clover Trail PCs, Ed outlined what Microsoft told him.
In short: Microsoft is delivering security updates to Clover Trail devices for six years (up to 2023). The existing policy says security updates will end in early 2018. Here is the full statement Ed Bott received from Microsoft:
With Windows 10, we introduced Windows as a Service, a model for continuous value delivery via twice annual feature updates and monthly quality updates. Along with this updated delivery cadence, we adjusted our support lifecycle policies to reflect the Windows as a Service model. Recognizing that a combination of hardware, driver and firmware support is required to have a good Windows 10 experience, we updated our support lifecycle policy to align with the hardware support period for a given device. If a hardware partner stops supporting a given device or one of its key components and stops providing driver updates, firmware updates, or fixes, it may mean that device will not be able to properly run a future Windows 10 feature update.
This is the case with devices utilizing Intel Clover Trail Atom Processors¹ today: they require additional hardware support to provide the best possible experience when updating to the latest Windows 10 feature update, the Windows 10 Creators Update. However, these systems are no longer supported by Intel (End of Interactive Support), and without the necessary driver support, they may be incapable of moving to the Windows 10 Creators Update without a potential performance impact.
We know issues like this exist and we actively work to identify the best support path for older hardware. As part of our commitment to customers, we will be offering the Windows 10 Anniversary Update to these Intel Clover Trail devices on Windows 10, which we know provides a good user experience. To keep our customers secure, we will provide security updates to these specific devices running the Windows 10 Anniversary Update until January of 2023, which aligns with the original Windows 8.1 extended support period.
¹ This affects devices with Intel Atom Processors Z2760, Z2580, Z2560, Z2520.
Unofficial Windows Vista Updates (July 11, 2017)
This blog post describes a list of (unofficial) security updates from July 11, 2017, usable for Windows Vista. But the update installation has to be done manually.
Windows Vista – out of support
Support for Windows Vista ended in April 2017 (see Windows Vista reached End of Life (April 11, 2017)). So Microsoft doesn’t provide security updates via Windows Update anymore.
Nevertheless, it’s possible to patch security holes in Windows Vista by downloading updates for Windows Server 2008 from Microsoft Update Catalog and trying a manual install in Windows Vista. I’ve covered this within my blog post Windows Vista: Patching beyond EOL till January 2020.
Unofficial July 2017 updates for Vista
Below is a list of security updates for Windows Server 2008 that are also usable for Windows Vista.
- KB4025252: Cumulative Security Update for Internet Explorer from July 11, 2017. Fixes IE crashes after installing June 2017 updates.
- KB4022746: Security Update for the Kerberos SNAME security feature bypass vulnerability in Windows Server 2008: July 11, 2017
- KB4022748: Security Update for the Windows kernel information disclosure vulnerability in Windows Server 2008: July 11, 2017
- KB4022914: Security Update for the Windows kernel information disclosure vulnerability in Windows Server 2008: July 11, 2017
- KB4025240: Security Update for the Microsoft browser security feature bypass vulnerability in Windows Server 2008: July 11, 2017
- KB4025397: Security Update for the Windows Performance Monitor information disclosure vulnerability in Windows Server 2008: July 11, 2017
- KB4025398: Security Update for the MSINFO.exe information disclosure vulnerability in Windows Server 2008: July 11, 2017
- KB4025409: Security Update for the Windows elevation of privilege vulnerability in Windows Server 2008: July 11, 2017
- KB4025497: Security Update for the Windows Explorer remote code execution vulnerability in Windows Server 2008: July 11, 2017
- KB4025674: Security Update for the Windows Explorer denial of service vulnerability in Windows Server 2008: July 11, 2017
- KB4025877: Security Update for Windows Server 2008: July 11, 2017
- KB4026059: Security Update for the Windows CLFS elevation of privilege vulnerability in Windows Server 2008: July 11, 2017
- KB4026061: Security Update for the WordPad remote code execution vulnerability in Windows Server 2008: July 11, 2017
- KB4032955: Security Update for the Windows Search remote code execution vulnerability in Windows Server
All updates are also mentioned within my blog post Microsoft Office security updates (July 11, 2017).
July 2017 Updates KB4025336/KB4025331 breaks WSUS
It seems that Updates KB4025336 for Windows Server 2012 R2 and KB4025331 for Windows Server 2012 are breaking WSUS and SCCM. Here are a few details.
I’ve been contacted by German blog reader Marco R. by e-mail – but I had already noticed some issues within Microsoft forums.
Updates KB4025336 for Windows Server 2012 R2
Update KB4025336 is a monthly rollup for Windows 8.1 and Windows Server 2012 R2, released on July 11, 2017. Besides the iSCSI connection issue I’ve mentioned within my blog post Windows Server: an Update causes iSCSI connection issues (fixed with Windows 8.1 Preview Rollup Update KB4025335), the update also breaks clients’ connection with WSUS.
I’ve addressed this issue within my blog post Botched Updates KB4025252 and KB4025336 (July 2017). German blog reader JohnRipper mentioned within a comment that update KB4025336 (Monthly Rollup for Windows 8.1/Windows Server 2012 R2) blocks the client’s connection to WSUS. I also found a 2nd post within the German heise.de forum, dealing with the same issue. All clients suddenly report error 0x80244008 during update search. This error code stands for (see):
WU_E_PT_SOAPCLIENT_PARSEFAULT – 0x80244008 – (16392) – Same as SOAPCLIENT_PARSEFAULT_ERROR – SOAP client failed to parse a SOAP fault.
It seems that this update breaks something within the SOAP client. The only solution known so far is uninstalling the botched update. The topic is also discussed within the Technet forum.
Update KB4025331 for Windows Server 2012
Update KB4025331 is a monthly rollup update for Windows Server 2012, issued on July 11, 2017. This patch shall fix Internet Explorer 10 crashes and other issues. Blog reader Marco R. informed me via e-mail about a serious issue with this update for Windows Server 2012 and WSUS. Marco wrote (I freely translated his German text):
Here is an information, that caused a lot of time to investigate. Beside KB4025336 for Windows 2012 R2 also Update KB4025331 for Windows Server 2012 … breaks WSUS.
He sent me a screenshot with entries from WindowsUpdate.log that he found on all Windows 7 x64 clients of a customer.
The log file reports several errors 0x8024400D, which stands for WU_E_PT_SOAP_CLIENT (Same as SOAP_E_CLIENT – SOAP client found the message was malformed; fix before resending). It indicates that something went terribly wrong with the SOAP client connection within Windows Update. I guess the hints given here and here won’t help. Marco R. wrote:
After installing no more Office and Windows updates could be installed from clients via SCCM. After uninstalling update KB4025331 from Windows 2012 WSUS Server, the error has been gone.
Within this Spiceworks community thread somebody addressed a similar issue, but mentioned other updates. But within this Technet thread update KB4022720 (see) has been identified as a root cause for WSUS error 0x80244008 (WU_E_PT_SOAPCLIENT_PARSEFAULT, same code as for SOAPCLIENT_PARSEFAULT_ERROR – SOAP client failed to parse a SOAP fault). Within this MS forum thread user LiquidVipe reported that update KB4025331 breaks WSUS on Windows Server 2012.
My Wsus runs in Windows Server 2012 R1. Same problem here but different KB: 4025331.
Uninstalling solved the problem.
The thread deals with the issue, that clients could not connect to WSUS to receive updates. I published these cases here, perhaps other admins can confirm this issue. If a solution is known, please feel free to drop a comment.
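To confirm the same symptom on a client, the following added example (not part of the original post) scans WindowsUpdate.log for the two SOAP error codes discussed above and summarises them per code. The function name and the sample log lines are constructed for illustration; the log path is the classic location used on Windows 7/8.1 clients.

```powershell
# Added example, not from the original post. The error codes and their names
# are the ones quoted above.
$SoapErrorNames = @{
    '0x80244008' = 'WU_E_PT_SOAPCLIENT_PARSEFAULT'
    '0x8024400D' = 'WU_E_PT_SOAP_CLIENT'
}

function Find-WsusSoapError {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    foreach ($entry in $Line) {
        if ($entry -notmatch '(?i)0x802440(08|0D)\b') { continue }
        # Normalise case so 0x8024400d and 0x8024400D group together.
        $code = '0x' + $Matches[0].Substring(2).ToUpper()
        $when = $null
        if ($entry -match '^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})') {
            $when = [datetime]::ParseExact("$($Matches[1]) $($Matches[2])",
                'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        }
        [pscustomobject]@{
            Time = $when
            Code = $code
            Name = $SoapErrorNames[$code]
            Text = $entry.Trim()
        }
    }
}

function Get-WsusSoapErrorSummary {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    Find-WsusSoapError -Line $Line | Group-Object Code | ForEach-Object {
        $times = @($_.Group | Where-Object { $_.Time } | Sort-Object Time)
        $first = $null; $last = $null
        if ($times.Count -gt 0) { $first = $times[0].Time; $last = $times[-1].Time }
        [pscustomobject]@{
            Code      = $_.Name
            Name      = $SoapErrorNames[$_.Name]
            Count     = $_.Count
            FirstSeen = $first
            LastSeen  = $last
        }
    }
}

# Constructed sample lines in the tab-separated WindowsUpdate.log layout.
$sample = @(
    "2017-07-13`t09:12:41:101`t 884`t1a2c`tPT`tWARNING: SyncUpdates failure, error = 0x8024400D, soap client error = 7"
    "2017-07-13`t09:12:41:105`t 884`t1a2c`tAgent`t  * WARNING: Failed to synchronize, error = 0x8024400D"
    "2017-07-13`t11:40:02:330`t 884`t0f94`tPT`tWARNING: PTError: 0x80244008"
    "2017-07-13`t11:41:10:002`t 884`t0f94`tAU`tAU setting next detection timeout"
)

$logPath = Join-Path $env:windir 'WindowsUpdate.log'
$lines = if (Test-Path $logPath) { Get-Content $logPath } else { $sample }
Get-WsusSoapErrorSummary -Line $lines | Format-Table -AutoSize
```

A FirstSeen timestamp that lines up with the date the rollup was installed on the WSUS server supports the correlation described in the post.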
Windows 10 Fall Creators Update (V1709): Things removed/deprecated
Microsoft plans to release Windows 10 Fall Creators Update within the next two months. Now Microsoft has told us what’s deprecated and what will be removed in the upcoming Windows 10 build.
Well, Microsoft has postponed some features like Timeline in Windows 10 Version 1709. But there is more, that will be removed. Within the support article Features that are removed or deprecated in Windows 10 Fall Creators Update Microsoft says what’s obsolete.
Things never used, like the 3D Builder app will be removed from standard install, but can be obtained from Windows Store. Also Reader app and Reading list (never used) will be removed and replaced by Microsoft Edge functionality.
The file Apndatabase.xml has also been removed, because Windows 10 is using a new COSA format to store APNs. Some organizations could be surprised, that EMET will be blocked on Windows 10 Fall Creators Update. The background: Some EMET features will be part of Windows Defender Exploit Guard.
Besides removed things (like the dead Outlook Express code, left over from Windows XP), Microsoft has declared other features as deprecated. Besides PowerShell 2.0 (Version 5.0 is the current version) they also mentioned MS Paint (which has been part of Windows since Windows 1.0 as Paintbrush) as obsolete. Maybe some future Windows 10 release will come without those deprecated features.
The most remarkable announcement was that System Image Backup (SIB) will be removed. Microsoft suggests using solutions from third-party vendors. BTW: What Microsoft doesn’t mention within the support article is SMBv1, which won’t be installed by default on new Windows 10 V1709 installations.
Microsoft’s July 2017 patches: issues collection
Microsoft has released several updates in July 2017 for Windows and Office. Several of these updates are causing serious issues and/or confusion. Here is a collection of issues I have found so far.
Update KB4033428 – no details yet
First of all, Microsoft released Update KB4033428 for Windows Server 2012 R2 on July 18, 2017. In its best manner, Microsoft wrote “Windows Server 2012 R2 processor generation detection reliability update”, but gave no more details. My MVP colleague Susan Bradley asked on Microsoft partner net Why should we install KB4033428? without receiving an answer so far. There is also a post at AskWoody, without details that explain why we should install this update. So my suggestion is to block this update until Microsoft gives us details on what this update is for.
Update KB4025335 bricks NAP
Recently I published the blog post Windows 8.1 Preview Rollup Update KB4025335. A German blog reader GB left a comment within the German blog post:
On Server 2012 R2, the update disables the certificate-based computer authentication of NAP. Unfortunately, it also can’t be uninstalled.
In other words: Update KB4025335 breaks certificate-based authentication for NAP, and the update can’t be uninstalled. Microsoft writes about Network Access Protection (NAP):
Network Access Protection (NAP) is designed to help administrators maintain the health of the computers on the network, which in turns helps maintain the overall integrity of the network.
In Windows 10 the NAP client has been removed.
A workaround is available
Searching the web yesterday, I came across a Technet forum thread where the issue is also under discussion. Yesterday a Microsoft employee described a workaround:
As a workaround, create the following registry on your server:
Create DWORD registry key under:
SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13\
New_DWORD: DisableEndEntityClientCertCheck
and set value to 0
It seems that this registry entry will fix the issue.
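One way to apply the quoted workaround in a repeatable manner is sketched below; this is an added example, not code from the Technet thread or from Microsoft. It assumes the quoted path sits under HKEY_LOCAL_MACHINE (where SYSTEM\CurrentControlSet lives) and that it runs in an elevated PowerShell session; the variable names are illustrative.

```powershell
# Added example: apply the workaround only on servers that have KB4025335 installed,
# and report the previous state so the change can be reverted later.
# Assumption: the quoted key path is relative to HKEY_LOCAL_MACHINE (HKLM:).
$kb        = 'KB4025335'
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
$valueName = 'DisableEndEntityClientCertCheck'
$wanted    = 0

# Get-HotFix reports an error when the update is absent; suppress it and test the result.
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if (-not $hotfix) {
    Write-Output "$kb is not installed on $env:COMPUTERNAME; nothing to change."
    return
}

# The workaround adds a value to an existing key; do not create the key blindly.
if (-not (Test-Path -Path $keyPath)) {
    Write-Warning "Registry key $keyPath not found; workaround not applied."
    return
}

# Read the current value (if any) before touching it.
$existing = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($null -ne $existing -and $existing.$valueName -eq $wanted) {
    Write-Output "$valueName is already set to $wanted; no change made."
    return
}

if ($null -ne $existing) {
    $previous = $existing.$valueName
} else {
    $previous = '<not set>'
}

# Create or overwrite the DWORD value named in the workaround.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
    -Value $wanted -Force | Out-Null

Write-Output "$valueName changed from $previous to $wanted on $env:COMPUTERNAME."
```

Keep the reported previous state with your change records, so the entry can be reverted once Microsoft ships a corrected update.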
Updates KB4025336 and KB4025331 brick WSUS
Users operating Windows Server Update Services (WSUS) on Windows Server 2012 (and R2) will face issues with updates KB4025336 and KB4025331. Both updates block the clients’ update search, so WSUS can’t deliver updates for Office and Windows. I’ve covered this issue in my blog post July 2017 Updates KB4025336/KB4025331 breaks WSUS. The solution: Uninstall the updates. In some scenarios it helps to change the port used.
Unfixed June 2017 update Outlook bugs
On June 13, 2017, Microsoft released Office security updates that are causing serious issues in Outlook, from a broken search or missing iCloud synchronization up to blocked RTF attachments. I’ve published several blog posts about those issues (see the link list at the end of the article). After failing with several repair attempts, Microsoft pulled several updates on July 12, 2017 (see Microsoft pulls Updates for Outlook 2010/2013/2016). So far I haven’t seen a fix.
The IE 11 security/printing dilemma
There is also a dilemma for admins in enterprise environments. Microsoft released a critical security update (KB4021558) for Internet Explorer in June 2017. Then they released additional updates to fix the printing issues (see IE11 printing issues in Windows are fixed (June 2017)). But this ended with IE crashes.
Woody Leonhard has published this ComputerWorld article, dealing with the patch history. Microsoft has released fixes for the fixes, so the IE printing and crashing issues have been resolved. But those updates disable the code that fixes the security issue within Internet Explorer. A discussion may be found here, and there is this link to Microsoft’s CVE-2017-8529 advisory. They wrote for 07/11/2017 (Revision 4.2):
Please note that the protection for CVE-2017-8529 is not yet available with the release of the July security updates, as we continue to work on a solution for the known issue customers may experience when printing from Internet Explorer or Microsoft Edge after installing Internet Explorer Cumulative update 4021558. Customers who receive automatic updates will not be protected from this CVE. Microsoft is continuing to investigate a solution for this known issue and will notify customers as soon as an update is available.
Currently no patch to fix this dilemma is known.
Excel quick access bar
Woody Leonhard also has this article at askwoody.com, reporting issues with Excel’s quick access bar. This should be fixed in Windows 10 Version 1706 (Build 8229.2103) with an update, according to this thread, and Bill Jelen has also published a workaround.
Overall, a lot of unsolved issues are still open. I fear I have lost track of what’s still open. Is something missing, or is something fixed that I’m not aware of?
Similar articles:
Outlook issues after June 2017 security updates
Microsoft Outlook: Fix for iCloud Sync problem
Microsoft pulls Updates for Outlook 2010/2013/2016
Fixing Microsoft Outlook Search Bug after June 2017 Update
IE11 printing issues in Windows are fixed (June 2017)
Windows 10: update error 0x80070020
Windows users are facing several update errors. Update error 0x80070020 may occur in Windows 10 during update installs and also during feature updates. Here are a few details on how to fix this error.
What is error 0x80070020?
Error 0x80070020 stands for ERROR_SHARING_VIOLATION: the update process can’t access a file because it’s in use. I’ve covered this error in several blog posts (for instance the German article Windows 10 Build 15019 Insider Preview: Installationsprobleme).
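How the code 0x80070020 maps to a sharing violation can be shown by splitting it into the standard HRESULT fields; the function below is an added example, not taken from a Microsoft tool, and the name ConvertFrom-HResult is made up for illustration. It goes slightly beyond this one code: any HRESULT with facility 7 (FACILITY_WIN32) carries a plain Win32 error number in its low 16 bits.

```powershell
# Added example: split an HRESULT into its fields and resolve wrapped Win32 codes.
function ConvertFrom-HResult {
    param(
        # [long] on purpose: PowerShell parses the literal 0x80070020 as a negative Int32.
        [Parameter(Mandatory = $true)][long]$HResult
    )

    # Normalise to the unsigned 32-bit value before extracting bit fields.
    $u = $HResult -band [long][uint32]::MaxValue

    $failure  = (($u -shr 31) -band 1) -eq 1   # bit 31: severity (1 = failure)
    $facility = ($u -shr 16) -band 0x7FF       # bits 16-26: facility
    $code     = $u -band 0xFFFF                # bits 0-15: status code

    $message = $null
    if ($facility -eq 7) {
        # FACILITY_WIN32: the low word is a Win32 error code; ask Windows for its text.
        $ex = New-Object System.ComponentModel.Win32Exception -ArgumentList ([int]$code)
        $message = $ex.Message
    }

    [pscustomobject]@{
        HResult  = '0x{0:X8}' -f $u
        Failure  = $failure
        Facility = $facility
        Code     = $code
        Message  = $message
    }
}

# The update error discussed here: facility 7, code 32 (ERROR_SHARING_VIOLATION).
ConvertFrom-HResult 0x80070020
```

The message text comes from the operating system and is localized, so match on the numeric code rather than on the text when searching logs.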
Fix #1: remove Antivirus software
A common cause of this error is antivirus software that accesses files during scans and blocks them for installs. Microsoft has released a KB article dealing with this error (for Windows XP or Vista). My recommendation: Try a restart, and if that doesn’t fix it, deactivate or uninstall your antivirus software.
Fix #2: Clean your profile list
Another root cause of this update error is orphaned profiles within an installed system. These profiles prevent upgrades. This MS Answers forum thread proposes cleaning the profile list as a solution.
Fix #3: Uninstall graphics driver
Sometimes a faulty graphics driver causes error 0x80070020 during an update or upgrade. In my German blog post Windows 10: Ärger mit Update KB3140745 / KB3140768? I mentioned a graphics driver (NVIDIA) as a possible root cause.
Fix #4: Windows Defender is causing trouble
Because Microsoft ‘improves’ Windows Defender in Windows 10, we see more and more cases where real-time protection, cloud protection and other features are the root cause of install errors. So it’s a good idea to disable Windows Defender, reboot and check whether the update error is still present.
Similar articles:
Windows 10: Analyze upgrade errors
Windows: How to decode update 0x8024…. errors
Windows 10: How to fix update error 0x80080008
Windows 7/8.1/10: error side-by-side configuration is incorrect
How to decode Windows errors?
Windows 10 error ‘Device not migrated’
Windows 10: Windows Defender drops error 0x80070578
Windows 10 Insider Build 16251 for PCs released
Microsoft has released Build 16251 of Windows 10 Insider Preview for PCs in the Fast Ring. This Insider Preview Build is available in two branches: Redstone 3 (for Fall Creators Update) and Redstone 4 (for the Spring 2018 release). The new build has been announced in the Windows Blog, where you will find more details.
Kaspersky Free Antivirus software announced
Kaspersky has announced its free antivirus product, Kaspersky Free, for Windows systems. It provides basic protection for Windows and will be rolled out over four months.
Kaspersky has announced Kaspersky Free in this blog post. The free antivirus won’t have the extra features of the paid-for versions from Kaspersky, which come with Parental Control, Online Payment Protection, and Secure Connection (VPN).
The free version provides essential protection: file, email and web antivirus; automatic updates; self-defense; quarantine; and so on. These features ensure convenient and safe web surfing, working with USB sticks and other portable storage media, and protection against both phishing and infected files being run.
Kaspersky piloted this product last year in the Russia-Ukraine-Belarus region, in China, and also in the Scandinavian countries. On July 25 – for Kaspersky’s 20th birthday – the product will start being officially launched! The roll-out is going to be done over four months in waves as per different regions.
- The first wave will be the U.S.A., Canada, and many of the Asia Pacific countries.
- September: India, Hong Kong, Middle East, Africa, Turkey and Latin America.
- October: Europe, Japan and South Korea.
- November: Vietnam and Thailand.
Kaspersky Free is also, according to Kaspersky, lighter on system resources and quicker than its big (paid) brothers. So Windows users probably have a choice between the Defender built into Windows and Kaspersky Free. What’s still open: How reliable is Kaspersky Free during Windows 10 feature upgrades?
Windows 10 S ISO for MSDN subscribers
Microsoft released the ISO files of Windows 10 S for MSDN subscribers on July 27, 2017. This gives developers early access to this Windows 10 variant.
Windows 10 S is a variant that will be offered for education (schools, universities) and is upgradeable to Windows 10 Pro. Windows 10 S is restricted to Windows Store apps and signed Microsoft drivers. Some system tools from Windows 10 are also missing, to make Windows 10 S more secure.
Now the ISO files of Windows 10 S for 32 bit and 64 bit are available for MSDN subscribers. Only an English version is available, but it’s possible to install other language packs from Windows 10 S. Windows 10 S N is a special variant without media features, developed for the European Union (EU). Apps requiring media features can’t be run on this version.
Windows 10: Why Clover Trail is a trouble maker
Recently there have been reports that Windows 10 doesn’t support Intel Clover Trail devices from Creators Update onward. Perhaps you have asked why this is the case.
What’s the matter?
In the past several vendors shipped devices (mostly Windows 8 Tablet PCs) with Intel Atom processors from the Clover Trail family. These systems could be upgraded to Windows 10 (RTM), and it was possible to install feature updates up to Windows 10 Anniversary Update.
But users are facing install issues with Windows 10 Creators Update (Version 1703) on the following Clover Trail CPUs:
- Atom Z2760
- Atom Z2520
- Atom Z2560
- Atom Z2580
Those processors were shipped between 2012 and 2013 (according to this article). I found this article naming some incompatible devices. If you install a new Windows 10 build on such a device or try an upgrade, the install wizard will show this warning.
The device is no longer rated as compatible with Windows 10. Acer has published this support article about this topic. The ‘Intel Clover Trail processors are not currently supported in Windows 10 Creators Update’ within the Acer article seems to mean ‘never supported’. Microsoft won’t offer feature upgrades for those processors, but delivers security updates for Windows 10 Anniversary Update till 2023. I’ve mentioned that issue in my blog post Windows 10 support for Clover Trail machines till 2023.
All I could find were statements like: ‘Intel doesn’t deliver drivers for this processors, so Microsoft won’t support these Clover Trail CPUs from Windows 10 Creators Update upward’.
Why does a CPU require a driver?
Perhaps somebody is wondering why a CPU needs a driver. My Windows Insider MVP colleague Ingo Böttcher left a German comment in my blog pointing in the right direction.
The problem with the Atoms isn’t the CPU, it’s the integrated graphics core (GPU). The drivers are causing issues under newer Windows builds. Intel supports these drivers only for Windows 8.
Driver support is the task of the hardware vendor… so: Intel provides neither drivers nor support, but Microsoft gets bashed.
Then I searched the web and found a few more details.
The problem is the GMA (SGX 545) driver
Wikipedia says that the Atom processor family was designed as an SoC (System on Chip) for mobile devices like smartphones and tablets, and was introduced in 2012 as an ARM competitor.
The issue with Windows 10 is the Intel Atom GMA (SGX 545) driver required for Clover Trail CPUs. GMA stands for Intel Graphics Media Accelerator, a graphics extension. Intel doesn’t provide drivers for Windows 10, as we could read in August 2015 in this Intel forum thread.
It’s possible to install the Microsoft Basic Video adapter driver for Windows. But Windows 10 also needs the GMA driver. This Intel page lists the supported Windows versions: ‘Intel Atom® Processor Z2700 Series with Intel® Graphics Media Accelerator’ from the Cloverview family, launched September 2016, is supported only in Windows 8/8.1.
Drivers for Windows 8.1 or drivers provided via Windows Update for Windows 10 are causing issues (see here). In Microsoft Answers there is a long forum thread with mixed feedback on whether the driver offered via Windows Update failed or worked. OEMs (Lenovo) also have forum entries discussing this, and there is a discussion on Twitter. Depending on the CPU, several GMA drivers are discussed.
To sum it up: Microsoft needs an Intel GMA driver for Windows 10, but this driver isn’t available from Intel. Existing Windows 8.x drivers are not suitable for Windows 10, unless I missed something.
Final words
We can regard devices sold in 2012 as ‘old’, and they have reached end of support. But from a customer’s view it’s the failure of soft- and hardware vendors. I still remember Microsoft’s promise before the Windows 10 release: Windows 10 will run on all devices capable of running Windows 7 or Windows 8.1. And it’s not forgotten that Microsoft forced many Windows 7 and 8.1 systems to upgrade to Windows 10, although it was known that Windows 10 was delivered ‘as a service’.
Looking at the list of supported Intel graphics drivers, we will have similar cases with devices using Intel graphics in future. Intel has now released new processors (SoCs) for IoT and embedded systems, and Microsoft will ship Windows 10 variants for those processors. It will be interesting to see how long it takes until such systems reach end of support.
I also found this web page, where somebody enabled Linux for GMA support. He investigated how to install the Intel GMA 3600 driver in Windows 10. He wrote:
The first solution which I came across was to remove the System Apps and Windows App from the system then reinstall the driver.
Then he was able to run the GMA driver, but the start menu in Windows 10 won’t work. Microsoft’s approach of ripping out the old Windows 7 start menu code in Windows 8 and re-implementing the Windows 10 start menu with WPF is causing this issue. The Classic Shell seems to work.
So Intel and Microsoft are causing this dilemma. And I see no real advantage in using store apps and the modern start menu in Windows 10. Wearing the hat of a maintenance engineer working in industrial automation, I must say that this is a no-go. Systems are designed to run for many years, and we need to be sure that hard- and software will work for the planned period. Overall it seems that marketing has killed reliability for future investments.
And I was wondering how administrators manage today to find time, between struggling with bad Windows updates and rolling out new software, to investigate how current and upcoming hardware will influence current and upcoming Windows 10 as a service versions. It seems that we will have a lot of joy with Industry 4.0, IoT and other buzzwords propagated by marketing. I don’t see how they fit the market’s requirements. What’s your opinion?