Channel: Windows – Born's Tech and Windows World

Will Microsoft drop Windows 10 V1809?


Microsoft is about to release Windows 10 Version 1903 (I guess in April 2019). But what about Windows 10 Version 1809? It seems that Microsoft is trying to drop this version and let Windows 10 V1803 users upgrade directly to V1903.

Microsoft released Windows 10 Version 1809 in October 2018, and six months have now passed. But this update had to be withdrawn for weeks, and later on several patches had to be released to fix numerous bugs and upgrade blockers, as you can read in several posts here in the blog.

Microsoft has already announced several times that Windows 10 version 1809 is ‘now generally available and will be distributed to all compatible machines’. I discussed this in the blog post Windows 10 V1809 announced as ‘general available’ from January 2019. Microsoft also updated KB article 4028685 on March 20, 2019. It announces that Windows 10 will automatically download the October 2018 update to appropriate devices if automatic updates are enabled in the Windows Update settings.

However, Windows 10 version 1809 does not arrive on the machines. I am reluctant to blog about the distribution of Windows 10 versions based on AdDuplex reports (too insecure). But AdDuplex has published its monthly report for March 2019, which provides an interesting insight into the Windows 10 distribution. The figures were calculated from more than 5,000 Microsoft Store apps that contain the AdDuplex SDK v2 or higher and provide data on the Windows 10 operating system version. The values refer to March 26, 2019.

(Windows 10 distribution March 2019, Source: AdDuplex)

Even if you don’t think the numbers are accurate, the latest AdDuplex report on the distribution of Windows 10 versions, or the diagram above, still shows an interesting trend. After 6 months, Windows 10 Version 1809 runs on only about 1/4 of all Windows 10 machines, while Windows 10 Version 1803, which was released a year ago, is installed on about 2/3 of the systems. Since the last AdDuplex report in February, Windows 10 V1809 has only increased by about 5% in distribution.

On the other hand, since Microsoft always writes that the Windows 10 October 2018 update is ‘automatically distributed to suitable machines’, something might be wrong. Either the AdDuplex numbers are completely wrong (I don’t think it’s likely, even if the values were wrong by 10%), or Microsoft’s statement about the general availability isn’t true (I think it’s likely). I believe that Microsoft declares Windows 10 V1809 to be generally released, but the distribution is made with the ‘handbrake on’, so that only a few machines get the update. Since Windows 10 V1903 is expected to be released as a spring update in April 2019, Windows 10 V1809 is unlikely to become widely distributed. It will be the ‘Failure Feature Update’ in the annals, I guess. So I believe users will upgrade from Windows 10 V1803 to V1903.

BTW: Microsoft’s marketing chief Chris Capossela has warned all employees not to participate in April Fools’ Day pranks. So it’s unlikely that Microsoft will release Windows 10 V1909 on April 1st, I guess ;-).


Windows 10: Insider Preview Build 18865 (Skip Ahead)


Microsoft published Windows 10 Insider Preview Build 18865 in the Skip Ahead Ring on 26.3.2019. This is a version from the development branch 20H1, which we expect to receive in spring 2020 as a Windows 10 release. The new Insider Preview only contains bug fixes. The announcement and a description of the changes can be found in the Windows Blog.

Windows 10 Insider Preview 18356.16: Workaround for upgrade error 0x80242016


Windows Insiders who run Insider Preview Build 18356.16 in the Slow Ring can’t upgrade to Build 18362. Microsoft has stopped the distribution of Build 18362 in the Slow Ring until a fix is available. But there is a workaround to force the upgrade to Build 18362. I’ve added details within my blog post Windows 10 Insider Build 18362 stopped in Slow Ring – Workaround.

Windows 10 V1903 get Windows Defender Tamper-Protection


In Windows 10 V1903, Windows Defender receives tamper protection. Here are a few details on what this is and how it affects administrators in enterprise environments.

Microsoft has just introduced Windows Defender Tamper Protection again and released some more details (I became aware of the new article via).

What is Defender Tamper Protection?

Microsoft intends to protect the Windows Defender included in Windows 10 against malware tampering. It should not be possible for a malicious program to switch off Windows Defender. The Insider Previews (Build 18305 and later) of Windows 10 V1903 introduced the so-called Windows Defender Tamper Protection (see this article on Preview Build 18305 in the Windows Blog). Martin Brinkmann from ghacks.net reported briefly about this new feature in this article in December 2018. 

Windows Defender Tamper Protection
(Windows Defender Tamper Protection, Source: Ghacks.net)

This tenforums post also discusses the question of how to switch this function on or off. In Feb. 2019 Microsoft published the article Prevent changes to security settings with Tamper Protection. They wrote about Windows 10:

Tamper Protection in Windows Security helps prevent malicious apps from changing important Windows Defender Antivirus settings, including real-time protection and cloud-delivered protection. If Tamper Protection is turned on and you’re an administrator on your computer, you can still change these settings in the Windows Security app. However, other apps can’t change these settings.

Tamper Protection is turned on by default. If you turn off Tamper Protection, you will see a yellow warning in the Windows Security app under Virus & threat protection. Tamper Protection doesn’t affect how third-party antivirus apps work or how they register with Windows Security.

More details about Windows Defender Tamper Protection

Microsoft’s Eric Avena has now provided more details in the blog post Tamper protection in Microsoft Defender ATP.

Tamper protection is a new setting available in the Windows Security app which provides additional protections against changes to key security features, including limiting changes that are not made directly through the app.

Eric Avena then describes who can switch the Tamper Protection status and what the default settings are:

Defender Tamper protection
(Defender options for Tamper protection, Source Microsoft)

  • Home users can toggle the setting from the Virus & threat protection settings area in the settings app.
  • For enterprise environments, the setting can be managed centrally through the Intune management portal. There is also an opt-in required for these environments.

Enabling this feature prevents other applications (including malicious ones) from tampering with important protection features, for example to:

  • disable the real-time protection, which is the core feature of Microsoft Defender ATP Next-Gen protection,
  • disable the Cloud-delivered protection, which uses Microsoft’s cloud-based detection and prevention services to block never-before seen malware within seconds,
  • disable the IOAV protection (probably stands for Internet On-demand Antivirus, see here), which handles the detection of suspicious files from the Internet,
  • disable the behavior monitoring, which uses real-time protection to analyze and determine whether active processes are behaving suspiciously or maliciously and blocks them.

The feature also prevents Security Intelligence updates from being deleted and the entire anti-malware solution from being deactivated. The feature is currently undergoing a limited preview test. Microsoft writes that the feature is supported by the current Windows Insider Build from March 2019 or later published builds. If you want to test the function, you can contact Microsoft via the Feedback Hub.

Collision with Group Policy?

German blog reader David Xanatos informed me a few days ago about an observation with Tamper Protection. David wrote:

In the new Windows Build 1903, Windows Defender has a new Defender Tamper Protection feature.

The problem is that as long as [Tamper Protection] is active, it seems that it is not possible to turn off Windows Defender via GPO.

David used the GPO “Turn Off Windows Defender Antivirus”. Maybe Microsoft will provide another GPO to turn off Tamper Protection, so that the Windows Defender GPOs work again. The Microsoft blog post doesn’t answer these questions, so let’s wait and see what the final release of Windows 10 V1903 brings in this area. Administrators should keep an eye on this feature.

Microsoft say: Windows 10 V1809 is ‘business ready’


Shortly before the release of Windows 10 V1903 (I guess we will have it sometime in April), Microsoft made an unexpected move and declared Windows 10 V1809 ready for ‘wide use’, i.e. ‘business ready’.

Microsoft’s announcement

The announcement by Microsoft employee John Wilcox can be found in the article Windows 10, version 1809 designated for broad deployment.

Based on the data and feedback we have received from consumers, OEMs, ISVs, partners, and business customers, Windows 10, Version 1809 has been released for widespread use. This means that the half-yearly channel (SAC) for version 1809 is now displayed on the Windows 10 version information page. We will continue to communicate the transition from targeted to broad deployment status.

According to the Life Cycle Policy, Windows 10 Enterprise and Windows 10 Education version 1809 receive support for 30 months (see also Windows 10 Support extended to 30 months (sometimes)). This support period is not counted from October 2, 2018 (1st release). Microsoft is using November 13, 2018 (the date of the second release, after the rollout was stopped due to serious bugs) to count that support period. Microsoft publishes the information about the end of support of Windows 10 in the Windows lifecycle fact sheet – see also the following figure.

Windows 10 Life-Cycle
(Windows 10 Life-Cycle)

The move comes as a bit of a surprise to me, but is formally in line with the Microsoft rules – even if you had to ‘bend’ them a bit. Surprising because this is the third time I’ve read from Microsoft that Windows has been released for widespread use (see Windows 10 V1809 announced as ‘general available’ for instance). Since Microsoft did not force the distribution of this version, however, there is the situation that the October 2018 update has arrived only on approx. 1/4 of all Windows 10 machines (see also Will Microsoft drop Windows 10 V1809?). 

(Windows 10 distribution March 2019, Source: AdDuplex)

Yesterday’s announcement by Microsoft, on the other hand, is a formal step that gives the go-ahead for the rollout of this version in companies. In other words: Windows 10 V1809 has now arrived in the Semi-Annual Channel (SAC). Previously Windows 10 V1809 had the status SAC-T (stands for Semi-Annual Channel Targeted), i.e. the build was provided only on certain machines (targets).

Microsoft wants to make this distinction between SAC-T and SAC obsolete, as I explain in the article Windows 10: SAC-T is dead for Windows Update for Business.

The date on which a Windows 10 build gets SAC status is relevant because it determines the support period for cumulative updates.

Is Windows 10 V1809 really business-ready?

I used the term business-ready in the text here because it was Microsoft’s earlier wording. While reading the announcement I noticed that the term ‘business-ready’ no longer appears in the article Windows 10, version 1809 designated for broad deployment. Microsoft only speaks of ‘designated for broad deployment’ – and even companies are only indirectly mentioned.

But Windows 10 V1809  comes along with some legacy issues. A look at the Windows 10 update history shows that Microsoft has fixed a bunch of upgrade blockers, but there are still some update blockers for the V1809. Even more revealing is a look at the list of known problems in the cumulative update KB4489899 of March 12, 2019. 

  • There are authentication issues with Internet Explorer 11
  • Audio devices may not work after update installation
  • Applications no longer react due to a problem in the XML parser MSXML6
  • Group Policy Editor might stop responding to policy settings for IE 10
  • User-defined URI schemas for application log handlers may cause problems when calling the assigned application.
  • There may be problems with the Pre-Boot eXecution Environment (PXE) of devices

Details can be found in the linked KB article. Although it isn’t mentioned in the known issues, there is also a bug in network search when SMB1 is switched off, with Realtek network interfaces via LAN. Here the service FDResPub (automatic start) must be started a second time to make the PC visible in the network.

However, most of the above issues are relevant to enterprise environments. So I could imagine that administrators in companies wait a few more days before rolling out the V1809 more widely. Or how do you handle that?

Media-Refresh for Windows 10 V1809

In a separate paragraph of this article, Wilcox has announced a media refresh for the ISOs in the Volume License Servicing Center for April 2, 2019. This means that the ISOs will then be at the respective update status (specifically Build 17763.379 with updates from March 12, 2019). German site deskmodder writes here that the Media Creation Tool then also generates updated installation files when downloading.

Similar articles:
Will Microsoft drop Windows 10 V1809?
Windows 10 Support extended to 30 months (sometimes)
Wow! Windows 7 get extended support until January 2023
Windows 10 support for Clover Trail machines till 2023
Windows 10 V1809: Available via update search
Windows 10 V1809 announced as ‘general available’
Windows 10 V1903 get Windows Defender Tamper-Protection
Windows 10: SAC-T is dead for Windows Update for Business

Dell Encryption fails in Windows after March 2019 updates


After the March 2019 cumulative Windows updates have been installed, the Dell Encryption solution fails on Windows 7 through Windows 10 with error messages such as _UNMNGD. Now Dell has released some information.

What is Dell Encryption?

Dell Encryption (formerly Dell Data Protection | Encryption) is a Dell solution for Windows (Windows 7 up to Windows 10). Dell Encryption consists of a number of applications that enable you to:

  • Detect data security risks on desktops, laptops and external devices.
  • Protect data on these devices by allowing administrators to enforce access policies, authentication, and encryption of confidential data.
  • Use centralized data management with policies using collaborative tools that integrate with existing user directories.

The solution also supports key and data recovery, automatic updates, and tracking for protected devices. Details can be read in this Dell document – drivers are available here.

The Problem with Dell Encryption

The Dell Encryption Local Management Console might not display any information and the activation status might be _UNMNGD_ after you install the March 2019 cumulative update. This applies to all current versions of Microsoft Windows and Dell Encryption.

@PhantomofMobile has informed me via the tweet above that Dell has published this support article about the issue.

The March 2019 cumulative update prevents Dell’s Encryption Local Management Console from properly communicating with services that provide the encryption status of the device. This causes problems in the console’s user interface because various components of the user interface cannot start properly or display accurate information.

Affected devices display a “Shield ID” with “_UNMNGD_” and a “Machine ID” set to “_UNINITIALIZED_” in an “About” text screen:


(Source: Dell)

Within the support article, Dell describes further details of the error pattern that occurs under Windows 7 to Windows 10 after installation of the March 2019 updates. Dell recommends upgrading to Dell Encryption 10.2.1 or later to fix the issue. These versions are available here.

Windows 10 Insider Build 18362 fixes Anti Cheat SW bug


Microsoft has fixed an issue with anti-cheat software in Windows 10 Insider Preview Build 18362. This issue has been present for months in Insider Preview builds.

Anti-cheat software is used in games to detect whether a player is cheating in multiplayer mode. In the announcements of several Windows 10 Insider Previews it was said that games using anti-cheat software could crash.

In the announcement of Windows 10 Insider Preview Build 18362, the text “The launch of games that use anti-cheat software can trigger a bugcheck (GSOD)” is struck out. Instead it says:

UPDATE 3/28: Many games that use anti-cheat software have released fixes for the issue causing PCs to bugcheck (GSOD). The upgrade block that prevents Windows Insiders from updating to the latest build will be removed soon.

Many games that use anti-cheat software have now received an update. This prevents the crash with a Green Screen of Death (GSOD, the equivalent of the Blue Screen of Death in final releases).

Tell Microsoft your opinion about Windows update experience


The Windows update experience isn’t the best for some Windows users. Install errors, pulled updates and many more incidents have happened in the past. Now Microsoft is eager to obtain the opinion of Windows users about the update experience.

Dona Sarkar has asked for feedback, according to the tweet below published by @PhantomofMobile.

So take the chance to express your update experience with Windows on this form.

Similar articles:
Survey: Slow Windows Server 2016 Update installs?
Windows (10) Update Survey and an open letter to Microsoft
Survey: Satisfaction with Windows Update in Business?
Windows 10 Fall Creators Update Survey
Windows Server 2016: Empirical proof of slow Update installs


Windows 10 V1903 will probably named ‘Fools Creator Update’


Exclusive: Between all the struggle with the scattered accessibility of my blogs due to the server change at the weekend, a message almost went down. I got a hint from my internal sources, that told me the name of the upcoming Windows 10 version.

Microsoft always assigns a version number such as 1607, 1703, 1709, 1803, 1809 and now probably 1903 for Windows 10 feature updates. The first two digits reveal the year of publication, the last two digits stand for the planned release month (whereby 03 can also be a release in April). In addition, Microsoft often gives the Windows 10 build its own name. That was in the past:

  • V1607: Windows 10 Anniversary Update
  • V1703: Windows 10 Creators Update
  • V1709: Windows 10 Fall Creators Update

In 2018 these additional names were no longer announced. The background was probably discussions about the name ‘Fall Creators Update’. First of all the name sounds rather negative in certain languages (Fall = Fail). Besides, in autumn on the northern hemisphere of the earth it’s actually spring in the southern hemisphere. So that choice of that name from Redmond was a bit unfortunate.

But, according to my source, Microsoft’s marketing needs a name for the upcoming Windows 10 build to attract consumers. Google made a clever trick with Android and uses the name of a sweet for each version (Oreo, Nougat etc.). And even Apple has nice names for its macOS versions, like Snow Leopard, Mojave and so on. Only Microsoft is using boring version numbers like 1803, 1809 – no more XP, Vista or even 7, 8 or 8.1. No consumer likes to buy a new computer with a ‘Windows 10 1903’ – names like Windows 10 Creators Update sound even better.

So marketing in Redmond decided to search for a new name for the upcoming Windows 10 feature update. According to my source, the name ‘Fools Creator Update’ got the most votes. So I guess they will use that name. But nobody can be sure – I’ve seen cases where Redmond’s upper management cancelled a thing at the last minute. A Microsoft spokesman refused to comment on the naming of the next Windows 10 version.

Security: Windows-Spoofing via .reg files


Windows users can be spoofed into importing .reg files, as I just verified. Manipulated messages can be shown to the user via the dialog box that is displayed before a .reg file is imported.

What is it about?

.reg files are small text files, that can be created and saved with an editor. The files may contain commands to set or delete entries in the registry. In Windows such .reg files may be imported using the Windows registry editor regedit.exe. This allows you to import the contents of a .reg file by double-clicking on it. 

.reg file import warning

Then the dialog box shown above is displayed to warn the user about the import of the .reg file, and the user has to agree to the import via the Yes button. For certain keys, administrative rights are also necessary for the import, so the Registry Editor must request elevated rights via the User Account Control.

Spoofing the import dialog box

Spoofing is a situation in which a person or program successfully masquerades as another by falsifying data, to gain an illegitimate advantage. Security researcher John Page (aka hyp3rlinx) has now discovered that a .reg file with a specially designed file name can be used to manipulate the text shown in the dialog box that the registry editor regedit.exe displays.

Manipulated .reg file import warning

The above dialog shows a manipulated text message when importing a .reg file. Parts of the original message text were simply suppressed. Using such a manipulated message, attackers could trick inexperienced users into clicking the Yes button to import a .reg file containing dangerous content. In addition, Windows 10 seems to offer the ability to suppress the display of the second status dialog box, which indicates that an import was successful.

Spoofing attacks

To remove the default text and display custom text in the dialog box, %-encoded characters such as %n or %r and %0 can be used in the .reg file name. For example, the text passages “Do not trust …” and “Do you want to continue?” shown within the default warning message can be removed by using %0 characters.

Normally, after a successful import, the Registry Editor opens another window with a corresponding status message. This can be suppressed by inserting a (null) value directly before the dot at the end of the file name. This can be achieved with %1 or %25. The file name:

“Microsoft-Security-Update v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%b%1%0.reg”

not only suppresses the second status window that displays the successful import. It also creates a dialog box with the manipulated text shown above. Here is a list of characters that can be used for manipulation.

  • % – can be used for obfuscation e.g. %h%a%t%e = hate
  • %b will create white-space
  • %n makes a newline
  • %r makes a newline
  • %1 creates (null) – important as we prevent the second registry dialog from
    appearing after a successful import!
  • %0 Important terminates string
  • %25 (Windows 10) creates (null) – Important as we prevent the second
    registry dialog from appearing after a successful import!
  • %3 – Important as we prevent the second registry dialog from appearing
    after a successful import! (but shows asian char)
  • %5 (Windows 10) duplicates the default registry dialog box message by “n”
    amount of times per amount of %5 injected into the filename
  • %25 (Windows 7) duplicates the default registry dialog box message by “n”
    amount of times per amount of %25 injected into the filename
  • %2525 prevents registry editor from opening
  • %169 will show our junky filename in the dialog box (we don’t want that)
  • %3, %197, %17 and some others change the default language shown in the
    registry dialog box to asian characters etc.

The security researcher describes the details and some attacks on Seclists.org, and has also published there the above list of characters for manipulating the dialog box message. Below is a video demonstrating such a spoofing attack.

Windows .Reg File Dialog Box Spoofing 0day from hyp3rlinx on Vimeo.
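The character list above lends itself to a file name check in attachment triage or at a mail gateway. The following Python sketch is an added example, not code from the researcher or from this blog; the category names, the severity rule and all sample file names other than the one quoted in the article are assumptions made for illustration.

```python
import re
from collections import Counter

# Effects of %-sequences in .reg file names, taken from the list above.
LETTER_EFFECTS = {"n": "newline", "r": "newline", "b": "whitespace"}
DIGIT_EFFECTS = {
    "0": "terminator",        # ends the string, hiding the rest of the warning
    "1": "null",              # suppresses the second (status) dialog
    "25": "null",             # Windows 10; on Windows 7 it duplicates the text
    "2525": "blocks-editor",  # prevents the Registry Editor from opening
}
# Assumption: categories that hide or restructure dialog text are high risk.
HIGH_RISK = {"terminator", "null", "newline", "blocks-editor"}

# A token is '%' followed by a run of digits or by a single letter.
TOKEN_RE = re.compile(r"%(\d+|[A-Za-z])")


def tokenize(name):
    """Return (token, category) pairs for every %-sequence in a file name."""
    pairs = []
    for match in TOKEN_RE.finditer(name):
        body = match.group(1)
        if body.isdigit():
            # Digits not named above (%3, %5, %169 ...) also change the display.
            category = DIGIT_EFFECTS.get(body, "numeric-other")
        else:
            # Any other letter is plain obfuscation (%h%a%t%e = hate).
            category = LETTER_EFFECTS.get(body, "obfuscation")
        pairs.append((match.group(0), category))
    return pairs


def assess(name):
    """Classify one file name; only .reg files are inspected."""
    is_reg = name.lower().endswith(".reg")
    tokens = tokenize(name) if is_reg else []
    categories = dict(Counter(category for _, category in tokens))
    if not tokens:
        severity = "none"
    elif HIGH_RISK & set(categories):
        severity = "high"
    else:
        severity = "suspicious"
    return {"name": name, "is_reg": is_reg, "tokens": tokens,
            "categories": categories, "severity": severity}


def triage(names):
    """Return assessments of flagged names only, high severity first."""
    order = {"high": 0, "suspicious": 1}
    flagged = [a for a in map(assess, names) if a["severity"] != "none"]
    return sorted(flagged, key=lambda a: order[a["severity"]])


# Sample input: the first name is the one quoted in the article,
# the others are constructed for this example.
SAMPLES = [
    "Microsoft-Security-Update v1.2-Windows-10."
    "r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%b%1%0.reg",
    "backup-2019-03.reg",          # ordinary name, no %-sequences
    "settings 100% final.reg",     # '%' followed by a space is not a token
    "notes%n.txt",                 # not a .reg file, ignored
    "tweak%h%a%t%e.reg",           # letter obfuscation only
    "PATCH%0.REG",                 # upper-case extension, string terminator
]

if __name__ == "__main__":
    for result in triage(SAMPLES):
        print(result["severity"], result["categories"], result["name"])
```

A legitimate .reg file name has no reason to contain these sequences, so even the "suspicious" level is worth quarantining or renaming before the file reaches a user.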

Windows 10 V1809: new cumulative Update in Release Preview Ring


As expected, Microsoft has released a new cumulative update for Windows 10 version 1809. Currently it’s available only for Windows Insiders in the Release Preview Ring. Italian site aggiornamentilumia.it has spotted cumulative update KB4490481, which raises the OS build to 17763.404. There is no revised change log. This update had been offered on March 21, 2019 in the Release Preview Ring and caused issues. A few more details may be read within my German blog post linked above.

Windows 10 shows strange Test notifications


Currently, users are reporting very strange notifications with test messages that appear on Windows 10. Either there’s a trainee with keyboard issues at work at Microsoft, or there’s a security issue that lets third parties send notifications.

The site hothardware.com has published the story here. Basically, everything is said in the above paragraph. In the Microsoft News section, Windows 10 users are suddenly shown test messages that are at least ‘strange’.

Notifications
(Source: hothardware.com)

At reddit.com there is this thread, where someone’s raising these notifications and asking if this could be a virus.

I just got two notifications coming from the notification tab that’s in the lower right hand corner (next to the time and date). The first one popped up as “Microsoft movies – this test notification” and then 5 minutes later it popped up again as “Microsoft movies – thsi test notification”. The typo was there as it popped up. I clicked on it both times and it sent me to the Microsoft News app but nothing showed up other than an error message.

Anyone else experience this? What steps should I take if it’s a virus?

Several users who have received similar messages report in the thread. One then posted this image as documentation.

(Source: Imgur)

A user writes that he is using Windows 10 Pro Version 1809 (OS Build: 17763.379). Here is another thread on this topic. Some users said they were so scared by the notifications that they were about to reinstall their machines. But they came across the thread mentioned above. The pop-up notifications have been reported for Windows 10 versions 1803 (April 2018 update) and 1809 (October 2018 update). Apparently the whole thing is limited to the USA – or has any of you received such a notification?

Windows 10 V1903: Update KB4496796 for Slow Ring


Microsoft’s developers continue to fix bugs within the Windows 10 19H1 development branch, which (hopefully) will soon be released as Windows 10 Version 1903. Now an update has been released that fixes the upgrade bug in build 18356.16.

At the end of March 2019 Microsoft had to stop the distribution of the Windows 10 Insider Preview Build 18362 in the Slow Ring. The reason was installation problems for users who were running build 18356.21. I had discussed details within my blog post Windows 10 Insider Build 18362 stopped in Slow Ring – Workaround. They also suggested a workaround to perform the upgrade.

Microsoft fixes the upgrade bug

In an addendum from April 2, 2019, Microsoft has announced the following in the post Announcing Windows 10 Insider Preview Build 18362:

UPDATE 4/2: We have released Build 18356.21 (KB4496796) to Windows Insiders in the Slow ring who are currently on Build 18356.16. This update will get Insiders who are on Build 18356.16 back into a good state so they can update to Build 18362. We are allowing a few days for this update to roll out before offering Build 18362 – so that means Insiders will still not see Build 18362 offered after updating to Build 18356.21. But stay tuned!

So the upgrade blocking bug in Insider Preview build 18356.16 seems to be fixed. (Thanks to EP for the comment).

Windows 10 V1809: Updates KB4490481 and KB4493510


Microsoft has released the cumulative update KB4490481 and a Servicing Stack Update KB4493510 for Windows 10 V1809 on April 2, 2019. KB4490481 is an optional update.

The update has been tested with insiders during the last weeks in the Release Preview Ring. Yesterday I reported about it in the article Windows 10 V1809: new cumulative Update in Release Preview Ring.

Now Microsoft has released the cumulative update KB4490481 for Windows 10 V1809 and Windows Server 2019 in general. The update raises the Windows build to 17763.404. The update contains quality improvements and addresses the following issues:

  • Addresses an issue that occurs on machines that have multiple audio devices. Applications that provide advanced options for internal or external audio output devices may stop working unexpectedly. This issue occurs for users that select an audio output device different from the “Default Audio Device”. Examples of applications that may stop working include Windows Media Player, Realtek HD Audio Manager, and the Sound Blaster Control Panel.

  • Includes a fix for Game Mode that ensures the feature will no longer impact your experiences when using the industry’s top streaming and recording software.
  • Enables activation of insider builds of Windows 10 Enterprise for Virtual Desktops in Microsoft Azure. Microsoft Azure is the only tested and supported platform to host Windows 10 Enterprise for Virtual Desktops, which is a key part of Windows Virtual Desktop.

  • Addresses an issue that may cause the loss of Favorites or the Reading List in Microsoft Edge after updating the operating system. 
  • Addresses an issue that causes Internet Explorer to randomly stop working while browsing. 
  • Addresses an issue with scrolling ActiveX content in a window in Internet Explorer 11 during a user-triggered scroll operation. 
  • Addresses an issue that prevents the operating system from loading new icon files if it encounters a badly formatted icon file. 
  • Updates time zone information for São Tomé and Príncipe. 
  • Updates time zone information for Kazakhstan. 
  • Updates time zone information for Buenos Aires, Argentina. 
  • Addresses an issue that prevents the “Turn off app notifications on the lock screen” policy from working. The path is “Computer Configuration\Administrative Templates\System\Logo”. 
  • Addresses an issue in which the graphics device interface (GDI) DeleteObject() may cause the calling process to stop working when both of the following conditions are true:
    • The calling process is a WOW64 process that handles memory addresses larger than 2 GB.
    • The DeleteObject() is called with a device context that is compatible with a printer device context.
  • Addresses an issue that prevents applications and callers from connecting to destination endpoints when they use network interfaces that don’t have a default gateway. This issue affects the following:
    • Internet access fails on devices with DSL modems and PPPoE dial-up Internet connections (commonly used with DSL modems).
    • Modern and Microsoft Store apps behave as if there is no Internet access on devices with DSL modems.

Web browsers and Win32 applications that are connected to the Internet are not affected by this issue. 

  • Addresses an issue that causes Windows to reuse an expired Dynamic Host Configuration Protocol (DHCP) lease if the lease expired while the OS was shutdown. 
  • Addresses an issue that causes the RemoteApp window to come to the foreground and to always remain active after closing a window. 
  • Addresses an issue that prevents the authentication credentials dialog from appearing when an enterprise web server attempts to connect to the Internet. 
  • Addresses an issue that may prevent Modern apps icons from appearing in the Taskbar and the Task Switcher during a RemoteApps connection. 
  • Addresses an issue that causes certain Microsoft Store applications to fail to launch or stop working, including WeChat on the Universal Windows Platform (UWP). 
  • Addresses an issue that fails to register USB cameras correctly for Windows Hello after the out of box experience (OOBE) setup. 
  • Adds a new Group Policy setting called “Enable Windows to soft-disconnect a computer from a network”. This determines how Windows will disconnect a computer from a network when it determines that the computer should no longer be connected to the network.

    • If enabled, Windows will soft-disconnect (disconnection is not immediate or abrupt) a computer from a network.
    • If disabled, Windows disconnects a computer from a network immediately.
    • If not configured, the default behavior is soft-disconnect. For more information about soft-disconnect, see Understanding and configuring Windows Connection Manager.

Path: Computer Configuration\Policies\Administrative Templates\Network\Windows Connection Manager

  • Addresses an issue that prevents a virtual smart card from starting when running in conjunction with Citrix 7.15.2000 Workstation VDA software. 
  • Addresses an issue that prevents users from configuring their screens for high-dynamic-range (HDR) video playback. 
  • Addresses an issue with the Windows lock screen that prevents users from unlocking a device after multiple smart card users have used the same device. This issue occurs when you attempt to use a workstation that another user has locked. 
  • Addresses a memory leak that occurs when a system processes logon sessions. 
  • Addresses an issue that causes Always-On VPN exclusion routes to only work for link-local exclusions. 
  • Addresses an issue that causes certificate renewal to fail when using CERT_RENEWAL_PROP_ID with the ICertPropertyRenewal interface. 
  • Addresses an issue that mutes the sound of single-use applications, typically used in kiosk scenarios, after the system resumes from Sleep. 
  • Addresses an issue to meet GB18030 certificate requirements. 
  • Addresses an issue that slows server performance or causes the server to stop responding because of numerous Windows firewall rules. To enable this solution, use regedit to modify the following and set it to 1:
    • Type: “DeleteUserAppContainersOnLogoff” (DWORD)
    • Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
  • Addresses an issue that prevents the decryption of data using Windows 10, version 1703 or later versions of Windows. This issue occurs if you encrypted that data using DPAPI-NG or a group-protected PFX file on Windows 10, version 1607, Windows Server 2016, or earlier versions of Windows. 
  • Addresses an issue with evaluating the compatibility status of the Windows ecosystem to help ensure application and device compatibility for all updates to Windows.
  • Addresses minor issues with unknown options (unknown OPT) in the Extension Mechanisms for DNS (EDNS) for the Windows DNS Server role.

  • Addresses a timing issue that may result in an access violation when configuring Switch Embedded Teaming (SET).

  • Addresses an issue with the Remove-StoragePool PowerShell cmdlet that fails to clear pool metadata on NVDIMM physical disks.

  • Enables X2APIC support for AMD platforms to support 256 or more logical processors on Windows Server 2019.

  • Addresses an issue that prevents date parsers from converting future and past dates (Gregorian and Japanese) in compound documents (formerly OLE) to a relevant Japanese Era date. For more information, see KB4469068.

  • Addresses an issue that prevents users from enabling gan-nen support for the Japanese Era. For more information, see KB4469068.

  • Addresses an issue that causes slow screen refresh rates when an application creates and destroys many child windows.

  • Addresses an issue that causes the Start menu layout to reset or reset at every logon after an in-place upgrade to Windows 10, version 1809 from previous versions of Windows.

  • Addresses an issue that causes Wdiwifi.SYS to stop working with the error “7E (0xc0000005)”. This issue occurs when a client device is roaming between wireless access points (WAP) that have the same BSSIDs on the 2.4 GHz and 5 GHz bands.

This is an optional update that is downloaded and installed only when you manually run the update search (Settings App, Update & Security > Windows Update and then select Check for Updates). You can also download and install the package via Microsoft Update Catalog.

The installation requires that the latest Servicing Stack Update (SSU) is installed. If you are using Windows Update, you will automatically be offered the latest SSU (KB4493510). To obtain the stand-alone package for the latest SSU, visit the Microsoft Update Catalog.

Known Issues

However, update KB4490481 comes with a long list of known issues, so installing it is not recommended.

Each known issue is listed below as a symptom, followed by Microsoft's remark (workaround and status).

After installing this update, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:

  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.

Create unique user accounts so that two people don’t share the same user account when logging on to a Windows Server machine. Additionally, disable multiple RDP sessions for a single user account for a specific Windows Server.

Microsoft is working on a resolution and will provide an update in an upcoming release.

After installing this update, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Microsoft is working on a resolution and will provide an update in an upcoming release.

After installing this update, Custom URI Schemes for Application Protocol handlers may not start the corresponding application for local intranet and trusted sites on Internet Explorer.

Right-click the URL link to open it in a new window or tab.

Or

Enable Protected Mode in Internet Explorer for local intranet and trusted sites.

  1. Go to Tools > Internet options > Security.
  2. Within Select a zone to view or change security settings, select Local intranet and then select Enable Protected Mode.
  3. Select Trusted sites and then select Enable Protected Mode.
  4. Select OK.

You must restart the browser after making these changes.

Microsoft is working on a resolution and will provide an update in an upcoming release.

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options:

Option 1:
Open an Administrator Command prompt and type the following:

Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No

Option 2:
Use the Windows Deployment Services UI.

  1. Open Windows Deployment Services from Windows Administrative Tools.
  2. Expand Servers and right-click a WDS server.
  3. Open its properties and clear the Enable Variable Window Extension box on the TFTP tab.

Option 3:
Set the following registry value to 0:

“HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”.

Restart the WDSServer service after disabling the Variable Window Extension.

Microsoft is working on a resolution and will provide an update in an upcoming release.

If you enable per font end-user-defined characters (EUDC), the system will stop working and a blue screen will appear at startup. This is not a common setting in non-Asian regions.

To avoid this issue, don’t enable per font EUDC. As an alternative, you can edit the registry to mitigate this issue; for more information, see KB4496149.

Microsoft is working on a resolution and will provide an update in an upcoming release.

Similar articles:
Microsoft Office Updates (Patchday April 2, 2019)
Windows 10 V1809: Updates KB4490481 and KB4493510

.NET Framework Update KB4489192 (April 2, 2019)


On April 2, 2019, Microsoft released a cumulative security update KB4489192 for .NET Framework 3.5 and 4.7.2 for Windows 10, version 1809, and Windows Server 2019.

The list of improvements and fixes for the KB4489192 cumulative security update is pleasingly short:

  • Addresses an issue in which the Framework throws an exception if the year in the parsed date is greater than or equal to the start year of the next era. Now, the framework will not throw such exception.
  • Updates Japanese Era dates that are formatted for the first year in an era and for which the format pattern uses the “y年” characters. The format of the year together with the symbol “元” is supported instead of using year number 1. Also, formatting day numbers that include “元” is supported.
  • Allows the output of Gannen characters in Japanese Era formatting of first year dates regardless of whether the format pattern includes single quotation marks around the “年” character.

So once again we are talking about patching the Japanese calendar. There are no known problems with this update. To get the update, go to Settings > Update & Security > Windows Update and select Check for updates.


Hackers are Loving Windows PowerShell


PowerShell is available as a scripting environment on all Windows systems and is popular not only with administrators. Attackers also appreciate PowerShell as a way to run malicious scripts in Windows environments.

When evaluating security incidents at customers, security researchers at Red Canary found that PowerShell was at the top of the list of cybercriminal preferences. This is the conclusion of the article Hackers Are Loving PowerShell, Study Finds.

Data collected from 10,000 confirmed attacks shows that PowerShell, Scripting, Regsvr32, Connection Proxy, Spearphishing Attachments and Masquerading were the most common techniques. The most commonly used attack technique is PowerShell, and the reason is clear. PowerShell has been standard on virtually every Windows operating system for a decade. PowerShell provides access to the Windows API and is rarely restricted, so attackers can use it to perform management and automation tasks.

Attackers can use PowerShell to control the execution of a local script, retrieve and run remote resources using various network protocols, encode payloads passed from the command line, or load PowerShell into other processes.

Easily available PowerShell libraries allow deployments to take full advantage of PowerShell functionality in any process. PowerShell’s open source and cross-platform availability has also led to the development of tools that are capable of creating malicious code for Windows, macOS, and Linux. More details can be found in Hackers Are Loving PowerShell, Study Finds.
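The behaviours listed above (relaxed script execution, remote retrieval, encoded command lines) leave traces in process-creation records, and the sketch below shows how a defender can surface them. It is an added example, not code from this blog or from the Red Canary study; the hint list, finding names and sample records are constructed assumptions.

```python
import base64
import binascii
import ntpath

# Substrings that suggest fetching remote content. This short list is an
# assumption made for the example, not a complete detection rule set.
REMOTE_HINTS = ("invoke-webrequest", "net.webclient", "downloadstring",
                "downloadfile", "start-bitstransfer")


def is_flag(token, full, alias, min_len=1):
    """True if token spells parameter `full` (any prefix of it) or its alias."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == alias or (len(name) >= min_len and full.startswith(name))


def decode_encoded_command(blob):
    """Decode an -EncodedCommand value (Base64 of UTF-16LE); None if invalid."""
    blob = blob.strip("'\"")
    if not blob:
        return None
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyse(image, command_line):
    """Return sorted findings for one process-creation record."""
    if ntpath.basename(image).lower() not in ("powershell.exe", "pwsh.exe"):
        return []
    findings = set()
    script_text = command_line
    tokens = command_line.split()
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        # PowerShell accepts abbreviated parameter names, so -e, -enc and
        # -EncodedCommand must all be treated as the same switch.
        if is_flag(tok, "encodedcommand", "ec"):
            decoded = decode_encoded_command(nxt)
            if decoded is None:
                findings.add("encoded-command-undecodable")
            else:
                findings.add("encoded-command")
                script_text += "\n" + decoded  # match hints on decoded text too
        elif is_flag(tok, "executionpolicy", "ep", min_len=2):
            if nxt.strip("'\"").lower() in ("bypass", "unrestricted"):
                findings.add("execution-policy-relaxed")
    lowered = script_text.lower()
    if any(hint in lowered for hint in REMOTE_HINTS):
        findings.add("remote-content")
    return sorted(findings)


def encode_command(script):
    """Build an -EncodedCommand value (used only to construct sample input)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FETCH = "Invoke-WebRequest http://example.invalid/report.csv -OutFile r.csv"

# Constructed sample records (image, command line); not real telemetry.
SAMPLES = [
    (PS, "powershell.exe -NoProfile -enc " + encode_command(FETCH)),
    (PS, r"powershell.exe -ep Bypass -File C:\scripts\inventory.ps1"),
    (PS, "powershell.exe -e not-base64!!"),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe -enc AAAA"),
]


def run_samples():
    """Analyse every constructed record and return the findings in order."""
    return [analyse(image, cmd) for image, cmd in SAMPLES]


if __name__ == "__main__":
    for (image, cmd), result in zip(SAMPLES, run_samples()):
        print(ntpath.basename(image), result)
```

In the first record the remote-retrieval hint only becomes visible after the encoded argument is decoded, which is why matching on the raw command line alone is not enough.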

KB4490481 fixes/adds group policies in Windows 10 V1809


The recently released cumulative update KB4490481 also fixes various issues with group policies and adds further group policies in Windows 10 V1809. Here are a few details.

I’ve addressed cumulative update KB4490481 within my blog post Windows 10 V1809: Updates KB4490481 and KB4493510. Microsoft released that update on April 1/2, 2019, after testing it for weeks with Windows Insiders. This update is now generally available for Windows 10 V1809 and Windows Server 2019. The update description says:

Adds a new Group Policy setting called “Enable Windows to soft-disconnect a computer from a network”. This determines how Windows will disconnect a computer from a network when it determines that the computer should no longer be connected to the network.

  • If enabled, Windows will soft-disconnect (disconnection is not immediate or abrupt) a computer from a network.
  • If disabled, Windows disconnects a computer from a network immediately.
  • If not configured, the default behavior is soft-disconnect. For more information about soft-disconnect, see Understanding and configuring Windows Connection Manager.

German blog reader and MVP Thomas Bittner pointed out this change to me and sent me the following text ‘New and Fixed Group Policy Setting with Windows 10 KB4490481’ via mail:

Microsoft has just released a new rollout KB hotfix for Windows 10 on the 1st April (not joking). What is notable about this update is there are a couple of Group Policy settings that have been fixed and added.

First one is only minor and they have resolved an issue with the policy setting “Turn off app notifications on the lock screen” which can be found under Computer Configuration > Administrative Templates > System > Logo.

The second Group Policy change is they have now added support to configure “Enable Windows to soft-disconnect a computer from a network”. What is “soft-disconnect” you ask? Put simply, it's a way for a computer to notify applications to stop using a specific network interface. If there is an active TCP connection then it will not interrupt that connection. Then after 30 seconds if it still sees that someone or something is using the connection in a significant way (e.g. Skype Call) it will not close the connection. This is a far better experience for users, however it can also lead to computers not swapping from wireless to wired connections. It is a default option for Windows 8 and later, so if you want to ensure that network connections are closed then you should disable this policy.

The update can be obtained via Windows Update or as a download via Windows Update Catalog. At End Point Central, MVP colleague Alan Burchill has posted an article New and Fixed Group Policy Setting with Windows 10 KB4490481 about that topic.

Problem with this patch: The cumulative update KB4490481 is offered as an optional update for Windows 10, but the update has a whole bunch of known issues (see my post Windows 10 V1809: Updates KB4490481 and KB4493510). So I don’t recommend installing that patch. Thanks to Thomas B. for the hint.

Windows 10 19H1 Update KB4497464 (April 4, 2019)


Microsoft has released a new cumulative update KB4497464 to the Windows 10 Insider Preview in the 19H1 development branch. This is available for Fast and Slow Ring machines.

The announcement was made on April 4, 2019 as a supplement to the article introducing the Windows 10 Insider Preview Build 1836, which now reads:

UPDATE 4/4: We have released Build 18362.30 (KB4497464) to Windows Insiders in the Fast AND Slow rings. If you have updated to Build 18356.21 – this build will be offered. Build 18362.30 includes the following fixes:

  • We fixed an issue where AAD users were not able to sign-in after updating to 19H1 on AAD-joined PC not enrolled into MDM.
  • We fixed an issue where users were unable to enable\disable .NET Framework or other optional feature-on-demand (FODs) after installing recent Cumulative Updates.
  • We fixed an issue where a user’s PC may get into an unbootable state after installing a Cumulative Update and then installing an optional feature-on-demand (FOD).

Windows 10 May 2019 Update brings back Update control


Surprisingly, Microsoft has now revealed the name of the upcoming Windows 10 version, announced the delivery schedule and announced more control over the update installation.

It’s called Windows 10 May 2019 Update

In the blog post Improving the Windows 10 update experience with control, quality and transparency, Microsoft’s Mike Fortin, Corporate Vice President, Windows, announced the new Windows 10 feature update together with its name. It will be called Windows 10 May 2019 Update (or Germanized May 2019 Update).

When is Windows 10 May 2019 Update available?

The next surprise will be the deployment of Windows 10 May 2019 Update. It will be available for Windows insiders in the Release Preview Ring next week. According to current plans, this version will be tested with Windows Insiders for one month. Microsoft also plans to roll out the May 2019 update internally and to OEM partners for extensive testing.

Microsoft plans general availability (GA) of the Windows 10 May 2019 Update for ‘end of May 2019’. Users can then search for updates and, if the feature update is offered, install it. For enterprise customers, Microsoft says:

Our commercial customers can begin their targeted deployments in late May, which will mark the beginning of the 18-month servicing period for Windows 10, version 1903 in the Semi-Annual Channel. We recommend IT administrators start validating the apps, devices and infrastructure used by their organizations at that time to ensure that they work well with this release before broadly deploying. The May 2019 Update will be available in late May through Windows Server Update Services (WSUS), Windows Update for Business, the Volume Licensing Service Center for phased deployment using System Center Configuration Manager or other systems management software.

Within the blog post, Microsoft also promises to revise the Machine Learning Model (ML) for the rollout and to focus intensively on bugs that only affect a small number of users. Any upgrade blockers found will be documented on the Windows 10 Update History page (as with the V1809). In my opinion, Microsoft thus takes into account the (painful) experiences made with Windows 10 V1803 and V1809.

Take back control over updates?

Pressure from users, who have been asking to take back control of updates since the release of Windows, and the ‘update accidents’ of recent years have made Microsoft change its position slightly. Microsoft writes that regular updates are crucial for the security and smooth operation of modern devices. Nothing will change for security and quality updates in this respect.

But for feature updates, Redmond has accepted that users have clearly communicated that they want more control over updating the operating system. This is what Microsoft says now:

we have heard clear feedback that the Windows update process itself can be disruptive, particularly that Windows users would like more control over when updates happen.

Within the article linked above, Fortin now announces ‘significant changes in the Windows update process’ that give users more control. In earlier Windows 10 Feature Update rollouts, the update installation was automatically started on a device as soon as Microsoft’s telemetry data indicated that this Windows 10 feature update could somehow be brought to the machine.

From the Windows 10 May 2019 Update onwards, users have more control over initiating the installation of a feature update.

(Feature updates in Windows 10 May 2019 Update, Source: Microsoft)

  • Users are automatically notified when a feature update is available for the machine and is considered recommended by Microsoft. The above screenshot shows a separate section under Windows Update where the feature update is displayed.
  • The user gains only a bit more control when installing updates. This is because they can click the Download and install now link in the Windows Update settings to initiate the feature update installation process. Users can still click Check for Updates to receive monthly quality and security updates.
  • However, there is a special condition for machines that have a Windows 10 build installed that has reached or will soon reach the end of support (will get no more updates). Microsoft will then automatically install the feature update on that machine (if it appears compatible). This is to ensure that the machine continues to receive security and quality updates.

The user also gains more control when installing updates. In all Windows 10 variants, it is now possible to choose whether the system is to be updated by an update search or whether updates are to be postponed for up to 35 days for installation.

  • Extended ability to pause updates for both feature and monthly updates. This extended ability is for all editions of Windows 10, including Home. The Windows 10 May 2019 Update makes it possible for all users to pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, users will need to update their device before pausing again.
  • Intelligent active hours to avoid disruptive update restarts. The active hours feature, introduced in the Windows 10 Anniversary Update, relies on a manually configured time range to avoid automatically installing updates and rebooting. Many users leave the active hours setting at its 8 a.m. – 5 p.m. default. To further enhance active hours, users will now have the option to let Windows Update intelligently adjust active hours based on their device-specific usage patterns.
  • Improved update orchestration to improve system responsiveness. This feature will improve system performance by intelligently coordinating Windows updates and Microsoft Store updates, so they occur when users are away from their devices to minimize disruptions.

But the ‘sensation’ had already been visible in the Insider Preview builds for a while, where the option to delay updates by 7 days was also available for Windows 10 Home (see this tweet).

Showing the updated Windows Update Settings page. The subpage links are now buttons instead of hyperlinks, and have icons next to them. (Source: Microsoft)

My 2 cents

It’s all a little surprising, I think. However, I still have the thought in my head that Microsoft is letting ‘just a little pressure out of the kettle’, but doesn’t really change too much. Because nothing changed compared to previous builds. In Pro/Enterprise you could postpone updates too (in Home, there are tools to block updates), and the rollout of Windows 10 V1809 was also postponed after the first faulty release.

Also, the ‘take back control’ thing hyped worldwide in blogs and on internet sites is just a blue pill. Yes, we have an option that lets users suspend updates for 7 days, and that may be repeated up to five times. The delay of max. 35 days is owed to the hope that Microsoft has fixed an issue within a (feature) update or has pulled that faulty update. And we (hopefully) have the possibility not to install a feature update for 18 months, if we avoid clicking the Download and install link. But why so complicated? We already had an option in previous Windows 10 builds that allowed us to suspend updates in Pro and Enterprise (CBB) for up to 30 days for quality updates and up to 365 days for feature updates. So why haven’t they ported that to all SKUs of Windows 10 May 2019 Update? And we still have no choice to block a faulty update forever, as we can do in Windows 7/8.1. How often has Microsoft shipped quality updates with known bugs for months? To block such an update, we still need the wushowhide.diagcab tool. My gut feeling says ‘too little, too late’. Let’s wait and see what we can report about the new Windows 10 in the near future.

BTW: Mike Fortin has written a very long article with a lot of redundant information that you have to read three times to understand. But he didn’t tell you if Windows 10 will get version 1903. That’s about Microsoft’s credo ‘we provide transparency’.

Windows 10 V1809: Update KB4490481 causes blue screens


Cumulative update KB4490481, released by Microsoft on April 2, 2019, for Windows 10 V1809 and Windows Server 2019, is causing blue screens on some systems.

Microsoft released the KB4490481 cumulative update on April 2, 2019 for Windows 10 V1809 and Windows Server 2019 after a long testing period with Windows Insiders. The update includes quality improvements and raises the Windows build to 17763.404. It should be noted that this update also still contains numerous bugs.

I had listed the fixes in the blog post Windows 10 V1809: Updates KB4490481 and KB4493510. This update also introduces new Group Policy for Windows 10 V1809 (see my blog post KB4490481 fixes/adds group policies in Windows 10 V1809). However, I also wrote in the linked posts that this update has a number of known issues. Therefore I cannot recommend an installation.

Update KB4490481 causes Blue Screens

And now there’s the blue screen problem. Blog reader EP pointed out this problem in this comment. Martin Brinkmann gave a clear warning on Twitter. 

You should not install this update without a backup. Martin Brinkmann ran into a ‘System Service Exception’ error after the installation. Martin writes:

Ran into a System Service Exception error on restart after installing the update on one machine. System Restore fixed the issue, Startup repair did not.

Martin is not the only user who reports problems or BlueScreens in connection with this update. In a comment to his blog post there is a confirmation by another user and also the user EP mentioned above is plagued with a blue screen. Woody Leonhard has collected more findings at askwoody.com in this article.

System Service Exception BSOD

On tenforums, user doctorwizz also reported a System Service Exception BlueScreen (0x0000003B) after installing this update.

I was rebooting from Win10 to boot to Win8.1. The update was installing on the shutdown phase and it was taking longer to install this time. So I tried to boot to Win10 again. It was continuing to update and bam. BSOD System Service Exception.

There is another confirmation within the tenforums thread, from a user who also received a Blue Screen.

I like doctorwizz above also have BSOD on every machine I have after restarting to complete this update. They all run Win 10 Enterprise. I don’t have any special software running and I’ve never had such problems before. I got out of the fix by doing a system restore and I’m back at 17783.379 now. I tried an experiment or two. I tried the standalone windows catalog installer….same thing. I tried also the installer for kb4493510 and strangely it said it was already installed (but it’s not…well not that I can see). It’s all very odd.

Woody Leonhard compiled all the findings in this article on Computer World. He received further feedback on Twitter, where another user confirmed such a BSOD.

Comments in the askwoody.com forum (here, here and here) also confirm the BSOD.

A possible explanation

Within the known issues section of update KB4490481, Microsoft mentions a BlueScreen condition caused by this update:

  • If you enable End-User-Defined Characters (EUDCs) per font, the system will stop working and a blue screen will be displayed at startup. In regions other than Asia, this is not a common setting.
  • Microsoft writes about it: To avoid this problem, you should not enable EUDC per font. Alternatively, you can edit the registry to alleviate the problem. For more information, see KB4496149.

However, none of the systems mentioned above that ran into the BlueScreen are Asian systems, so per font EUDC should not be enabled on them. Final question: Are any of you affected?

Similar articles:
Windows 10 V1809: Updates KB4490481 and KB4493510
KB4490481 fixes/adds group policies in Windows 10 V1809
