Just a brief note: In the blog post Windows 10 Insider Preview Build 19008 (20H1) I mentioned, that the insider preview was available in the Fast Ring. On October 24, 2019, Microsoft rolled out the update KB4527587 in the Fast and Skip Ahead Ring  (the addendum can be found here). This increases the build to 19008.1000. The change is intended to test the update feature.

[German]On October 24, 2019, Microsoft released the optional update KB4522355 to fix the start menu and many other issues caused by previous update – and causes additional issues. In addition, an AutoPilot update KB4523786 has been planned to be rolled out for certain machines in the corporate environment, but that has gone wrong.

Chaotic AutoPilot Update KB4523786

Windows AutoPilot  is a collection of technologies for setting up and pre-configuring new devices that can only be used in corporate environments. Effective October 24, 2019, Microsoft released KB4523786 (Cumulative Update for Autopilot in Windows 10 Version 1903, October 22, 2019). The update is optional, so it was only offered after an update search. The update is intended to bring some improvements and fixes for Windows 10 devices configured with Windows Autopilot.

Microsoft explicitly writes in the support article that this update will not be rolled out for Windows 10 Home. Even Windows 10 Pro will not receive the update if the device has not been prepared and registered for AutoPilot. That’s the theory I described last night in the blog post Windows 10 V1903: AutoPilot-Update KB4523786. Shortly after the article was published, users protested in my blog, because they were offered and installed this update on Windows 10 Home. 

John wrote:
On my Windows 10 Home I also received the autopilot update (KB4523786). Strange!

Peter wrote:

The same goes for me.
I have Windows 10 Home 64 Bit Version 1903 (Built 18362.449 after updates).
The following updates were successfully installed:
KB4522741 Cumulative Update for .Net Framework 3.5 and 4.8
KB4523786 Windows Autopilot Update
and the optional:
KB4522355 Cumulative Update for Windows 10 Version 1903

Apparently Microsoft ‘opened the floodgates’ too wide for this update and distributed it with the watering can to all Windows 10 systems with version 1903, no matter which SKU was available. Theoretically, this should not be a problem, as the AutoPilot update remains unused on such machines. But it’s stupid when unused code floats around on the system – at some point there will be collisions. So you should uninstall the update via Control Panel -> Programs and Features -> Installed Updates.

Meanwhile Microsoft has blocked the AutoPilot update KB4523786 on 10/25/2019 again for distribution via Windows Update (see). Woody Leonhard revealed some more details in this ComputerWorld article. For example, a user in this post points out that the update is intended for lower-level TPM chips. This is also mentioned in the Microsoft support article. So the update is supposed to correct some problems like hangers by the TPM chip. Possibly the update distribution has been fixed to this TPM chip. Be that as it may, the Microsoft support articles claim something different than what the users see. But now the update should no longer be offered.

Update KB4522355 for Windows 10 Version 1903

Optional cumulative update KB4522355 was distributed on October 24, 2019 for Windows 10 version 1903 and to insiders with version 1909. It is intended to fix a number of bugs in the relevant Windows 10 versions (see Windows 10 V190x: Update KB4522355 released).

Bleeping Computer writes here, that the issues with some Intel and Broadcom Wi-Fi adapters has been fixed. But the upgrade block to Windows 10 V1903 has not yet been lifted, and some users report that their WLAN adapters are still not working.

It might also be helpful to have a fix to eliminate the high CPU load on Remote Desktop Connections (RDP). It also promises to fix the start menu problems caused by previous updates (see Windows 10: Fixes for October 2019 (start menu) issues). However, there are user objections.

• In this German comment user JensDoe reported, that this update bricks his desktop search again.
• In this German cKomment a 2nd user reported, that the update didn’t fix the bricked desktop search on his system.
• User Darren reported here, that his broken start menu is still unfixed. 

Somehow this update probably leaves some users open to ‘wishes’. Have you noticed any other problems?

Similar articles:
Windows 10 V190x: Update KB4522355 released
Windows 10 V1903: AutoPilot-Update KB4523786.
Windows 10 V190x: Update KB4522355 released
Windows 10 V1903: Update KB4517389 breaks Edge Browser [Fix]
Windows 10: Fixes for October 2019 (start menu) issues

[German]Microsofts October 2019 updates for Windows 10 have caused a lot of trouble for border authorities in Australia. Companies could no longer access the Integrated Cargo System of the Australian Border Force.

The Australian Border Force (ABF) uses an Integrated Cargo System (ICS) for customs clearance. Companies can access this integrated cargo system via the Internet using a browser to handle import/export controls and customs formalities.

Windows 10 October 2019 update brorks ICS access

On October 8, 2019, Microsoft rolled out a series of security updates for Windows 10 (see Patchday Windows 10-Updates (October 8, 2019)). Subsequently, companies discovered that Windows 10 no longer allowed access to the ICS web pages in Internet Exploer. The Australian Border Force published this article on October 25, 2019, which highlights the problem.

MICROSOFT WINDOWS UPDATE – ICS ACCESS ISSUES

On 8 October 2019, Microsoft released a Windows 10 security update, which caused worldwide issues for some users, including interoperability problems between some versions of Windows 10 systems and the Integrated Cargo System (ICS). The issue affects clients when attempting to login to the ICS portal using Internet Explorer.

Our technical teams are working with Microsoft at the highest priority to understand and resolve the root cause of the issue and to develop an appropriate solution. A change in behaviour of the protocol establishing the security of the connection with ICS is causing authentication failures.

We are aware that some users have removed the update to successfully restore connectivity. We recommend any decision to remove the security update is informed by an appropriate risk assessment and analysis.

Additional security controls to limit any risk associated with the removal of the patch such as the use of standalone machines should be considered.

Your cooperation and understanding is appreciated as we work to identify an acceptable long term solution to this problem. An update will be provided as soon as relevant information is available.

In short: The security update of 8 October 2019 causes access issues to the Integrated Cargo System in Internet Explorer (IE) in Windows 10. However, IE is mandatory for these accesses. The IT staff of the Australian Border Force are currently working with Microsoft to identify the problem.

The authority writes that some users have uninstalled the security updates from October 8, 2019 back into Windows 10 to work with the Integrated Cargo System. The Australian Border Force writes in the above article that such a step should only be carried out after a risk analysis. On the other hand, what options do the companies have if they need to access the Integrated Cargo System to handle the import and export of goods?

Protocol changes cause issues

According to the authority, ‘a change in the behavior of the protocol that secures the connection to the ICS causes authentication errors’. The Register has seen an E-Mail that says “the Australia Border Force is working with teams from Unisys, IBM, Home Affairs, and Microsoft to find a solution to these issues”. They say the Australia Border Force is to blame by still using Internet Explorer as a browser for government applications. But I think many companies are still using Internet Explorer for intranet web applications. And so Windows as a service remains an adventure. Or how do you manage this in the company?

[German]A brief information for administrators who are involved in creating reference images for Windows Server 2019. I came across a post that might be helpful.

I myself don’t have any activity in this business, so I can’t really judge if it’s needed. But I’ll post the information here on the blog – maybe one or the other admin might find it helpful.

New blog post: Building the Perfect Windows Server 2019 Reference Image (Covers both offline servicing and build and capture scenarios) https://t.co/4BUafQmoke pic.twitter.com/VshYqHPmLa

— Johan Arwidmark (@jarwidmark) October 19, 2019

Johan Arwidmark is Chief Technology Officer at TrueSec, but has published a private blog post on Twitter about creating a reference image for Windows Server 2019. 

The Wannacry ransomware has hit many computers in 2017. Over the last year we have seen some re-infections in some sites, but not a big ware of infections. Now there are signs, dass some people probably may be facing new infections.

I haven’t too much details. But security researcher @VessOnSecurity has just postet the following Tweet.

Several people in various countries seem to have a bit of a WannaCry problem… pic.twitter.com/osq29Bo2cY

— Vess (@VessOnSecurity) October 27, 2019

The embedded graphics shows the ‘Uploaded Unique Malware’ detected for Ransom.Wannacry from Symantec.

Similar articles
WannaCry has infected chip maker TSMC fabs …

[German]Currently there is a rumour that Microsoft wants to adjust the completion dates for Windows 10 builds and declares feature updates at the end of the year (December) and in summer als ready to market (RTM).

In the past Microsoft has rolled out feature updates for Windows 10 in spring (April to May) and autumn (October to November). These versions were completed (RTM) in March and September of the respective year. Only the first Windows 10 (RTM) version and the Anniversary Update were released in summer 2015 and 2016, respectively.

Zac Bowden reports now on Windows Central in this article that Microsoft wants to adapt the upcoming Windows 10 20H1 as the first version to the development cycle of the Azure kernel. Therefore the Windows 10 20H1, which is expected for spring 2020, should reach the so-called RTM status in December 2019. However, it is not known when this version will be delivered to the general public.

While in the past Windows 10 feature updates were usually completed in March and September, Microsoft, according to Bowden, plans to complete OS releases in December and June as RTM. This means that the development cycle of Windows 10 updates will be delayed by two to three months. One will be completed in winter and one in summer.

This decision was probably already made when Windows 10 was affiliated to Microsoft Azure in development. In order to align the development plans of Azure and Windows, a feature version of Windows 10 had to be skipped. The 19H2 version of Windows 10 is the result because it is an update.

Zac Bowden writes that the 20H1 version of Windows 10 is almost finished and was internally marked as feature-complete in August. Since that time, Microsoft has mainly focused on fixing bugs and polishing the operating system for release. For this reason, insiders haven’t gotten any major new features in 20H1 builds for several months now, as the Windows 10 20H1 release is ready. Currently there is still time until Microsoft in mid-December, until the Windows 10 20H1 should be declared RTM ready. Let’s see if these rumors come true.

[German]Microsoft has now released a new service for Windows Defender ATP customers. If they need support for security incidents, these customers may cvall Microsoft’s security experts on demand for assistance with attacks or malware infections. More details may be read within Microsoft’s security blog post Experts on demand: Your direct line to Microsoft security insight, guidance, and expertise. (via)

[German]It seems that Windows 10 version 1903 is also causing issues with mouse cursor during RDP sessions. According to a report, the mouse will stutter or jitter during a remote desktop session.

Windows 10 Version 1903 is a critical beast, when it comes to RDP sessions. I’ve blogged about two issues (black screen and high CPU load) associated with RDP – see the links at the articles end. Now I stumbled about a 3rd issue.

Mouse issues with RDP

Noel Carboni hat brought that to light at askwoody.com within this article. Carboni has updated a Windows 10 machine to version 1903. When he used the company’s VPN and RDP to control this machine remotely, he observed, that the mouse would stutter or jitter. He gave an more detailled explanation for this behavior:

Based on observation, with Win 10 v1903, whenever a new graphic is loaded into the mouse cursor (e.g., the arrow changes to a finger or spinner or whatever) the cursor pointer is moved back to the position it was in where the change was requested by the controlled system.

With Windows 10 version 1809 the same RDP sessions run flaw less. This behavior in Windows 10 v1903 is irritating.

Same cure as last time: Force XDDM driver use

Well, Caroboni found the same workaround, I’ve outlined within the two articles links at the end of this post. In mid-July 2019, I published the blog post Windows 10 V1903: Remote Desktop shows Black Screen, which deals with a different problem in RDP sessions (black screen). My suggestion for a workaround there was to force the use of the XDDM driver instead of the normally used WDDM graphics driver.

1. Launch gpedit.msc with administrative privleges.
2. Then navigate to the following branch in the Group Policy Editor.

Use the branch: Computer Configuration->Policies->Windows Settings->Administrative Templates->Windows Components->Remote Desktop Services->Remote Desktop Session Host->Remote Session Environment, set the Policy Use WDDM graphics display driver for Remote Desktop Connections to Disabled.

Noel Carboni wrote, that this will clear up jittery mouse on Windows 10 v1903. What’s currently not clear: Microsoft has released update KB4522355 for the Windows 10 versions 1903 on October 25, 2019 (see Windows 10 V190x: Update KB4522355 released). One of the fixed issues was:

Addresses an issue with high CPU usage in Desktop Window Manager (dwm.exe) when you disconnect from a Remote Desktop Protocol (RDP) session.

I don’t know, if the mouse stutter issue will be fixed with update KB4522355 in Windows 10 versions 1903. Otherwise use the workaround with GPO as outlined above.

Similar articles:
Windows 10 V1903: Remote Desktop shows Black Screen
Windows 10 V1903: RDP (dwm.exe) causes high CPU load, freezes VMs

Microsoft has released the Windows 10 Insider Preview Build 19013 (from the development branch 20H1) for Windows Insider in the Fast Ring on October 29, 2019. Details about the fixes and new features (there are some emojis) can be found in the Windows Blog.

[German]Microsoft has released another preview version 0.12 of the PowerToys for Windows 10 users. As a new feature the PowerRename Windows Shell Extension has been added.

The PowerToys known from Windows 9x are Open Source and available for free on this GitHub page. I had reported about the first release in September 2019 (Windows 10: First Open Source PowerToys released).

New: PowerRename

PowerRename is a Windows shell extension to rename multiple files using search and replace or regular expressions. PowerRename allows easy searching and replaces or extends matching with regular expressions. As you type the Search and Replace input boxes, the Preview pane displays what the items are renamed to. PowerRename then calls the Windows Explorer file operations engine to perform the renaming. This has the advantage that the renaming process can be undone after PowerRename is exited. The following animation shows the use of the tool.

(PowerRename, Source: GitHub, Click to zoom)

A description of the functions can be found on the PowerRename page. The tool was integrated into the PowerToys by Chris Davis based on his SmartRename tool.

What’s to come

In this GitHub Readme article, the developers have given a brief outlook on what they plan to do with other tools.

• Maximize to new desktop widget – The MTND widget shows a pop-up button when a user hovers over the maximize / restore button on any window. Clicking it creates a new desktop, sends the app to that desktop and maximizes the app on the new desktop.
• Process terminate tool
• Animated gif screen recorder

Details may be read on GitHub.

[German]Windows 7, Windows 8.1 and various Windows Server versions have timeouts in TLS connections after installing the latest October 2019 updates. Microsoft has confirmed these TLS timeouts in a support article.

A Microsoft support article 4528489 (Transport Layer Security (TLS) connections might intermittently fail or timeout when connecting) contains the details. 

The error description

When attempting to connect [to a server], Transport Layer Security (TLS) and Secure Sockets Layer (SSL) may fail temporarily or run on a timeout. One or more of the following errors will be displayed:

• “The request was aborted: Could not create SSL/TLS secure Channel”
• Error 0x800903030f  (SEC_E_MESSAGE_ALTERED)
• An error logged in the System Event Log for SCHANNEL event 36887 with alert code 20 and the description, “A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.​”

The cause of this issue is that Microsoft closed the vulnerability CVE-2019-1318 in Augst 2019 with an update. Now updates from October 2019 seems to cause the TLS timeouts.

Which Windows versions are affected?

Unfortunately, the fix was distributed through various updates to Windows 7, Windows 8.1, and various Windows Server versions that are still in support. Affected are the following Windows versions that have received cumulative updates and rollups as of October 8, 2019 (or later):

• KB4519998 LCU for Windows Server, version 1607 and Windows Server 2016.
• KB4520005 Monthly Rollup for Windows 8.1 and Windows Server 2012 R2.
• KB4520007 Monthly Rollup for Windows Server 2012.
• KB4519976 Monthly Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1.
• KB4520002 Monthly Rollup for Windows Server 2008 SP2

Also affected are systems that have received the following security-only updates dated October 8, 2019.

• KB4519990 Security-only update for Windows 8.1 and Windows Server 2012 R2.
• KB4519985 Security-only update for Windows Server 2012 and Windows Embedded 8 Standard.
• KB4520003 Security-only update for Windows 7 SP1 and Windows Server 2008 R2 SP1
• KB4520009 Security-only update for Windows Server 2008 SP2

Whoever has installed these updates on the machines and receives TLS errors should react and try the following workaround.

A workaround for the TLS problem

Microsoft states two workarounds in the support article, with which the TLS timeout problem can possibly be mitigated.

• Enable support for Extend Master Secret (EMS) extensions when performing TLS connections on both the client and the server operaing system. EMS as defined in RFC 7627,  was added to supported versions of Windows in the calendar year of 2015. Any update released on or after October 8, 2019 will have EMS enabled by default for CVE-2019-1318.
• Or: For operating systems that do not support EMS, remove the TLS_DHE_* cipher suites from the cipher suite list in the OS of the TLS client device. For instructions on how to do this on Windows, see Prioritizing Schannel Cipher Suites.

Microsoft does not recomend disabling EMS. If EMS was previoulsy explicitly disabled, it can be re-enabled by setting following registry key values:

HKLM\System\CurrentControlSet\Control\SecurityProviders\Schannel  

On TLS Server: DisableServerExtendedMasterSecret: 0
On TLS Client: DisableClientExtendedMasterSecret: 0

Damit sollten die TLS-Verbindungsprobleme weg sein. (via)

[German]A brief addendum to Trend Micro WFBS 10.0 SP1: Patch Build 2178. It looks like this patch is causing some minor issues. Several readers reported, that suddenly a spyware infection is reported on the clients during the scan.

Trend Micro released a patch with build 2178 for its Worry Free Business Security version 10.0 Service Pack 1 on October 26, 2019. This patch is intended to close a 0-day vulnerability in the web console. I reported about the update in the blog post Trend Micro WFBS 10.0 SP1: Patch Build 2178 released and also mentioned a workaround for installation issues.

Suddenly (false) Spyware Warnings

Several users are reporting that TM WFB SP1 Build 2178 reports suddenly false Spyware alarms during a scan. The comments may be found within my blog post Trend Micro WFBS 10.0 SP1: Patch Build 2178 released. Matthew Warburton for instance writes about it:

Hi, we installed this latest patch and have noticed on every computer it is detecting between 80 and 100 pieces of spyware (all the same). I’m pretty sure they are false positives as we are seeing no issues with any of the PCs and all the pieces of spyware are ranging between around 2003 and 2012 – so it’s not like they are new instances of spyware. Has anyone else noticed this?

Also user Alessando (and two other has confirmed this issues. Blog reader Alessando wrote:

Yes, the same problem here.

Now on every computer it is detecting around 530 spywares every manual scan (the same spywares on all the clients).
Moreover, after the patch the clients can’t update theirselves (network/proxy error): after the rollback the clients can update theirselves, but they detect the 530 spywares (because the patch on the client remain the 2178).

Even more critical is that after installing patch 2178, clients can no longer update themselves and report a network/proxy error. After I published the German blog post Spyware-Probleme mit Trend Micro WFBS 10.0 SP1: Patch Build 2178 a couple of hours ago, German user Calvin left this comment:

The installation went smoothly for me, but since installing the patch countless spywares have been detected with every scan (50 to 100 per client), but they definitely seem to be “false positives”. The registry keys are not present at all, neither before nor after the scan and they are mostly very old spyware. The patch seems to have been knitted with too hot a needle.

And Calvin left the English comment here with a similar message. It seems that Trend Micro needs to patch again. I will check, if I can inform them via twitter.

[German]A few hours after the release of PowerToys v0.12, Microsoft’s developers have added the update to PowerToys v0.13. This is a maintenance update that fixes some bugs.

The PowerToys known from Windows 9x are Open Source and available for free on this GitHub page for Windows 10. I had introduced the first release in September 2019 (Windows 10: First Open Source PowerToys released). End of October PowerToyes v012 has been released with the new tool PowerRename (see the blog post PowerToys v0.12 Beta released). But there were still bugs there. Nowv0.13 is available. The Github page shows the following fixes:

PowerRename:

• Fixed crashing bug
• Fixed duplicate entries for PowerRename in context menu for shortcuts
• PowerReanme dialog is no longer appearing in top corner all the time
• Ensure we show the file extension in the UI even if extensions are hidden in Windows Explorer

Shortcut Guide:

• Fixed conflicting key with Xbox controller
• Hide Shortcut Guide when a screenshot is taken

The new setup file as well as the source code are available on this GitHub page. (via neowin.net)

[German]After October 2019 is over, I would like to take a look at the operating system share on the desktop. Is Windows 7 finally drops at 2% share and what’s about Windows 10?

Looking at the latest figures from netmarketshare.com (until October 2019), Windows still runs at 86.82 (Sept. 2019: 86.38%) of desktop systems. Mac OS comes to 10.97% (Sept. 11.16%), while Linux runs on 1.55% (Sept. 1.80%) of the systems. 

(netmarketshare.com OS-Market-Share 10.2019, Zum Vergrößern klicken)

In the analysis of the desktop share by individual operating system versions, NetMarketShare shows the following figures for the desktop operating systems at the end of October 2019:

• Windows 10 comes to 54.32% (previous month 52.33%),
• Windows 7 is at 26.90 % (previous month 28.61 %),
• Windows 8.1 still comes in at 3.59 % (previous month 3.45 %),
• and macOS 10.14 comes to 5.16 % (previous month 6.78 %).

As expected, Windows 10 grew in October 2019 and Windows 7 lost market share, but still runs on every fourth desktop system.

(netmarketshare.com. Windows Market-Share 10.2019, Zum Vergrößern klicken)

It will be exciting to watch what happens in the coming months. After all, support for Windows 7 will expire in January 2020 (only companies can renew for a fee). It is interesting to note that there is no movement towards Windows 8.1 or macOS 10.x. On the desktop, Windows 10 will dominate in the future.

Among browsers on desktop systems, Google Chrome is the undisputed leader with 67.39%, followed by Firefox (8.63%). The Internet Explorer still comes up to 6.37% and the Edge bumbles around at 6.09%.

[German]Microsoft released update KB4528332 for Windows 10 20H1 to Windows Insider on November 1, 2019 (see the addendum within the Windows Blog). The update contains no changes and fixes, but raises the build to 19013.1000. The goal is to test the update function. Colleagues report that the Servicing Stack Update KB4528336 is also available.

[German]A blog reader recently informed me about an observation he made during updating Windows Server 2012 Standard. Maybe someone has observed that behavior and knows a solution

Blog reader Alexander H. sent me the relevant information by e-mail. Alexander wrote within his e-mails:

I’m responsible for the patch management and I noticed recently something very exciting on Windows Server 2012 Standard systems today.

Like every month I installed the patches at our customers and restart the systems. Several Windows Server 2012 Standard the updates is shown with the status “Pending restart” after restarting the servers during in the update process (see following screen shot).

(Click to zoom)

Another phenomenon is that the updates on several systems I updated yesterday showed the status “Succeeded”! The Windows updates were still available for installation.

In “WindowsUpdate.log” there are no errors, the Windows updates are successfully downloaded and installed from the WSUS server, after the restart the behavior appears identical 1:1 again.

Alexander wrote that restarting the WSUS server did not improve the situation. During the troubleshooting he noticed with other Windows Server 2012 standard systems that the systems without update installation problems had not installed the feature “Desktop Experience”.

Desktop Experience involved?

For this reason, he removed the Desktop Experience feature from a system before installing the update, restarted it, and then installed Windows Updates. After the restart, the Windows Updates were installed correctly.

According to these findings, he tried to repair the machines with the pending updates’ by removing the Desktop Experience feature, but had an unpleasant experience. He wrote:

Afterwards I wanted to remove this feature on the problematic systems with the status “Pending Restart” and test whether this helps – unfortunately now the error “An unexpected error has occurred” appears.

(Click to zoom)

Maybe one of the blog readers is aware of a solution to these problems. From 2017 I found this thread which deals with a similar problem.

[English]Security researchers have now probably seen for the first time a meta sploit on the net that wants to exploit the BlueKeep vulnerability and tries to install Crypto-Miner. At the moment, however, this exploit still ends with BlueScreens.

The BlueKeep vulnerability in the Windows RDP service threatens unpatched systems from Windows XP to Windows 7 and their server counterparts. I had been warning about the BlueKeep vulnerability for months (see BlueKeep warning: Exploit might come soon?). It seems, however, that the BlueKeep vulnerability is difficult to exploit in practice. This is the only way to explain that this issue has been quite quiet so far, although there is a publicly available metasploit (see Windows: Bluekeep Metasploit released in the wild). But that could change now.

RDP HoneyPots suddenly crashes with BlueScreens

I had already seen it at the weekend, but only now am I able to prepare something for it. Security researcher Kevin Beaumont had set up a worldwide network of honeypots for the RDP vulnerability after the BlueKeep vulnerability became known and the first exploits became available. On Saturday Beaumont reported that its EternalBlue RDP honeypot suddenly showed BlueScreens.

huh, the EternalPot RDP honeypots have all started BSOD’ing recently. They only expose port 3389. pic.twitter.com/VdiKoqAwkr

— Kevin Beaumont (@GossiTheDog) November 2, 2019

Specifically, the first BluesScreen with a restart start of the underlying Windows system already appeared on 23 October 2019. In the last weeks there were these BlueScreens at further Honeypots. The suspicion was that someone was trying to exploit the BlueKeep vulnerability. In another tweet, however, it quickly became clear that it was probably not a worm that had attacked the honeypot. According to Beaumont, there were probably only BlueScreens at various honeypots. Here is a post from him:

imma retrieving the crash logs to see if anything interesting pic.twitter.com/sEoMV37RG7

— Kevin Beaumont (@GossiTheDog) November 2, 2019

On November 2, 2019 he received his bill for the booked Microsoft Azure services and looked at the details of the Azure Sentinel for log analysis. 

(Azure Sentinel, Source: Kevin Beaumont)

Since 22/23 October, problems (BSOD) have probably occurred with the affected azure instances. Then safety researchers looked at the crash dump of the BlueScreens – an analysis can be found here. MalwareTech security researchers confirmed that the kernel dump contained traces of a metasploit exploiting the BlueKeep vulnerability (or at least something based on it). It is probably an attempt to install a crypto-miner on Windows machines via the vulnerability. Beaumont has published now a writeup.

Here’s a writeup of the BlueKeep exploitation activity investigated this weekend https://t.co/q1ne8uuyai

— Kevin Beaumont (@GossiTheDog) November 3, 2019

At present, the impact is still limited: It’s not a worm that spreads itself, and the approach of putting a crypto-miner on the machines is unattractive, but not a major threat. But the conclusion from these attacks is that there are people who now understand how to attack random targets using BlueKeep vulnerabilities. There’s a good chance the attacks will become more sophisticated soon. More articles can be found at Wired, The Hacker News or ZDNet.

Background: BlueKeep vulnerability

I had reported about the BlueKeep vulnerability CVE-2019-0708 in several blog posts. An explanation of the vulnerabilities can be found in the blog post Security Critical update for Windows XP up to Windows 7 (May 2019).

There is a patch, but it has not been installed on all systems. It is currently estimated that approximately 800,000 systems are still unpatched and accessible via the Internet (see Windows: What about the BlueKeep vulnerability in July 2019? ).

Es gibt zwar einen Patch, aber dieser wurde nicht in allen Systemen installiert. Aktuell schätzt man, dass noch ca. 800.000 Systeme ungepatcht betrieben werden und per Internet erreichbar sind (siehe Windows: Wie steht’s um die BlueKeep-Schwachstelle im Juli 2019?). In my blog post How To: BlueKeep-Check for Windows, I explained how a system can be scanned both locally for installed patches and in a network for vulnerabilities.

Similar articles
A threat actor scans Windows systems for BlueKeep vulnerability
BlueKeep: Windows Remote Desktop Services vulnerability exploits status
Critical update for Windows XP up to Windows 7 (May 2019)
Nearly 1 million Windows machines with BlueKeep vulnerability
BlueKeep vulnerability: Microsoft warns about a wormable malware epedemia
BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor
Windows: Bluekeep Metasploit released in the wild
BlueKeep warning: Exploit might come soon?
How To: BlueKeep-Check for Windows

[German]A brief Information from the MS Ignite 2019 conference currently taking place in Florida. Users who have a license for the SCCM ConfigMgr now also have an Intune license to manage their devices.

The announcement was made by Brad Anderson, Corp. Vice President, Microsoft 365, at MS Ignite 2019. I have become aware of the issue through the following tweet. 

i know i was talking fast up on stage, but i’m pretty sure i didn’t stutter:
if you own #ConfigMgr you now automatically have @MSIntune licenses for co-managing @Windows devices.#MSIgnite pic.twitter.com/qLEh14SJIJ

— Brad Anderson (@Anderson) November 4, 2019

I’m assuming that this has something to do with Microsoft‘s announcement of Microsoft Endpoint Manager, where the licensing is also mentioned.

ConfigMgr (System Center Configuration Manager, SCCM) is a software product from the Microsoft System Center 2012 Suite. Intune is a software for Cloud Computing from Microsoft and serves the administration of PC and mobile end devices over the Internet. Intune is part of the Microsoft Enterprise Mobility Suite (EMS) and enables an administrator to manage end devices with Windows operating systems via a web browser (e.g. to perform virus scans or install updates). The administrator must also have registered with Microsoft with a Microsoft account. Distribution takes place via a subscription system: monthly costs are incurred for each managed user.

[German]A brief information for administrators of Windows 10 clients. Microsoft has started blocking older versions of the Application Compatibility Toolkit on Windows 10.

For example, the Application Compatibility Toolkit has been useful in fixing compatibility issues with VMware products on Windows 10 (see Windows 10: Update KB4517211/KB4522015 breaks VMware Workstation). However, many users reported issues with the tool, which erroneously displayed the System Database storage option as “Read Only”.

Now Microsoft has blocked older versions of the Application Compatibility Toolkit from running on current Windows 10 builds. Blog reader Valery has informed me in this comment to my article Windows 10: Update KB4517211/KB4522015 breaks VMware Workstationhttps://borncity.com/win/2019/11/06/windows-10-application-compatibility-toolkit-blocked/ that he received the following popup.

I haven’t tested anything yet, so I don’t know if there is already an updated version, and set it as a brief information here.

[German]Microsoft has released the Windows 10 Insider Preview Build 19018 (from the development branch 20H1) for Windows Insider in the Fast Ring on November 6, 2019. There are some new features and fixes and the Skip Ahead ring is ‘slaughtered’. There is also a new ISO file of Preview Build 19013.

The development branch 20H1 will end as a Windows 10 build expected in early 2020.

The Skip Ahead ring is terminated

Probably the most important point is that Microsoft has finished the Skip Ahead ring. Microsoft wrote :

Starting today, Windows Insiders who have opted into Skip Ahead are being migrated back into the Fast ring. This means that Skip Ahead will no longer be reflected under Settings > Update & Security > Windows Insider Program. Going forward, we will not be offering Skip Ahead as an option for Insiders to sign-up for. Our goal is to provide everyone in the Fast ring the freshest builds at the same time.

New in the Build 19018

In the Quick Search Windows 10 will shows now new entries for weather, top news, new movies and historical events of the day (see below four entries in the screenshot).

(Source: Microsoft)

There is also an improved preview for certain search results (e.g. weather forecast) announced:

(Source: Microsoft)

Details about the improvements and fixes (for instance a fix for Update error 0x80240017) may be found within the Windows Blog.

ISO of Windows Insider Preview Build 19013

Microsoft has also provided new ISO installation filew (32/64 bit) of Windows Insider Preview Build 19013 (20H1). This ISO file can be downloaded by Windows Insiders from this Microsoft site and used for installation.