[German]Microsoft has defined the requirements for Extended Security Updates (ESU) and provides a test update to check, if a machine is ready for ESU. Here is some information about what you need to know about Extended Security Updates.

What is the ESU program?

As of January 14, 2020, support for Windows 7 SP1 will end and the operating system will no longer receive security updates. Exceptions are only systems in enterprise environments, where support has been purchased through the Extended Security Update (ESU) program. I had blogged about the extended security update support in articles like Wow! Windows 7 get extended support until January 2023 (see also the links at the end of the article).

Microsoft defines requirements for systems

It now appears that Microsoft is preparing the final steps so that appropriate systems can receive and install these advanced security updates. I became aware of this topic through a tweet by Woody Leonhard.

Microsoft starts testing infrastructure for Win7 Extended Security Update (ESU) patches. There are four new ESU-related patches in the Catalog. #PatchLady has details. https://t.co/ZSOKLPLXXb

— Woody Leonhard (@AskWoody) November 7, 2019

A visitor of his site noticed, that the Microsoft Update Catalog contains a ‘Preparation Updates’ section to provide support for extended security update support. 

(Microsoft Update Catalog, Quelle: askwoody.com)

Furthermore, on November 5, 2019, Microsoft released the support article (Update to verify that eligible Windows 7 SP1 and Server 2008 R2 SP1 devices can get Extended Security Updates) for Update KB4528069. The test update is available for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 via Microsoft Update Catalog or via WSUS.

This optional non-security update allows administrators to verify that your eligible Windows 7 Service Pack 1 (SP1) and Server 2008 R2 SP1 devices can continue to receive Extended Security Updates (ESUs) after the support date expires on January 14, 2020.

A system that shall receive security updates after January 14, 2020, the following prerequisites must be met, according to the Microsoft support article.

1. Install the following SHA-2 code signing support update and servicing stack update (SSU) or a later SSU update:
   • 4474419 SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 23, 2019
   • 4490628 Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: March 12, 2019
2. Install the following servicing stack update (SSU) and monthly rollup:
   • 4516655 Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: September 10, 2019
   • 4519976 October 8, 2019—KB4519976 (Monthly Rollup)

In addition, an ESU key must be installed and activated. Information on installing and activating the ESU key was published by Microsoft in mid-October 2019 in the Tech Community article How to get Extended Security Updates for eligible Windows devices.

So it’s clear that only systems that have been enabled with an appropriate ESU key will receive enhanced security updates. After activation, administrators can continue to use their current update and services strategy to deploy ESU through Windows Update, Windows Server Update Services (WSUS), or any other preferred update management solution.

Similar articles:
Wow! Windows 7 get extended support until January 2023
Windows 7 Extended Security Updates buyable from April 2019
Microsoft offers Windows 7 Extended Update Support to SMBs
Prices for Windows 7 Extended Security Updates till 2023
Windows 7: Office 365 ProPlus Updates till 2023

[German]Just a brief  information for people who want to upgrade to Windows 10 version 1909 and try later to install the Intel graphics driver 26.20.100.7323 DCH. It’s possible that he installation ends with an error message ‘OS not compatible’.

The issue in detail

Intel released the Intel graphics driver 26.20.100.7323 DCH in the middle of October 2019 (Martin Brinkmann from ghacks.net wrote something about it here). In the release notes this driver is explicitly described as compatible with Windows 10 Version 1909 (RTM). 

https://t.co/KNEnYPHZxo@Deskmodder @WinFuture
Die Version lässt sich gar nicht unter 1909 installieren. BS inkompatibel.

— al Qamar (Karl Wester-Ebbinghaus) (@tweet_alqamar) November 3, 2019

Yesterday I stumbled upon a Tweet from German blog reader Karl Wester-Ebbinghaus. Karl wrote in the above Tweet that the driver won’t install under Windows 10 Version 1909. The installation ends with an error message ‘OS not compatible’.

There are some hits when searching in conjunction with an incompatible Intel graphics driver. The explanations that the operating system is outdated are not really helpful.

The reason for the install error: Intel GPU switched off

After the discussion started on Twitter, Karl contacted Intel directly and asked why this error message occurs. Then there was an answer from Intel, which Karl summarizes in the following tweet:

ok die Sache ist mit Intel per PN aufgeklärt. Wenn die primäre Grafikkarte die Intel GPU abschaltet kommt diese Meldung. Früher war die mal spezifischer. Jetzt kommt “OS not compatible”

— al Qamar (Karl Wester-Ebbinghaus) (@tweet_alqamar) November 7, 2019

So the problem only occurs on systems where the primary graphics card turns off the Intel GPU on the motherboard. Then the Intel graphics driver cannot be installed (which is logically). Karl wrote, that previous driver versions returns a more detailed error message, it the Intel GPU was deactivated. So if you get the above error message when updating the Intel graphics driver, you know the reason. 

[German]A new version of MegaCortex Ransomware is being distributed by malware such as Emotet. The new version not only encrypts the system’s files but also changes the user’s password.

The MalwareHunter team has been able to access corresponding malware examples. In the following tweet they point to a corresponding message to victims.

The latest MegaCortex ransomware also threats to leak files: “[…] downloaded your data […]. In the unfortunate event of us not coming to an agreement we will have no choice but to make this data public.”
Of course, it can be a lie, but for sure they could do it.@demonslay335 pic.twitter.com/lWgJnSDykS

— MalwareHunterTeam (@malwrhunterteam) November 5, 2019

After encrypting files, this is a new quality – the user is virtually locked out of the user account under Windows. In addition, the blackmailers threaten to make the data public if it is not paid for. Bleeping Computer has taken up this case here. After an analysis by Vitali Kremez and Bleeping Computer, the MegaCortex ransomware changes its behavior.

• In the new version of the Ransomware, the files are provided with the file name extension .m3g4c0rtx after encryption. 
• The Ransomware changes the Windows password of the logged-in user so that the user can no longer log in.
• A message “Locked by MegaCortex” is now displayed on the login page with an e-mail account stating that the computer has been locked by the malware.

(MegaCortex notification, Source: Bleeping Computer)

In addition, the attackers claim to have uploaded the victim’s data to a secure location. The following text appears in the express message. 

“We have also downloaded your data to a secure location. In the unfortunate event of us not coming to an agreement we will have no choice but to make this data public.
Once the transaction is finalized all of copies of data we have downloaded will be erased.”

The text contains the threat to publish the data in case of non-payment. So far it has not been confirmed whether attackers have actually uploaded files of the victims to their own servers. If a data outflow can be confirmed, affected persons are not only confronted with the problem of being victims of a Ransomware attack. Depending on the information copied, this may also be a data protection violation that must be reported in the EU.

If the main launcher is executed by MegaCortex, it extracts two DLL files and three CMD scripts to C:\Windows\Temp. Then the actions are executed by the Ransomware. The launcher currently has a Sectigo certificate for an Australian company called MURSA PTY LTD. In the meantime, Sectigo has declared the certificate invalid. Further details on the course of the attack can be found in the Bleeping Computer article.

[German]After the first malware attacks using the BlueKeep vulnerability have been found in the wild (see Windows: first BlueKeep Metasploit in the wild), Microsoft and the Australian government are intensifying their warnings.

Short review of BlueKeep

The BlueKeep vulnerability in the Windows RDP service threatens unpatched systems from Windows XP to Windows 7 and their server counterparts. I had been warning about the BlueKeep vulnerability for months (see BlueKeep warning: Exploit might come soon?). It seems, however, that the BlueKeep vulnerability is difficult to exploit in practice. This is the only way to explain that this issue has been quite quiet so far, although there is a publicly available metasploit (see Windows: Bluekeep Metasploit released in the wild). But that could change now.

Last week the picture has changed. Security researcher Kevin Beaumont had set up a worldwide network of honeypots for the RDP vulnerability following the discovery of the BlueKeep vulnerability and the availability of the first exploits. On Saturday Beaumont reported that its EternalBlue RDP honeypot suddenly showed BlueScreens.

When security researchers looked at the BlueScreen crash dump, it became clear that someone was trying to exploit the BlueKeep vulnerability. MalwareTech security researchers confirmed that the kernel dump contained traces of a metasploit to exploit the BlueKeep vulnerability (or at least something based on it). It is probably an attempt to install a crypto-miner on Windows machines via the vulnerability. I had collected details in the blog post Windows: first BlueKeep Metasploit in the wild.

Warning from the Australian authorities

An article at Bleeping Computer reveals, that australian Cyber Security Centre (ACSC) of  Australian Signals Directorate warns together with partners from the states, companies and individuals from threats by the Ransomware Emotet and from exploiting the BlueKeep vulnerability. Both threats were active in the wild.

The ACSC apparently took up the above-mentioned findings and calls on users to be vigilant. Attackers have begun to exploit the Windows BlueKeep vulnerability to attack unpatched systems and infect them with coin miners.

Regarding the Emotet campaigns, the ACSC writes that these have slowly decreased compared to the end of October last week. However, emotets still pose a significant threat to businesses and the general public. More details can be found at Bleeping Computer.

Microsoft also warns again against BlueKeep

The above-mentioned discovery of malware infecting honeypots with a crypto-miner via the BlueKeep vulnerability is also a wake-up call for Microsoft to finally patch its system.

While we currently see only coin miners being dropped, we agree w/ the research community that CVE-2019-0708 (BlueKeep) exploitation can be big. Locate and patch exposed RDP services now. Read our latest blog w/ assist from @GossiTheDog & @MalwareTechBlog https://t.co/y1NgN5WVu8

— Microsoft Security Intelligence (@MsftSecIntel) November 7, 2019

In the tweet above, Microsoft security specialists point to MalwareTech’s analysis of the BlueKeep attack and recall that patches are available for the RDP vulnerability. Microsoft has summarized its findings in this blog post (Bleeping Computer picked it up here). The following chart shows the increase in attacks on BlueKeep honeypots.

Figure 1. Increase in RDP-related service crashes when the Metasploit module was released Source: Microsoft

Background: BlueKeep vulnerability

I had reported about the BlueKeep vulnerability CVE-2019-0708 in several blog posts. An explanation of the vulnerabilities can be found in the blog post Security Critical update for Windows XP up to Windows 7 (May 2019).

There is a patch, but it has not been installed on all systems (see Windows: What about the BlueKeep vulnerability in July 2019? ). In my blog post How To: BlueKeep-Check for Windows, I explained how a system can be scanned both locally for installed patches and in a network for vulnerabilities.

Similar articles
A threat actor scans Windows systems for BlueKeep vulnerability
BlueKeep: Windows Remote Desktop Services vulnerability exploits status
Critical update for Windows XP up to Windows 7 (May 2019)
Nearly 1 million Windows machines with BlueKeep vulnerability
BlueKeep vulnerability: Microsoft warns about a wormable malware epedemia
BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor
Windows: Bluekeep Metasploit released in the wild
BlueKeep warning: Exploit might come soon?
How To: BlueKeep-Check for Windows
Windows: first BlueKeep Metasploit in the wild

[German]Occasionally Microsoft cleans up its web site and deletes older support articles. In recent weeks, a number of KB articles have fallen victim to this cleaning action.

I came across a tweet by Woody Leonhard, who put agaoin the topic on the table this weekend.

Microsoft is deleting (not archiving) older Internet Explorer documentation. https://t.co/MVYPXffzYc

— Woody Leonhard (@AskWoody) November 10, 2019

Woody Leonhard refers his article to Internet Explorer (Version 8 and 9) and writes that old support articles will be deleted.I notice, however, that this affects much more content at Microsoft than just Internet Explorer.

Background: My blogs uses a plug-in that checks all links cyclically for validity. Invalid links are displayed to users as crossed out in the text. I get a list of broken links and redirect them to archive copies of the Wayback machine if possible. During the last months I have been getting ‘bursts’ with many broken links to Microsoft – that is: Microsoft has deleted the downloads for patches or hotfixes, but also KB articles.

For some deleted content this makes sense, for example hotfixes or updates contained in the update rollups or cumulative updates. The problem I see: Deleting KB articles is of course stupid for people looking for the old content. But Microsoft doesn’t seem to dispute it.

[German]A bug in Windows 10 is currently (since the weekend of November 9, 2019) unsettling users who use USB storage devices. Instead of a USB drive, the Explorer now displays a generic device icon. Here is some information about the problem.

I got aware of the issue through this comment left by blog reader John Doe within the discussion area of my German blog (thanks to user John Doe for the hint).

The error description

After reading the comment, I’ve tested the behavior on two systems with Windows 10 version 1903 with two USB sticks and made an interesting observation. When I inserted the first USB stick into one of my test systems, it was correctly recognized and displayed with a name and an icon for a drive in Explorer.

In the above screenshot this is drive G: named antiXlive. But what is already noticeable: The USB drive D: is displayed with a generic symbol in the form of a stylized computer. The drive had no media inserted on the machine, so it is hidden. I then unplugged the USB stick and plugged it into a second test machine and opened the Explorer. There the USB stick was already displayed with a generic drive icon (see image below).

Then I used a second USB stick to on the first test system with Windows 10 Version 1903 and plugged it in. First a proper icon for this device was shown. But after a few seconds the generic drive icon with a stylized computer appeared. So I ejected the USB stick and tried the 2nd USB stick. But both USB sticks was now be displayed with a generic drive icon in Explorer. In the screenshot above, it is drive D: labeled antiXlive.

Something happened with the USB drive detection and Windows 10 V1903 shows a faulty device icon.

I have inspected the relevant branches in the Device Manager (see image above). The USB stick is displayed correctly as SanDisk Cruzer Edge USB device and in the USB controller branch I can’t find anything conspicuous.

Multiple hits in Microsoft Answers forum

Blog reader John Doe has pointed out several hits in the Microsoft Answers forum in his commentary (here, here and hier). What all users have in common is that the wrong (generic) device icon is suddenly displayed in Explorer. One user wrote:

My USB drives shows either as a generic device or a non-specified device

As the title stated, all of my USB drives shows with a “generic device icon” in windows explorer, and when im about to remove my device it shows as “remove “device””, when I plug the device it shows the normal drive icon for a split seccond and then changes to a generic icon, which it doesnt affect the performance of my drives, but makes me suspect that something is wrong on my computer while detecting my usb devices. 

I’ve attached some screenshots of this so you can understand me a little bit more

Cheers (I apologize if you have a hard time reading the screenshots because my pc is in spanish)

PS: Most of my usb drives are made by kingston and it normally shows as “Data Traveler x.0”

The  ‘MVP colleague’ tried to assist this users, but his advice wasn’t too helpful. After all, Greg Carmack has tried to give an explanation in this thread (even if it is wrong).

Changed drive policy or just a bug?

Carmack’s tip is that in April 2019, Microsoft changed its policy for handling removable media (USB storage). Microsoft has posted this support article on the subject, and I reported this change in the blog post Windows 10 V1809: Changes removal policy for USB media. In this blog post, I also provided the steps on how to change the policy back to the previous behavior.

Hopefully I then changed the drives eject policy, ejected the USB stick and plugged it in again. In fact, a proper drive icon for the USB stick appeared in Explorer shortly afterwards. When I wrote this article and went back to my test machine. The generic symbol has been displayed again in Explorer.

So it’s a simple conclusion: It has nothing to do with the chanced device policy (I’ve doubt this, due to the fact, that this behavior just occurred). It’s simply a bug! I don’t know, which update is responsible – possibly the cumulative update KB4517389 rolled out on October 8, 2019 (see Patchday Windows 10-Updates (October 8, 2019)). Or has anyone seen the bug on older Windows 10 builds?  I will try to point Microsoft’s software engineers to this article, in the hope, that they will fix this issue.

Similar articles:
Windows 10 V1809: USB Type-C Shutdown bug confirmed
Windows 10 V1903: External USB storage as Upgrade blocker
Windows 10: Not enough USB Controller resources
Windows 10 V1809: Changes removal policy for USB media

Microsoft had released the Windows 10 Insider Preview Build 19013 (from the development branch 20H1) for Windows Insider in the Fast Ring on October 29, 2019. Now Microsoft has released this build in the Slow Ring. Details can be found in the Windows Blog.

[German]Windows 10 November 2019 Update (Version 1909) has just been released today, 12 November 2019, by Microsoft for general use. In the blog post, I like to outline how to get this update.

John Cable of Microsoft has announced the availability of the Windows 10 November 2019 update (version 1909) in this blog post. The update can be obtained via the update search. I have tried the necessary steps on a test machine to determine the required details.

If the feature update is not offered on a machine during the search, there are compatibility issues.

Update from Windows 10 version 1903

Those who already work with Windows 10 Version 1903 will have the code for Version 1909 already on their hard disk. Microsoft rolls out the same updates for Windows 10 Version 1903 and Version 1909. I had already mentioned the November 2019 update in the blog post Windows 10 V1909 is called November 2019 Update. 

All you need now is an unlock update (Enabler Update, KB4517245), which unlocks the relevant features for Windows 10 November 2019 Update. To get this update, go to the Settings page and check for updates under Update and Security – Windows Update. 

During my test with Windows 10 Version 1903 the updates listed in the following screenshot were displayed. The machine was not yet updated with the updates of the last patchday. 

I have installed all updates except the optional update KB4522355 from October. But it didn’t show the function update to V1909. Then I also triggered the optional update KB4522355 via Download now and install for installation. Whether this is necessary, I cannot say with certainty – but only after all pending updates were installed, the update search found the function update.

After the restart during the update installation, I had the system search for updates in the settings again.

The update search now offfered me the feature update for Windows 10, version 1909 as an optional update (see figure above). The download and installation of this feature update must be initiated explicitly via the Download and Install Now hyperlink. So nothing changes compared to the procedure to install the feature update for Windows 10 V1903, even if the November 2019 update is provided as an ‘update package’.

(Click to Zoom)

The Feature update for Windows 10, version 1909, is the Enabler Update KB4517245, as I could see in the list of installed updates within Control Panel (see figure above). The update history shown by the Settings page doesn’t show this detail, there is only an entry for the Feature update for Windows 10, version 1909 reported (see following figure).

What I noticed: The Enabler Update KB4517245 (which is the feature update for Windows 10, version 1909) was downloaded within seconds (it only contains about 20 kb). A restart of the system is required for installation.

(Click to Zoom)

The upgrade to version 1909 took some time – and afterwards I was guided to the information page shown above. I skipped the process and was able to log in after some minutes.

Windows 10 version 1909 has the build number 18363.449.

Update from Windows 10 Version 180x

Users who are running older Windows 10 builds up to version 1809 will be offered a ‘classic’ feature update via Windows Update search. The complete installation image is downloaded and the foundation of Windows 10 is replaced during installation. Here nothing changes compared to earlier feature updates.

The user must initiate the download and installation of the feature update to version 1909 via the hyperlink displayed. For these machines I assume that Microsoft Windows 10 Version 1909 will roll out iagain n waves to ensure compatibility during the upgrade.

Windows 10 V1909: A kind of Service Pack

Unlike previous feature updates, the Windows 10 November 2019 Update has only slight changes since the May 2019 Update. The feature update to the Windows 10 November 2019 update is something like a service pack. It should also be mentioned that Windows 10 V1909 Enterprise receives 30 months of update support, while Windows 10 V1909 Home and Pro only receive 18 months of updates. 

Similar articles:
Windows 10 19H2: What could change
Windows 10 V1909 come end of October 2019 at the earliest
Windows 10 V1909: ISOs in VS subscription available
Windows 10 V1909: Build 18362.10024 in Slow Ring
Windows 10 V1909 in Release Preview Ring
Windows 10 V1909: Release on November 12, 2019?
Windows 10 V1909 is called November 2019 Update

[German]As of November 12, 2019, Microsoft released security updates for Windows clients and servers, Office, and more. Here is a compact overview of these updates.

A list of the updates can be found on this Microsoft page. Details about the update packages for Windows, Office etc. can be found in separate blog posts.

Servicing Stack Updates

Microsoft now publishes an overview of all current Servicing Stack Updates (SSUs). The list of SSUs can be found at ADV990001 (but is not always up to date).

Notes on updates

All Windows 10 updates are cumulative. The monthly Patchday update includes all security fixes for Windows 10 and all non-security fixes up to Patchday. In addition to the security patches for the vulnerabilities, the updates contain defense-in-depth updates to improve security.

The updates can also be downloaded from the Microsoft Update Catalog. Updates for Windows RT 8.1 and Microsoft Office RT are only available via Windows Update.

On November 12, 2019, Windows 10 Version 1803 will receive security updates for the last time in its home/pro version. Information about the support period for Windows 10 can be found in the Windows Lifecycle Facts Sheet.

Internet Explorer 11 will be available on Windows Server 2012 from May 2019. This configuration is available only through the Cumulative Update for IE.

For Windows 7 SP1 and Windows Server 2008/R2, an updated SHA-2 Code Signing Update KB4474419 was released on October 8, 2019 (see this comment at askwoody.com).

The November 2019 security updates cover 75 vulnerabilities (including one 0-day vulnerability in IE), of which 13 are rated critical and 61 moderate. A list can be found on the Google Zero Day Initiative blog – Talos has also published a summary here. And Martin Brinkmann has published a compact list of updates (I will discuss more details within separately in blog posts).

Critical Security Updates

Internet Explorer 11
ChakraCore
Microsoft Edge (EdgeHTML-based)
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1803 (Server Core Installation)
Windows Server, version 1903 (Server Core installation)
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 13
Microsoft Exchange Server 2016 Cumulative Update 14
Microsoft Exchange Server 2019 Cumulative Update 2
Microsoft Exchange Server 2019 Cumulative Update 3

Important Security Updates

Excel Services
Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Excel 2016 for Mac
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 for Mac
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft Office Online Server
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2010 Service Pack 2
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2019
Office 365 ProPlus for 32-bit Systems
Office 365 ProPlus for 64-bit Systems
Office Online Server
Microsoft Visual Studio 2017 version 15.9
Microsoft Visual Studio 2017 version 16.0
Open Enclave SDK
Azure Stack

Moderate Security Updates

Internet Explorer 9
Internet Explorer 10

Similar Articles:
Microsoft Office Patchday (November 5, 2019)
Microsoft Security Update Summary (November 12, 2019)

Microsoft has released the Windows 10 Insider Preview Build 190123 (from development branch 20H1) for Windows Insider in the Fast Ring on November 12, 2019. Details about the fixes and new features (a few emojis are available) can be found in the Windows Blog.

[German]On November 12, 2019, Microsoft released several (security) updates for Windows 7 SP1 and further updates for Windows 8.1 as well as the corresponding server versions. Here is an overview of these updates.

Updates for Windows 7/Windows Server 2008 R2

For Windows 7 SP1 and Windows Server 2008 R2 SP1, a rollup and a security-only update have been released. The update history for Windows 7 can be found on this Microsoft page. Installation requires installed SHA2 support to successfully install the security updates.

KB4525235 (Monthly Rollup) for Windows 7/Windows Server 2008 R2

Update KB4525235 (Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1) contains (besides the security fixes of October 2019) improvements and bug fixes and addresses the following: 

• Addresses an issue that prevents a 16-bit Visual Basic 3 (VB3) application or other VB3 applications from running. 
• Provides protections against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207). Use the registry setting as described in the Guidance KB article. (This registry setting is disabled by default.)
• Provides protections against the Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions.)
• Addresses an issue with temporary user profiles in an environment in which user profile disks (UPD) are deployed and cached roaming profiles are not deleted when the “Delete cached copies of roaming profiles” policy is enabled.
• Security updates to Microsoft Scripting Engine, Windows Input and Composition, Microsoft Graphics Component, Windows Cryptography, Windows Virtualization, Windows Kernel, Windows Datacenter Networking, and the Microsoft JET Database Engine.

This update is automatically downloaded and installed via Windows Update. The package is also available via Microsoft Update Catalog and will be distributed via WSUS. The installation requires that the SSU (KB4490628  of March 2019 and the SHA-2 update KB4474419 of September 10, 2019) is already installed. If installed via Windows Update, it will be installed automatically. After the update installation, Microsoft recommends to install the SSUKB4523206 (if not already installed).

Since August 2019, the SHA-2 update (KB4474419) must be installed before installing this security update. This update will only be delivered via SHA-2 Code Signing for Windows Update and WSUS. Microsoft has made an update on October 8, 2019. The update should be updated automatically.

Microsoft does not list a known problem for this update.

KB4525233 (Security Only) for Windows 7/Windows Server 2008 R2

Update KB4525233 (Security-only update) is available for Windows 7 SP1 and Windows Server 2008 R2 SP1. The update addresses the following issues.

• Provides protections against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207). Use the registry setting as described in the Guidance KB article. (This registry setting is disabled by default.)
• Provides protections against the Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions.)
• Security updates to Windows Input and Composition, Microsoft Graphics Component, Windows Cryptography, Windows Virtualization, Windows Kernel, Windows Datacenter Networking, and the Microsoft JET Database Engine.

The update is available via WSUS or in the Microsoft Update Catalog. To install the update, you must meet the prerequisites listed in the KB article and above in the Rollup Update.

When deploying WSUS, make sure that the SSU and SHA-2 updates mentioned above are installed – the automatic installation will not then be performed via Windows Update. After installation, Windows must be restarted before the Security-only Update is installed. You should also install the security update KB4525106 for IE, as this closes a 0-day vulnerability. Microsoft does not list any known issues with this update. Whether telemetry functions are included this time is currently unknown.

Updates foür Windows 8.1/Windows Server 2012 R2

For Windows 8.1 and Windows Server 2012 R2 a rollup and a security-only update have been released. The update history for Windows 8.1 can be found on this Microsoft page. .

KB4525243 (Monthly Rollup) for Windows 8.1/Server 2012 R2

Update KB4525243 (Monthly Rollup for Windows 8.1 and Windows Server 2012 R2) contains improvements and fixes, and addresses the following items.

• Addresses an issue that prevents a 16-bit Visual Basic 3 (VB3) application or other VB3 applications from running.
• Addresses an issue that causes only one Bluetooth Basic Rate device to function properly on some Bluetooth controllers after installing the August 13, 2019 update.
• Addresses an issue that causes error 0x7E when you connect Bluetooth devices after installing the June 11, 2019 update.
• Provides protections against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207). Use the registry setting as described in the Guidance KB article. (This registry setting is disabled by default.)
• Provides protections against the Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions.)
• Addresses an issue with temporary user profiles in an environment in which user profile disks (UPD) are deployed and cached roaming profiles are not deleted when the “Delete cached copies of roaming profiles” policy is enabled.
• Security updates to Microsoft Scripting Engine, Internet Explorer, Microsoft Graphics Component, Windows Input and Composition, Windows Cryptography, Windows Virtualization, Windows Kernel, Windows Datacenter Networking, and the Microsoft JET Database Engine.

This update is automatically downloaded and installed by Windows Update, but is also available in the Microsoft Update Catalog and via WSUS. For manual installation, the latest Servicing Stack Update (SSU) must be installed first.

The update has a known problem: Certain operations, such as renaming files or folders located on a cluster shared volume (CSV), may fail with the error “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”. This occurs when you perform the action on a CSV owner node from a process that does not have administrator privileges. See the KB article for details.

KB4525250 (Security-only update) for Windows 8.1/Server 2012 R2

Update KB4525250 (Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2) addresses the following intems.

• Provides protections against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207). Use the registry setting as described in the Guidance KB article. (This registry setting is disabled by default.)
• Provides protections against the Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions.)
• Security updates to Microsoft Graphics Component, Windows Input and Composition, Windows Cryptography, Windows Virtualization, Windows Kernel, Windows Datacenter Networking, and the Microsoft JET Database Engine.

The update is available via WSUS or in the Microsoft Update Catalog. The update has the same known problems as the rollup update, these are described in the KB article. For a manual installation, the latest Servicing Stack Update (SSU) must be installed first. In addition, you should also install the  KB4525106 security update for IE, as this fixes a 0-day vulnerability. In this update, Microsoft lists the same known issues as for update KB4525243. 

Similar articles:
Microsoft Office Patchday (November 5, 2019)
Microsoft Security Update Summary (November 12, 2019)
Patchday: Updates für Windows 7/8.1/Server (12. Nov. 2019)

Office November 2019 Updates are causing Access Error 3340

[German]On November 12, 2019 (second Tuesday of the month, patchday at Microsoft), several cumulative updates were released for the supported Windows 10 builds. Here are some details about each update.

A list of the updates can be found on this Microsoft Web page. I’ve pulled out the details below. The update installation requires an existing current Servicing Stack Updates (SSUs). Microsoft now publishes an overview of current Servicing Stack Updates (SSUs) at ADV990001.

Updates for Windows 10 Version 190x

For the Windows 10 builds 1903 and 1909 released in 2019, Microsoft provides the same update packages. The following updates are available for the Windows 10 May 2019 Update (Version 1903) and the Windows 10 November 2019 Update (Version 1909).

Update KB4524570 for Windows 10 Version 190x

Cumulative Update KB4524570 raises the OS build to 18362.476 (Windows 10 V1903) or 18363.476 (Windows 10 V1909). The update is available for Windows 10 Version 1903 (and the Hololense), for Windows 10 Version 1909, and for Windows Server Version 1903 and Windows Server Version 1909. It contains quality improvements but no new operating system features. Here is the list of improvements, called highlights by Microsoft:

Updates to improve security when using Internet Explorer and Microsoft Edge.

The following fixes and improvements to Windows 10 Version 1909 have been added:

• This build includes all the improvements from Windows 10, version 1903.
• No additional issues were documented for this release.

For Windows 10 Version 1903 the following fixes and improvements have been added:

• Addresses an issue in the Keyboard Lockdown Subsystem that might not filter key input correctly. 
• Provides protections against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207). Use the registry setting as described in the Guidance KB article. (This registry setting is disabled by default.)
• Provides protections against the Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions and Windows Server OS editions.)
• Security updates to Microsoft Scripting Engine, Internet Explorer, Windows App Platform and Frameworks, Microsoft Edge, Windows Fundamentals, Windows Cryptography, Windows Virtualization, Windows Linux, Windows Kernel, Windows Datacenter Networking, and the Microsoft JET Database Engine.

In addition, Microsoft has released an update directly for the Windows Update Client to improve its reliability. This will be rolled out outside of Windows Update if the machine is compatible and not a LTSC variant and updates have not been blocked by GPO.

This update is automatically downloaded and installed by Windows Update. This update is also available in the Microsoft Update Catalog and via WSUS. Microsoft strongly recommends that you install the latest Service Stack Update (SSU) for your operating system before installing the latest Cumulative Update (LCU). For the update, Microsoft specifies a known setup issue during the OOBE phase (no user can be created during a reinstallation if the IME is used for Asian fonts).

Updates for Windows 10 Version 1809

The following updates are available for Windows 10 October 2018 Update (version 1809) and Windows Server 2019.

Update KB4523205 for Windows 10 Version 1809

Cumulative Update KB4523205  raises the OS build (according to MS) to 17763.864 and includes quality improvements but no new operating system features. Here is the list of improvements, called highlights by Microsoft:

• Updates to improve security when using Internet Explorer and Microsoft Edge.
• Updates to improve security when using external devices (such as game controllers, printers, and web cameras) and input devices such as a mouse, keyboard, or stylus.
• Updates to improve security when using Microsoft Office products.

The following fixes and improvements have been added to the Windows version:

• Addresses an issue that might cause the Microsoft Defender Advanced Threat Protection (ATP) service to stop running and stop sending reporting data.
• Provides protections against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207). Use the registry setting as described in the Guidance KB article. (This registry setting is disabled by default.)
• Provides protections against the Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions and Windows Server OS editions.)
• Security updates to Microsoft Scripting Engine, Internet Explorer, Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Input and Composition, Microsoft Edge, Windows Fundamentals, Windows Cryptography, Windows Virtualization, Windows Linux, Windows Kernel, Windows Datacenter Networking, Windows Peripherals, and the Microsoft JET Database Engine.

In addition, Microsoft has released an update directly for the Windows Update Client to improve its reliability. This will be rolled out outside of Windows Update if the machine is compatible and not a LTSC variant and updates have not been blocked by GPO.

This update is automatically downloaded and installed by Windows Update. This update is also available in the Microsoft Update Catalog. Microsoft strongly recommends that you install the latest Service Stack Update (SSU) for your operating system before installing the latest Cumulative Update (LCU). Microsoft lists several known issues that the update causes. See the KB article for details.

Updates for Windows 10 Version 1803

For Windows 10 April Update (version 1803) these are the last updates for Home and Pro, as their support expires on November 12, 2019. The following updates are available.

Update KB4525237 for Windows 10 Version 1803

Cumulative Update KB4525237 contains quality improvements but no new operating system functions and raises the OS build to 17134.1069. Here is the list of improvements, this time described by Microsoft as highlights: 

• Updates to improve security when using Internet Explorer and Microsoft Edge.
• Updates to improve security when using external devices (such as game controllers, printers, and web cameras) and input devices such as a mouse, keyboard, or stylus.
• Updates to improve security when using Microsoft Office products.

And here is the list of fixes and changes:

• addresses an issue that causes events that are based on Windows Defender Application Control Code Integrity to be unreadable.
• Provides protections against the Intel® Processor Machine Check Error vulnerability (CVE-2018-12207). Use the registry setting as described in the Guidance KB article. (This registry setting is disabled by default.)
• Provides protections against the Intel® Transactional Synchronization Extensions (Intel® TSX) Transaction Asynchronous Abort vulnerability (CVE-2019-11135). Use the registry settings as described in the Windows Client and Windows Server articles. (These registry settings are enabled by default for Windows Client OS editions, but disabled by default for Windows Server OS editions.)
• Security updates to Microsoft Scripting Engine, Internet Explorer, Windows App Platform and Frameworks, Microsoft Graphics Component, Windows Input and Composition, Microsoft Edge, Windows Cryptography, Windows Virtualization, Windows Linux, Windows Kernel, Windows Datacenter Networking, Windows Peripherals, and the Microsoft JET Database Engine.

This update is automatically downloaded and installed by Windows Update. This update is also available in the Microsoft Update Catalog. Microsoft empfiehlt strongly recommends that you install the latest Service Stack Update (SSU) for your operating system before installing the latest Cumulative Update (LCU). Microsoft lists several known issues that the update causes in the KB article.

Updates for Windows 10 Version 1507 till 1709

For Windows 10 RTM up to version 1709 different updates are available for the LTSC versions and Enterprise versions. Here is a short overview. 

• Windows 10 Version 1709: Update KB4525241 is only available for Enterprise and Education. The update raises the OS build to 16299.1508. The fixes mentioned in the KB article are included. This update is automatically downloaded and installed by Windows Update, but can be downloaded from the Update Catalog. Vor The latest Servicing Stack Update (SSU) must be installed prior to manual installation. Details, including known issues, can be found in the KB article.
• Windows 10 Version 1703: Update KB4525245 is only available for Enterprise and Education – it is the last security update as support is now ended. The update raises the OS build to 15063.2172 and includes the fixes mentioned in the KB article. This update is automatically downloaded and installed by Windows Update, but can be downloaded from the Microsoft Update Catalog. The latest Servicing Stack Update (SSU) must be installed before manual installation. Details, including known issues, can be found in the KB article. 
• Windows 10 Version 1607: Update KB4525236 only for Enterprise and Education as well as Windows Server 2016. The update raises the OS build to 14393.3226 and includes the fixes mentioned in the KB article. This update is automatically downloaded and installed by Windows Update, but is available in the Microsoft Update Catalog. The latest Servicing Stack Update (SSU) must be installed before manual installation. Details, including known issues, can be found in the KB article..
• Windows 10 Version 1507: Update KB44525232 is available for the RTM version (LTSC). The update raises the OS build to 10240.18395 and includes the fixes mentioned in the KB article. This update is automatically downloaded and installed by Windows Update, but is available in the Microsoft Update Catalog. The latest Servicing Stack Update (SSU) must be installed before manual installation. Details, including known issues, can be found in the KB article.

There was no update for Windows 10 V1511, because this version was dropped from support. Details about the above updates can be found in the respective Microsoft KB articles in case of doubt.

Similar articles:
Microsoft Office Patchday (November 5, 2019)
Microsoft Security Update Summary (November 12, 2019)
Patchday: Updates für Windows 7/8.1/Server (12. Nov. 2019)
Patchday Windows 10 Updates (November 12, 2019)

Office November 2019 Updates are causing Access Error 3340

[German]For users with a Windows 10 N variant, Microsoft has released the Media Feature Pack for Windows 10 N version 1909. Here is some information about this topic and how to obtain this pack.

What is Windows 10 N?

Windows N is the version of the operating system without media player and media functions. It has been offered by Microsoft (under pressure from the EU competition authorities) for years. N stands for no media features. Also for Windows 10 there is a so-called N-variant – Windows 10 KN is a reduced version developed for Korea without media features. In practice, I think that OEM manufacturers do not offer Windows 10 N installations. Usually, it is students or other users who at some point will be able to purchase a Windows 10 N installation at a reasonable price.

Who needs the Media Feature Pack and why?

If someone uses a Windows 10 N, the media functions are missing. In addition to the missing Windows Media Player, which could be substituted by VLC player, there are other problems. Without the media features that are missing in Windows 10 N, there are more limitations.

• Apps with media play back features (Groove Music, Video app etc.) won’t work
• Connecting smartphones, cameras and mobile devices via USB cable fails, because there is no support for media transfer using Picture Transfer Protocol (PTP) and Media Transfer Protocol (MTP).
• New features like Windows Mixed Reality, Cortana, Windows Hello, and the PDF display in the new Edge browser based on Windows Media files are not included in Windows 10 N.

This Microsoft site lists further functional limitations of the Windows 10 N version. Only by installing the Media Feature Pack are the missing functions retrofitted and it is, for example, possible to import photos or display PDF documents again.

Note that the Media Feature Pack for N versions of Windows 10 is not compatible with Windows Mixed Reality. Users who want to use Windows Mixed Reality must install a non-N version of Windows 10.

Where can I get the Media Feature Pack?

Microsoft provides the Media Feature Pack for the Windows N variants for free. The problem is that each Windows 10 version needs the appropriate version of the Media Feature Pack. For Windows 10 N Version 1909 (November 2019 Update) you need the Media Feature Pack for Version 1909.

In the past, you had to manually download the Media Feature Pack for the Windows 10 N version from a Microsoft site Media Feature Pack list for Windows N editions. Colleagues from deskmodder.de point out that a direct download will no longer be available. 

1. Instead you have to go to the Settings page and navigate to Apps – Apps and Features.

2. There you have to select the command Optional Features and on the next page the button Add Feature.

For a Windows 10 Version 1909 N variant, the Media Feature Pack should be offered for installation. At the latest after a restart of the system the media functions should be available.

Similar articles:
Media Feature Pack for Windows 10 N Version 1809
Windows 10 N: Media Feature Pack for Version 1903 released

[German]Another supplement to the Patchday (November 12, 2019). A number of users under Windows 7 SP1 and Windows Server 2008/R2 get the error 0x800B0109 when installing the update KB890830 (MRST). Here is some information about the topic and what was going on.

What does update KB890830 (MRST) do?

Update KB890830  is the ‘Windows Malicious Software Removal Tool’ (MSRT). The tool is available for all versions of Windows and is rolled out cyclically on patchday as an update to clean the systems from malicious software (certain common threats such as Trickbot). 

Windows needs to be restarted to take effect after installation. Those who want to run the tool manually can download it from the Microsoft Download Center or run an online version of microsoft.com. This tool cannot replace an antivirus product. You should therefore use an antivirus product to help protect your computer.

Installation issues with November 12, 2019 version

The MSRT version that was released on November 12, 2019 as update KB890830 causes problems under Windows 7 SP1 and Windows Server 2008/R2. Already on the patchday there were (German) comments like this:

With KB890830 all my installation attempts fail.
Error Code 0x800B0109

Further comments indicate that there are install issues with the 32-bit version of Windows 7 SP1. The German comment here also shows the installation error with the 64-bit version. I have also received reports that the tool is being installed on a recurring basis. Woody Leonhard also mentioned this installation error in an article at ComputerWorld.

What does error 0x800B0109 means?

The error code 0x800B0109 stands for CERT_E_UNTRUSTEDROOT, and the message is in plain text:

A certificate chain was processed, but ended with a root certificate that is not trusted by the trust provider.

This simply means that the certificate used to verify the signed update file cannot be trusted. A digital signature is included in the update package. But the certificate chain used to verify the trustworthiness of the digital signature ends with a root certificate that is not considered trustworthy.

Ad-hoc I would have suspected a missing Servicing Stack Update (SSU) or a SHA-2 update as the cause for Windows 7 SP1 and Windows Server 2008/R2. The support article for update KB890830 says:

Note: Starting November 2019, MSRT will be SHA-2 signed exclusively. Your devices must be updated to support SHA-2 in order to run MSRT. To learn more, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

But that’s not the root cause this time. Rather, Microsoft made a mistake signing the update package in question. There is this Technet Forenthread, where the issue is discussed. 

In the meantime update KB890830 is no longer available via Windows Update (see this German comments within my blog). Within the Microsoft Update Catalog there is update KB890830 still available with v5.77. However, for Windows 7, Windows Server 2008 and Windows Server 2008 R2, this has the update date 11/13/2019, while the counterparts for Windows 8.1 to Windows 10 and the server counterparts have the update date 11/12/2019.

So Microsoft has updated the package for Windows 7 and Server 2008/r2 and replaced the faulty certificate. I have now downloaded the MSRT v5.77 in a 64-bit version for my Windows 7 SP1. The tool ran smoothly. 

The Microsoft Update Catalog offerst two MSRT packaged to download. One is a delta update, which may be used in WSUS.

Similar article:
Issues with Update KB890830 (Windows Malicious Removal Tool

[German]It seems that Microsoft has started to force systems, which still run with Windows 10 version 1803, to upgrade to Windows 10 May 2019 Update (version 1903) via feature update.

Windows 10 Version 1803 reached EOL

According to Microsoft’s Windows 10 End of Life sheet shows that older Windows 10 builds will reach the End of Life in October and November, respectively (see table below).

(Source: Microsoft)

Windows 10 Version 1803 Home and Pro will reach the end of 18 months of support on November 12, 2019 according to the table above. Then there will be the last security updates for this Windows version. Only the Enterprise versions will receive one year longer support. Older Windows 10 versions have already dropped out of support in the home/pro version.

Windows 10 V1803: EOL notifications since October

I had already mentioned it briefly in the October 2019 blog post Windows 10: force upgrade to V1803 and EOL notification. Since mid-October 2019, the Windows 10 systems in question had started to inform users about the end of life (EOL) with appropriate notifications. Users of older Windows 10 versions up to and including Windows 10 version 1803 Home and Pro will therefore receive the following notification, which indicates the end of support

(Source: Microsoft)

Microsoft has announced this in this support article. The update KB4023814 is responsible for the notification.

Windows 10 V1803: Now comes the forced update

Now that the end of support has been reached, Microsoft starts a forced update for these systems. I had already mentioned in the blog post Windows Windows 10: force upgrade to V1803 and EOL notification of October 25, 2019 that first users reported this process.

Bleeping Computer now also reports in this article that Windows 10 1803 systems now automatically receive a feature update. However, the systems will not be updated to Windows 10 October 2018 Update (Version 1809), but to Windows 10 May 2019 Update (Version 1903) instead.

I currently have no systems with Windows 10 version 1803 left for me to test. A system, where Windows 10 Version 1709 was still installed in the summer, I had changed over Windows Update to Windows 10 Version 1803. Then I was offered an update to Windows 10 Version 1903, which I also ran. And yesterday this machine was updated to Windows 10 version 1909.

(Feature updates since Windows 10 May 2019 Update, Click to size)

However, all these upgrades were triggered manually (see screenshot above). So the question is whether any of you have had a forced upgrade without your help on Windows 10 Version 1803 systems?

Similar articles:
Windows 10 V1803 threatens a forced update as of July 2019
Windows 10 V1803: Force update to V1903 – Part 1
Windows 10 up to V1803: Details for Upgrade to V1903  – Part 2
Windows 10 V1803 will be updated to Version 1903
Windows 10: force upgrade to V1803 and EOL notification

Microsoft has released the Windows 10 Insider Preview Build 190125 (from the development branch 20H1) for Windows Insider in the Fast Ring on November 125, 2019. Details about the fixes and new features (e.g. the Windows search has been improved) can be found in the Windows Blog.

[German]The end of support for Windows Server 2008 and Windows Server 2008 R2 happens on January 14, 2020. Without migration, organizations risk security issues and compliance violations. Microsoft advises Windows Server 2008 customers to quickly migrate to Azure Cloud. But there are other solutions, such as the ESU program. Here is some information on the topic.

‘Switch to Azure’ is the brief conclusion of a press release published by Microsoft this week. It is well known that extended support for Windows Server 2008 and Windows Server 2008 R2 will end on January 14, 2020. However, there are still companies that have no concrete plans to migrate to a new operating system.

But on January 14, 2020, however, the two server versions will receive security updates for the last time. Companies that have not migrated to a successor product by then will therefore run into a problem from February 2020.

Microsoft advises switching to the Azure cloud

Microsoft recommends that Windows Server 2008 and Windows Server 2008 R2 instances be moved to Azure so that no security issues or breaches of compliance regulations are to be risked from the cut-off date.

The background to this recommendation is that Microsoft offers Re-Hosting for Windows Server 2008 and Windows Server 2008 R2 to Microsoft Azure. Then there will be another 3 years of Extended Security Update support for these server versions. Migration to the cloud gives companies more time to find new solutions for their software applications that still require the use of old servers.

What if we don’t migrate?

Many companies still rely on Windows Server 2008 and Windows Server 2008 R2 because they either shy away from the effort of server migration or fear compatibility problems of their running applications due to an update. Companies that do not migrate their Windows Server 2008/R2 installations are negligent when they are connected to the Internet. Microsoft points out various risks.

Compliance and observance of EU-GDPR endangered

With the systems unpatched from January 2020, security gaps risk (possibly) open up, making IT vulnerable to attacks. In addition, companies run the risk of violating compliance regulations, which include effective patch and change management.

In addition, compliance with the EU data protection basic regulation (EU-GDPR) is difficult to guarantee in obsolete server environments. This can lead to a loss of trust on the part of customers or partners, provoke fines and civil law consequences and also lead to losses in sales and profits.

Separating systems from the Internet is not a solution

Some recommends separating systems from the Internet that can no longer be patched. According to Microsoft, this approach only protects against external attacks, but not against data leaks and attacks resulting from negligence or malicious intent on the part of companies’ own networks.

Only if a system is completely isolated and data exchange is completely prevented can the likelihood and extent of damage be limited. However, practice shows, according to Microsoft, that complete isolation is almost never feasible and enforceable.

Recommendations for action at the end of support

Microsoft now gives recommendations for the end of support of the server versions mentioned. Those who have not yet planned to switch to a modern server operating system such as Windows Server 2019 or server operation in Microsoft Azure should, according to Microsoft, definitely consider modernizing their business software. Microsoft offers numerous planning and relocation aids on its website.

As an alternative to moving to the Azure cloud, I would like to point out the Extended Security Update Program (ESU), which is not only available for Windows 7 SP1, but also for Windows Server 2008 and Windows Server 2008 R2.

Microsoft also mentions that for customers with software maintenance (Software Assurance), in addition to moving to Microsoft Azure, it is also possible to use extended security updates for a limited period of three years at a charge. These updates from the “Extended Security Update Program” must be purchased every year for the affected servers.

Due to the limited update possibilities and the limited flexibility Microsoft recommends companies to migrate to Azure. For those systems migrated to and registered in Microsoft’s Azure data centers, free security updates for Windows Server 2008 and Windows Server 2008 R2 are available for three more years. Further information is available from Microsoft on the following websites:

• Information about the End-of-Support of Windows Server 2008 can be found here
• About running Windows Server in Microsoft Azure
• Website of the Extended Security Update Program
• Information about Windows Server 2019

Similar articles:
Exchange Server 2010: Support extended to October 13, 2020
Windows 7 on Microsoft Azure as Windows Virtual Desktop
Microsoft offers Windows 7 Extended Update Support to SMBs
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Windows 7 Pro users receiving notification about support end
Windows 7: Free Extended Update Support and usage
Windows 7 shows End of Support notification
FYI: End of Support for Windows 7, SQL-Server 2008 and more
Wow! Windows 7 get extended support until January 2023
Windows 7 Extended Security Updates buyable from April 2019
Microsoft offers Windows 7 Extended Update Support to SMBs
Prices for Windows 7 Extended Security Updates till 2023
Windows 7: Office 365 ProPlus Updates till 2023
Windows 7 Extended Security Updates (ESU) reuirements

[German]Short information for people who want to access Linux Btrfs disks under Windows. The Window driver WinBtrfs v1.5 has just been released. Blog reader Gero S. pointed this out to me (thanks for that).

WinBtrfs is a Windows driver for the next generation Linux file system Btrfs. The new release is a reimplementation from scratch. The driver does not contain any code from the Linux kernel and should work with any Windows version from Windows XP. It is also included as part of the free operating system ReactOS. The features of the driver:

• Reading and writing of Btrfs filesystems
• Basic RAID: RAID0, RAID1, and RAID10
• Advanced RAID: RAID5 and RAID6
• Caching
• Discovery of Btrfs partitions, even if Windows would normally ignore them
• Getting and setting of Access Control Lists (ACLs), using the xattr security.NTACL
• Alternate Data Streams (e.g. :Zone.Identifier is stored as the xattr user.Zone.Identifier)
• Mappings from Linux users to Windows ones (see below)
• Symlinks and other reparse points
• Shell extension to identify and create subvolumes, including snapshots
• Hard links
• Sparse files
• Free-space cache
• Preallocation
• Asynchronous reading and writing
• Partition-less Btrfs volumes
• Per-volume registry mount options (see below)
• zlib compression
• LZO compression
• LXSS (“Ubuntu on Windows”) support
• Balancing (including resuming balances started on Linux)
• Device addition and removal
• Creation of new filesystems with mkbtrfs.exe and ubtrfs.dll
• Scrubbing
• TRIM/DISCARD
• Reflink copy
• Subvol send and receive
• Degraded mounts
• Free space tree (compat_ro flag free_space_cache)
• Shrinking and expanding
• Passthrough of permissions etc. for LXSS
• Zstd compression
• Windows 10 case-sensitive directory flag
• Oplocks

Defragmentation, support for Btrfs quotas and Windows 10 reserved storage have not yet been implemented. If a Btrfs file system resides on an MD software RAID device created by Linux, WinMD is also required to display it under Windows.

The new version should be suitable for daily use, but making backups is recommended. The developers also point out that the use of this software is at your own risk. Details can be found on GitHub – download may be found here.

[English]Another addendum for administrators of Windows Server 2008 systems who need extended support. Microsoft has already released the update KB4528081 for Windows Server 2008 SP2 on November 8, 2019, which is intended to check the eligibility for the Extended Security Updates.

German blog reader Gero H. has made me aware of this update (thanks for that). Gero wrote me in an e-mail:

for Windows Server 2008 SP2 the update KB4528081 was released. 

This update should check the compatibility of the system, if support is possible after 14.01.2020 and if ESU updates are available.

However, this update is only available for the 64bit version. The Itanium and 32bit versions are not available.

Windows Server 2008 R2 SP1 and Windows 7 SP1 also do not receive this update.

In fact, the Microsoft Update Catalog contains only a 64-bit version of this update with a release date of November 5, 2019. The support article for Update KB4528081 (Update to verify that eligible Windows Server 2008 SP2 devices can get Extended Security Updates) reads:

This optional nonsecurity update will help you verify that your eligible Windows Server 2008 Service Pack 2 (SP2) devices can continue to get Extended Security Updates (ESUs) after the end of support date of January 14, 2020.

With this optional, non-security update, administrators can check whether their eligible Windows Server 2008 Service Pack 2 (SP2) devices can continue to receive Extended Security Updates (ESUs) after the support date expires on January 14, 2020.

It is therefore only an update to test whether everything is ok with the update supply from January 2020 onwards. The optional update KB4528081 is available in the Microsoft Update Catalog and in WSUS, but not via Windows Update. Microsoft states that the update cannot be used for the following platforms:

This update is not applicable for Windows 7 Virtual Desktop (WVD) and Windows 7 Embedded OS.

So Windows 7 and Windows 7 Embedded are left out. Within the KB article the preconditions for installing this update (SHA-2 update and the current SSUs) are mentioned. Blog reader Gero is surprised that no such update has been released for Windows 7 SP1 and has asked himself the following questions.

1. did the update KB4528081 just accidentally get released and the other variants get one in December etc?

2. don’t the other versions like 2008 R2 SP1 / Win7 SP1 / 2008 SP2 x86 & ia64 need any? And if yes

3. Then why does Server 2008 SP2 x64 need one? 

Gero installed the Update on Windows Vista Ultimate x64 and was able to receive follow up updates. But this might be locical, because the Microsoft support article says that the package should only check if there is something preventing Windows Server 2008 from installing Extended Security Updates. The updates until January 14, 2020 would be installed without any influence. Has anyone installed the update on Windows Server 2008 and more information?

[German]A brief addendum for users of Windows 7 SP1 and Windows Server 2008/R2, who had trouble with update KB890830 (MSRT) in November. Microsoft has indirectly admitted that they pulled KB890830 from Windows Update due to issues.

What was the MSRT problem?

Update KB890830 is the ‘Windows Malicious Software Removal Tool’ (MSRT). The tool is available for all versions of Windows and is rolled out cyclically on patchday as an update to clean the systems from malicious software (certain common threats such as Trickbot).

The update was also rolled out on Patchday (November 12, 2019) for all Windows versions via Windows Update. But this MSRT version from November 12, 2019 causes issues in Windows 7 SP1 and Windows Server 2008/R2. Already on Patchday there were comments like this:

With KB890830 all my installation attempts fail.
Error Code 0x800B0109

I have also read reports that the tool is being installed again and again. In the blog post Windows 7: Update KB890830 (MSRT) drops Error 0x800B0109 I outlined the background for error 0x800B0109. The error code stands for CERT_E_UNTRUSTEDROOT, which means that the certificate chain was processed though. However, the check ended with a root certificate that is not trusted by the trust provider.

So, while the KB890830 Update Certificate was invalid for Windows 7 SP1, all other versions of Windows accepted the MSRT Certificate. What caused this problem could not be clarified – probably Windows 7 SP1 lacks a corresponding root certificate.

MSRT reissued and pulled from Windows Update

Shortly after the patchday blog readers reported that the update KB890830 was no longer offered via Windows Update. In the blog post Windows 7: Update KB890830 (MSRT) drops Error 0x800B0109 I had pointed out that an updated version of the MSRT (update KB890830) for Windows 7, Windows Server 2008 and Windows Server 2008 R2 (dated 11/13/2019) has been released in Microsoft Update Catalog. So Microsoft has changed something. I also reported that I was able to download the MSRT from the Update Catalog and run it successfully on Windows 7.

Now a blog reader has pointed out an addition in the support post for KB890830 . Microsoft has added the following passage:

Due to certificate chain verification issues on pre-Win10, the MSRT package of November 2019 will not be offered via Windows Update.

Please download the package from Download site to run on these platforms.

Microsoft therefore no longer offers the MSRT for all Windows versions prior to Windows 10 for November 2019 via Windows Update. The reason is a problem in the certificate chain. The recommendation is to download the tool manually and then run it for verification. So exactly what I had already outlined in the blog post Windows 7: Update KB890830 (MSRT) drops Error 0x800B0109.