It’s the third week of the month – the week we find out if Microsoft acknowledges any side effects it’s achieving as part of the monthly patch release process.
First, a bit of background. Microsoft has released patches for years. But they weren’t always released on schedule. In the early days, Microsoft would release updates any day of the week. Then in October 2003, Microsoft formalized the release of regular security updates on the second Tuesday of the month. This is how Patch was born Tuesday. (Note: Depending on where you are in the world, Corrective Tuesday could be Correct Wednesday.) The next day, or in some cases, within the next week, users and administrators report issues with updates—and Microsoft finally acknowledges that, yes, there are issues .
And here’s the catch: Not everyone will see the side effects that Microsoft admits to (and sometimes there are side effects that Microsoft never admits). Or it could be some that just happen coincidentally with the patchwork process. (I often installed updates and doing a restart shed light on an underlying issue that I wasn’t aware of.)
This month, I made an interesting discovery. There are actually two sources of documentation about issues arising from the latest updates. The first, called the Windows Health Release Dashboard, lists all supported products from Windows Server 2022 through Windows 7 and document issues that Microsoft has investigated and fixed. This month, for example, Microsoft acknowledges that there were issues with Server 2022 that ran on Active Directory Domain Controllers. As the company notes: “An issue was found with how the assignment of certificates to machine accounts is handled by the domain controller.”
Not all Active Directory domain controllers are affected – only those that use machine certificates. Microsoft will roll out changes to how certificates are handled; Plan to add audit now and enforce more changes later. If you are an Active Directory domain administrator, I recommend that you check out this knowledge base article and review your event.
Interestingly enough, there is a second source that documents debug issues that Microsoft might investigate. However, this summary of known issues is only available if you have access to an E3 or E5 license. If so, and you have admin rights or support rights, you can go to the dashboard integrated within the Microsoft 365 dashboard. It documents some side effects not noticed in the general dashboard. For example, this month’s Microsoft 365 Health release dashboard acknowledged that there were two additional issues that were not noticed in the general console.
First, he notes the problem with the Remote Desktop Services Broker Connection role:
“We have received reports that after installing KB5005575 or later updates on Windows Server 2022 Standard Edition, the Remote Desktop Connection Broker and Support Services role may be removed unexpectedly. We have expedited the investigation and are working on a solution. Note: Windows Server 2022 Datacenter release and releases are not affected. Other Windows Server reported this problem.
Workaround: If you are using Remote Desktop Connection Broker on Windows Server 2022 Standard Edition, you can mitigate this issue by removing Remote Desktop Connection Broker, installing the latest security update, and then re-adding Remote Desktop Connection Broker.
“Next Steps: We are working on a solution and will provide an update in an upcoming release.”
Next, it documents this:
We are receiving reports that the Snip & Sketch app may fail to take a screenshot or may fail to open using the keyboard shortcut (Windows key + shift + S), after installing KB5010386 and later updates.
Next steps: We are currently investigating and will provide an update when more information becomes available.
I’m not sure why there is a difference between the items listed in the Public Health Edition dashboard and the Microsoft 365 Health Edition dashboard. But if you have access to the Microsoft 365 edition, you should review the information there.
More and more, Microsoft is using a technology called “undo known issues”. If a problem is introduced by a non-security fix included in Patch Tuesday updates, Microsoft can undo and fix it behind the scenes. Often in the health release dashboard, you will see a notification that the problem will be dealt with this way, and if you are not in a corporate domain, you may be prompted to restart your computer. In a domain, you can use Group Policy as a trigger. (The admx file is routinely published with instructions to run the rollback.) These rollbacks cannot be performed if the issue is triggered by a security patch, because re-update to the previous security patch state would leave your system vulnerable.
For example, the recent update brought up an issue “where some applications using Direct3D 9 may have issues with some GPUs.”
As Microsoft notes:
After installing KB5012643, Windows devices using certain GPUs may have applications that close unexpectedly or intermittent issues with some applications that use Direct3D 9. You may also receive an event log error in the Windows application/logs with the defective module d3d9on12. dll and exception code 0xc0000094 .
Solution: This issue has been resolved using Known Issue Rollback (KIR). Please note that it may take up to 24 hours for the resolution to automatically propagate to unmanaged consumer and business devices. Restarting your Windows machine may help apply Resolution on your device is faster For enterprise-managed devices, devices that have installed an affected update and have this issue can be resolved by installing and configuring the special group policies listed below. For information about deploying and configuring these special group policies, please see How to Use the Special Group Policy Group to publish undo known issues.
Group Policy Downloads as Group Policy:
- Download for Windows 11 Version 21H2 – Group Policy Name: KB5012643 220509_20053 Undo known issues.
- Download for Windows 10 Version 2004, Windows 10, Version 20H2 and Windows 10, Version 21H1 – Group Policy Name: KB5011831 220509_20051 Undo known issues. “
Again, not all computers will see this problem. It is limited to certain computers affected by specific GPUs.
Bottom line: Next time you see stories about side effects caused by Tuesday’s releases, don’t assume you’ll be affected. You may not encounter any problems at all. If you have the resources, I recommend setting up a test bed for the sample machines so you can decide if you should. If you can’t do that, the key to recovery (and avoiding issues), is to make sure you have a backup of your computer and can restore it if necessary. The technology that ensures that you can recover from ransomware is also the same technology that ensures that you can recover from the side effects of a wrong patch.
Copyright © 2022 IDG Communications, Inc.