Not All Patch Problems Are Created Equal
It’s the third week of the month, the week we find out which side effects of the monthly patch release Microsoft is acknowledging and investigating.
First, some context. Microsoft has released patches for years, but they weren’t always released on a schedule. At first, updates shipped on any day of the week. Then, in October 2003, Microsoft formalized the release of regular security updates on the second Tuesday of the month, and Patch Tuesday was born. (Depending on where you are in the world, Patch Tuesday may be Patch Wednesday.) The next day, or in some cases within the following week, users and admins start reporting problems with the updates, and eventually Microsoft acknowledges that, yes, there are issues.
Herein lies the catch: not everyone will see the side effects Microsoft acknowledges (and some side effects Microsoft never acknowledges). Some problems that appear after patching may simply be coincidental: the reboot that follows an update can expose an unrelated fault that was already there. (I have often installed updates and found that the reboot brought to light an underlying issue I was unaware of.)
This month I made an interesting discovery: there are actually two sources of documentation for issues with the latest updates. The first, the Windows release health dashboard, covers all supported products from Windows Server 2022 back to Windows 7 and documents the issues Microsoft is investigating and fixing. This month, for example, Microsoft is acknowledging an issue with Server 2022 triggered on Active Directory domain controllers. As the company notes, “An issue has been detected with the way certificate mapping to machine accounts is handled by the domain controller.”
Not all Active Directory domain controllers are affected, only those using device certificates. Microsoft is rolling out changes to how certificate mapping is handled; it plans to add auditing now and apply the stricter behavior later. If you are in charge of an Active Directory domain, I recommend that you read the knowledge base article and review your domain controllers’ event logs for the new audit events before the later changes are enforced.
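The review of the domain controller event logs, as an added example that is not from the article or from Microsoft. It queries each DC for the audit events the certificate-mapping change logs while it is still in audit mode and exports them so the offending certificates can be reissued. The event IDs (39, 40, 41 from the Microsoft-Windows-Kerberos-Key-Distribution-Center provider in the System log) and the KB number are assumptions taken from Microsoft’s May 2022 certificate-mapping guidance (KB5014754), not from the article; confirm them against the knowledge base article the text refers to.

```powershell
# Added example, not from the article or from Microsoft.
# Assumptions (not stated on the page): event IDs 39/40/41 from the
# Microsoft-Windows-Kerberos-Key-Distribution-Center provider in the System log,
# as documented in KB5014754 for the audit phase of the certificate-mapping change.
# Run as an administrator; pass -ComputerName to query remote domain controllers.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$Days = 7
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 39, 40, 41          # weak mapping / cert predates account / SID mismatch
    StartTime    = (Get-Date).AddDays(-$Days)
}

# Human-readable meaning of each audit event (assumed from KB5014754).
$meaning = @{
    39 = 'Certificate valid but mapped only weakly (no SID or explicit mapping)'
    40 = 'Certificate predates the account it maps to'
    41 = 'SID in the certificate does not match the mapped account'
}

foreach ($dc in $ComputerName) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as a clean result.
        if ($_.Exception.Message -match 'No events were found') {
            Write-Output "$dc : no weak certificate mappings logged in the last $Days days"
            continue
        }
        throw
    }

    # Summarize per event ID so the scale of the cleanup is visible at a glance.
    $events |
        Group-Object Id |
        ForEach-Object {
            [pscustomobject]@{
                DC      = $dc
                EventId = [int]$_.Name
                Count   = $_.Count
                Meaning = $meaning[[int]$_.Name]
                Latest  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            }
        } | Format-Table -AutoSize

    # Each message names the account and the certificate subject/issuer;
    # keep the raw list so the certificates can be reissued before enforcement.
    $events | Select-Object TimeCreated, Id, Message |
        Export-Csv -Path "weak-cert-mappings-$dc.csv" -NoTypeInformation
}
```

Run it against every DC, not just one: mapping is evaluated by whichever DC authenticates the request, so a clean result on one DC says nothing about the others.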
Interestingly, there is a second source that documents patch issues Microsoft may be investigating. This summary of known issues is available only if you have an E3 or E5 license; if you do, and you have admin or support rights, you can reach the release health page built into the Microsoft 365 admin center. It documents some side effects not noted on the public dashboard. This month, for example, the Microsoft 365 release health dashboard acknowledged two additional issues not listed on the public page.
First, it notes an issue with the Remote Desktop Connection Broker role:
“We have received reports that after installing KB5005575 or later updates on Windows Server 2022 Standard Edition, the Remote Desktop Connection Broker role and support services might be removed unexpectedly. We have expedited the investigation and are working on a resolution. Note: Windows Server 2022 Datacenter edition and other versions of Windows Server are not affected by this issue.
“Workaround: If you are using Remote Desktop Connection Broker on Windows Server 2022 Standard Edition, you can mitigate this issue by removing Remote Desktop Connection Broker, installing the latest security update, and then re-adding Remote Desktop Connection Broker.
“Next steps: We are working on a resolution and will provide an update in an upcoming release.”
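A check for the Connection Broker issue, as an added example that is not from the article or from Microsoft. It reports whether a host is in the population Microsoft describes (Windows Server 2022 Standard with KB5005575 or a later update) and whether the RD Connection Broker role is still installed, and it can run the first and last steps of the published workaround. Assumptions not stated on the page: KB numbers increase over time, so “KB5005575 or later” is approximated by comparing the numeric part of each installed HotFixID, and RDS-Connection-Broker is the feature name Get-WindowsFeature uses for the broker role.

```powershell
# Added example, not from the article or from Microsoft.
# Requires the ServerManager module (present on Windows Server), run as administrator.
[CmdletBinding()]
param(
    # Workaround step 1: remove the broker role before installing the update.
    [switch]$RemoveBroker,
    # Workaround step 3: re-add the broker role after the update is installed.
    [switch]$ReaddBroker
)

function Get-BrokerIssueState {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Assumption: cumulative updates get increasing KB numbers, so "KB5005575 or later"
    # can be approximated by the numeric part of every installed HotFixID.
    $kbNumbers = Get-HotFix |
        Where-Object { $_.HotFixID -match '^KB\d+$' } |
        ForEach-Object { [int]($_.HotFixID -replace '^KB', '') }

    $broker = Get-WindowsFeature -Name RDS-Connection-Broker

    [pscustomobject]@{
        Caption            = $os.Caption
        Server2022Standard = ($os.Caption -like '*Server 2022*') -and ($os.Caption -like '*Standard*')
        Kb5005575OrLater   = @($kbNumbers | Where-Object { $_ -ge 5005575 }).Count -gt 0
        BrokerInstalled    = [bool]$broker.Installed
        BrokerInstallState = $broker.InstallState
    }
}

$state = Get-BrokerIssueState
$state | Format-List

$affected = $state.Server2022Standard -and $state.Kb5005575OrLater
if ($affected -and -not $state.BrokerInstalled) {
    Write-Warning 'RD Connection Broker is absent on an affected build; it may have been removed by the update.'
}

if ($RemoveBroker) {
    # Step 1 of Microsoft's workaround. Step 2 (install the latest security update) is
    # done with your normal patching tool; then rerun this script with -ReaddBroker.
    Uninstall-WindowsFeature -Name RDS-Connection-Broker
}
if ($ReaddBroker) {
    # Step 3 of the workaround: put the broker role back after the update is on.
    Install-WindowsFeature -Name RDS-Connection-Broker -IncludeManagementTools
}
```

Run it without switches first to see where a server stands; only use -RemoveBroker and -ReaddBroker on Server 2022 Standard hosts that actually carry the broker role, since removing it takes the RDS deployment’s connection brokering offline until it is re-added.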
Then it documents this:
“We are receiving reports that the Snip & Sketch app may fail to capture a screenshot or fail to open using the keyboard shortcut (Windows key + Shift + S) after installing KB5010386 and later updates.
“Next steps: We are currently investigating and will provide an update when more information becomes available.”
I don’t know why the items noted on the public Windows release health dashboard differ from those on the Microsoft 365 release health dashboard. But if you have access to the Microsoft 365 version, you should review the information there.
Increasingly, Microsoft is using a technology called Known Issue Rollback (KIR). If an issue is introduced by a non-security fix included in a Patch Tuesday update, Microsoft can roll that fix back in the background. Often the release health dashboard will note that an issue will be handled this way; if you are not in a corporate domain, you may simply be prompted to restart your computer. In a domain, the rollback is triggered through Group Policy: Microsoft publishes an .admx file for each rollback along with instructions for deploying it. However, a rollback cannot be used when the issue is triggered by a security fix, because reverting that fix to its pre-patch state would leave your system vulnerable.
For example, a recent update introduced an issue where “some applications using Direct3D 9 may have issues on some GPUs.”
As Microsoft notes:
“After installing KB5012643, Windows devices using certain GPUs may experience applications quitting unexpectedly or intermittent issues with certain applications using Direct3D 9. You may also receive an error in the Event Log under Windows Logs/Application with faulting module d3d9on12.dll and exception code 0xc0000094.
“Resolution: This issue is resolved using Known Issue Rollback (KIR). Please note that it may take up to 24 hours for the resolution to propagate automatically to consumer devices and non-managed business devices. Restarting your Windows device may help the resolution apply to your device faster. For enterprise-managed devices that have installed an affected update and encountered this issue, it can be resolved by installing and configuring the special Group Policy listed below. For more information on deploying and configuring these special Group Policies, please see How to use Group Policy to deploy a Known Issue Rollback.
“Group Policy downloads with Group Policy name:
- Download for Windows 11, version 21H2 – GP name: KB5012643 220509_20053 Known Issue Rollback.
- Download for Windows 10, version 2004, Windows 10, version 20H2 and Windows 10, version 21H1 – GP name: KB5011831 220509_20051 Known Issue Rollback.”
Again, not all computers will see this problem; it is limited to machines with the specific GPUs that are affected.
Bottom line: the next time you see articles about side effects caused by Patch Tuesday releases, don’t assume you’ll be affected. You may not encounter any problem at all. If you have the resources, I recommend setting up a testbed of representative machines so you can determine whether you will be affected before you deploy. If you can’t, the key to recovery (and to avoiding trouble) is to make sure you have a backup of your computer and can restore it if needed. The technology that ensures you can recover from ransomware is the same technology that ensures you can recover from errant patch side effects.
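A way to tell whether a given machine is actually hitting the Direct3D 9 issue rather than assuming it is, as an added example that is not from the article or from Microsoft. It checks for the affected update, records which GPUs are present, and looks for the crash signature Microsoft quotes (faulting module d3d9on12.dll with exception code 0xc0000094) in the Application log. Assumptions not stated on the page: application crashes are logged as event ID 1000 from the Application Error provider, and the first property of that event is the faulting application’s name; the KB numbers come from the Group Policy names quoted above.

```powershell
# Added example, not from the article or from Microsoft.
# Assumptions: Application Error crash events are ID 1000 in the Application log and
# their first property is the faulting application name; affected KBs come from the
# Group Policy names in the article (KB5012643 for Windows 11 21H2, KB5011831 for Windows 10).
param([int]$Days = 14)

$affectedKbs = 'KB5012643', 'KB5011831'
$installedKb = Get-HotFix |
    Where-Object { $affectedKbs -contains $_.HotFixID } |
    Select-Object -ExpandProperty HotFixID

# The issue is limited to specific GPUs, so record what this machine has.
$gpus = Get-CimInstance -ClassName Win32_VideoController |
    Select-Object -ExpandProperty Name

# Pull recent application crashes and keep only the d3d9on12.dll / 0xc0000094 signature.
$crashes = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'd3d9on12\.dll' -and $_.Message -match '0xc0000094' }

# Group by faulting application (property 0 of the event, assumed layout) so you can see
# which programs are being hit; fall back to 'unknown' if the property is missing.
$byApp = $crashes | Group-Object -Property {
    if ($_.Properties.Count -gt 0) { $_.Properties[0].Value } else { 'unknown' }
}

$lastCrash = $null
if ($crashes) {
    $lastCrash = ($crashes | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
}

[pscustomobject]@{
    AffectedUpdateInstalled = [bool]$installedKb
    InstalledKb             = ($installedKb -join ', ')
    GPUs                    = ($gpus -join '; ')
    D3D9on12CrashCount      = @($crashes).Count
    CrashingApps            = (($byApp | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join '; ')
    LastCrash               = $lastCrash
}
```

A machine that shows the affected update installed but no matching crashes is exactly the case the article describes: on the update, not affected. Only machines with a nonzero crash count need the KIR Group Policy deployed, and because the fix is a rollback of a non-security change, deploying it does not reopen a patched vulnerability.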
Copyright © 2022 IDG Communications, Inc.