As we close out this extraordinary year, it’s important to remember the unusual patching experiences this year that affected many businesses and their processes.
The pandemic effect
Not surprisingly, the pandemic impacted patching in a big way. In April, it forced Microsoft to push off the end of life for two products, Windows 10 1709 and Windows 10 1809 — by six months each. Win 10 1709 wound up with a 36-month support window for Enterprise and Education users and 1809 Home and Pro got an extra six months, to Nov. 10. Clearly, Microsoft could see the impact of the pandemic on enterprise rollout plans and understood that most of us had other things on our minds.
Then, due to the impact of shifting to work from home, Microsoft announced a pause in the release of optional preview updates for Windows 10, only resuming the releases in June, once things had stabilized. (While the company has traditionally paused optional preview updates during December as employees take vacation days, this is the first time it did so during the normal coding year.)
Patching for workers at home
As IT administrators quickly pivoted to supporting remote workers, we pretty much grabbed and updated any laptop or desktop we could get our hands on. We also wound up patching and controlling many more machines than we’d had under our control before. As a result, many IT administrators had to deal with deploying updates over a VPN tunnel. Microsoft helpfully published guidance and information on how to ensure that while data to the office went over the VPN tunnel, the patching updates would go over the home user’s Internet connection.
Patching side effects
This was the first time in a long time I remember actually removing – and blocking – an update. Normally, I try to find a workaround rather than uninstalling an update, but in June, I couldn’t find an alternative. The June updates were not kind to my Ricoh PCL 5 printers. Nor did they play nicely with my dad’s Brother printer. Lots of people were affected by the printer issues triggered in the June 2020 updates.
While working from home during the pandemic means we’re less likely to be printing remotely, we still need to print now and then — and clearly Microsoft forgot to test printing in this release. In my case, I had to remove the update, reconfigure my PCL 5 printers, and update them to PCL 6 versions to make sure I wouldn’t be affected in the future.
Feature releases held back
It’s always amazing to me how Microsoft’s own Surface devices are never the first to receive feature releases. Microsoft even had to put a safeguard hold on its own devices until the issue was resolved. We are still tracking an issue where computers with Conexant audio drivers are blocked from both 2004 and 20H2. This may be changing, though, as Microsoft recently updated its Windows release health dashboard to indicate it’s resolving issues with Conexant audio drivers.
As noted in an updated Health release information note, “This issue was resolved for safeguard IDs 25702662 and 25702673. The safeguard hold has been removed for these safeguard IDs as of December 11, 2020. Please note, if there are no other safeguards that affect your device, it can take up to 48 hours before the update to Windows 10, version 2004 or Windows 10, version 20H2 is offered.”
Exposing Safeguard holds
Microsoft has put these blocks in place to ensure that machines will not receive feature updates until they are ready to receive them. But this can prevent IT admins from understanding what is keeping the feature release from the system. Thus, Microsoft now exposes these safeguard holds through the Update Compliance interface. On Windows 10 1809 or later systems that have installed the October 2020 security update, there is now a group policy setting that allows an IT admin to opt out of the blocking mechanism. This new setting, “Disable safeguards for Feature Updates,” is available to bypass a feature block, provided you fully understand the consequences: a device opted out can be offered 2004 or 20H2 even while a known compatibility issue is still open.
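A quick way to see where a device stands on this, as an added example that is not from the article or from Microsoft: the script below reads the registry value the “Disable safeguards for Feature Updates” policy writes (DisableWUfBSafeguards under the WindowsUpdate policy key) and, as an assumption, the GatedBlockId/GatedBlockReason values that Setup records under the TargetVersionUpgradeExperienceIndicators key when a hold applies.

```powershell
# Added example (not from the article): report whether this Windows 10 device
# has the "Disable safeguards for Feature Updates" policy set, and whether the
# upgrade experience indicators record a safeguard (gated) block.
# Assumption: the GatedBlockId/GatedBlockReason values under the indicator
# key are where Setup records the hold; the policy value name is documented.

$policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$indicatorKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TargetVersionUpgradeExperienceIndicators'

function Get-SafeguardOptOutState {
    $value = (Get-ItemProperty -Path $policyKey -Name 'DisableWUfBSafeguards' `
              -ErrorAction SilentlyContinue).DisableWUfBSafeguards
    [pscustomobject]@{
        PolicyPresent      = ($null -ne $value)
        SafeguardsDisabled = ($value -eq 1)
    }
}

function Get-SafeguardHoldIndicators {
    if (-not (Test-Path $indicatorKey)) { return @() }
    Get-ChildItem -Path $indicatorKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            TargetVersion    = $_.PSChildName
            GatedBlockId     = $props.GatedBlockId
            GatedBlockReason = $props.GatedBlockReason
        }
    } | Where-Object { $_.GatedBlockId -and $_.GatedBlockId -ne 'None' }
}

$state = Get-SafeguardOptOutState
if ($state.SafeguardsDisabled) {
    Write-Warning 'Safeguard holds are disabled by policy: feature updates will be offered even where Microsoft has an open compatibility issue.'
} else {
    Write-Output 'Safeguard holds are in effect (policy not set, or set to 0).'
}

$holds = Get-SafeguardHoldIndicators
if ($holds) {
    Write-Output 'Safeguard hold indicators recorded on this device:'
    $holds | Format-Table -AutoSize
} else {
    Write-Output 'No gated block recorded under the upgrade experience indicators.'
}
```

The GatedBlockId reported here is the same kind of safeguard ID Microsoft quotes in its release health notes (25702662 and 25702673 for the Conexant hold above), so it can be matched against the dashboard.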
LCU and SSU now combined
The next major shift Microsoft is implementing is a change in the patching process itself. For many years, the company has released servicing stack updates (SSUs) to ensure the long-term health and continued servicing of the Windows 10 (and earlier) platforms. As Microsoft describes them: “Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the “component-based servicing stack” (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.”
When an SSU is released, it has to be installed on the Windows 10 platform prior to the installation of the latest cumulative update (LCU). If it is not, you could see future servicing issues on your workstations and servers, so ensuring SSUs are installed in the right order is key. Starting with the December updates, the servicing stack updates for the 2004/20H2 feature release platforms are being combined with the latest cumulative update; they will ship as one file and you will no longer have to ensure that you install one before the other. (Microsoft plans to backport these changes to the prior platforms.)
Those that use Windows Update won’t see an impact: the SSU silently installs before the LCU when you install the monthly releases. It’s corporate and third-party patching tools that will no longer have to worry about two updates and will only have to approve the one.
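To confirm the prerequisite is actually in place on platforms where the two still ship separately, here is an added check (not from the article or from Microsoft) that lists the newest installed SSU and LCU packages and the servicing stack version CBS reports as active. It assumes the usual “Package_for_ServicingStack_*” and “Package_for_RollupFix_*” package naming and that the CBS “Version” registry key carries one value per installed stack version.

```powershell
# Added example (not from the article): show the newest servicing stack update
# (SSU) and latest cumulative update (LCU) packages on this Windows 10 machine,
# plus the servicing stack version CBS lists as active.
# Assumptions: package names follow the "Package_for_ServicingStack_*" and
# "Package_for_RollupFix_*" conventions; the CBS "Version" key holds one value
# per installed stack, named by its version number.

Import-Module Dism

function Get-LatestServicingPackages {
    $packages = Get-WindowsPackage -Online | Where-Object { $_.PackageState -eq 'Installed' }
    $ssu = $packages | Where-Object { $_.PackageName -like 'Package_for_ServicingStack_*' }
    $lcu = $packages | Where-Object { $_.PackageName -like 'Package_for_RollupFix_*' }
    [pscustomobject]@{
        LatestSSU = $ssu | Sort-Object InstallTime -Descending | Select-Object -First 1
        LatestLCU = $lcu | Sort-Object InstallTime -Descending | Select-Object -First 1
    }
}

function Get-ActiveServicingStackVersion {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Version'
    # Value names are stack versions (e.g. 10.0.19041.xxx); pick the highest.
    $names = (Get-Item -Path $key).GetValueNames() | Where-Object { $_ -as [version] }
    $names | Sort-Object { [version]$_ } -Descending | Select-Object -First 1
}

$pkgs = Get-LatestServicingPackages
"Active servicing stack version: $(Get-ActiveServicingStackVersion)"
foreach ($kind in 'LatestSSU', 'LatestLCU') {
    $p = $pkgs.$kind
    if ($p) { "{0}: {1} (installed {2})" -f $kind, $p.PackageName, $p.InstallTime }
    else    { "{0}: no package found" -f $kind }
}
# If the LCU's InstallTime precedes the SSU's on a pre-2004 platform, the
# ordering described above was not honoured and the LCU should be reapplied.
```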
The year also included some major and interesting updates that need to be applied to workstations and servers, because ransomware operators have exploited the vulnerabilities they fix to hit computer users and networks. The ZeroLogon privilege escalation vulnerability (CVE-2020-1472) has been used to allow attackers to gain more access to networks. Currently, we are in the enablement phase: the update has been installed on domain controllers, but enforcement is not yet turned on, so non-Windows clients with vulnerable Netlogon secure channel connections can still be used in attacks.
As of Feb. 9, 2021, the updates released then will turn on Domain Controller enforcement. CVE-2020-0796 (GhostSMB) is a wormable SMBv3 vulnerability that – as yet – has not been widely exploited. There are reports, however, of many vulnerable systems still in use at this time.
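The two items above are the ones most worth auditing before February, so here is an added script (not from the article or from Microsoft) that reports a domain controller’s Netlogon enforcement state, counts the Netlogon events 5827–5831 that the August 2020 update logs for vulnerable secure channel connections, and checks whether the SMBv3 compression workaround for CVE-2020-0796 is applied. It assumes it is run elevated, on a DC for the Netlogon part and on any Windows host for the SMB part.

```powershell
# Added example (not from the article): audit CVE-2020-1472 enforcement state
# and vulnerable-connection events on a domain controller, and the SMBv3
# compression workaround for CVE-2020-0796. Run elevated.
# Assumption: event IDs 5827-5831 under provider NETLOGON in the System log
# are the ones the August 2020 update introduced for this purpose.

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$lanmanKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-NetlogonEnforcementState {
    $v = (Get-ItemProperty -Path $netlogonKey -Name 'FullSecureChannelProtection' `
          -ErrorAction SilentlyContinue).FullSecureChannelProtection
    switch ($v) {
        1       { 'Enforcement mode (vulnerable Netlogon connections are denied)' }
        0       { 'Enablement mode, set explicitly (vulnerable connections allowed and logged)' }
        default { 'Not set: enablement mode until the Feb. 9, 2021 update turns on enforcement' }
    }
}

function Get-VulnerableNetlogonEvents {
    param([int]$Days = 7)
    # 5827/5828: connection denied; 5829: vulnerable connection allowed
    # (enablement phase); 5830/5831: allowed because the account is exempted
    # by the "Allow vulnerable Netlogon secure channel connections" policy.
    $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'
                 Id = 5827, 5828, 5829, 5830, 5831
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id | Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

function Test-SmbCompressionDisabled {
    $v = (Get-ItemProperty -Path $lanmanKey -Name 'DisableCompression' `
          -ErrorAction SilentlyContinue).DisableCompression
    return ($v -eq 1)
}

"Netlogon: $(Get-NetlogonEnforcementState)"
$events = Get-VulnerableNetlogonEvents
if ($events) { $events | Format-Table -AutoSize }
else         { 'No Netlogon 5827-5831 events in the last 7 days.' }

if (Test-SmbCompressionDisabled) {
    'SMBv3 compression is disabled (CVE-2020-0796 workaround in place).'
} else {
    'SMBv3 compression is enabled: make sure the CVE-2020-0796 fix is installed, or set DisableCompression=1 as a workaround.'
}
```

Any 5829 events are the machines that will stop working once enforcement is turned on, so they are the list to chase down before Feb. 9, 2021.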
Here’s hoping that in 2021 we won’t have quite so many changes to handle.