Radia - General Discussions

Jim Longo
How to publish the new smaller wsusscn2.cab file to Radia

Microsoft has announced a smaller wsusscn2.cab file will be available in a temp location until March 2022 when the new smaller wsusscn2.cab file will be available in the default location. This workaround can be used to publish and distribute the smaller wsusscn2.cab while we investigate options to add this temp location in Radia. I have run through these steps using the new wsusscn2.cab in the lab and successfully acquired MS-KB5007186. If you have any questions or problems please open a case with support. 

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/announcing-a-smaller-wsus-scan-cab/ba-p/2928256

The smaller wsusscn2_new.cab file can be manually downloaded for Radia to use to publish and distribute to the Radia end points.

1.> Download the new wsusscn2_new.cab and rename the file to wsusscn2.cab
http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2_new.cab

For data acquisition:
2.> Copy the wsusscn2.cab file to
C:\Program Files (x86)\PSL\RCA\Data\PatchManager\patch\microsoft
C:\Program Files (x86)\PSL\RCA\Data\PatchManager\patch\microsoft\wua

For metadata only acquisition:
2.> Copy the wsusscn2.cab file to
C:\Program Files (x86)\PSL\RCA\Data\PatchManager\patch\msft
C:\Program Files (x86)\PSL\RCA\Data\PatchManager\patch\msft\wua

3.> Add the following syntax to the acquire job, command line overrides section. 
-SKIP_WSUSSCNCAB_DOWNLOAD Y -SKIP_WSUSSCNCAB_EXTRACTION N

4.> Run the acquire job. The new smaller wsusscn2.cab file will be used to publish and distribute Security patch content in Radia.

0 0
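As an added example (not part of the post above), here is a PowerShell script for the download, rename and copy steps of a data acquisition. Because the download URL is plain HTTP, the script checks the Authenticode signature on the .cab before replacing the production copy; the $env:TEMP staging path and the .bak backup name are my own choices, and Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example (not from the post): stage the interim catalog for a Radia data acquisition.
# The download URL is plain HTTP, so the Authenticode signature on the .cab is the only
# integrity check; the production copy is replaced only if the signature validates and
# the signer is Microsoft. Staging path and .bak name are my own choices.
$Url     = 'http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2_new.cab'
$Staging = Join-Path $env:TEMP 'wsusscn2_new.cab'

# Destination folders for a data acquisition (from the post). For a metadata-only
# acquisition use ...\patch\msft and ...\patch\msft\wua instead.
$Targets = @(
    'C:\Program Files (x86)\PSL\RCA\Data\PatchManager\patch\microsoft',
    'C:\Program Files (x86)\PSL\RCA\Data\PatchManager\patch\microsoft\wua'
)

(New-Object System.Net.WebClient).DownloadFile($Url, $Staging)

$sig = Get-AuthenticodeSignature -FilePath $Staging
if ($sig.Status -ne 'Valid') {
    throw ("Refusing to stage: signature status {0} ({1})" -f $sig.Status, $sig.StatusMessage)
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw ("Refusing to stage: unexpected signer {0}" -f $sig.SignerCertificate.Subject)
}
$sha256 = (Get-FileHash -LiteralPath $Staging -Algorithm SHA256).Hash   # record for the change log
Write-Host ("Verified {0}; SHA256 {1}" -f $sig.SignerCertificate.Subject, $sha256)

foreach ($dir in $Targets) {
    if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $dest = Join-Path $dir 'wsusscn2.cab'            # the rename to wsusscn2.cab happens here
    if (Test-Path -LiteralPath $dest) {
        # Keep the previous catalog so the acquisition can be rolled back.
        Copy-Item -LiteralPath $dest -Destination ($dest + '.bak') -Force
    }
    Copy-Item -LiteralPath $Staging -Destination $dest -Force
    Write-Host ("Staged {0}" -f $dest)
}
Write-Host 'Now add -SKIP_WSUSSCNCAB_DOWNLOAD Y -SKIP_WSUSSCNCAB_EXTRACTION N to the acquire job command line overrides.'
```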
Jim Longo
Radia Patch Manager: October 2021 Patch acquisition issues

Problem:

The following error appears in the logs and no October 2021 bulletins are being acquired. 


20211012 15:22:04 Error: can't read "bulletin_srvc_options(MS-KB5005635)": no such element in array
while executing
"split $bulletin_srvc_options($bname) "
(object "::Acquire::nEWMSFT0" method "::Acquire::NEWMSFT::get_srvc_filtered_bulletin_list" body line 14)
invoked from within
"get_srvc_filtered_bulletin_list"
(object "::Acquire::nEWMSFT0" method "::Acquire::NEWMSFT::convert_bulletins" body line 4)
invoked from within
"$p1 convert_bulletins"
20211012 15:22:04 Error: can't read "bulletin_srvc_options(MS-KB5005635)": no such element in array


Cause:

The Offline scan file format has changed.


Resolution:

Development is currently working on an official hotfix and a test hotfix is available. Please open a case with support and request the patch.tkd module. 

3 1
Jim Longo
PrintNightmare, Critical Windows Print Spooler Vulnerability, out-of-band security updates.

Microsoft has released out-of-band security updates to address a critical Windows print spooler vulnerability. Persistent has created the following custom XML files to distribute the security patches. Please open a case with Persistent and request the required KB numbers.

Windows Print Spooler Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

 

Here are all the bulletins that have the July 2021 OOB patch. These are applicable to x86 and x64 systems. Please open a support case with the required KB numbers.


Windows 7 and Windows Server 2008 R2
July 6, 2021 KB5004953 (Monthly Rollup) Out-of-band

2021-07 Security Monthly Quality Rollup for Windows 7 for x86-based Systems (KB5004953)
2021-07 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB5004953)
2021-07 Security Monthly Quality Rollup for Windows Server 2008 R2 for x64-based Systems (KB5004953)


Windows 8.1 and Windows Server 2012 R2
July 6, 2021 KB5004954 (Monthly Rollup) Out-of-band

2021-07 Security Monthly Quality Rollup for Windows 8.1 for x86-based Systems (KB5004954)
2021-07 Security Monthly Quality Rollup for Windows 8.1 for x64-based Systems (KB5004954)
2021-07 Security Monthly Quality Rollup for Windows Server 2012 R2 for x64-based Systems (KB5004954)


Windows 10 1607 LTSB and Windows Server 2016
July 7, 2021 KB5004948 (OS Build 14393.4470) Out-of-band

2021-07 Cumulative Update for Windows 10 1607 LTSB for x86-based Systems (KB5004948)
2021-07 Cumulative Update for Windows 10 1607 LTSB for x64-based Systems (KB5004948)
2021-07 Cumulative Update for Windows Server 2016 for x64-based Systems (KB5004948)


Windows 10 Version 1809/LTSB and Windows Server 2019
July 6, 2021 KB5004947 (OS Build 17763.2029) Out-of-band

2021-07 Cumulative Update for Windows 10 Version 1809 for x86-based Systems (KB5004947)
2021-07 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB5004947)
2021-07 Cumulative Update for Windows 10 LTSB Version 1809 for x86-based Systems (KB5004947)
2021-07 Cumulative Update for Windows 10 LTSB Version 1809 for x64-based Systems (KB5004947)
2021-07 Cumulative Update for Windows Server 2019 for x64-based Systems (KB5004947)


Windows 10 X64 Version 1909
July 6, 2021 KB5004946 (OS Build 18363.1646) Out-of-band

2021-07 Cumulative Update for Windows 10 Version 1909 for x86-based Systems (KB5004946)
2021-07 Cumulative Update for Windows 10 Version 1909 for x64-based Systems (KB5004946)


Windows 10 X64 Version 2004, 2009, 2104
July 6, 2021 KB5004945 (OS Builds 19041.1083, 19042.1083, and 19043.1083) Out-of-band

2021-07 Cumulative Update for Windows 10 Version 2004 for x86-based Systems (KB5004945)
2021-07 Cumulative Update for Windows 10 Version 2004 for x64-based Systems (KB5004945)
2021-07 Cumulative Update for Windows 10 Version 20H2 for x86-based Systems (KB5004945)
2021-07 Cumulative Update for Windows 10 Version 20H2 for x64-based Systems (KB5004945)
2021-07 Cumulative Update for Windows 10 Version 21H1 for x86-based Systems (KB5004945)
2021-07 Cumulative Update for Windows 10 Version 21H1 for x64-based Systems (KB5004945)

0 0
Jim Longo
Using a custom (XML) Patch service to deploy the Feature Update for Windows 10, version 20H2 Enablement Package

A Radia custom (XML) Patch service can be used to update an endpoint from Windows 10 2004 to Windows 10 2009 using the Windows 10 version 20H2 Enablement Package (KB4562830). This enablement package is a more efficient way of updating the operating system as it does not require the full Windows 2009 ISO image file to be deployed to the endpoints. The KB4562830 enablement package is approximately 86MB in size whereas the full Windows 10 20H2 ISO payload is approximately 4.8GB in size. Therefore, deploying the Windows 10 20H2 feature update using the enablement package requires far less network bandwidth during the upgrade process.

 

Prerequisites

You must have the following prerequisites installed before applying this update:

  • Servicing stack update for Windows 10, version 2004: September 8, 2020 or a later servicing stack update
  • October 13, 2020 KB4579311 (OS Build 19041.572) or a later cumulative update

In some instances, it is not necessary to update the wsusscn2.cab file on each acquisition. Custom (XML) Patch services are independent of the wsusscn2.cab file, so the wsusscn2.cab download and extraction can be skipped when acquiring custom XML files.

NOTE: To request custom patch services from professional services, please open a case with support with the KB number or third-party application name, OS and architecture. For instance, KB4562830, Windows 10 2004 x64.

 

Instructions:

(Request a copy of the custom xml file MSC-KB4562830.xml from support.)

1.> Copy the custom XML file MSC-KB4562830.xml into the <InstallDir>\RCA\data\PatchManager\patch\custom folder prior to acquisition. 

2.> Create a new custom acquisition job named custom or use an existing acquire job. A sample configuration is shown in the screenshot below.

3.> Enter the Bulletin to be acquired: MSC-KB4562830. 

4.> In the Command Line Overrides enter the following syntax to skip the wsusscn2.cab file download and extraction.

      -SKIP_WSUSSCNCAB_DOWNLOAD Y -SKIP_WSUSSCNCAB_EXTRACTION Y

5.> Set “Acquire Microsoft Patches” to Yes.

6.> Run the acquisition from the Operations Tab in the console and check the CSDB editor for the bulletin MSC-KB4562830.

7.> Assign the MSC-KB4562830 service in policy to start updating Windows 2004 systems to Windows 2009 (20H2) using the KB4562830 enablement package.

0 0
Jim Longo
Using the new Software Download Manager in CP4 to deliver Windows 10 installation media

Starting with Radia 10 CP4, Software Download Manager is enabled by default. The Download Manager will download bits in the background using only radstgrq.exe and will not consume a Radia connect.

Refer to the 10.0CP4_Guides/New_Features_10.0_CP4.pdf starting on page 54 for detailed information on the new Software Download Management feature in CP4. 

Using preload=b initiates the background transfer of files to the endpoint.  

These instructions use WINDOWS_1903_ESD as the example. This will deliver the Windows 10 install media to the end point in the background. The Windows 10 ISO was extracted and published using basic component select mode.

 

  • Download the ISO, extract and publish the media. Example WINDOWS_1903_ESD

 

NOTE: After the service is published open the CSDB and set desired bandwidth throttling on the service.

  • Assign WINDOWS_1903_ESD in Policy. NOTE: The service is set to Optional so it can be targeted using sname=WINDOWS_1903_ESD

 

  • Create a preload background job or new timer instance to initiate the background transfer of WINDOWS_1903_ESD. Use sname=WINDOWS_1903_ESD and preload=b to enable the background transfer of the WINDOWS_1903_ESD service. Since this is a preload no radtray is available during this operation. The radstrgq.exe process runs while the transfer is running and will start and stop with system reboots, etc.

NOTE: Use DNAME=RADSTAGE or leave DNAME= off the command line so it will be automatically set to RADSTAGE.

Radskman.exe mname=radia,dname=RADSTAGE,uid=$MACHINE,ip=jlongoR11,port=3464,cat=prompt,cop=y,context=m,LOG=connect_preload_software.log,LOGSIZE=4096000,mnt=n,dname=radstage,sname=WIN10_1909_ESD,preload=b,rcsuri=tcp://jlongoR11:3464,datauri=http://jlongoR11:3466

 

  • The service exists under the RADSTAGE folder

 

  • The data is downloaded to the DATA folder

 

  • After the preload completes create a new job or timer instance to build the media; note that preload=b has been removed.

Radskman.exe mname=radia,uid=$MACHINE,ip=jlongoR10,port=3464,cat=prompt,cop=y,context=m,LOG=connect_preload_software.log,LOGSIZE=4096000,mnt=n,sname=WINDOWS_1903_ESD,dname=software

 

  • The new connect runs like a normal Radia connect and will display in the radtray.

 

  • Once complete the media should exist in the expected folder.

 

  • Review the new Download reporting in ReportingServer to see status of downloads for devices and services.

0 1
Jim Longo
Windows 10, version 1903 reached end of service on December 8, 2020

Windows 10, version 1903 will reach the end of service on December 8, 2020. This applies to the following editions of Windows 10 released in May of 2019:

  • Windows 10 Home, version 1903
  • Windows 10 Pro, version 1903
  • Windows 10 Pro Education, version 1903
  • Windows 10 Pro for Workstations, version 1903
  • Windows 10 Enterprise, version 1903
  • Windows 10 Education, version 1903
  • Windows 10 IoT Enterprise, version 1903
0 0
Jim Longo
Windows 10, version 1809 reached end of service on November 10, 2020 (Home, Pro, Pro for Workstations)

Windows 10, version 1809 reached end of service on November 10, 2020 (Home, Pro, Pro for Workstations). If you are experiencing problems patching Windows 10 1809 we recommend updating Windows 10 to a supported version.

2 0
Avner Callender
Changing bootsector on Win10 pc

I have Windows machines with 2 hard disks, C and D.

C is your normal Windows 10 HDD; the PC boots from this HDD and the user works from here.

The D drive is our recovery drive. It is a fully functional WinPE boot HDD that will format C and put a clean image back.

The batch file that changes the boot sector runs without problems when I execute it manually on the PC.

But when I execute it via Radia it returns with an error.

The command that does not work is bcdboot.

Please help

Thanks

0 0
Jim Longo
Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider

Windows 7 and Windows Server 2K8 R2 systems that are not currently up to date on security patching through January 2020 may encounter an error during the discover patch scan.

 

20200925 11:11:36 Info: Running a scan
20200925 11:11:36 Info: Resetting Status for vendor MICROSOFT
20200925 11:11:36 Info: Current version of WUA is 7.5.7601.17514
20200925 11:11:36 Info: Current version of MSI is 5.0.7601.17514
20200925 11:11:36 Info: WUA Scan file is C:\PROGRA~2\PSL\RCA\Agent\Lib\WUA\wsusscn2.cab
20200925 11:11:36 Info: WUA Catalog Size : 974166746 bytes & Date/Time : Tue Sep 08 11:38:39 GMT Daylight Time 2020
20200925 11:11:53 Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

 

Cause:

In accordance with our SHA-1 deprecation initiative, the wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures.

 

Resolution:

Install the following kb numbers to bring the system into SHA2 compliance. To obtain the custom XML bundle please open a case with support and request the January 2020 update bundle.

 

1.> KB4490628 - Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: March 12, 2019

2.> KB4474419 - SHA-2 code signing support update Version 3 for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 9, 2019

3.> KB4536952 - Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: January 14, 2020

4.> KB4534310 - January 14, 2020 KB4534310 (Monthly Rollup)

0 0
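An added endpoint check, not from the post: run on the Windows 7 / Server 2008 R2 system, it lists which of the four prerequisite KBs are missing (Get-HotFix only reports the KB id, so KB4474419 V3 cannot be told apart from earlier versions) and reports whether the staged wsusscn2.cab at the path shown in the log validates on that system. It is written for the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the post): endpoint diagnosis for the trust-provider error.
$RequiredKbs = 'KB4490628', 'KB4474419', 'KB4536952', 'KB4534310'   # install in this order
$CabPath     = 'C:\Program Files (x86)\PSL\RCA\Agent\Lib\WUA\wsusscn2.cab'  # path from the log excerpt

$installed = Get-HotFix | ForEach-Object { $_.HotFixID }
$missing   = @($RequiredKbs | Where-Object { $installed -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ('Missing SHA-2 prerequisite updates (install in order): ' + ($missing -join ', '))
} else {
    # Get-HotFix shows only the KB id, so KB4474419 V1/V2 and V3 look identical here;
    # confirm the V3 re-acquire separately if in doubt.
    Write-Host 'All four prerequisite updates are present.'
}

if (Test-Path -LiteralPath $CabPath) {
    $sig = Get-AuthenticodeSignature -FilePath $CabPath
    Write-Host ("wsusscn2.cab signer: {0}" -f $sig.SignerCertificate.Subject)
    Write-Host ("signature status:    {0}" -f $sig.Status)
    if ($sig.Status -ne 'Valid') {
        # Same condition the discover scan reports: the chain cannot be built and trusted
        # on an endpoint that lacks SHA-2 code-signing support.
        Write-Warning $sig.StatusMessage
    }
} else {
    Write-Warning ("No staged catalog found at {0}" -f $CabPath)
}
```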
Mohammed Al-Nady
How to restrict a service resolution to any machine which has a specific software installed ?

Hi all, 

Can anyone help me understand how I can limit a service resolution so that it is deployed only on machines which have Mozilla installed?

 

thanks 

3 0
Jim Longo
Microsoft released an updated wsusscn2.cab file on March 12, 2020

 Microsoft released an updated wsusscn2.cab file on March 12, 2020. If you already ran the acquire for March prior to March 12, 2020 please re-acquire the March content using force and replace set to YES to ensure you have the most up to date content. If you have any questions please open a support case. 

 

Verify the wsusscn2.cab date (03/12/2020) in the following location. 

PSL\RCA\Data\PatchManager\patch\Microsoft\wsusscn2.cab

0 0
William Dodson
Adobe flash end of support on December 31, 2020

What is the roadmap for Radia on not using Adobe Flash?

1 0
Jim Longo
KB4474419 Version 3 Update: SHA-2 code signing support update for Win 2008 R2, Win 7, and Win 2008

Microsoft has updated KB4474419 with a version 3 patch. Since Microsoft uses the same KB number the bulletin MS-KB4474419 must be re-acquired with force and replace to update the CSDB with the latest patch information. 

We have received reports of problems with detection and rebooting after installing the December CU KB4530734 security update without first updating 4474419-V3. 

Please re-acquire MS-KB4474419 with force and replace set to YES to update the Radia Service MS-KB4474419 with the latest patch information. 

https://support.microsoft.com/en-us/help/4474419/sha-2-code-signing-support-update

 

0 0
Jim Longo
How to enable Patch Management Reports (Entitled)

Currently in Patch Manager reporting, the patch compliance for a device is calculated by the applicable and acquired bulletins. This hotfix enhances the Patch Manager reporting to add a new set of reports for displaying the patch compliance for entitled bulletins instead of acquired bulletins.

The new set of reports named "Patch Management Reports (Entitled)" is added at the same level as the existing "Patch Management Reports".

Existing Patch Manager reports will continue to work as they are. The modules needed to enable these reports should already exist, so there should not be a need to update the modules from hotfix QCCR1C55215. Only the instructions below should be needed in order to update the reports with entitled bulletins.


1. Edit the patch.cfg located at <InstallDir>/PatchManager/etc
-> Add

DEVICE_COMPLIANCE_BY_ASSIGNED_BULLETINS Y


2. Re-start the RCA Patch Manager Server service

Steps for Messaging Server:

1. Edit the patch.dda.cfg located at <InstallDir>\MessagingServer/etc (Place in "msg::register patch.odbc" section)
-> Add

DEVICE_COMPLIANCE_BY_ASSIGNED_BULLETINS Y


2. Re-start RCA Messaging Server Service.

Steps for RCA Reporting Server:


1. On the Core Server, navigate to <InstallDir>\ReportingServer\reportpacks
2. Navigate to <InstallDir>\ReportingServer\reportpacks\etc\rapm.cfg
3. Search for "ENABLE" key word, change the value from 0 to 1 and refresh the reporting page.

After applying the above hotfix, please perform the following steps to configure the client:


1. Open the Admin CSDB Editor.
2. Navigate to PRIMARY->PATCHMGR->Client Method->DISCOVER.
3. Edit all the attributes (Create Method, Delete Method etc.) to add a new parameter -sab Y where sab stands for Send Assigned Bulletins.
4. Repeat this step for FINALIZE and MANAGE.

0 0
Jim Longo
The December acquisition is failing with an invalid token error.

Accelerite is currently investigating an invalid token error when acquiring the December wsusscn2.cab file and MUC bulletins. We will update this post when we have more information and a solution is available.  

20191211 15:47:24 Info: STDOUT: Invalid text value '20191211 15:47:24 Error occured while reading patch information error "not well-formed (invalid token)" at line 1 character 1
"ï <--Error-- »¿<LocalizedProperties><Language>en</L"'

 

1 0
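The characters ï»¿ at the start of the quoted XML are how a UTF-8 byte-order mark (bytes EF BB BF) renders when the bytes are read as Windows-1252, which is consistent with a parser rejecting the very first character at line 1, character 1. The post does not state a cause; the following added check (my own code, not from the post or from Radia, with the sample file constructed inline) tests a metadata file for that mark and writes a copy without it.

```powershell
# Added example (not from the post): detect and strip a UTF-8 byte-order mark from a
# metadata file. The sample file is constructed here; real paths are placeholders.
function Test-Utf8Bom {
    param([Parameter(Mandatory=$true)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    return ($b.Length -ge 3 -and $b[0] -eq 0xEF -and $b[1] -eq 0xBB -and $b[2] -eq 0xBF)
}

function Remove-Utf8Bom {
    param([Parameter(Mandatory=$true)][string]$Path,
          [Parameter(Mandatory=$true)][string]$OutPath)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if (Test-Utf8Bom -Path $Path) {
        # Drop the first three bytes; the rest of the document is unchanged.
        $b = if ($b.Length -gt 3) { [byte[]]$b[3..($b.Length - 1)] } else { [byte[]]@() }
    }
    [System.IO.File]::WriteAllBytes($OutPath, $b)
}

# Constructed sample: the BOM followed by the XML fragment visible in the log line.
$sample = Join-Path $env:TEMP 'metadata-with-bom.xml'
$bom    = [byte[]](0xEF, 0xBB, 0xBF)
$body   = [System.Text.Encoding]::UTF8.GetBytes('<LocalizedProperties><Language>en</Language></LocalizedProperties>')
[System.IO.File]::WriteAllBytes($sample, [byte[]]($bom + $body))

# Reading the same bytes as Windows-1252 reproduces the "ï»¿<L" seen in the error text.
$asCp1252 = [System.Text.Encoding]::GetEncoding(1252).GetString([System.IO.File]::ReadAllBytes($sample))
Write-Host ('First characters as Windows-1252: ' + $asCp1252.Substring(0, 5))
Write-Host ('Has UTF-8 BOM: ' + (Test-Utf8Bom -Path $sample))

Remove-Utf8Bom -Path $sample -OutPath ($sample + '.clean')
Write-Host ('Has UTF-8 BOM after strip: ' + (Test-Utf8Bom -Path ($sample + '.clean')))
$doc = [xml][System.IO.File]::ReadAllText($sample + '.clean')
Write-Host ('Parsed Language element: ' + $doc.LocalizedProperties.Language)
```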
Jim Longo
Windows 7/Windows Server 2008 (R2) Extended security patching using Radia Patch Manager

 On January 14th, 2020, Microsoft will end regular support for Windows 7, Windows Server 2008 and Windows Server 2008 R2. In order to continue patching Windows 7 and Windows Server 2008 and Windows Server 2008 R2 an extended support contract with Microsoft is needed. 

 Depending on the delivery mechanism Microsoft uses there may not be a need to use custom XML descriptor files to patch these OS's. Microsoft has released a hotfix for extended support for these OS's and the patches may be delivered through the existing MUC data feed and wsusscn2.cab file. In that scenario Radia Patch Manager can continue to be used to distribute security updates. 

 If however Microsoft uses the same delivery mechanism as the Windows XP/2003 Server updates then custom XML descriptor files will be needed to continue patching these OS's via Radia.

 For those who will be extending security patch support with Microsoft and require custom XML descriptor file support to continue to distribute the security patches via Radia Patch Manager, please open a case with our support department requesting details about our XML descriptor file program to manage out of support Windows Operating Systems.

 Once we have the details about how Microsoft will be delivering the security updates we will update this post with more information.

 

4 0
Jim Longo
How to deploy Chrome Zero-Day fixes for Chrome zeroday vulnerabilities CVE-2019-13720 CVE-2019-13721

 The Chrome Zero Day fix is Chrome version 78.0.3904.87 or newer. The current version of Chrome that is downloaded when acquired is Chrome version 78.0.3904.97. 

 Radia can deploy the Chrome update via Software Manager or Patch Manager depending on preference or availability. 

 To use Software Manager, download and publish the update from Google.

http://dl.google.com/tag/s/defaultbrowser/edgedl/chrome/install/GoogleChromeStandaloneEnterprise.msi

 Patch Manager can update Chrome using the built-in Google-Chrome acquisition, but this will require an update on our end to the latest version before it will correctly detect if Google needs to be updated based on certain versions. We will update the built-in Google-Chrome bulletin and make it available for acquisition next week.

 If you need to update Google-Chrome immediately you can request the custom bulletin CHROME-78.xml which will update Google Chrome to version 78.0.3904.97. This covers multiple OS's including Win7, Win8.1, Win10 (all versions including LTSB), Win2K8 R2 and Win2012 R2; if you need an OS added that is not present please let us know and we can add it to the custom bulletin.

 If you need any assistance acquiring the CHROME-78 or built-in GOOGLE-CHROME bulletins please let us know and we will help get the content acquired and distributed. 
 

1 0
Jim Longo
How to force a Patch service to trigger a return code of 811 (reboot)

To force a Patch service into an 811 (reboot) add the following syntax to the Patch service.

 

Note: Using MS-KB4516655 as the example service to force a reboot.

 

Navigate to:

PRIMARY.PATCHMGR.ZSERVICE.MS-KB4516655 /reboot and double click the reboot variable.

Enter the value: 


AI=IQ 

 

NOTE: Setting a reboot flag to 811 will not stop other Patch services from installing during the same patch connect.

0 0
Jim Longo
Managed Services report shows "Reboot Pending" for Patch services

When using the Managed Services report (AppEvent table) to verify Patch services the “events to report” flag and MIB switch will need to be modified in order to show successful verification events and clear "Reboot Pending" from Patch services.

NOTE: Turning on the verification events will increase Radia object traffic. It is recommended to use the patch reports for compliance and not the Managed Services report to show the status of a Patch.

By default, the AppEvent object is sent during the Install, Update, Repair events. The verification event is only sent if the verify fails.

 For this reason, the AppEvent object that updates the Managed Services report will show a status of "Reboot Pending" for Patch services that required a reboot since this was the last event that was sent after the install event. If the subsequent Radia verify is successful, no new event is sent to the database and the status remains in “Reboot Pending”.

 In order to update the Managed Services status column with a successful verify event for patch services we need to change the Events to Report flag AV=F to AV=B on the <defaults> instance of PATCHMGR.ZSERVICE.<DEFAULTS>

1.> Change Events To Report Flags.

Change:
AI=B,AD=B,AU=B,AR=B,AV=F,VA=B,VD=B

TO :
AI=B,AD=B,AU=B,AR=B,AV=B,VA=B,VD=B

 

2.> Change MIB to Y on PATCHMGR.CMETHOD instances (Discover, Finalize, Manage). The default value for MIB is none. Changing to Y will verify each patch service during the Patch connect. This will increase the amount of time the Patch connect runs.

 On the next patch connect the Managed Service status column will update with the successful verification event. 

 

0 0
Jim Longo
Microsoft releases out-of-band security update to fix IE zero-day & Defender bug
Microsoft released out-of-band security patches that are not yet available in the wsusscn2.cab file. If you require an XML descriptor file to install the security patches please open a case with the IE version if applicable, OS and Architecture. For example, IE 11, Win7, Win8.1, Win10 (1607 LTSB, 1709, 1803, 1809, 1903) x86/x64.

 

https://www.zdnet.com/article/microsoft-releases-out-of-band-security-update-to-fix-ie-zero-day-defender-bug/

Microsoft has released an emergency out-of-band security update today to fix two critical security issues -- a zero-day vulnerability in the Internet Explorer scripting engine that has been exploited in the wild, and a Microsoft Defender bug.

The updates stand out because Microsoft usually likes to stay the course and only release security updates on the second Tuesday of every month. The company rarely breaks this pattern, and it's usually only for very important security issues.

This is one of those rare occasions, and Windows users are advised to install today's updates as soon as possible. The patch for the IE zero-day is a manual update, while the Defender bug will be patched via a silent update.

THE IE ZERO-DAY

Of the two bugs, the Internet Explorer zero-day is the most important one, primarily because it's already been exploited in active attacks in the wild.

Details about the attacks are still shrouded in mystery, and Microsoft rarely releases such details. What we know is that the attacks and the zero-day have been reported to Microsoft by Clément Lecigne, a member of Google's Threat Analysis Group.

This is the same Google threat intel team that has detected the attacks with iOS zero-days against members of the Chinese Uyghur community earlier this year. Those attacks also targeted Android and Windows users; however, it is unclear if the IE zero-day patched today is part of those attacks.

But what we know now is that IE zero-day is a very serious vulnerability. It is what researchers call a remote code execution (RCE) issue.

 

According to Microsoft, "the vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user."

"An attacker who successfully exploited the vulnerability could gain the same user rights as the current user," Microsoft said. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

The attack requires luring an Internet Explorer user on a malicious website, which is a rather trivial task, as it can be achieved by various methods such as spam email, IM spam, search engine ads, malvertising campaigns, and others.

The good news is that Internet Explorer usage has gone down to 1.97% market share, according to StatCounter, meaning the number of users vulnerable to attacks is rather small, and attacks should be pretty limited in scope.

The IE zero-day is tracked with the CVE-2019-1367 identifier. In a security advisory, Microsoft lists various workarounds for protecting systems if today's update can't be applied right away. The security advisory also contains links to the manual update packages, which Windows users will need to download from the Microsoft Update Catalog and run on their systems by hand. The patch for the IE zero-day won't be available via Windows Update.

MICROSOFT DEFENDER DOS BUG

The second issue fixed today is a denial of service (DoS) vulnerability in Microsoft Defender, formerly known as Windows Defender, the standard antivirus that ships with Windows 8 and later versions, including the widespread Windows 10 release.

According to Microsoft, "an attacker could exploit the vulnerability to prevent legitimate accounts from executing legitimate system binaries."

The good news is that this bug isn't such a big issue. To exploit this bug, an attacker would first need access to a victim's system and the ability to execute code.

The bug allows a threat actor to disable Microsoft Defender components from executing, but if the attacker already has "execution rights" on a victim's computer, then there are many other ways to run malicious code undetected -- such as fileless attacks.

Nevertheless, Microsoft has released update v1.1.16400.2 to the Microsoft Malware Protection Engine, a component of the Microsoft Defender antivirus, to fix this issue.

This bug is tracked as CVE-2019-1255. Microsoft credited Charalampos Billinis of F-Secure Countercept and Wenxu Wu of Tencent Security Xuanwu Lab with discovering this issue.

0 0
Jim Longo
How to stop automatic updates on Windows 10 Pro

On Windows 10 Pro, use the Local Group Policy editor or the Registry to disable automatic updates permanently. While automatic updates remain disabled, you can still download and install patches using Radia Patch Manager. Once you complete the steps, Windows 10 Pro will stop downloading updates from Microsoft automatically.


Disabling updates using gpedit.msc


To permanently disable automatic updates on Windows 10, use these steps:


1. Open Start.
2. Search for gpedit.msc and select the top result to launch the experience.
3. Navigate to the following path:
Computer Configuration\Administrative Templates\Windows Components\Windows Update
4. Double-click the Configure Automatic Updates policy on the right side.
5. Check the Disabled option to turn off the policy.
6. Click the Apply button.
7. Click the OK button.
8. Open a command prompt as administrator and run the following command.

gpupdate /force

 
Disabling updates via the Registry

 

If you're running Windows 10 Pro, you can also disable automatic updates using the Registry.


Warning: This is a friendly reminder that editing the Registry is risky, and it can cause irreversible damage to your installation if you don't do it correctly. It's recommended to make a full backup of your PC before proceeding.


To permanently disable Windows Update using the Registry, use these steps:

 

1. Open Start.
2. Search for regedit and select the top result to launch the experience.
3. Navigate to the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
4. Right-click the Windows (folder) key, select New, and then click on Key.
5. Name the new key WindowsUpdate and press Enter.
6. Right-click the newly created key, select New, and click on Key.
7. Name the new key AU and press Enter.
8. Right-click on the right side, select New, and click on DWORD (32-bit) Value. Set the value to 1.
9. Name the new key NoAutoUpdate and press Enter. Double-click the newly created key and change its value from 0 to 1.
10. Restart the system.

0 0
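As an added example, not from the post: the same NoAutoUpdate policy value applied and read back with PowerShell from an elevated prompt, with a -Revert switch that removes it again. This is my own script, not a Radia component, and like the manual steps it takes effect after a restart.

```powershell
# Added example (not from the post): script the registry change from the steps above so it
# can be applied and audited consistently. Run from an elevated prompt; -Revert undoes it.
param([switch]$Revert)

$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

if ($Revert) {
    if (Test-Path $AuKey) {
        Remove-ItemProperty -Path $AuKey -Name 'NoAutoUpdate' -ErrorAction SilentlyContinue
    }
    Write-Host 'NoAutoUpdate removed; automatic updates follow the default behaviour again after a restart.'
    return
}

# New-Item -Force creates the WindowsUpdate and AU keys in one step if they are missing.
if (-not (Test-Path $AuKey)) { New-Item -Path $AuKey -Force | Out-Null }

# Before: a missing value or 0 means automatic updates are still enabled.
$before = (Get-ItemProperty -Path $AuKey -Name 'NoAutoUpdate' -ErrorAction SilentlyContinue).NoAutoUpdate
Write-Host ('NoAutoUpdate before: ' + $(if ($null -eq $before) { '<not set>' } else { $before }))

# The DWORD value the post sets by hand in regedit.
New-ItemProperty -Path $AuKey -Name 'NoAutoUpdate' -PropertyType DWord -Value 1 -Force | Out-Null

# Read it back so a wrong type or a failed write is caught immediately.
$after = (Get-ItemProperty -Path $AuKey -Name 'NoAutoUpdate').NoAutoUpdate
if ($after -ne 1) { throw ('NoAutoUpdate is {0}, expected 1' -f $after) }
Write-Host 'NoAutoUpdate = 1; restart the system for the policy to take effect.'
```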
Jim Longo
Radia Patch Manager and Windows 10 Legacy Security Patching vs. new Cumulative model

Windows 10 (1809, 1903 +) Smaller Cumulative Update model

With the introduction of Windows 10 1809, Delta and Express patching has been discontinued leaving only a small Cumulative update. The new format will limit the size of the Cumulative update to around 300MB each month. 

 

The June Cumulative update for 1809 is only 238.0 MB and should max out at around 300 MB per month.

According to Microsoft:

Starting with 1809 for both client and server – Express will no longer be an option, as we are shifting to the PSFX model which has a lower overhead and results in greater efficiencies in updates. Please find the below blog for your reference.

https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-next-for-Windows-10-and-Windows-Server-quality-updates/ba-p/229461

 

Windows 10 Legacy OS (1607-1803) Express Updates, Cumulative Updates (Express support will end with Windows 10 1803)

With the introduction of Windows 10 Microsoft changed the security patch model by bundling all security patches into a single Cumulative update.  The Cumulative update includes all previous patches. As the Windows 10 Legacy OS ages the Cumulative update grows each month. 

 

The June 2019 Cumulative updates for Windows 10 1607 and 1803 and Windows Server 2016:

 

  • 2019-06 Cumulative Update for Windows 10 Version 1607 for x64-based Systems (KB4503267)
    Size: 1414.1 MB

  • 2019-06 Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB4503286)
    Size: 893.2 MB

 

Microsoft offered a Delta update that included only the difference from the previous month but required the system to be up to date to receive the Delta updates. The size of the Delta updates was usually about 30-40% of the Cumulative update. (Delta updates were discontinued in April 2019).  

Express updates (support will end with Windows 10 1803)

Express updates deliver only the Delta bits needed to bring the system into compliance and require a WSUS Server to determine the Delta bits needed by each end-point. (As of this writing, Express update support will end with Windows 10 1803/Windows Server 2016 and will be replaced with a new Cumulative update format that will restrict the size of the update to 200-300MB per month.)

While Express updates deliver a smaller payload to the end-point, similar in size to the previous Delta updates, Express updates increase disc space usage significantly on the infrastructure to accommodate very large Express file bundles. Enabling Express updates may result in longer Radia patch connect times and increased resource usage on the end-points. The WSUS Server and end-point Windows Update configuration add a layer of complexity outside of Radia as well.

  • The June 2019 Express update bundle for Windows 10 1607 is 8.62GB
  • The June 2019 Express update bundle for Windows 10 1803 is 5.4GB

Using Radia Download Manager to distribute security patches in the background

For customers who do not want to enable Express updates for a limited time, the Download Manager feature will help minimize the impact of the growing Cumulative updates for legacy Windows 10 OS.  

Enable Download Manager to transfer the files required to apply patches onto the managed devices in the background, outside of the usual Agent connect process. This option allows for bandwidth throttling and an automatic stop and start of the download until it completes.

If you would like more information on Windows 10 Security patching please open a case with support and we will schedule a call to discuss Windows 10 security patching in more detail.

0 0
Jim Longo
Radia Patch Manager/Download Manager Options (background transfer of patch binaries)

Radia Patch Manager can transfer patch binaries outside the normal patch connect by enabling the Download Manager option in Agent Options. This is advantageous when transferring large binaries like Windows 10 cumulative updates that may take a long time to transfer on slow networks. While the files are downloading in the background the end-point can continue to be managed by the Radia agent. Once the download of the patch binary is complete the patch can be applied or deferred until the next patch connect.

Download Manager can be used without the metadata only option. When using metadata only, the download manager is automatically enabled. 

Review the Radia Admin guide for more details regarding Download Manager. 

Patch Agents can be patched with or without the use of the Download Manager option. Without it, the Agent connect handles the download of the required patch files in a foreground process. In contrast, the Download Manager uses a background process to handle the passive download of the required patch files onto the Agent.

Download Manager runs independently and downloads the binaries. If the user turns off the machine or is disconnected from the network during the download, on reboot, the timer ensures that the Download Manager resumes downloading the binary from the point where it stopped. If Apply patches after download completion is set to Yes, Download Manager automatically triggers a new Patch Agent Connect.

Enable Download Manager to transfer the files required to apply patches onto the managed devices in the background, outside of the usual Agent connect process. This option allows for bandwidth throttling and an automatic stop and start of the download until it completes.

0 0
Jim Longo
Windows 7/10 monthly rollups/cumulative updates are being marked (superseded=Y) after 2 months

Windows 7 monthly rollups and Windows 10 cumulative updates are being marked (superseded=Y) after the previous month's update (P+1) during the acquisition when (Mark Supersedence for all the bulletins) is set to yes in the acquisition job. Only the current and previous month Windows 7/10 monthly rollups/cumulative updates can be managed when mark supersedence for all bulletins is set to yes in the acquisition job. It is best practice to install the latest updates.

It is possible to download and manage superseded bulletins by setting the (Download Superseded Patches for all the bulletins) to yes in the acquire job, but this will install outdated patches that will not have the latest updates. This option should only be used if there is a problem with the current and previous updates that prohibits them from being distributed.

Windows 7

Current rollup:
Title="2019-05 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4503292)"

Previous rollup:
Title="2019-05 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4499164)"  QNumber="4499164"  Superceded="N"

Previous +1:
Title="2019-04 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4493472)"  QNumber="4493472"  Superceded="Y" SupercededByBulletin="MS-KB4499164"

Windows 10 1803

Current cumulative:
Title="2019-06 Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB4503286)"

Previous cumulative:
Title="2019-05 Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB4499167)"  QNumber="4499167" Superceded="N"

Previous +1:
Title="2019-04 Cumulative Update for Windows 10 Version 1803 for ARM64-based Systems (KB4493464)"  QNumber="4493464"   Superceded="Y" SupercededByBulletin="MS-KB4499167"

Windows 10 1809

Current cumulative:
Title="2019-06 Cumulative Update for Windows 10 Version 1803 for x64-based Systems (KB4503327)"

Previous cumulative:
Title="2019-05 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4494441)"  QNumber="4494441"  Superceded="N"

Previous +1:
Title="2019-04 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4493509)"  QNumber="4493509"  Superceded="Y" SupercededByBulletin="MS-KB4494441"

0 0
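The attribute records in the post above can be checked mechanically before deciding whether to enable Download Superseded Patches. The following Python script is an added example, not part of the post and not Radia's own code: it parses lines in the Title/QNumber/Superceded/SupercededByBulletin format shown above (the attribute spelling "Superceded" is the export's own), lists the bulletins an acquire job keeps when Mark Supersedence for all the bulletins is set to yes, and follows each superseded bulletin's chain to its current replacement, flagging entries whose replacement is missing from the export. The sample lines are constructed from the values in the post plus two placeholder KB numbers (KB9999001 and KB9999002, and the reference MS-KB8888888) that are assumptions used only to exercise a two-hop chain and a dangling reference.

```python
import re
from typing import Dict, List, Optional

# One attribute per key="value" pair; titles contain no embedded quotes.
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample export. The first four lines reuse values from the post;
# KB9999001, KB9999002 and MS-KB8888888 are invented placeholders (assumption)
# that add a two-hop chain and a reference to a bulletin that is not exported.
SAMPLE_EXPORT = """\
Title="2019-05 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4499164)"  QNumber="4499164"  Superceded="N"
Title="2019-04 Security Monthly Quality Rollup for Windows 7 for x64-based Systems (KB4493472)"  QNumber="4493472"  Superceded="Y" SupercededByBulletin="MS-KB4499164"
Title="2019-05 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4494441)"  QNumber="4494441"  Superceded="N"
Title="2019-04 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4493509)"  QNumber="4493509"  Superceded="Y" SupercededByBulletin="MS-KB4494441"
Title="Constructed older 1809 cumulative update (KB9999001)"  QNumber="9999001"  Superceded="Y" SupercededByBulletin="MS-KB4493509"
Title="Constructed bulletin whose replacement is missing (KB9999002)"  QNumber="9999002"  Superceded="Y" SupercededByBulletin="MS-KB8888888"
"""


def parse_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse attribute lines into a dict keyed by QNumber; lines without a QNumber are skipped."""
    records: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        attrs = dict(ATTR_RE.findall(line))
        if "QNumber" in attrs:
            records[attrs["QNumber"]] = attrs
    return records


def manageable(records: Dict[str, Dict[str, str]]) -> List[str]:
    """QNumbers an acquire job keeps when Mark Supersedence for all the bulletins is yes."""
    return sorted(q for q, a in records.items() if a.get("Superceded", "N") == "N")


def qnumber_from_bulletin(bulletin: str) -> str:
    """'MS-KB4499164' -> '4499164'; empty string if the bulletin ID has no KB number."""
    m = re.search(r"KB(\d+)$", bulletin)
    return m.group(1) if m else ""


def resolve_current(records: Dict[str, Dict[str, str]], qnumber: str) -> Optional[str]:
    """Follow SupercededByBulletin until a non-superseded bulletin is reached.

    Returns the QNumber of that bulletin, or None when the chain leaves the
    export (replacement never acquired) or loops back on itself.
    """
    seen = set()
    q = qnumber
    while q in records and q not in seen:
        seen.add(q)
        rec = records[q]
        if rec.get("Superceded", "N") != "Y":
            return q
        q = qnumber_from_bulletin(rec.get("SupercededByBulletin", ""))
    return None


def supersedence_report(records: Dict[str, Dict[str, str]]) -> List[str]:
    """One human-readable line per bulletin: current, or superseded and by what."""
    lines = []
    for q in sorted(records):
        if records[q].get("Superceded") == "Y":
            target = resolve_current(records, q)
            status = f"replaced by KB{target}" if target else "replacement not in export"
            lines.append(f"KB{q}: superseded, {status}")
        else:
            lines.append(f"KB{q}: current")
    return lines


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("Manageable with Mark Supersedence=Yes:", manageable(recs))
    for line in supersedence_report(recs):
        print(line)
```

A bulletin that resolves to None is the case the post warns about: enabling Download Superseded Patches would deploy it even though its replacement is not in the acquisition, so it is worth listing those before changing the job option.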
Jim Longo
KB4500331 / WinXP and Win2K3 critical security patch released by Microsoft

In May 2019, Microsoft released 4500331, a critical security patch for a "remote code execution vulnerability" on WinXP and Win2K3 systems.

Windows 7 is also vulnerable and should be patched using the May Windows 7 Security Only (4499175) or Monthly Rollup (4499164).

Radia Patch Manager can manage KB4500331 on WinXP and Win2K3 using a custom XML file that is available upon request. Open a case with Accelerite support and request a copy of the MSC-KB4500331 custom XML file.

https://support.microsoft.com/en-us/help/4500331/windows-update-kb4500331

Description of the security update for the remote code execution vulnerability in Windows XP SP3, Windows Server 2003 SP2, Windows Server 2003 SP2 R2, Windows XP Professional x64 Edition SP2, Windows XP Embedded SP3, Windows Embedded POSReady 2009, and Windows Embedded Standard 2009

Here is a Computerworld article on the subject:

https://www.computerworld.com/article/3395538/if-youre-running-windows-xp-7-or-associated-servers-patch-them.html
0 0
Nathan Truitt
Remote device OS deployment

Looking for ideas on how to recover remote devices from a major event requiring OS rebuilds. These devices are scattered throughout the U.S. and Canada on slower links in offices containing two to eight workstations. Our 10.0 CP1 Core\Satellite servers are centralized in three geographic locations. Ideally we would like to pull the winpe.wim, image.wim and package files from a device local to the office. There is currently only a single partition on each Windows 7 device. The Windows 10 devices were built with a single partition but when Bitlocker is enabled the required second partition is created. Thanks for the input.

1 0
Jim Longo
Acquiring .NET Patches using Radia

When acquiring the .NET security updates there is a top-level KB number that includes the .NET sub products.

As an example, for 2-2019 the .NET top-level bulletin is KB4487078, which includes the 3 .NET sub products/KB numbers (KB4483451, KB4483455, KB4483458). The 3 sub KB numbers are included under the top-level KB number.

An acquisition for MS-KB4487078 will acquire all 3 sub KB numbers/patches (KB4483451, KB4483455, KB4483458) under a single bulletin MS-KB4487078.

See the KB article below for more details.

https://support.microsoft.com/en-us/help/4487078/security-and-quality-rollup-updates-for-net-framework-3-5-1-to-4-7-2

Security and Quality Rollup updates for .NET Framework 4.7.2, 4.7.1, 4.7, 4.6.2, 4.6.1, 4.6, 4.5.2, and 3.5.1 for Windows 7 SP1 and Server 2008 R2 SP1 (KB 4487078)

4483451 Description of the Security and Quality Rollup for .NET Framework 4.7.2, 4.7.1, 4.7, 4.6.2, 4.6.1, and 4.6 for Windows 7 SP1 and Server 2008 R2 SP1 and for .NET Framework 4.6 for Server 2008 SP2 (KB4483451)

4483455 Description of the Security and Quality Rollup for .NET Framework 4.5.2 for Windows 7 SP1, Server 2008 R2 SP1, and Server 2008 SP2 (KB4483455)

4483458 Description of the Security and Quality Rollup for .NET Framework 3.5.1 for Windows 7 SP1 and Server 2008 R2 SP1 (KB4483458)

To determine the top-level KB number for .NET, visit a .NET KB article on the web for any of the .NET products and find the Additional information section. The Security Update Summary page lists all security patches released by Microsoft.

https://portal.msrc.microsoft.com/en-us/security-guidance/summary

Using KB4483451 as an example we can identify the top-level KB number as 4487078.

https://support.microsoft.com/en-us/help/4483451/description-security-and-quality-rollup-for-net-framework-4-6-to-4-7-2

Additional information about this update

For more information about this update as it relates to Windows 7 Service Pack 1 (SP1) and Windows Server 2008 R2 SP1, see the following article in the Microsoft Knowledge Base:

4487078 Security and Quality Rollup updates for .NET Framework 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, and 4.7.2 for Windows 7 SP1 and Server 2008 R2 SP1 (KB 4487078)

0 0
Jim Longo
How to retire bulletins from the CSDB editor in Production using RadDButil and Perform a Patch DB Synchronization

NOTE: Before retiring bulletins from the CSDB editor it is very important to un-entitle the bulletins from Radia Policy first. If bulletins are retired before removing them from policy the result will be a 650 error during the Radia agent connect.

There are 2 ways to remove old bulletins from the CSDB editor.

1.> Use the Console and add the bulletins to the retire section and run an acquisition. During the next acquisition the bulletins listed in the retire section are removed from the CSDB editor. This method may not be available in Production if the acquisitions are not executed in Production. If acquisitions are not executed in Production follow the steps in item #2 below.

2.> If acquisitions are not executed in Production use the RadDButil command line to remove old bulletins from the CSDB editor. The following example will remove MS-KB4462214 from the CSDB editor. The raddbutil.exe is in the ConfigurationServer/bin folder.

Copy this syntax into notepad and create a batch file named radDButil_Patch_Delete.bat in the ConfigurationServer/bin folder so it can be reused when needed. Change the bulletin ID to the bulletin ID that will be retired.

raddbutil.exe delete -walk 1 -ignore PRIMARY.SYSTEM.PROCESS.*+PRIMARY.SYSTEM.ZMETHOD.*+PRIMARY.PATCHMGR.CMETHOD.*+PRIMARY.PATCHMGR.METADATA.*+PRIMARY.PATCHMGR.OPTIONS.*+PRIMARY.PATCHMGR.PATCHARG.*+PRIMARY.PATCHMGR.PRODUCT.*+PRIMARY.PATCHMGR.RELEASE.*+PRIMARY.PATCHMGR.SP.*+PRIMARY.PATCHMGR.PG2PR.*+PRIMARY.PATCHMGR.PROGROUP.*-preview 0 PRIMARY.PATCHMGR.ZSERVICE.MS-KB4462214(SYNC)

When using RadDButil to remove old bulletins it may be necessary to perform a DB Synchronization from the console to remove the bulletins from the Patch ODBC database and reporting.

1 0