Patch Tuesday Megathread (2024-11-12)

[-]

therabidsmurf@reddit

Anyone else seeing the updates for Server 2022 taking an outrageous amount of time to install? Going on 3 hours for the two I've tried usually only about 15 minutes. No issues with 2016 or 2019.

[-]

wrootlt@reddit

Oh man, we have a thousand of AWS Workspaces running 2022 (VDI). This can cause a flood of tickets if it takes hours to come up after restart.

[-]

So, 2022 21H2 is fine for us. But we are having lots of broken AWS workspaces with older Windows Server 2016 after November patches. As we cannot really reach them and rebooting or restoring snapshot from console doesn't help, we are deleting them and creating new. First time in 4 years running in so many problems with this OS.

[-]

wrootlt@reddit

Patched one. Install was 1.5h, but restart (2 restarts) took only 6 min. Our workspaces are in Windows Server 2022 21H2. Maybe long reboot happens on newer builds.

[-]

NoAcanthaceae9758@reddit

To speed up the time of update installation at the point where the update window counts up to 100% and before the reboot button appears, I usually go to the details view of task manager and set the priority of the "TiWorker.exe" process to "High" or even "Realtime". After the reboot that change is gone and by the next update that process is started new with "Normal" priority. That usually speeds up the update installation time a lot!

[-]

FCA162@reddit

Thank you for the tip.
For me it made no difference.
TiWorker.exe took max 25% CPU on priority "Normal" or "Realtime", although the processor was 50% idle of time.

[-]

NoAcanthaceae9758@reddit

Since Windows Update is single-threaded you won't get more than 25% overall CPU usage on a 4-core system or 12/13% on a 8-core system for that process. If you take a specific look at the (giga)bytes that are read and written by the "TiWorker.exe" process while windows is updating while you have elevated that process to a higher priortity state, you will see that this is speeding it up! To show the (giga)bytes read and written right-click on the columns bar in task-manager details view (e.g. CPU), click on "Select column" and add "I/O read bytes" and "I/O write bytes".

[-]

BALLS_SMOOTH_AS_EGGS@reddit

Ah good tip. I'll see if that helps at all. I feel like there's always competing information as to what is most effective (if anything).

[-]

sync-centre@reddit

VMs on 2019 were zippy.

Physical on 2019 was ok.

HyperV boxes on 2022 were slow AF.

[-]

dmcginvt@reddit

just did a 2022 hyper-v box, it did 4 reboots thought for sure i was stuck in a boot loop but im old school and just waited it out. Was down for an hour but this is my least important box and it was after hours so all good.

[-]

tmikes83@reddit

To clarify, are you referring to a physical host running Hyper-V or the VMs themselves?

[-]

FCA162@reddit

Yes, installing KB5046616 after 1,5H still on 73% and no progress...

[-]

1grumpysysadmin@reddit

Those always take about a thousand years to update... and then my apps take 2 hours to compile and run post-reboot. I feel this pain.

[-]

unixuser011@reddit

God, this is why I'm looking forward to moving to 2025, just for the hot patching alone

[-]

flatvaaskaas@reddit

Hot patching is available on 2022, but very limited SKU's though. Cool feature of 2025 indeed

[-]

dmcginvt@reddit

Pretty sure .net still needs updates so its frankly useless and fixes nothing

[-]

DeathEater25@reddit

MS can't even get normal patches to work, what makes you think they'll get hot patching working lol

[-]

unixuser011@reddit

sad but true, unfortunately

It remains to be seen but the tech demo they showed has me optimistic

I am ready for Microsoft to take that optimism and shove it somewhere (I'll let you decide where)

[-]

lordcochise@reddit

Definitely a bit longer than usual for 2019/2022 this month but not too bad; pre-reboot patch time was pretty long but restarts were quick

[-]

Sad_Difference_9008@reddit

Same experience here. Even 2016 is done with reboots and everything before 2022 has even finished installing.

[-]

way__north@reddit

The couple 2016 servers I've done so far were slow AF to download the patches, but the installs themselves went smooth

[-]

xqwizard@reddit

Yeah, mine is still “downloading” after 30 minutes. It’s currently at 55%. The CU isn’t even that big (~350MB). Downloaded very quick from the catalog.

[-]

W4mbo@reddit

Yep, same here. Takes forever.

[-]

i_am_dangry@reddit

30mins for me, however Action1 says they installed, but Windows says they didn't. So who knows, it is Schrodinger's Update

[-]

cbiggers@reddit

.NET taking forever.

[-]

Heuchera10051@reddit

The initial reboot on my test server took close to two hours for KB....6615, and now it's working on KB...6616..

[-]

rayko555@reddit

got a couple of 2019 and 2022 that took us around 2hrs and half to install.

[-]

jmech337@reddit

Running a Server 2022 and it's going on 1 hour.

[-]

DRK-NYT@reddit

Does anyone know if the below issue has been fixed in any of the CU's since July?

Windows 10: Patch Tuesday Megathread (2024-07-09) :   
Windows Server 2016: Patch Tuesday Megathread (2024-07-09) :   

2024-07 Cumulative Update for Windows Server 2016 for x64-based Systems (KB5040434)  
2024-07 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5040437) 
2024-07 Cumulative Update for Windows Server 2019 (1809) for x64-based Systems (KB5040430)

[-]

tom_tech0278@reddit

We are seeing some issues with RDP Remote App following the November cumulative update whereby the session is connected but nothing is drawn after 10 minutes or so.

It appears they have updated the mstscax.dll file to build number 10.0.26100.2314 which may be the issue - testing ongoing. We have replaced this file with the previous month and it appears it may have stopped the issue.

Windows 11 24H2 and Windows Server 2019

[-]

AlertCut6@reddit

Again, seeing windows 10/11 takes a while to install or fails both lsu and .net updates with forticlient installed

[-]

trail-g62Bim@reddit

...we are going to be rolling out forticlient soon. Is that something that is consistent?

[-]

AlertCut6@reddit

I've been seeing it since July. There's a bit of chatter on Reddit and the forti forums but doesn't appear to be affecting many

[-]

rcr_nz@reddit

Anyone seeing an issue on Win 11 23H2 with Windows Spotlight being enabled after applying this months cumulative?

We have a custom picture background on all our computer and the update is enabling spotlight and showing that instead.

Switching 'Personalise your background' from Spotlight back to picture reverts to the custom picture.

[-]

bgappa@reddit

I have been working on this for about 24 hours and nothing I try seems to resolve the issue. I am meeting with Microsoft in a half hour, I am going to bring this up.

[-]

rcr_nz@reddit

Please report back if you get anything useful out of them. I logged a job but they just assigned it to the wrong team, closed it and told me to log another one.

[-]

MelQQ@reddit

Seeing this also on Win 11 23H2. Not a fan of settings like this getting changed like this for our users.

[-]

Intervlan@reddit

Find any fix for this? Can’t seem to find anyone else reporting the same so far.

[-]

had2change@reddit

Confirmed. We have customers with patch management through CW Automate. Threw people off yesterday and today as patches rolled.

[-]

Intervlan@reddit

Was their wallpaper set by GPO or similar?

We had an instance where someone not in scope for the wallpaper GPO had their background changed to spotlight. A GPO user kept there enforced background - so far anyway!

[-]

rcr_nz@reddit

We don't enforce background via gpo for staff. We are happy for them to be able to change it we just want the default to be custom. With limited testing users who have set their own background are fine only those still on default are affected.

[-]

sysadmin_dot_py@reddit

Have you confirmed that those clients have not accidentally updated to 24H2 by chance? I've noticed that 24H2 defaults to Spotlight for the background.

[-]

rcr_nz@reddit

Good suggestion, but no, still on 23H2.

Users who had set their own custom picture don't seem to be affected just our default custom branded background. New profiles are also affected.

[-]

Walter_Whitey@reddit

I'm having some issues with users hard locking up after updates, randomly.. They have to hard shutdown their machines.. Windows 11 23H2.. Anyone else seeing this?

[-]

TamPiXeL@reddit

After patching Office 2016 C2R , it seems some users are complaining about their pinned items in word or excel disappearing. Anyone seen reports like these?

[-]

fiddlesmg@reddit

Had a 2016 DC run out of memory this morning after being patched early Sat morning. Windows successfully diagnosed a low virtual memory condition. The following programs consumed the most virtual memory: SEDService.exe (1268) consumed 40242688000 bytes, lsass.exe (820) consumed 380784640 bytes, and dns.exe (1752) consumed 266219520 bytes.

[-]

almarley@reddit

SMB network shares are no longer working on our german 2016 Server since KB5046612. Am i the only one?

[-]

Pepe-Argento@reddit

You can activate SMB 1.0 or 2.0 compatibility and it solve the problem

[-]

almarley@reddit

Unfortunately it didn't.
I can access the shares via \\localhost\ but not via \\servername\
Firewall is disabled. Hostname resolves correctly.

[-]

Flaky-Fisherman4731@reddit

What i have seens the update have giving os some DNS issues. We uninstalled and things started working fine.

[-]

Mrmumbels@reddit

I am seeing the same issue. Did you find a fix?

[-]

AlaskanDruid@reddit

Ugh, one of the patches this month or last month re-enabled blocking udp connections again (just like in 2022). Has anyone ran across which patch it is? I am hoping someone already went through and found the culprit before I start going through uninstalling patches to find out (re-inventing the wheel).

[-]

Jabo5779@reddit

Start with kb5046616 (for Server 2022) - but the November Server Monthly CU - we just had to roll that out of a system (IIS/Faxing). Let me know if that is it. We had to open a ticket with the vendor to let them know it broke our integration, nothing back from them yet on why that could be. Pulling out that KB restored functionality of the system.

[-]

god_of_tits_an_wine@reddit

Has anyone deployed them on RDS Gateways yet?

[-]

MarkTheMoviemaniac@reddit

That was my question as well. I was wondering if that issue has been fixed yet.

[-]

techvet83@reddit

The issue that was first seen in the July updates was fixed with the October patches, AFAIK. We skipped July, August, and Sept for our gateways but had no issue with the October patches.

[-]

uploadthelogs@reddit

same here

[-]

MarkTheMoviemaniac@reddit

Thanks. I remember seeing there was some question on if October patches ACTUALLY fixed things. I appreciate the info.

[-]

ceantuco@reddit

Updated 2016 and 2019 AD, print, file and SQL servers without issues. Also Win 10 and Win 11 workstations no issues.

Did not install Exchange Nov24 SU due to mail flow issues other admins have reported. Will wait until V2 is released and tested.

[-]

joshtaco@reddit

Science compels us to explode the sun. Ready to push this out to 11,000 workstations/servers

[-]

TahinWorks@reddit

Very appropriate placement for a callout of my favorite game ever made. Kudos, and don't forget your mask!

[-]

FCA162@reddit

"Every decision is made in darkness. Only by making a choice can we learn whether it was right or not."
Pushing this update out to 200 Domain Controllers (Win2016/2019/2022) in coming days.

EDIT 1: Windows Update installing KB5046616, after 2 hours still on 73% and no progress anymore...
Also installing KB5046547 (.NET Framework) took ages to install and reboot... !!

[-]

DeathEater25@reddit

I'm seeing this as well. Not quite as long as you, but the CU is taking far longer than normal, especially on NVME drives.

[-]

MadCoder1@reddit

Same here, going on 5 hours now. Thankfully its a spare 2022, but still. It hasn't gotten through the patch yet, let alone the reboot. It was stuck at 44% for a long time, now its "stuck" at 73%.. I had two other 2022's patch normally. All very similar hardware and previous patch levels.

[-]

MadCoder1@reddit

74%......

[-]

MadCoder1@reddit

It finally finished the installs after 8 hours, the reboot took 5 minutes, and all is well

[-]

FCA162@reddit

Tip from NoAcanthaceae9758

To speed up the time of update installation at the point where the update window counts up to 100% and before the reboot button appears, I usually go to the details view of task manager and set the priority of the "TiWorker.exe" process to "High" or even "Realtime". After the reboot that change is gone and by the next update that process is started new with "Normal" priority. That usually speeds up the update installation time a lot!

https://www.reddit.com/r/sysadmin/comments/1gpe5kc/comment/lwwa1np/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

[-]

woodburyman@reddit

I too am having this issue on just out Server 2022 systems. 2019, 2016 patch quick, and the one Server 2025 system i have in production already. (It's our KMS server..).

[-]

Trooper27@reddit

Do what must be done Lord Vader. Do not hesitate, show no mercy.

[-]

vabello@reddit

I appreciate your pop culture reference.

[-]

asoge@reddit

You go ahead, I'll wait til end of the month. ;)

[-]

_TommyDanger_@reddit

You can do it again in 22 minutes.

[-]

AnDanDan@reddit

Not if I sing campfire songs with my friends first.

[-]

Jazzlike-Love-9882@reddit

I see what you both did here 👀

[-]

DeathEater25@reddit

All hail the taco

[-]

Mission-Accountant44@reddit

Woah there buster you're flooding the thread with off-topic and unnecessary information

[-]

Stonewalled9999@reddit

tacos are necessary

[-]

Grrl_geek@reddit

Especially on Taco Tuesday!!!!!!!!!!!!!!!

[-]

Cyrus-II@reddit

So are you, so am I...

[-]

NorSB@reddit

YOLO

[-]

ceantuco@reddit

lets do it!

[-]

CozyBear4006@reddit

Anyone else experience issues with Windows Server 2016 DC after the 2024-11 cumulative, where programs wouldn't load or were blocked by your administrator, with a no publisher being reported? Solved by restarting cryptsvc which took 15+ minutes to restart... A server restart did nothing.

[-]

mike-at-trackd@reddit

\~\~ November 2024 Microsoft Patch Tuesday Damage Report \~\~

** 72-hours later (plus a few) 😬 **

Yesterday was a confluence of crazy (personally and at trackd) and posting this completely slipped my mind! My apologies, patchers. Let’s dig in…

No disruptions detected or reported on the trackd platform.

Thankfully, my delayed posting wasn’t too critical as it looks like mostly just updates taking longer than usual and some fail to download. Some minor disruptions to mail flows and possibly SMB network shares with the German language pack.

Exchange Server 2019

Mail flow rules not working (r/sysadmin, Microsoft)

Server 2016

Server Message Block (SMB) network share inaccessible with German language pack

[-]

sync-centre@reddit

I believe .net 6.X has reached EOL today as well.

[-]

icemerc@reddit

Correct,

Roadmap link for those interested:
https://dotnet.microsoft.com/en-us/platform/support/policy/dotnet-core

[-]

notta_3d@reddit

Question for you. We have version 6 on almost all of our systems. Does removing version 6 and installing version 9 usually cause issues?

[-]

Electrical_Arm7411@reddit

The apps we use rely on a .net 6. Uninstalling 6 breaks them. Be cautious.

[-]

sleeper1320@reddit

If it helps, .NET 8 has a later EoL than 9, so you really want to jump to 8.

Does removing version 6 and installin [...]

At least for myself, the code base I work on requires the devs update all references of .NET 6 during compile and runtime to .NET 8. So suddenly yanking 6 for me would break everything until they did their thing first.

[-]

wrootlt@reddit

Yes. But they still released 6.0.36 today. Although it is not marked as security patch. Neither is 8.0.11.

[-]

Capable_Tea_001@reddit

Remember the rules of safe patching: Deploy to a test/dev environment before prod. Deploy to a pilot/test group before the whole org. Have a plan to roll back if something doesn't work. Test, test, and test!

Or, if you want to Auto upgrade to WS2025, ignore all of the above

[-]

Acrobatic-Count-9394@reddit

No-no yOu dO NoT uNdastand!

Those are just security patches!!!!!!

We will not waste time on testing these in test enviroments!!!!!

That was pretty much consensus of people replying to me during the whole Crowdstrike fiasco.

Apparently letting some moron push untested updates to kernel level stuff is now par for the course.

[-]

mnvoronin@reddit

Again?

The whole Crowdstrike thing was due to the corruption of the Channel File (aka definition update). You do not want to delay definition updates for your antivirus software.

[-]

Acrobatic-Count-9394@reddit

Yes, again.

I`m baffled at people that still act like delaying definitions a bit would cause instant death of the universe as we know it.

For that to matter, your network needs to be already fully compromised(or designed like outright trash).

Multiple safeguards need to fail - as opposed to single failure point at kernel level.

[-]

mnvoronin@reddit

I'm baffled at people that still think that network breach and server crash carry the same threat profile.

No matter how bad, kernel crash won't end up in your data being encrypted or exfiltrated.

[-]

mahsab@reddit

Not much difference if the whole company is down in both cases.

Actually, for many affected companies Crowstrike issue did a lot more damage than a hack would, as it affected EVERYTHING, not just one segment of their network. Not just that, it affected even assets that are not in any way connected to the main network.

Impact of getting breached using 0-day vulnerabilities is high, but probability is very low. Like fire. It makes it necessary to mitigate, but NOT above everything else.

You're worried about a ninja crawling through the air ducts and hanging from a thin string from the ceiling of your server room and exfiltrating the data from the console, while in reality, it will be the cleaning lady that will prop open the emergency door in the server room to dry the floor faster while she goes to lunch. Or the security guy just waving through guys with hi-vis vests, clipboards and hard hats, while they dismantle your whole server room.

[-]

mnvoronin@reddit

Tell me you don't know what you are talking about without saying you don't know what you are talking about.

In case of a faulty update, the solution is restoring from the recent backup. Or even better, spinning up a DR to a pre-crash recovery point, remediating/disabling the faulty update and failing back to production. Or, like in the Crowdstrike case, boot into recovery mode and apply the remediation.

In case of infiltration, you are looking into days if not weeks of forensic investigation before you can even hope to begin restoring your backups or even rebuilding the compromised servers if the date of original compromise can't be established; mandatory reporting of the breach; potential lawsuits and much much more. Even worse, your network may be perfectly operational but your data is out and you only know when the black hats contact you demanding a ransom to keep it private.

You're worried about a ninja crawling through the air ducts and hanging from a thin string from the ceiling of your server room and exfiltrating the data from the console, while in reality, it will be the cleaning lady that will prop open the emergency door in the server room to dry the floor faster while she goes to lunch. Or the security guy just waving through guys with hi-vis vests, clipboards and hard hats, while they dismantle your whole server room.

No. You should stop watching those "hacker" movies. In 99% of the cases, it will be a C-suite clicking a link from the email message promising huge savings or something like that. And yes, there is not a single week passes

[-]

SoonerMedic72@reddit

Yes. At most businesses, servers crashing because of a bad update is a bad week. Network being breached may require everyone updating their resumes. The difference is massive.

[-]

mnvoronin@reddit

Yeah, I know :)

Crowdstrike incident happened around 3 pm Friday my time. By midnight we had all 100+ servers we manage up and running (workstations took a bit longer obviously).

The cryptolocker incident I was involved in few years ago resulted in the owners closing the business.

[-]

SuperDaveOzborne@reddit

I totally agree with you. If an update crashes my server, even if it is so bad that I have to restore from backup I can start a restore and get back online fairly quickly. If I have a server that is compromised I have to get a forensics team involved to probably spend days to figure out when I was compromised before I can start doing any restores. Plus everything else needs to be looked at very closely for compromise. Not to mention if any data was lost and then you have lawsuits, disclosures, etc. These two scenarios don't even compare.

[-]

techvet83@reddit

True, but I assume the point about the updates (def files or executables) being untested by CrowdStrike is correct. I didn't realize until now that CrowdStrike is planning to "Provide customer control over the deployment of Rapid Response Content updates".

Channel-File-291-Incident-Root-Cause-Analysis-08.06.2024.pdf

[-]

Windows95GOAT@reddit

Hey not every company grants their IT the time / money for a) test environment b) even the chance to read through and test for themselves.

Atm we also go full auto send.

[-]

oneshot99210@reddit

Every company has a test environment.

Some companies have a separate production environment.

[-]

ronin_cse@reddit

It's never a cut and dry thing and it's just which trade off you want to take.

Obviously, it's best to test everything thoroughly before pushing out to production but a lot of the time that just isn't feasible in environments where you don't have someone specifically working in that role.

Like yeah ok CrowdStrike's patch blue screened a bunch of devices and it would have been nice to catch that first.... buuuutttt it was pushed out in the middle of the night and what happens if you don't auto update CS or you delay them until they can be tested? What happens when there is a legit 0-day attack in the middle of the night and since you didn't automatically update to the new CS patch your entire network gets taken over instead? Same thing for Windows updates: what happens is a security patch gets pushed out for a vulnerability and your entire network gets encrypted because someone snuck in during the delay?

Of course the issues with patches like these are very visible and it sucks when it happens but at least they are fixable in most cases. I would rather deal with some servers auto upgrading to 2025 than deal with having to restore all by servers from back up due to a ransomware attack. Sadly, much of the time that is the tradeoff you have to make. I know I and my team certainly don't have the bandwidth during the day to test each and every patch that gets pushed out and I doubt there are many IT teams out there that can.

[-]

Acrobatic-Count-9394@reddit

"During the delay" - oh yes, because that`s what happened, not your network being compromised for a while already.

Taking over a well designed network of a size where those things matter is not a matter of seconds.

And for that, mulptiple levels of safeguards need to fail and not detect anything.

The only way to do it that quickly - is to study it for a while, and at that point... pray that whatever is present does not have deletion safeguards that will launch full out destruction of your network.

[-]

ronin_cse@reddit

Ummm ok? When do you think your network got compromised? During that period of time when you were unpatched.

Regardless of when the attack actually happens it doesn't make my main point invalid.

[-]

Capable_Tea_001@reddit

I work in software development.

Devs, QA, Project Managers, Release Managers all make mistakes.

It's never done with malice.

Mistakes happen and it's on us all to mitigate them.

Sometimes it's hard... Production environments don't always react like test environments, especially when there are other systems feeding in data etc.

I've certainly been the one to press to button on a software release that went tits up in a production environment.

We did however have a rollback plan that was well tested and worked exactly like it was planned to.

[-]

Acrobatic-Count-9394@reddit

Oh, I`m not talking about mistakes/different solutions.

I`m talking about people from companies that were shutdown hard back then... and learned nothing.

[-]

jlaine@reddit

Delta would like to talk to you right meow.

[-]

anxiousinfotech@reddit

Unfortunately the script for that conversation was in a checked bag that didn't arrive.

[-]

frac6969@reddit

Hanlon’s razor.

[-]

LakeSuperiorIsMyPond@reddit

complaining on reddit was always the plan!

[-]

fivelargespaces@reddit

LOL!

[-]

Talgonadia@reddit

We utilize KnowBe4 and have their Phish Alert button. It looks like this month's Monthly Enterprise Channel is deploying a Report Button to report phish / suspicious emails. Is there any way to disable this or remove the button? I'm researching and we haven't deployed the app out.

[-]

pcrwa@reddit

You should be able to disable here by choosing "use a non-Microsoft add-in button". Though there was a bug in the Current channel a few months ago that ignored the setting and showed the new report button anyway 🙃

[-]

FREAKJAM_@reddit

This is actually still the case. https://support.microsoft.com/en-us/office/classic-outlook-report-button-not-removed-after-setting-use-a-non-microsoft-add-in-button-5115fd55-7939-4e95-9131-0221e5b826e5

[-]

immewnity@reddit

Fixed!

[-]

rosskoes05@reddit

We're considering using the KnowBe4 button. What do you do to report emails as "not junk" when they end up in the junk folder?

[-]

JackfruitSwimming160@reddit

A few of our Windows 11 23H2/24H2 desktop got their professionnal account logout after the update. Anyone else seeing this ?

[-]

Alert-Main7778@reddit

Seeing failure to install on IIS servers (2016). The reboot went through and the install shows as failed. It prevented our IIS sites from coming up as well. Anyone else have any issues?

Installation Failure: Windows failed to install the following update with error 0x800F0841: 2024-11 Cumulative Update for Windows Server 2016 for x64-based Systems (KB5046612).

[-]

DarkSideMilk@reddit

Thought this might be appropriate to ask here since it's update related.
With WSUS now on the chopping block (Windows Server Update Services (WSUS) deprecation - Windows IT Pro Blog) I've started looking at AutoPatch and Windows Update For Business (which appears to be being merged aka "unified" with AutoPatch). I'm just not finding clear definitions on licensing.

We don't have the same licenses across the board, which means, unless something changed, we can't use intune with our current licenses. We have M365 E5's for 3 IT admins, O365 E3 for a small group of "executives" and everyone else is a mix of m365 business standard, m365 business basic, and f1 licenses.

From what I've found intune is needed to use auto patch, but we can only manage a handful of computers (like 15 per E5 or something like that) and can't register them to each user without that user having a license which would be a massive spend that would overlap with our other windows desktop open value licenses. Is that correct? Or can we enable autopatch without registering each computer into intune and just utilize the existing Hybrid Azure/Entra AD? Is Windows Update for Business even still a thing we can just adjust our gpos to use instead of wsus? I'm not looking forward to losing the level of control and stability we created within wsus (required custom wsus api powershell automations for sure, but we had it exactly as we wanted it) nor relying on delivery optimization and having each client individually download updates from the web instead of a local server, but gotta change with the times. But also, why do I need a license to control security updates that are provided with a license for the OS?

[-]

techvet83@reddit

You're free to look around, but WSUS will be around for years to come. I think MS wants everyone to use Azure Patch Manager down the road.

[-]

DarkSideMilk@reddit

In theory it will be around for at least 10 years with server 2025 having it, but that's not a for sure thing, they will stop pushing updates to it eventually

[-]

GoogleDrummer@reddit

WSUS isn't going anywhere, they're just not going to be developing it anymore, which is funny because they haven't been doing that anyway.

[-]

Stugist@reddit

Is anyone else not seeing this month's Monthly Enterprise 2409 Office updates? Only Current Channel seems to have been downloaded - not Monthly Enterprise. Just did a resync w/ Microsoft and verified in the logs that it's not being pulled down. The Office Perpetual 2019 update for this month is showing up just fine. Wtf?

[-]

MikeWalters-Action1@reddit

In anticipation of today's Patch Tuesday, here's a review of the most critical third-party vulnerabilities addressed in last month's updates:

Google Chrome: critical vulnerabilities CVE-2024-10487 and CVE-2024-10488
Mozilla Firefox: 11 vulnerabilities and a zero-day CVE-2024-9680
Apple: updates for iOS 18 and macOS Sequoia 15, fixing over 70 vulnerabilities
Cisco: over 50 vulnerabilities across its network products, including a critical flaw CVE-2024-20481
Android: over 50 vulnerabilities, including zero-days CVE-2024-43047 and CVE-2024-43093
Opera: a vulnerability that allowed extensions to access the browser's private APIs, with potential limited attack scenarios remaining post-patch.
WordPress: emergency updates for the Jetpack plugin to fix a critical vulnerability allowing logged-in users to access other users' submitted forms, and a critical EoP vulnerability in the LiteSpeed Cache plugin.
GitLab: eight vulnerabilities, including a critical issue CVE-2024-9164
IBM: a critical vulnerability CVE-2024-45656 in IBM Power Systems
NVIDIA: eight high-severity vulnerabilities in its GPU drivers and vGPU software
VMware: renewed effort to patch a remote code execution vulnerability in vCenter Server with CVE-2024-38812 and another EoP vulnerability CVE-2024-38813.
Atlassian: High-severity vulnerabilities patched across Bitbucket, Confluence, and Jira Service Management, including critical updates for JRE in Bitbucket and Moment.js in Confluence.
Samsung: use-after-free vulnerability in Exynos processors (CVE-2024-44068) that has been exploited in the wild.
Kubernetes: A critical SSH access vulnerability in virtual machines created with Kubernetes Image Builder (CVE-2024-9486)
GitHub: critical vulnerability in GitHub Enterprise Server (CVE-2024-9487) and another medium-severity information disclosure issue (CVE-2024-9539).

[-]

Jazzlike-Love-9882@reddit

We've got an Exchange 2016 & 2019 SU as well, see: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-and-2016-november-12-2024-kb5044062-a76c849c-b096-4e0c-a267-bf43964d679a

Applying now!

[-]

scrubmortis@reddit

They've pulled the SU now because of the Mail Flow rules failing requiring the transport service to be restarted.

https://techcommunity.microsoft.com/blog/exchange/released-november-2024-exchange-server-security-updates/4293125

Thanks /u/gregisagoodguy for the direction to the post.

I ended up just creating a scheduled task to restart the transport service every 10 minutes as it was crashing randomly from 15-90 minutes as there were other fixes I'd prefer to keep rather than roll back the update.

[-]

SuperDaveOzborne@reddit

I'm assuming no news is good news?

[-]

gregisagoodguy@reddit

I and others are having issues with transports rules/mail flow rules failing to fire.
Check your results for any rules you may have.

[-]

scrubmortis@reddit

Exchange

Is there another thread for this? I'm seeing issues as well with mail flow rules failing. Restarting the transport service fixes it for a few hours until it breaks again and requires another transport service restart.

[-]

gregisagoodguy@reddit

A few threads over on /r/exchangeserver .

I'm following the official exchange team blog post/discussions.

https://techcommunity.microsoft.com/blog/exchange/released-november-2024-exchange-server-security-updates/4293125

[-]

Jazzlike-Love-9882@reddit

Yes sorry, all good. As for all Exchange updates, the installer takes an eternity to complete, but services and mailflow itself actually resumed very quickly. This being said, my 2019 install is a simple one only for internal relaying and hybrid management.

[-]

SuperDaveOzborne@reddit

Well we are having some problems. Ran update on our Exchange 2016 server and it seemed to run OK, but when it came back up I had to start several services manually. Then the Windows Modules Installer Worker process started using up all CPU. Checked Windows update, but it didn't show anything that needed to be installed so I initiated a reboot and got the Getting Windows Ready prompt and it has been sitting there for over 30 minutes. Exchange is up and running, but it is just kind of hung there.

[-]

AdExtension600@reddit

One of my 2022 servers auto installed KB5046265 and KB5046616 this this morning and rebooted. Customer logged "no Internet" with us first thing and when we took a look we discovered that the dns service was unresponsive. Stopping and starting the service resolved things.

We are monitoring other clients' servers...

[-]

redbluetwo@reddit

I think this happened in testing last month due to a server having ipv6 disable improperly on 2022.

[-]

dfr_fgt_zre@reddit

Exchange 2019 CU14, installed november SU.

There is something wrong with the mail flow rule.

I have a simple rule that sends a secret copy of all mail to a public folder.

This rule does not work after SU is installed.

I made a test rule, after that both rules worked.

Then I deleted the test rule and left the original one.

After that, the original rule worked for a while, a secret copy of some e-mails went into the public folder, then it stopped, and it hasn't worked at all for the last 8 hours.

[-]

ceantuco@reddit

MS is pulling the NovSU and will re-release it soon.

[-]

ceantuco@reddit

Other admins posting similar issue here:

https://techcommunity.microsoft.com/blog/exchange/released-november-2024-exchange-server-security-updates/4293125?topicRepliesSort=postTimeDesc

[-]

erunaheru@reddit

Seeing the same thing on 2016 CU23, transport rule to delete test messages from the load balancer stopped working.

[-]

dfr_fgt_zre@reddit

This happens both on a test server and in a live environment. After restarting the server or re-creating the rule, the mail flow rule works for 30-40 minutes, then it stops.

But I can't find where to view Mail Flow Rule logging on an on-prem Exchange server.

[-]

Trick_Session8230@reddit

KB5045934 - Cumulative Update Preview for .NET Framework 3.5 and 4.8.1 for Windows 11, version 24H2 is showing as not applicable in WSUS for our Win 11 24h2 systems. Anyone else seeing this?

[-]

Popular_Reserve_1648@reddit

Installation of KB5044062 Exchange Server 2019 CU14 Nov24SU failed on 2 servers, see the error below.

After removed Windows Defender Antivirus, and retried the installation, it completed successfully.

MSI (s) (A4:24) [15:26:27:540]: Attempting to delete file C:\Windows\Installer\7fc20.msp
MSI (s) (A4:24) [15:26:27:540]: Unable to delete the file. LastError = 32
MSI (s) (A4:24) [15:26:27:553]: Attempting to delete file C:\Windows\Installer\7fc20.msp
MSI (s) (A4:24) [15:26:27:575]: MainEngineThread is returning 1603
MSI (s) (A4:98) [15:26:27:579]: RESTART MANAGER: Session closed.
MSI (s) (A4:98) [15:26:27:579]: No System Restore sequence number for this installation.
MSI (s) (A4:98) [15:26:27:583]: User policy value 'DisableRollback' is 0
MSI (s) (A4:98) [15:26:27:583]: Machine policy value 'DisableRollback' is 0
MSI (s) (A4:98) [15:26:27:583]: Incrementing counter to disable shutdown. Counter after increment: 0
MSI (s) (A4:98) [15:26:27:583]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 
MSI (s) (A4:98) [15:26:27:584]: Note: 1: 1402 2: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts 3: 2 
MSI (s) (A4:98) [15:26:27:585]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (s) (A4:98) [15:26:27:587]: Destroying RemoteAPI object.
MSI (s) (A4:0C) [15:26:27:587]: Custom Action Manager thread ending.
MSI (c) (B8:40) [15:26:27:589]: Back from server. Return value: 1603
MSI (c) (B8:40) [15:26:27:589]: Decrementing counter to disable shutdown. If counter >= 0, shutdown will be denied.  Counter after decrement: -1
MSI (c) (B8:40) [15:26:27:589]: PROPERTY CHANGE: Deleting SECONDSEQUENCE property. Its current value is '1'.
Action ended 15:26:27: ExecuteAction. Return value 3.
MSI (c) (B8:40) [15:26:27:589]: Doing action: FatalError
Action 15:26:27: FatalError. 
Action start 15:26:27: FatalError.

[-]

bostjanc007@reddit

Did you remove defender or just temporary paused it during installazion?

[-]

Popular_Reserve_1648@reddit

removed in ps: uninstall-windowsfeature windows-defender

[-]

bostjanc007@reddit

did you try first with disabling Windows Defender, or you went straight forward of uninstalling it?

[-]

Popular_Reserve_1648@reddit

I didn't try to disable. Removing it completely much faster, than trying to disable its functions one by one to find out which is the culprit.

[-]

atemyr@reddit

Lucky one, the patch failed all my services got disabled and my connector aren't working anymore... RIP. working on it

[-]

Krinto87@reddit

Any updates? Maybe we have the same problem. Server 2016

[-]

Popular_Reserve_1648@reddit

If it failed, reenable winmgmt service, restart the server, and try to install the hotfix again. The hotfix will restore the services' state after the installation, whether those were disabled or enabled. You can choose when you want to reenable them.

[-]

ceantuco@reddit

oh no. good luck! Perhaps, you can post your issue on MS's tech community link above.

[-]

ceantuco@reddit

can you post it here:

https://techcommunity.microsoft.com/blog/exchange/released-november-2024-exchange-server-security-updates/4293125

[-]

EsbenD_Lansweeper@reddit

Here are the Lansweeper highlights: 88 new fixes, with 4 rated as critical and 2 exploited: Windows Task Scheduler Elevation of Privilege Vulnerability and NTLM Hash Disclosure Spoofing Vulnerability

[-]

blunderpup@reddit

My updated 2019 servers are not showing "Up to date" in the November report.

[-]

EsbenD_Lansweeper@reddit

I updated the report. Other users were able to give me enough information: https://community.lansweeper.com/t5/patch-tuesday-updates/microsoft-patch-tuesday-november-2024/bc-p/78783/highlight/true#M301

[-]

EsbenD_Lansweeper@reddit

Please double check that they have build 6532 or higher. You can also always reach out to our support team with screenshots in case you continue to have issues.

[-]

Stryker_One@reddit

Wonder how many Sys Admins take Xanax on Patch Day.

[-]

raphael_t@reddit

The download speed of patches with SCCM (in DACH region) is insanely slow today compared to previous months.

And whatever I try I can not get the feature update "Windows 11, version 24H2 x64 2024-11B" downloaded as it errors out:

Download http://*/lp_desktop_7c856293e949509c3625983400b8022c5be48f01.wim in progress: 90 percent complete Software Updates Patch Downloader

InternetReadFile() return true and pdwNumberOfBytesRead equals to 0, but ulTotalFileRead=923565112 still less than ulFileSize=923684337, treat it as a retriable error. Software Updates Patch Downloader

Same for file: professional_en-us_98014c58afbd29a57aed4f5eb6819f5cc5bce4a4.esd

[-]

raphael_t@reddit

All ADRs took over 5 hours this time, we normally make them in half the time. The following ADRs also failed:

Windows 11 with 0X80073633 - Invalid certificate signature

Server 2025 (without .NET) with 0X87D20417 - Auto Deployment Rule download failed

Server 2025 (.NET only) - with 0X80072EFF - Unknown Error (-2147012865)

In the PatchDownloader.log all 3 ADRs on their respective files fail with HttpSendRequest failed 12031 after 3 tries - Error 12031 indicates that the connection with the server has been reset or is not properly connected

I don´t think this is an issue on our side as all other ADRs ran successfully.

[-]

ITStril@reddit

Lots of my Windows 2022 servers are doing the update automatically although Windows Update is configured to "only download and notify"!

[-]

Ninevahh@reddit

We fought with this across our environment for months where our production systems would just install updates and reboot even though we had them set to download only. One of my teammates found some obscure articles (of course, he didn't save them at all) where other folks had discovered that Windows is creating Scheduled Tasks to reboot systems if updates need to be installed. They found that they had to Disable these Tasks, then modify the file permissions to remove all ability for the OS to modify them. In some cases, there were multiple Tasks (and corresponding files) named slightly differently. And in some cases, there wasn't a Task present, but Windows would just create a new one. So, he created GPOs that would push out those files if they weren't there and set the permissions to prevent anyone from modifying them.

This article talks about some of this sort of stuff in Step 2, though it's more focused on the desktop OS: https://superuser.com/questions/973009/conclusively-stop-wake-timers-from-waking-windows-10-desktop/973029#973029

[-]

bensonmojo@reddit

This article is how we fix it: https://www.ans.co.uk/docs/operatingsystems/windows/server2016/windowsupdate/

[-]

Ninevahh@reddit

Looks about the same as what my teammate came up with. The big thing missing, though, is that sometimes the file isn't even present until Update Orchestrator decides that it needs it. So, we setup a GPO that creates an empty file and sets the permissions on it to prevent the OS from making any changes to it.

[-]

McAdminDeluxe@reddit

is this the update orchestrator task (reboot) that automagically gets created and nuked each patch cycle? i had my own scheduled task deploy to find and disable it on our 2016 servers.

[-]

Ninevahh@reddit

I believe so

[-]

Ninevahh@reddit

Oh, my teammate mentioned to me that he found the task history for those Scheduled Tasks would clearly indicate that they had initiated the reboot, so that was a big clue that he was on the right track.

[-]

DeathEater25@reddit

I'm seeing some of my 2022 boxes with this as well, but inconsistently. Some already hit but some didn't. Thankfully just for my dev env, but still. GPO is set to download but notify for install.

[-]

ironclad_network@reddit

GPO Settings?
Is is all servers or just some?

can't say that i like this... as we have a schedule and timeslots on the patching on our servers.

[-]

ITStril@reddit

Its only on Windows 2022 with GPO „updates disabled“

[-]

1grumpysysadmin@reddit

Testing in progress a day late due to a server going belly up in an unrelated problem... Normal testing to 2016, 2019, 2022 and Windows 10/11... Nothing currently to report other than decline the optional update that may trigger the 2025 upgrade.

[-]

jtsa5@reddit

Only hit a few test servers so far but one 2019 sever rebooted two additional times after the reboot for the updates. Nothing unusual in the logs.

[-]

emwinger@reddit

Seeing CoPilot installed on Windows 10 22H2 boxes after installing the November cumulative update. Anyone else seeing this?

[-]

TheLostITGuy@reddit

Yup.

[-]

emwinger@reddit

There is a user based registry / GPO to turn it off, but it doesn’t appear to honor it, even after reboot. sigh

[-]

YouKnowThatMattGuy@reddit

The registry key no longer works for us: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsCopilot Name = "TurnOffWindowsCopilot" Type = REG_DWORD Value = 1

Deploying a script via SCCM for removal post install:

Get-AppxPackage -Name "Microsoft.Copilot" -AllUsers | Remove-AppxPackage -AllUsers

[-]

emwinger@reddit

Ah, yeah I was testing the HKCU portion of that reg key, but wasn’t having any luck. My next step was to deploy a post patch script to remove the appx package. Thanks!

[-]

Automox_@reddit

89 vulnerabilities released, and 1 Zero-Day for this Patch Tuesday! You can tune into our Patch Tuesday podcast or read our analysis here. We recommend you pay special attention to:

NTLM Hash Disclosure Spoofing Vulnerability

This vulnerability is confirmed and exploitation has been detected. The only current remediation is an official fix. Prioritize patching this vulnerability to prevent unauthorized access.

Microsoft Defender for Endpoint Remote Code Execution Vulnerability

An attacker could exploit this by sending a malicious link via email or instant messaging. Once clicked, the attack unfolds without requiring further interaction from you. In addition to immediate patching, it is recommended to enhance your email filters and educate users about the dangers of unsolicited links.

Windows Task Scheduler Elevation of Privilege Vulnerability

To mitigate this vulnerability, patching is your most effective strategy. Microsoft has acknowledged the existence of functional exploit code for this vulnerability, making it imperative to apply any available updates promptly.

[-]

pcrwa@reddit

Am I reading correctly that the MDE vulnerability affects iOS, Android, and Linux, but NOT Windows?

[-]

Lukage@reddit

Their link at https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-5535 suggests this is the case. I'm inclined to believe that they just mistakenly didn't list those platforms instead of this unusual case.

[-]

SilentLennie@reddit

Actually, I think it's correct, notice it said: openssl

On Windows they use MS own SSL/TLS library.

CC /u/pcrwa

[-]

Forgery@reddit

Thanks. Lots of blogs get re-posted here, but only yours seems to list all of the updates.

[-]

hoeskioeh@reddit

So, is this KB5044284 issue resolved? or still block worthy?

[-]

unixuser011@reddit

yes, Microsoft pulled it a few days ago

[-]

jake04-20@reddit

I could never recreate the 2025 upgrade issue. I approved the update in WSUS but it wouldn't download or install.

[-]

1st_Edition@reddit

Server 2025 isn't showing up in my WSUS catalogue, is it named something vague or am I just missing something?

[-]

jake04-20@reddit

The confusing part is the update that triggered all the problems was actually a Win 11 update.

[-]

CCContent@reddit

It only affected you if you were someone that approved and pushed security patches instantly. All of our machines had it in their list off available updates when we checked Windows Updates, but rescanning for updates removed that option.

That means we would have been bit had we been auto-approving and patching.

[-]

zm1868179@reddit

It only affected you if you used 3rd party systems to patch if you were using wsus, SCCM, arc, or any other Microsoft update tool is didn't happen. 3rd party's misclassified the upgrade as a security update Microsofts tools did not.

[-]

jake04-20@reddit

It only affected you if you were someone that approved and pushed security patches instantly

What do you mean by instantly? Did Microsoft make a mistake and pull it quickly after?

[-]

CCContent@reddit

https://patchmypc.com/windows-server-2025

It really just applied to people using 3rd party patching solutions. Not an issue if you used WSUS, GPOs, SCCM, etc.

[-]

jake04-20@reddit

Gotcha, thank you for clarifying!

[-]

jtheh@reddit

Microsoft released some info about this:

Windows Server 2022 and Server 2019 unexpectedly upgraded to Windows Server 2025

https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2025#3404msgdesc

[-]

Tetrapack79@reddit

Patch My PC explained why it wasn't a Microsoft issue: https://patchmypc.com/windows-server-2025

[-]

CCContent@reddit

I don't agree with this assessment.

We are a smaller shop with only 55 servers, so we just use the built-in Windows Updates and then a script to kick them off when we're ready. I checked all of our machines after the 2025 upgrade news hit, and every single one of them had that update available, but it went away when I triggered a rescan for updates.

[-]

switched55@reddit

The W11 issue of running as another user - SHIFT+Right click to ‘run-as’ from the taskbar is finally fixed!

I raised this couple of months ago, I’m glad they fixed it this month.

The workaround for me was running ADUC from a desktop shortcut instead of the taskbar.

[-]

AnDanDan@reddit

One that might help - Ctrl + Shift + Enter on start prompts run as admin, I end up running aduc as Windows -> typing 'Ac' -> Ctrl + Shift +Enter. Works for all sorts of programs if youre used to opening shift via start menu.

Good to know I can shift + right on the taskbar though.

[-]

extremetempz@reddit

Glad to hear it, any user that complained to me about it I updated to 24H2 so I don't have to take that step anymore.

[-]

Icy_Employment5619@reddit

Got 2 laptops next to me, which are in our first update ring, just taking an absolute age to download...

[-]

atcscm@reddit

hi Guys, does anyone know if the November patch includes this fix? October 22, 2024—KB5045594 (OS Build 19045.5073) Preview - Microsoft Support - https://support.microsoft.com/
We have had a lot of issues related to this.

[-]

jtheh@reddit

Since these are cumulative updates, yes - all fixes from previous versions are included if not stated otherwise.

[-]

atcscm@reddit

Yes but we know that sometimes they are not :/

[-]

FCA162@reddit

Microsoft EMEA security briefing call for Patch Tuesday November 2024

The slide deck can be downloaded at aka.ms/EMEADeck

The live event starts on Wednesday 10:00 AM CET (UTC+1) at aka.ms/EMEAWebcast.

The recording is available at aka.ms/EMEAWebcast.

The slide deck also contains worth reading documents by Microsoft.

What’s in the package?:

A PDF copy of the EMEA Security Bulletin Slide deck for this month
ESU update information for this month and the previous 12 months
MSRC Reports in .CSV format, for this month’s updates including detailed FAQ’s and Known Issues data.
Microsoft Intelligence Slide
A Comprehensive Handbook on "Navigating Microsoft Security Update Resources" !

Also included in the downloadable package are handy reference reports produced using the MSRC Security Portal PowerShell Developer Functionality: https://portal.msrc.microsoft.com/en-us/developer

October 2024 Security Updates - Release Notes - Security Update Guide - Microsoft

KB5046616 Windows Server 2022

KB5046615 Windows Server 2019

KB5046612 Windows Server 2016

KB5044411 Windows Server 2012 R2 (last month for Year 1 ESU licensing)

KB5044413 Windows Server 2012 (last month for Year 1 ESU licensing)

KB50446617 Windows 11, version 24H2

KB5046633 Windows 11, version 22H2, Windows 11, version 23H2

KB5044280 Windows 11, version 21H2 (All editions of Windows 11, version 21H2 are at end of service)

KB5046613 Windows 10, version 21H2, Windows 10, version 22H2

Download: Microsoft Update Catalog

[-]

FCA162@reddit

Product Lifecycle Update
Products reaching end of servicing in November 2024

PowerShell 7.2 (LTS)
.NET 6.0 (LTS)

[-]

gumice@reddit

On Win11 23H2 and applied the updates. All seemed OK but when I checked "Windows Update" in settings it's display "Get the newer version if Windows to stay up to date" / "Your version of Windows has reached the end of service. Learn More". Clicking on "Check for updates" does not clear the message. Rebooting and rechecking also does not clear the message. PC working OK otherwise

Clearly Win11 23H2 is not EOL !!!

[-]

gumice@reddit

FYI - this issue has been picked up by other users in the r/Windows11 group

[-]

gumice@reddit

Just "self resolved". No error now. Not sure what changed

[-]

DeltaSierra426@reddit

So going pretty smooth so far besides one reporting slow updating on Server 2022 and one saying "Getting error 80070643 on Win10 machines when I install the KB5048239 along with the cumulative update"?

So far so good on just a few different machines I've successfully installed the W10 and W11 CU's.

[-]

ceantuco@reddit

Tenable's report: https://www.tenable.com/blog/microsofts-november-2024-patch-tuesday-addresses-87-cves-cve-2024-43451-cve-2024-49039

[-]

derfmcdoogal@reddit

Getting error 80070643 on Win10 machines when I install the KB5048239 along with the cumulative update. Retrying after the restart proceeds fine. Not an issue on the Win11 machines I've tested so far.

[-]

asfasty@reddit

did someone get the .net KB5046266 for windows server 2016 on the first 'check for updates' ?

Currently have 2 servers are just downloading and installing KB5046612.

The 2022 servers had their .net update right on the first check

[-]

valiantiam@reddit

I believe that update has been completely pulled by Micro$oft

[-]

Forgery@reddit

Lots of blogs seem to only list a few issues. Here's a good page that lists all of the fixes this month:

https://www.ghacks.net/2024/11/12/microsoft-releases-the-november-2024-security-updates-for-windows/

[-]