[-]

jcarroll11@reddit

Anyone else's ReAgent.dll not update? According to the list of files that are supposed to be updated, ReAgent is supposed to go 10.0.20348.3089. None of ours updated and now being flagged as a vulnerability.

[-]

trf_pickslocks@reddit

Will be pushing to ~30,000 PCs/Servers Saturday night and will report back Monday morning. I will edit my post with any issues reported.

[-]

ceantuco@reddit

If you are in the US, you are brave! MLK weekend lol good luck!

[-]

jake04-20@reddit

I'm in the US but do not get MLK day off. I've thought about how nice it would be to get off, but all my friends that do get MLK day off, had to work Friday after Thanksgiving, Christmas Eve, and New Years Eve. Just curious if that's how it is for you too? They get more than just MLK day off in exchange for the other two holidays, I'm just drawing a blank on what they are. Something stupid like president's day or something.

[-]

Usernameentryfield@reddit

I don't get Christmas eve, New Years Eve or the Friday after Thanksgiving off. We also work MLK day, President's day, etc. I don't see a point in anyone getting MLK, Presidents Day, Lincoln's or Washington's birthdays, day after Thanksgiving, as paid holidays.

[-]

atari_guy@reddit

We get MLK off, along with Veterans Day, day after Thanksgiving, and Christmas Eve. But not New Years Eve. And we lost getting our state holiday off when we got Veterans Day and MLK.

[-]

ceantuco@reddit

ohhh I see.

[-]

ceantuco@reddit

lol i am also working mlk lol but i am def not doing updates this weekend lol a few years ago, the company switched MLK holiday to a personal day that can be taken any time so even better lol

[-]

trf_pickslocks@reddit

We are international, and unfortunately our US offices are open on Monday.

[-]

ceantuco@reddit

ohh I see.

[-]

FCA162@reddit

KB5014754: Certificate-based authentication changes on Windows domain controllers - Microsoft Support

Certificate-Based Authentication Changes and Always On VPN | Richard M. Hicks Consulting, Inc.

Full Enforcement mode

Unless updated to Audit mode or Enforcement mode by using the StrongCertificateBindingEnforcement registry key earlier, domain controllers will move to Full Enforcement mode when the February 2025 Windows security update is installed. Authentication will be denied if a certificate cannot be strongly mapped. The option to move back to Compatibility mode will remain until September 2025. After this date, the StrongCertificateBindingEnforcement registry key will no longer be supported.

/!\ regkey to be deployed on all DCs before Patch Tuesday in Feb! /!\

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement

1 – Checks if there is a strong certificate mapping. If yes, authentication is allowed. Otherwise, the KDC will check if the certificate has the new SID extension and validate it. If this extension is not present, authentication is allowed if the user account predates the certificate.

2 – Checks if there’s a strong certificate mapping. If yes, authentication is allowed. Otherwise, the KDC will check if the certificate has the new SID extension and validate it. If this extension is not present, authentication is denied.

0 – Disables strong certificate mapping check. Not recommended because this will disable all security enhancements.

[-]

RiceeeChrispies@reddit

If you're using Intune, make sure you get the variable {{OnPremisesSecurityIdentifier}} added to your SCEP certificate SAN asap. Relevant article here.

[-]

bu3nno@reddit

I've done this but still can't authenticate with the issued certificate. Does this work for you?

[-]

RiceeeChrispies@reddit

I’m the person from your r/Intune post, yes it works for me.

[-]

bu3nno@reddit

So you are :D

As you can tell, I still can't get this to work, despite the certificate showing the new SID.

[-]

RiceeeChrispies@reddit

Yeah, admittedly I’m a bit bamboozled. The SID in the SAN should be all you need.

Did you try manually creating a Wi-Fi profile on the endpoint to map the certificate to?

[-]

bu3nno@reddit

How do you define the certificate to use? I've tried but there doesn't appear to be a way to select my client authentication cert.

[-]

RiceeeChrispies@reddit

If you're using Windows 11, go to Settings --> Network & Internet --> Wi-Fi --> Manage Known Networks and then 'Add Network'.

Grab the thumbprint of your certificate (in mmc.exe) and put that in the 'Trusted certificate thumbprints' field.

[-]

bu3nno@reddit

Thanks. I'm still unable to authenticate, however looking at NPS logs I can see that the user SID is null. I think I need to understand why this is, and hopefully this puts me onto the right path towards a fix.

[-]

RiceeeChrispies@reddit

That’s interesting, especially if the SID in the SAN of the cert matches up. I would expect to see the user mapped.

If that’s the same message you see when authenticating with your Intune profile, I think you’re going in the right direction.

What you need to definitely make sure of is that you have UPN listed in subject name, and also as a SAN. I had an issue where it didn’t map due to UPN not also being in the SAN.

[-]

bu3nno@reddit

Can you give me an example of the subject name format? I currently have mine set to CN={{UserName}},E={{EmailAddress}}

[-]

RiceeeChrispies@reddit

CN={{UserPrincipalName}}, that’s all.

[-]

bu3nno@reddit

I meant to ask, are you using on-prem PKI or CloudPKI?

[-]

RiceeeChrispies@reddit

ADCS PKI, traditional SCEP issuance w/ NDES

[-]

bu3nno@reddit

Same issue unfortunately =(

[-]

FearAndGonzo@reddit

Anyone got a script that checks for the warning event IDs in the event logs for this?

[-]

IveGot10Toes@reddit

Check this PowerShell script out.

Make sure the regkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\StrongCertificateBindingEnforcement is set to 1 (audit) at minimum so the events can be logged.

[-]

EggarTheBug@reddit

Documentation also indicates that if the key doesn't exist, then its considered a 1 (compatability) as default

[-]

RiceeeChrispies@reddit

If you're using Intune, make sure you get the variable {{OnPremisesSecurityIdentifier}} added to your SCEP certificate SAN asap. Relevant article here.

[-]

CrimPhoenix@reddit

I haven’t ruled it out yet, but we might be having potential issues with this coupled with our HYPR certificates. Wanted to ping to see if any other HYPR customers are seeing issues after installing.

[-]

ceantuco@reddit

thankfully we do not use certificate based authentication.... we use good ol' user name and password lol

[-]

joshtaco@reddit

I don't remember inviting any shadows into my house...ready to push these out to 11,000 PCs/servers tonight

[-]

sysadmin_dot_py@reddit

Microsoft just posted a Windows Health Advisory on SgrmBroker. They're stating it hasn't been in use in a very long time and they're removing it from Windows. For now, they say it can be disabled. They say do not start it or try to remove it manually.

[-]

Lando_uk@reddit

Hi, do you have a link to to info please?

[-]

joshtaco@reddit

Windows Health Advisory on SgrmBroker

Link to this? Not seeing it anywhere

[-]

Immortal_Elder@reddit

All I can say is, thank GOD for Reddit! I usually play the waiting game for a week or so, since I'm a one-man army, just sitting back to see what’s going to break next. It's like a reality show, but with more software and fewer dramatic confessionals!

[-]

way__north@reddit

I like to wait a couple days to a week with my DC's. That saved me some work when the jan 23 updates caused boot loops.

Otherwise, I start with some less important stuff before pushing out to the rest of the servers

[-]

DeltaSierra426@reddit

I can't really disagree except that Microsoft says patch DC's before clients. Basically, this means patch just a few DC's, wait a bit, and then move on to the rest when you think you're in the clear.

[-]

way__north@reddit

Microsoft says patch DC's before clients

never heard of before, got any links?

[-]

DeltaSierra426@reddit

I'm sorry, I misspoke. Microsoft doesn't directly say this -- at least not from what I could find either. Instead, it's inferred from the fact that domain authentication could break when clients have registry changes, vulnerability fixes and mitigations, and other updates related to authentication that domain controllers don't have. In recent times, this can be updates to certificate handling, PAC validation, kerberos, NETLOGON, and others.

Darnit though, I'd almost swear that I saw that or heard it somewhere and right from the horse's mouth... though maybe it was a security SME, Microsoft MVP, etc.

[-]

SysSorcerer@reddit

...idk, i've seen some dramatic confessionals on here. haha. jk.

[-]

1grumpysysadmin@reddit

It's true... this place does have its share of confessionals.

[-]

ceantuco@reddit

Win 10 machines showing this error. Win 11 machines have the SgrmBroker.exe service disabled.... wonder if it was disabled after installing the update or before bleh.

[-]

Lando_uk@reddit

Yet to update, but System Guard Runtime Monitor Broker seems to be disabled on all my systems anyway.

[-]

joshtaco@reddit

Interesting

[-]

smarthomepursuits@reddit

Results? I rely on a good Joshtaco rollout.

[-]

FCA162@reddit

Can someone help me identify the shadows...?
It sounds like we're ready for an exciting new year! 🚀 Pushing this update out to 200 Domain Controllers (Win2016/2019/2022) in coming days.

[-]

cbiggers@reddit

EDIT1: Installing CU .NET (KB5050187) took a very long time to install (>1H), while install KB5049983 was pending ...

Seeing the same thing, on both virtual and physical hardware.

[-]

Trooper27@reddit

Let's go!!!

[-]

ceantuco@reddit

lets do it!

[-]

sinnyc@reddit

gif

[-]

epsiblivion@reddit

fixes for 24h2 worth upgrading now?

[-]

raphael_t@reddit

It still breaks 802.1x, we are in a support case for around 2 months now

The workaround we got works partially, but we pointed down the issue to the docking stations ourselves last week.

No movement from Microsoft to implement the highly necessary fix into their feature updates. Fun times ahead for everyone with NAC

[-]

RiceeeChrispies@reddit

We've been gradually rolling out to prod, it's okay.

It's not okay if you are using Remote Credential Guard though, it's still broken for double-hop auth. Very bad if you are Passwordless/WHFB.

[-]

mwerte@reddit

On ~10% of our machines it completely breaks the networking stack. Another 10% it makes unbearably slow and the only fix is to revert back to 23H2 for both issues.

[-]

RiceeeChrispies@reddit

That’s strange, what are you using for auth? I know PEAP and MSCHAP is very broken, but flawed and shouldn’t be used.

[-]

mwerte@reddit

Uhhhh, great question. How do I find out?

[-]

RiceeeChrispies@reddit

It should tell you in your Wi-Fi configuration profile (GPO/Intune) and/or Network Policies within NPS (if that's what you're running for RADIUS).

[-]

mwerte@reddit

Yeah we have a NPS server.

Extensible Authentication Protocol Method: Microsoft: Smart Card or other certificate OR Microsoft: Protected EAP OR Microsoft: Secured Password (EAP-MSCHAP v2)

But even if I create a new policy, under Authentication and AllowedEAP Types there's no EAP-TLS.

I need to change my flair back to "in way over my head" lol.

[-]

RiceeeChrispies@reddit

Obv test policy and group this...

Smart Card or other certificate, that's an EAP type. Remove PEAP and EAP-MSCHAPv2 as options - and remove all the 'less secure authentication methods' option. For Smart Card, select the relevant CA that is associated w/ the client certs you issue.

You then create a Wi-Fi policy, setup and target to EAP-TLS.

[-]

mwerte@reddit

I know we have a server that issues certificates for all devices, how do I make sure they're compatible?

[-]

RiceeeChrispies@reddit

If they have Client EKU and it's an AD integrated CA, you should be fine. Obviously, test it out with a test ring.

[-]

ceantuco@reddit

I have update a few production machines to 24H2 with no issues. I actually used the reg fix to upgrade a few Optiplexes 7010 to 24H2 and they are running without issues. am I lucky? lol

[-]

SmEdD@reddit

This issue was resolved in Nov, can confirm the fix as we are passwordless and use web login for shared devices.

That said the update bug the stopped you from updating to Nov or Dec builds was painful.

Note there still is an issue where some users need to hit some gn in twice for web login to appear.

[-]

RiceeeChrispies@reddit

The Remote Credential Guard double-hop definitely isn’t solved, are you sure you aren’t on bout the Web Sign-In issue with TAP on 24H2?

[-]

deltashmelta@reddit

Our rule of thumb for new windows 2xH2 updates is: 6mo minimum before bringing into testing to test for prod use.

New windows and server versions have a one year timer, before internal eval.

[-]

DeltaSierra426@reddit

CIS also recommends a 180-day wait in their Windows Benchmarks, which can be employed using Windows Update for Business policy. That said, we prefer a 120-day delay for feature updates as we're stuck on Pro licensing, not Enterprise.

[-]

ProfessionalITShark@reddit

Considering they release around October, and nothing is perfect first month. Second month and third month is holidays, so full dedicated work isn't really done until fourth month, which releases on fifth month.

Sixth month is just an extra shoring up, but yeah it makes sense.

If MS released these versions in the very begining og the year I'd only wait 3 months. But October releases? 5- 6 months.

[-]

deltashmelta@reddit

Pretty much. In no great hurry.
Enterprise feature releases have 36mo of support in Win11.

There are a number of times that feature updates don't make it to our prod till a year after release -- 23H2 was on that timetable, due to some standing issue in Win11.

[-]

ZAFJB@reddit

6mo minimum

Crazy. That is a whole six months of unnecessary risk.

[-]

marek1712@reddit

Pretty sure OP meant feature updates (like 23H2->24H2), not monthly patches.

Unless that was sarcasm from you and the joke flew over my head...

[-]

ceantuco@reddit

im currently testing it in Prodcution lol no issues so far.

[-]

Pure_Fox9415@reddit

On a 5th day after installation of this update on VM (vmware 8.0u2) after a few successful working days and reboots we`ve faced something like "CPU leack". Only on VM with windows and installed updates of 01/2025 consumes 100% CPU and a lot of GHz, with no reason, and there is no processes in task manager or resource monitor that consume (sum) more than 30%. Reboot of VM and host didn`t help. Removing update resolve situation as of now. We continue to monitor load, and I`ll write update on this later.

[-]

VinSkoh@reddit

Hello everyone,
I've noticed that since this patch we have the choice of upgrading all our computers to Windows 11, but we have a feature update on Intune that blocks these upgrades (which has always worked) :
Upgrade Windows 10 devices to Latest Windows 11 release : No

However, since this patch the user has the choice of upgrading. (screenshot)

Can you tell me if you've encountered a similar case? And if there's a way to block/hide this upgrade?

I found this registry key to hide the upgrade offer banner in windows update:
reg add “HKLM\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings” /v SvOfferDeclined /t REG_QWORD /d “1646085160366” /f

[-]

Ehfraim@reddit

Probably this one.. Microsoft is forcing Win11 even more: https://borncity.com/win/2025/01/19/microsoft-has-started-to-force-the-upgrade-to-windows-11-24h2-since-january-16-2025/

[-]

burger_yum@reddit

Pushed a small update out to a group of 35 desktops and 3 servers. So far no issues. Will pushout to the remaining 450 systems later.

[-]

TheMartinezF@reddit

I found the same problem with KB5049993 on Windows Server 2016. It seems to have been installed on a server but now I see that our wsus shows that it is not. :/

[-]

Better-Assumption-57@reddit

I've been having the same issue with KB5049993 on one server so far (still awaiting results from others since we didn't realize the SSU was a prereq). Tried both with Windows Update and from the MSU and it fails either way. Frustrating.

[-]

burger_yum@reddit

I'm kind of confused by it. I saw this post here about how you had to have KB5050109 installed before you can install the KB5049993. When I checked, we did have it installed, but still fails. I have left it for now. let me know if you find anything out about it.

https://www.reddit.com/r/SCCM/comments/1i21bp2/ssu_required_kb5050109_but_cu_kb5049993_not_until/

[-]

Better-Assumption-57@reddit

Yeah, that servicing stack update is needed before the OS even figures out that it can install that cumulative update, otherwise it doesn't think it's needed. I'm trying to chase down the specifics... for now I'm doing the usual stuff that Microsoft support always says (and rarely does anything) like an "sfc /scannow" or a "dism /online /cleanup-image /scanhealth" (and /restorehealth if needed).

SFC found nothing, all good. DISM found nothing, all good. I suppose it'll be time to install with the MSU again and see what the logs say, using the wusa.exe /log option.

[-]

CozyBear4006@reddit

Having the same issue with this KB on a server. Pre-req is installed, but now the download for KB5049993 forever sits at 0% downloading even though it tried to install twice.

[-]

Jost80@reddit

We have patched a few servers so far and on Windows Server 2022 we get alerts that the System Guard Runtime Monitor Broker service cant start. Fails with an access denied.

[-]

FCA162@reddit

This service was originally created for Microsoft Defender, but it has not been a part of its operation for a very long time.
This service has already been disabled in other supported versions of Windows, and SgrmBroker.exe presently serves no purpose.
The service can be safely disabled in order to prevent the error from appearing in Event Viewer.

[-]

Jost80@reddit

Sounds good. Is there any official documentation that confirms this? I havent found any.

[-]

Jost80@reddit

I posted this to soon. Checked my mailbox and had a mail from Microsoft confirming it.

[-]

Hauke12345@reddit

For us, KB5049983 is breaking kerberos. SAP Systems running on Windows Server 2022 can't start anymore because the SSO solution we use can't get it's kerberos ticket anymore.
Uninstalled KB5049983 - all good again.

[-]

Hauke12345@reddit

N Fri Jan 17 09:25:06:196 2025
N        GetUserName()="SAPServiceXXX"  NetWkstaUser="SAPServiceXXX"
N        GetUserNameEx(SamCompat)="NA\SAPServiceXXX"
N        GetUserNameEx(UserPrinc)="SAPServiceXXX@my.domain.com"
N  SncInit():   found snc/data_protection/max=1, using 1 (Authentication Level)
N  SncInit():   found snc/data_protection/min=1, using 1 (Authentication Level)
N  SncInit():   found snc/data_protection/use=1, using 1 (Authentication Level)
N  SncInit(): found  snc/gssapi_lib=E:\usr\sap\XXX\SYS\exe\gx64krb5.dll
N    File "E:\usr\sap\XXX\SYS\exe\gx64krb5.dll" dynamically loaded as GSS-API v2 library.
N    The internal Adapter for the loaded GSS-API mechanism identifies as:
N    Internal SNC-Adapter (Rev 1.0) to Kerberos 5/GSS-API v2
N    FileVersionInfo: InternalName= GX64KRB5-Release, FileVersion= 1.0.9.2
N  SncInit():   found:    snc/identity/as=p:SAPServiceXXX@my.domain.com
N  *** ERROR => SncPAcquireCred()==SNCERR_GSSAPI  [D:/depot/bas/75 1465]
N        GSS-API(maj): No valid credentials provided (or available)
N        GSS-API(min): SSPI::AccSctx#1()==Logon attempt failed
N      Could't acquire ACCEPTING credentials for
N  
N      name="p:SAPServiceXXX@my.domain.com"
N    FATAL SNCERR -- Accepting Credentials:    "krb5"    (0x0002) not available!
N      (debug hint: default acceptor = "p:SAPServiceXXX@my.domain.com")
N  <<- SncInit()==SNCERR_GSSAPI
N           sec_avail = "false"
M  ***LOG R19=> ThSncInit, SncInitU ( SNC-000004) [thxxsnc.c    279]
M  *** ERROR => ThSncInit: SncInitU (SNCERR_GSSAPI) [thxxsnc.c    281]
M  in_ThErrHandle: 1
M  *** ERROR => SncInitU (step TH_INIT, thRc ERROR-SNC-OTHER ERROR IN SNC LAYER, action STOP_WP, level 1) [thxxhead.c   2805]

[-]

TundraIT@reddit

We saw this same issue. It does not seem related to the PAC enforcement. Not certain what is causing the issue.

[-]

J53151@reddit

So per posts below this update breaks System Guard Runtime Monitor Broker on all systems. Is this actively used by MS?

[-]

FCA162@reddit

No. This service was originally created for Microsoft Defender, but it has not been a part of its operation for a very long time.
This service has already been disabled in other supported versions of Windows, and SgrmBroker.exe presently serves no purpose.
The service can be safely disabled in order to prevent the error from appearing in Event Viewer.

[-]

joshtaco@reddit

we believe so and thus they should be fixing it in the optionals later this month...but who really knows at this point

[-]

Br3zzly@reddit

For the people having problem with the Service "System guard runtime monitor" (SgrmBroker.exe) not starting on servers:

Uninstalling the January 2025 Security Patch "KB5049983" and rebooting the server fixes the issue.

[-]

gt@reddit

do we need that service

[-]

FCA162@reddit

No. This service was originally created for Microsoft Defender, but it has not been a part of its operation for a very long time.
This service has already been disabled in other supported versions of Windows, and SgrmBroker.exe presently serves no purpose.
The service can be safely disabled in order to prevent the error from appearing in Event Viewer.

[-]

burger_yum@reddit

Lots of people are reporting this issue. I did read somewhere in one of the posts that it had to do with something being depreciated but not fully removed properly in the latest patches. people are saying that removing KB5049983 is solving their issue. it doesn't sound like it's a major issue leaving it though.

System Guard Runtime Monitor Broker (SgrmBroker.exe) is a service created by Microsoft that has been built into the core operating system since Windows 10 version 1709 and it is a part of Windows Defender System Guard. (Source: https://www.minitool.com/news/system-guard-runtime-monitor.html)

[-]

pede1983@reddit

They released some new Information:
WI982633 WI982632

As some already stated it, it´s not need and you could disable the service.

....
1) Open a Command Prompt window. This can be accomplished by opening the Start menu and typing 'cmd'. The results will include “Command Prompt” as a System application. Select the arrow to the right of “Command Prompt” and select “Run as administrator”.

2) Once the window is open, carefully enter the following text:

sc.exe config sgrmagent start=disabled

3) A message may appear afterwards. Next, enter the following text:

reg add HKLM\System\CurrentControlSet\Services\SgrmBroker /v Start /d 4 /t REG_DWORD

4) Close the Command Prompt window.

...

[-]

Therealshakira@reddit

Seems like KB5049983 breaks the "System Guard Runtime Monitor Broker" service.

[-]

FCA162@reddit

This service was originally created for Microsoft Defender, but it has not been a part of its operation for a very long time.
This service has already been disabled in other supported versions of Windows, and SgrmBroker.exe presently serves no purpose.
The service can be safely disabled in order to prevent the error from appearing in Event Viewer.

[-]

Jazzlike-Love-9882@reddit

As suspected, can be safely ignored. As per MS:

“SgrmBroker.exe refers to the System Guard Runtime Monitor Broker Service. This service was originally created for Microsoft Defender, but it has not been a part of its operation for a very long time. Although Windows updates released January 14, 2025 conflict with the initialization of this service, no impact to performance or functionality should be observed. There is no change to the security level of a device resulting from this issue. This service has already been disabled in other supported versions of Windows, and SgrmBroker.exe presently serves no purpose.

Note: There is no need to manually start this service or configure it in any way (doing so might trigger errors unnecessarily). Future Windows updates will adjust the components used by this service and SgrmBroker.exe. For this reason, please do not attempt to manually uninstall or remove this service or its components.

Workaround: No specific action is required, however, the service can be safely disabled in order to prevent the error from appearing in Event Viewer. To do so, you can follow these steps:

1) Open a Command Prompt window. This can be accomplished by opening the Start menu and typing ‘cmd’. The results will include “Command Prompt” as a System application. Select the arrow to the right of “Command Prompt” and select “Run as administrator”. 2) Once the window is open, carefully enter the following text: sc.exe config sgrmagent start=disabled 3) A message may appear afterwards. Next, enter the following text: reg add HKLM\System\CurrentControlSet\Services\SgrmBroker /v Start /d 4 /t REG_DWORD 4) Close the Command Prompt window.

This will prevent the related error from appearing in the Event Viewer on subsequent device start up. Note that some of these steps might be restricted by group policy set by your organization.

Next steps: We are working on a resolution and will provide an update in an upcoming release.”

[-]

Therealshakira@reddit

Is this public somewhere?

[-]

FCA162@reddit

M365 Admin Center: WI982633

[-]

Jazzlike-Love-9882@reddit

Received it by email. Haven’t checked but am assuming you’d be able to find it via the M365 Admin Center, think that’s where I subscribed to their ‘Windows Release Health’ notifications.

[-]

Tier2_Pleb@reddit

Yeah I'm having the same issue on Server 2022 after the latest update, hopefully it's not a super critical service.

[-]

Suspicious-Tear6508@reddit

It looks to break the service on both Server 2019 and Server 2022

[-]

Suspicious-Tear6508@reddit

I've just tested the update on a brand new install (i.e. with no other software) and it does the same. Makes you wonder how this passed any testing at all...

[-]

Waste_Monk@reddit

Makes you wonder how this passed any testing at all...

Microsoft quality control operate under the Ostrich protocol

[-]

ceantuco@reddit

we are the testers.

[-]

Volidon@reddit

Makes you wonder how this passed any testing at all...

Easy, it installed and ignore all errors

[-]

welcome2devnull@reddit

Same issue here on a W10 22H2 - service doesn't start anymore.

[-]

yankeesfan01x@reddit

KB5049981?

[-]

welcome2devnull@reddit

Yes, installed in the morning together with .NET Framework Update, reboot, System Guard Rumtime Monitor Broker doesn't start anymore

[-]

satsun_@reddit

In the System event log I'm seeing:
The System Guard Runtime Monitor Broker service terminated with the following error:
General access denied error

Found this reddit thread showing that the service is apparently related to MS Defender and is deprecated:
https://www.reddit.com/r/WindowsHelp/comments/177nfbg/the_service_system_guard_runtime_monitor_broker/

Perhaps they intend for it to be gone and didn't cleanly remove it.

[-]

Jazzlike-Love-9882@reddit

Have applied the update on a pilot group, and my two Server 2022 guinea pigs have this issue yep.

[-]

FCA162@reddit

MS Windows release health:
Event Viewer displays an error for System Guard Runtime Monitor Broker service. (SgrmBroker.exe)

Status: Mitigated
Affected platforms: Win10, 22H2 (KB5049981) & Windows Server 2022 (KB5049983)

The Windows Event Viewer might display an error related to SgrmBroker.exe, on devices which have installed Windows updates released January 14, 2025 (the Originating KBs listed above) or later. This error can be found under Windows Logs > System as Event 7023, with text similar to ‘The System Guard Runtime Monitor Broker service terminated with the following error: %%3489660935’.

This error is only observable if the Windows Event Viewer is monitored closely. It is otherwise silent and does not appear as a dialog box or notification.

SgrmBroker.exe refers to the System Guard Runtime Monitor Broker Service. This service was originally created for Microsoft Defender, but it has not been a part of its operation for a very long time. Although Windows updates released January 14, 2025 conflict with the initialization of this service, no impact to performance or functionality should be observed. There is no change to the security level of a device resulting from this issue. This service has already been disabled in other supported versions of Windows, and SgrmBroker.exe presently serves no purpose.

Note: There is no need to manually start this service or configure it in any way (doing so might trigger errors unnecessarily). Future Windows updates will adjust the components used by this service and SgrmBroker.exe. For this reason, please do not attempt to manually uninstall or remove this service or its components.

Workaround: No specific action is required, however, the service can be safely disabled in order to prevent the error from appearing in Event Viewer. To do so, you can follow these steps:

1) Open a Command Prompt window. This can be accomplished by opening the Start menu and typing 'cmd'. The results will include “Command Prompt” as a System application. Select the arrow to the right of “Command Prompt” and select “Run as administrator”.

2) Once the window is open, carefully enter the following text:

sc.exe config sgrmagent start=disabled

3) A message may appear afterwards. Next, enter the following text:

reg add HKLM\System\CurrentControlSet\Services\SgrmBroker /v Start /d 4 /t REG_DWORD

4) Close the Command Prompt window.

This will prevent the related error from appearing in the Event Viewer on subsequent device start up. Note that some of these steps might be restricted by group policy set by your organization.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

[-]

mike-at-trackd@reddit

1 of 2 because Reddit hates my comment?

\~\~ January 2025 Microsoft Patch Tuesday Damage Report \~\~

** 72 hours later **

Whelp, this month’s been a chatty one so far. We even have one report of Blue Screens of Death popping up. Of note though, we have two reports of local Windows authentication services causing disruptions (Kerberos and Local Security Authority Process), and System Guard runtime Monitor Broker Service not running after updates (this service protects the operating system from malicious code execution).

Some other mildly annoying disruptions have been reported as well, so certainly not a home run we were expecting to kick off the new year.

No disruptions detected or reported on the trackd platform.

[-]

mike-at-trackd@reddit

2 of 2 because Reddit hates my comment?

\~\~ January 2025 Microsoft Patch Tuesday Damage Report \~\~

** 72 hours later **

Windows 11

Microsoft Teams no longer starting automatically/disappearing altogether

Server 2022

Server 2016

Office 365 apps crashing (has since been fixed)

Miscellaneous

[-]

AforAnonymous@reddit

Nobody gonna talk about the Outlook zero click OLE exploit? https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-21298

[-]

H3ll0W0rld05@reddit

Was wondering the same...That has the biggest attention at my place.

[-]

AforAnonymous@reddit

There's a glitch in the ODT CDN it seems, think MSFT forgot to mark the version number as latest, only way to get it rn seems to be manually forcing the version number inside the xml, but even then it doesn't provide the x64.cab. You get the x64_versionsstring.cab tho which one can copy and rename (hashes are always identical) to get it to work, but that's ridiculous workaround. Without that, for Current channel, it's stuck on the December update. (not even the early January build!)

[-]

AforAnonymous@reddit

Update: Yesterday's new build seems to have fixed that issue

[-]

ZAFJB@reddit

Patch is there. What do you need to know?

[-]

AforAnonymous@reddit

There's a glitch in the ODT CDN it seems, think MSFT forgot to mark the version number as latest, only way to get it rn seems to be manually forcing the version number inside the xml, but even then it doesn't provide the x64.cab. You get the x64_versionsstring.cab tho which one can copy and rename (hashes are always identical) to get it to work, but that's ridiculous workaround. Without that, for Current channel, it's stuck on the December update. (not even the early January build!)

[-]

AforAnonymous@reddit

Update: Yesterday's new build seems to have fixed that issue

[-]

joshtaco@reddit

it's patched...so why are you acting like it isn't?

[-]

AforAnonymous@reddit

There's a glitch in the ODT CDN it seems, think MSFT forgot to mark the version number as latest, only way to get it rn seems to be manually forcing the version number inside the xml, but even then it doesn't provide the x64.cab. You get the x64_versionsstring.cab tho which one can copy and rename (hashes are always identical) to get it to work, but that's ridiculous workaround. Without that, for Current channel, it's stuck on the December update. (not even the early January build!)

[-]

AforAnonymous@reddit

Update: Yesterday's new build seems to have fixed that issue

[-]

ceantuco@reddit

sorry I've been under a rock for the past 12 hours dealing with data storage issues. Has this CVE been patched or do we have to apply the workaround regardless? Thanks!

[-]

ZAFJB@reddit

It is in the Tuesday release see: https://msrc.microsoft.com/update-guide/releaseNote/2025-Jan

[-]

ceantuco@reddit

thanks! :)

[-]

firsmode@reddit

Fortinet Released Security Updates to Fix 15 Vulnerabilities That Affect Multiple Products
2025-01-14 17:29:29Z on CyberSecurityNews.com

Fortinet has released a security update with the fixes for 15 vulnerabilities that affect multiple products with distinct security issues, ranging from critical to high severity. Among the most severe issues resolved is a critical vulnerability (CVE-2024-55591) affecting FortiOS and FortiProxy. This flaw could potentially allow authentication bypass, posing a significant risk to affected systems. […]

The post Fortinet Released Security Updates to Fix 15 Vulnerabilities That Affect Multiple Products appeared first on Cyber Security News.

CyberSecurityNews.com Article

[-]

ARPG_Hobby32@reddit

Don't ignore this one guys - also make sure we're not exposing our management interfaces to the internet as well...

[-]

Fallingdamage@reddit

Yeah. I patched our Fortigate within about 6 hours of new patches being available. Our usual background noise on listening services is ~80-150 probes/attempts a day. The last two days my deny policy has hit 20k+ every 24 hours. Attackers are really hoping to find someone who isnt paying attention.

[-]

nachodude@reddit

Is it me, or 7.0.17 does not show up on the support portal yet?

[-]

ARPG_Hobby32@reddit

I've been refreshing all morning. It's not available. Amazing.

[-]

OldAppointment6115@reddit

So, testing is not going so well here. We have 4 Active Directory Forests, 3 non-Prod, 1 Prod.
Due to the failures we’re seeing, we’re holding off on any Prod machines. Currently waiting for response from Microsoft. Strange thing, the failures we’re see match pretty closely to errors from Jan of 2022.

Testing Jan patches in first non-Prod environment (Lab) - 4 DCs total (Server 2022) in 2 AD Sites.
-All DCs are Server 2022 VMs on Hyper-V -DC1, DC3, and DC4 restarting every view minutes - Often times the DCs restart all at the same time. -DC2 (PDCE) - not affected -No member servers or Workstations affected

-Event logs show 2-3 Kerberos errors before initiating a restart - Source LSA (LsaSrv) - EventID 5000 “The security package Kerberos generated an exception. The exception information is the data.

-Source Application Error Event ID 1000 Faulting application name: lsass.exe, version: 10.0.20348.3089, time stamp: 0x343412e1 Faulting module name: LSAADT.dll, version: 10.0.20348.3089, time stamp: 0xc0ebf479 Exception code: 0xc0000005 Fault offset: 0x000000000002022b Faulting process id: 0x330

-Then the system restarts The process wininit.exe has initiated the restart of computer DC3 on behalf of user for the following reason: No title for this reason could be found Reason Code: 0x50006 Shutdown Type: restart Comment: The system process ‘C:\Windows\system32\lsass.exe’ terminated unexpectedly with status code -1073741819. The system will now shut down and restart.

-Another error A critical system process, C:\Windows\system32\lsass.exe, failed with status code c0000005. The machine must now be restarted.

-Removed KB5049983 from DC3 stops the errors and restarts -DC1 and DC4 continue to restart -Removed KB5049983 from DC1, both DC1 and DC4 stopped restarting! DC4 still had KB5049983 installed -Reinstalled KB5049983 on DC1, both DC1 and DC4 began restarting once again -Removed KB5049983 from DC1 and DC4 and no issues overnight

Notes: -In DEV environment, non-Change controlled, all DCs patched, no issues -In second non-Prod environment(Test) 6 of 14 DCs patched - no issues -New software only existing in LAB, Splunk Universal Forwarder and Microsoft Defender for Identity -Also noticed in LAB, Secure boot issues, “Event 1796 - The Secure Boot update failed to update a Secure Boot variable with error The parameter is incorrect..”

[-]

KlaasKaakschaats@reddit

Deployed to 50 test servers, all seems to work fine (Server 2016/2019/2022 and 2025). However we have an issue that Office 2016 patches that are deployed (and show required) are not showing in Software Center. Doesn't matter which OS it is running (Win 11 24H2 or Server 2022). Anyone else notices this?

Patches for LTSC 2024 are working from the same deployment but not the Office 2016 updates.

[-]

MyWorkAccountShhh@reddit

Patching our 2016 servers the CU didn't show up until after the 2016 Servicing Stack Update was installed, so 2016 took rounds to finish up.

[-]

sp00nd@reddit

Praying for Kerberos fixes on server 2025.

https://gitlab.freedesktop.org/realmd/adcli/-/issues/40

[-]

gabrielgbs97@reddit

Issue still observed on WS2025 with 01-2025 patch.

[-]

Kuipyr@reddit

They didn't fix the remote guard issue so I doubt it. They've got auth all jacked up on 24H2/2025.

[-]

RiceeeChrispies@reddit

Pushing passwordless but breaking key functionality, cheers Microsoft.

[-]

Kuipyr@reddit

Strange thing I discovered though, If I run "klist get krbtgt/AD.DOMAIN.COM" it will throw an error, but I am able to access share drives again. Accessing SYSVOL still fails though.

[-]

TheGreatAutismo__@reddit

Nothing has been listed on here so I doubt it. I'm still waiting for some acknowledgement of the Alt+Tab and Windows Snap keys not working on Server Core 2025.

https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2025

[-]

CeC-P@reddit

They added a UI to 2025? lol

[-]

DevonshireCreamTea1@reddit

2025-01 Cumulative Update for Windows 11 Version 24H2 for x64-based Systems (KB5050009) fails to install with 0x800f081f

Only blocker is this:

2025-01-16 13:00:34, Info CBS Exec: Processing complete. Session: 31156246_255523150, Package: Microsoft-Windows-Client-LanguagePack-Package\~31bf3856ad364e35\~amd64\~en-GB\~10.0.26100.1, Identifier: Language Pack [HRESULT = 0x800f081f - CBS_E_SOURCE_MISSING]

[-]

FCA162@reddit

The version of the missing package is 10.0.26100.1, which refers to the RTM release and can not be fixed with the standard tools dism, sfc, ...

BUT you can try to run this .ps1 file in an admin PowerShell, reboot the device and reapply the Patch Tuesday KB.
It has already helped many people.

Patch Tuesday Megathread (2024-09-10) : r/sysadmin

[-]

FCA162@reddit

If this trick does not work.
Try this one: add an additional language pack e.g. en-US. Uninstall the existing language pack, in your case en-GB, reboot and reinstall the en-GB language pack.

[-]

DevonshireCreamTea1@reddit

Thanks for that. First one went further but was still failing on another package. Tried the second one this morning but didn't have much success as well.

Clean installed using latest media and all seems well now

[-]

Grizfisher@reddit

New report from Feedly. It's auto-generated within min of Microsoft's release and updated in real-time with new information from the Web. It's downloadable and free. https://feedly.com/cve/security-advisories/microsoft/2025-01-14-january-2025-patch-tuesday-10-critical-vulnerabilities-amid-159-cves

Click on any CVE for more details.

[-]

FCA162@reddit

Great resource. Thank you for notifying us !

[-]

workaccountandshit@reddit

Is that a fucking Duvel? Great taste

[-]

TheLostITGuy@reddit

Oh I like feedly. Thats kinda neat. Thanks for sharing.

[-]

MarkTheMoviemaniac@reddit

We ran into the issue with Office 365 apps crashing on one of our Server 2016 servers.
Many of you probably already are aware of this but Microsoft's solution was to revert back to the previous version from Dec 2024. Had to turn off Updates as well for the apps. Those of us who have run into this, may just want to double check your version of Office after updating to make sure MS didn't do some crazy thing like update Office anyway.
As far as I have read rolling back is the only solution from MS. The Build should be Version 2411 (Build 18227.20162)
I know how MS likes to sometimes auto enable things with patches even if you choose not to have them update so, just a friendly reminder.

[-]

pede1983@reddit

Version 2412: January 16

Version 2412 (Build 18324.20194)

Office Suite

We fixed an issue where apps would exit unexpectedly when running on Windows Server 2016.Version 2412: January 16 Version 2412 (Build 18324.20194) Office Suite We fixed an issue where apps would exit unexpectedly when running on Windows Server 2016.

https://learn.microsoft.com/en-us/officeupdates/update-history-microsoft365-apps-by-date

[-]

skipITjob@reddit

FYI:
Microsoft 365 Apps is supported on Windows Server 2016 until October 2025.

Windows Server end of support and Microsoft 365 Apps - Microsoft 365 Apps | Microsoft Learn

[-]

wrootlt@reddit

We have this issue on AWS workspaces (VDI, Windows Server 2016) since Friday or so. So far maybe 50 users affected our of 800 or so. Well, all are affected, but many don't use Office or haven't noticed or reported. There is actually one "better" workaround, to replace react-native-win32.dll with one from that previous version. Then you can stay on latest version and check for updates is not replacing it. Of course, this dll might be important and cause issues in the future, so i personally don't like this approach. We are for now rolling back to previous or upgrading users to new workspaces with 2022 version. MS support said rolling back is the only option and that they might turn on automatic rollback and postpone of latest version for that OS. But who knows if this is true or when they will do it. Still getting a few tickets every day.

[-]

MarkTheMoviemaniac@reddit

Always great when Microsoft breaks its own stuff. Thanks for the alternative suggestion.

[-]

J53151@reddit

Anyone having an issue with Jan .NET 3.5/4.81 update stalling? Multiple similar computers I had to force shut off after leaving it sit for 50 minutes. Installs fine on reboot.

I also noticed there are two instances of the Jan update showing.

[-]

joshtaco@reddit

no, but some did need a second reboot

[-]

philrandal@reddit

Server 2022, .Net update stalled at 0%.

After a reboot, the server 2022 CU wouldn't install.

All fine after a repair install.

[-]

Zaphod_The_Nothingth@reddit

I'm not sure if Microsoft has changed something this month, but I'm seeing my computer groups in WSUS apparently being ignored by the CUs. I've approved installation to my Pilot and Test groups, but it seems to be installing on all workstations.

KB5050021 is approved for 30 machines, and is installed on 202 so far.

Anyone else?

[-]

FCA162@reddit

Microsoft EMEA security briefing call for Patch Tuesday January 2025

The slide deck can be downloaded at aka.ms/EMEADeck (not yet available)

The live event starts on Wednesday 10:00 AM CET (UTC+1) at aka.ms/EMEAWebcast.

The recording is available at aka.ms/EMEAWebcast.

The slide deck also contains worth reading documents by Microsoft.

What’s in the package?:

A PDF copy of the EMEA Security Bulletin Slide deck for this month
ESU update information for this month and the previous 12 months
MSRC Reports in .CSV format, for this month’s updates including detailed FAQ’s and Known Issues data.
Microsoft Intelligence Slide
A Comprehensive Handbook on "Navigating Microsoft Security Update Resources" !

Also included in the downloadable package are handy reference reports produced using the MSRC Security Portal PowerShell Developer Functionality: https://portal.msrc.microsoft.com/en-us/developer

January 2025 Security Updates - Release Notes - Security Update Guide - Microsoft

[-]

yankeesfan01x@reddit

Is there a North American call scheduled?

[-]

immewnity@reddit

There is, takes place through EventBuilder - not sure how to get on the email list though

[-]

FCA162@reddit

Not that I know of.

[-]

FCA162@reddit

Enforcements / new features in this month’ updates

KB5037754: PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056 | Enforced by Default Phase:

Updates released in or after January 2025 will move all Windows domain controllers and clients in the environment to Enforced mode. This mode will enforce secure behavior by default. This behavior change will occur after the update changes the registry subkey settings to PacSignatureValidationLevel=3 and CrossDomainFilteringLevel=4.
The default Enforced mode settings can be overridden by an Administrator to revert to Compatibility mode.

April 8, 2025: Enforcement Phase: The Windows security updates released in or after April 2025, will remove support for the registry subkeys PacSignatureValidationLevel and CrossDomainFilteringLevel and enforce the new secure behavior. There will be no support for Compatibility mode after installing the April 2025 update.

Reminder: Upcoming Updates/deprecations

February 2025

KB5014754 Certificate-based authentication changes on Windows domain controllers (CVE-2022-34691, CVE-2022-26931 and CVE-2022-26923) | Full enforcement
Unless updated to Audit mode or Enforcement mode by using the StrongCertificateBindingEnforcement registry key earlier, domain controllers will move to Full Enforcement mode when the February 2025 Windows security update is installed. Authentication will be denied if a certificate cannot be strongly mapped. The option to move back to Compatibility mode will remain until September 2025. After this date, the StrongCertificateBindingEnforcement registry key will no longer be supported.

April 2025

KB5037754: PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056 Enforcement Phase: The Windows security updates released in or after April 2025, will remove support for the registry subkeys PacSignatureValidationLevel and CrossDomainFilteringLevel and enforce the new secure behavior. There will be no support for Compatibility mode after installing the April 2025 update.

[-]

finalpolish808@reddit

When applying updates through SCCM, and choosing the option to apply all updates possible within a 1 hour window, has anyone got the .NET and OS security updates to apply in series, then only require one reboot? We have either seen a mandatory reboot after .NET, or no reboot but failed OS update after .NET before reboot. Users are upset that a "batch" of MS updates is requiring multiple reboots. They expect Adobe and others to require separate reboots, but not MS in the same release batch.

[-]

Moru21@reddit

You can’t reasonably control how fast the instance installs the patches.

[-]

finalpolish808@reddit

Oh for sure; that one hour thing is just a setting within the SCCM client and even though these updates apply quickly, they are still requiring their own reboots.

[-]

joshtaco@reddit

tell em to shut up

[-]

DanielArnd@reddit

Anyone else missing the outlook signature text appears blank / labels missing? Monthly enterprise channel.

[-]

Nervous-Equivalent@reddit

Yeah I've had signature issues since updating to 18324.20190 on Current Channel.

[-]

Master_Tiger1598@reddit

Yes, noticed this today.

[-]

DanielArnd@reddit

Any known solution to this?

[-]

HeroesBaneAdmin@reddit

I did some research. This bug only effects Office 2411, and is resolved in 2412. So it should be fixed in next months patch for people on Enterprise Channel. There is a strange fix if you cannot wait. Putting parentheses ( ) around the signature title. Explained by "Colin Chow1" in this Microsoft Community thread
outlook signature drop down showing blank - Microsoft Community

[-]

joshtaco@reddit

no

[-]

yankeesfan01x@reddit

I've seen this happen in the past and I don't think Microsoft has addressed it. I've manually updated Office and/or installed Windows patches, rebooted, and then the Outlook signature was not showing on new email. It doesn't completely remove the signature as in when you click new email then insert the custom sig is still listed it's just not applying to new email.

[-]

HeroesBaneAdmin@reddit

Are you running a Signature plugin? One of my clients is running one, so I was wondering if it was an issue with their outlook plugin or just vanilla outlook with no signature plugins?

[-]

ceantuco@reddit

Updated test 2016 and 2019 servers. I noticed that 2019 servers running on Vmware show the message below after rebooting:

User hive is loaded by another process (Registry Lock) Process name: C:\Windows\System32\svchost.exe

rebooted a few more times and the error has not come up again.

Updated test Win 10 and Win 11 workstations without issues.

[-]

1grumpysysadmin@reddit

I have Windows 11 24H2 bugs I am hoping are on the block of being addressed soon... including a scanner related issue.

Testbed as per normal: Windows Server 2016, 2019, 2022. Windows 11.

Just kicked off everything, hoping for nothing crazy.

[-]

MeanE@reddit

Reply if it fixes scanner issues please. It was supposed to last month but no luck for us.

[-]

1grumpysysadmin@reddit

I need to toss one of my problem users into my Day 1 group to see if it fixes it but we have a workaround from Fujitsu/Ricoh right now to get it to work. I'm hoping you're 100% spot on in our case as well.

[-]

BoneyT@reddit

Do you mind sharing the workaround?

[-]

MeanE@reddit

Fujitsu/Ricoh

https://fi-faq.pfu.ricoh.com/hc/en-us/articles/39468376902041-No-scanner-can-be-found-on-Windows-11-version-24H2-SX03047E

[-]

BoneyT@reddit

Thanks!

[-]

1grumpysysadmin@reddit

Thank you. I was just about to link that. It's an easy work around. It is just annoying as hell to deal with.

[-]

ceantuco@reddit

what issues are you experiencing?

[-]

1grumpysysadmin@reddit

Servers seem to be ok at this point. We'll monitor during rollout. Hoping no surprises happen.

[-]

asfasty@reddit

yup, was the first I noticed when downloads began... increases reboot time on this crappy server 2016 again :-)

[-]

Ashketchum1992316@reddit

after the update one of my VMs cant find the nic card now. anyone else have any issue like that? running hyper v windows server 2022

[-]

joshtaco@reddit

no

[-]

ARPG_Hobby32@reddit

Am I stupid - Microsoft's patch notes says it contains improvements from last month's CU.. Since there was no preview patch and no notes, am I assuming there are just zero fixes for 24H2's laundry list of issues?

[-]

joshtaco@reddit

There is one patch note from updating the blocked drivers for BYOD policy. Nothing else

[-]

KindlyGetMeGiftCards@reddit

So they blocked the drivers better? Hmm, seems someone didn't code the patch correctly in the first place.

[-]

joshtaco@reddit

Not sure if you're understanding why they're doing it...

[-]

KindlyGetMeGiftCards@reddit

Sorry, no I don't know why, if there is an article I would love to read it.

[-]

joshtaco@reddit

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-vulnerable-driver-blocklist-sync-issue/

[-]

rollem_21@reddit

Using WSUS, Server 2016 the CU KB5049993, is showing 0 required, but the separate servicing stack KB5050109 for Jan is showing 46 2016 servers that require it. Is anyone else seeing this ?

[-]

j8048188@reddit

Having this same thing on my Server 2016 systems. First round of updates installs .net and the servicing stack, then a reboot (because .net requires it), and then the Jan 2025 cumulative shows up. I'm running WSUS for update management.

[-]

eatfesh@reddit

Can confirm it's the same for us - our servers are getting updates via WSUS and the Server 2016's are not installing the CU (KB5049993) until the Servicing Stack Update KB5050109) is installed, requiring a second install/reboot task.

[-]

ARPG_Hobby32@reddit

Yeah mine is making us install the Servicing stack update before it will even show the CU as available (Action1 for us, not WSUS).

[-]

Easy_List658@reddit

Do you know if this is new behavior or has been doing this for awhile? We use NinjaOne to patch, and I could see this messing with the flow of patching during our change window.

[-]

ARPG_Hobby32@reddit

This is new behavior, at least for me. We're pretty new on Action1 but I am having to reboot servers twice to push updates this month.. Not ideal.

[-]

ahtivi@reddit

SSU installation should not require a reboot. I usually deploy SSU's s day or 2 before CU update schedule without restarting the servers (SCCM/WSUS)

[-]

jmbpiano@reddit

Can confirm. I haven't actually pushed it yet (that'll be tonight), but the restart behavior for the current 2016 SSU (KB5050109) is showing as "Never restarts" in WSUS.

[-]

calamarimeister@reddit

I have seen this before.... and its a pain. Not sure why MS has done it like this for this month. Whether it is a true requirement to install SSU first.. or they buggered up.

[-]

rollem_21@reddit

Ah that confirms it then cheers :)

[-]

L1ttleCr0w@reddit

Yep using Ivanti and seeing this behaviour, too
Used to be a standard thing on 2008, but haven't seen a Monthly cumulative have a prerequisite for the SSU in a very long time

[-]

PepperdotNet@reddit

Notes for 5049993 say that 5050109 is required for it to install so that would affect the detection too. Just approve both of them anyway.

[-]

the_lazy_sysadmin@reddit

I wonder if they split them this month. Try installing the SSU (shouldn't require a reboot, as far as I know, unless some things drastically changed), then try having that server with the SSU reach back out to WSUS and see if its showing as needed.

[-]

rollem_21@reddit

Thanks will do.

[-]

AspiringTechGuru@reddit

Let's see how we start our year

[-]

ceantuco@reddit

ugh not starting the year correctly. our SAN has issues and an internal component needs to be replaced. bleh

[-]

AspiringTechGuru@reddit

Oof, does it at least have dual controller?

[-]

ceantuco@reddit

it does but to replace the midplane the whole thing needs to be powered off lol

[-]

AspiringTechGuru@reddit

Well could be worse, at least it didn't cause any unplanned downtime. Planned downtime is better than unplanned downtime lol. We have a SAN for our cluster and we'd need to shut down half of our infra, would not be fun. There was one day where controller A was acting weird and a reboot fixed it, but I still don't know why it was acting weird.

[-]

ceantuco@reddit

ugh yeah! dealing with SANs get my stress level to the roof because of the potential of data loss. I am running a full backup tonight. will be replacing the component tomorrow morning. wish me luck!

hahaha yeah wonder if mine will be fixed with a reboot? IBM says otherwise lol

[-]

AspiringTechGuru@reddit

Can you restart a single controller? Never hurts to try. Good luck on the replacement!

[-]

ceantuco@reddit

what a cluster f*** that was.... but we finally back up and running after 10 hours down.

okay now I have to catch up to all patch tuesday messages lol

[-]

AspiringTechGuru@reddit

What went wrong with the replacement?

Also I pushed updates to ~100 devices, so far no issues (except my laptop, it’s always our stuff or C-suite stuff, am I right lol)

[-]

ceantuco@reddit

the replacement part seemed to be defective but it took support a long time after troubleshooting to come up with that conclusion. Weird enough, we installed the old part back and the errors went away lol not complaining. i am happy we are back up.

Thanks for the update. I will probably update my test servers tomorrow and production sometime next week. I need a beer or 10 lol

[-]

ceantuco@reddit

since we have a contract with IBM, I am not going to touch it lol thanks man! wont sleep tonight thinking about tomorrow's replacement bleh

[-]

jamesaepp@reddit

Both of you please move this into a different thread/chat/whatever.

A megathread for the latest patching is not the correct place for such discussions and I (for one) prefer this thread to be strictly topical.

Yes, I recognize the irony in this comment. Necessary evils and that.

[-]

ceantuco@reddit

didn't know you were the reddit police... btw reddit was down

[-]

Mission-Accountant44@reddit

It's jamesaepp... He gets off on being the police in /r/sysadmin.

[-]

ceantuco@reddit

lol

[-]

jamesaepp@reddit

didn't know you were the reddit police

If I were the reddit police I wouldn't have said "please". ;)

[-]

ceantuco@reddit

haha

[-]

dtee403@reddit

Have a few users get a bluescreen when booting

[-]

AforAnonymous@reddit

Error code? Anything?

[-]

dtee403@reddit

I believe it was a rtwlane02.sys error

[-]

ejhall@reddit

Work at an MSP - we have two reports so far this morning of calculator disappearing/uninstalled/greyed out. Weird. Reinstalling from MS store worked. No GPOs and no restrictions on MS Store, the calc app was just gone. Just an FYI.

[-]

thedirtylimey@reddit

Several of my intune based kiosks have had their auto login reg key revert to 0 from 1 immediately after Jan updates. Anyone else seeing this?

[-]

ARPG_Hobby32@reddit

I've patched a bunch of 2016 and 2019 servers with no issues so far.

[-]

techvet83@reddit

Are these WinRE requirements new or just a summary of previous statements? We have never much messed with WinRE in our environment. From KB5050410: Windows Recovery Environment update for Windows Server 2022: January 14, 2025 - Microsoft Support:

IMPORTANT This update will not be offered if your Windows Recovery Environment (WinRE) meets any of the following conditions:

If the WinRE recovery partition does not have sufficient free space, see the NOTE in the "Summary" section. The note provides instructions about how to increase the available free space in the WinRE recovery partition.
If the WinRE recovery partition was manually updated by using the procedure in Add an update package to Windows RE and is already up to date.
If the WinRE image has a version greater than or equal to version 10.0.20348.3081. To determine the version of your WinRE image, check the WinREVersion registry value at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
If your running PC does not have a WinRE recovery partition. To verify if you have WinRE enabled, run the following command in an elevated command prompt: reagentc /info. If WinRE is enabled, you will see Windows RE status in the output with a value of Enabled. In this scenario, this update might be needed.

[-]

joshtaco@reddit

this has been a thing forever

[-]

iloose2@reddit

Cisco Identity Services Engine (ISE) supports certificate-based authentication with endpoints. Recent communication from Microsoft indicates that there have been changes in the Windows behavior that mitigates certificate spoofing. These changes will impact Cisco ISE authentication capabilities. Certificate-based logins will fail for users or devices on the local Active Directory and integration with Microsoft Intune Mobile Device Management (MDM) when Windows enforces strong mapping on February 11, 2025.

https://www.cisco.com/c/en/us/support/docs/field-notices/742/fn74227.html

[-]

iamnewhere_vie@reddit

"Recent communication from Microsoft" - they mean the change announced in 2022/2023? :D

[-]

Geh-Kah@reddit

Patched 250 server 2016/2019/2022 and two 2025 just seven hrs ago. Around 300 win11 clients so far. Monitoring tells me good, everything up and running so far. Employees starting work in 2hrs. Ill be off for buying a used synology DS3617sxII with expansion NAS, cant wait to pick up those phones then 🤣

[-]

frac6969@reddit

Not sure bug or feature, but installing on Windows 11 24H2 test group. After restarting Teams wouldn't automatically start, and on one computer it disappeared and had to be reinstalled. Testing some more...

[-]

FCA162@reddit

Skilling snack: Hotpatch on Windows client and server

Hotpatch updates, now in public preview for Windows 11 Enterprise 24H2, enable immediate installation of security updates without device restarts, ensuring rapid protection and maintaining productivity, previously available only on Windows Server, with detailed reporting and prerequisites for virtualization-based security and ARM64 devices.

What’s new in Windows Autopatch: December 2024

Autopatch’s December 2024 update enhances reporting by expanding availability beyond Autopatch groups, introducing new quality and feature update reports with real-time compliance tracking, and integrating these features into Microsoft Intune.

[-]

CeC-P@reddit

It's 9:45 central and our patch management software is saying there are no new patched. I assume that's false?

[-]

belgarion90@reddit

It's not a Patch Tuesday thread without at least one person not knowing when the patches actually release.

[-]

CeC-P@reddit

If you're counting on Microsoft to do something consistently and correctly then you must be new here. I learn as little as possible about those morons and their trash systems because as soon as I do, they'll change it.

[-]

belgarion90@reddit

lol ok

[-]

Foofightee@reddit

They are not released yet, so it's accurate.

[-]

CeC-P@reddit

The heck are they waiting for? Thought it released at midnight eastern or something.

[-]

frac6969@reddit

10 AM PST.

[-]

belgarion90@reddit

The fact that that's noon CST is just further proof that Central Time is God's own time zone.

[-]

sinnyc@reddit

Microsoft Patience (TM)

[-]

spatch35@reddit

I was about to ask the same thing. Wanted to make sure the issue wasn't my WSUS...

[-]

FISKER_Q@reddit

Kiosk Mode still broken from https://old.reddit.com/r/sysadmin/comments/1hav717/patch_tuesday_megathread_20241210/m1n0qr5/ patch Tuesday, customshellhost.exe still crashing.

[-]

EsbenD_Lansweeper@reddit

Here is the Lansweeper summary and audit report. 159 New fixes, with 10 rated as critical and 3 exploited. The highlights being three exploited elevation of privilege vulnerabilities in Hyper-V, critical Microsoft Excel vulnerabilities and a critical Windows OLE RCE.

[-]

jaritk1970@reddit

Zdi blog https://www.zerodayinitiative.com/blog/2025/1/14/the-january-2025-security-update-review

[-]

jaritk1970@reddit

https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2025-patch-tuesday-fixes-8-zero-days-159-flaws/

[-]

beangreen@reddit

Be aware of a potential issue with 2019 and 2022 servers with Citrix on when installing the Jan 2025 OS updates.

Easy workaround:

https://support.citrix.com/s/article/CTX692505-microsofts-january-security-update-failsreverts-on-a-machine-with-2411-session-recording-agent?language=en_US

Other than that, looks like a normal month o' updates.

[-]

Automox_@reddit

First 2025 Patch Tuesday! Here's what we think you should pay special attention to:

CVE-2025-21293: Active Directory Domain Services Elevation of Privilege Vulnerability

This impacts Active Directory Domain Services by allowing attackers to escalate their privileges if exploited.

CVE-2025-21335, CVE-2025-21333, and CVE-2025-21334: Hyper-V Elevation of Privilege Vulnerabilities

Attackers exploiting these may gain elevated privileges if they access guest systems and execute code.

Read our analysis here or listen to our podcast here! Patch regularly, patch often!

[-]

JewelyaZ-423@reddit

Downloading now... hopeful that things will go well this month.

[-]

MikeWalters-Action1@reddit

With today's Patch Tuesday upon us, here’s a recap of last month's most critical third-party updates:

Google Chrome: 4 vulnerabilities in version 131, including critical CVE-2024-12692 and CVE-2024-12695
Mozilla Firefox: 20 vulnerabilities in version 134
WordPress: CVE-2024-9707 and CVE-2024-50498 (RCE, CVSS 9.8) in Hunk Companion and WP Query Console plugins
Ivanti: zero-days CVE-2025-0282 and CVE-2025-0283 in Connect Secure appliances
Palo Alto Networks: CVE-2024-3393 (CVSS 8.7) in PAN-OS DNS security
Apache MINA and HugeGraph: Mitigated critical CVE-2024-52046 (CVSS 10.0) in MINA and CVE-2024-43441 in HugeGraph
Sophos: CVE-2024-12727 (SQL injection) and CVE-2024-12728 (weak SSH passphrase) in Sophos Firewall
Fortinet: CVE-2023-34990 (CVSS 9.6) and CVE-2024-48889 in FortiWLM and FortiManager
Apple: CVE-2024-45490 and multiple kernel vulnerabilities in iOS and macOS
Apache Tomcat: CVE-2024-56337 (CVSS 9.8) in versions up to 11.0.1

[-]

Emergency_Ad4098@reddit

Buckleup! Yesterday some outage on MFA on M365 whats gonna go today....