Windows – Born's Tech and Windows World

Windows Update [German]Microsofts updates for Windows, released on April 9, 2019, are causing issues in Windows 7, Windows 8.1 and Windows 10, if third party antivirus software from Sophos, AVAST and Avira is installed.

I had blogged Tuesday/Wednesday night about the updates, Microsoft released on patchday (April 9, 2019) – see the links at the end of the article. But then my blog went down, now, after a day, I’m able to bring things together.

KB4493472 for Windows 7/Windows Server 2008 R2

Update KB44493472 (Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1) is a security update that contains improvements and bug fixes that were already included in the previous month’s update. The update addresses a number of issues, including updating protection against Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754) on VIA-based systems.

Furthermore the kernel is patched in win32k.sys and the IE 11 in WININET.DLL. Personally, I would not have installed this update, but rather installed the security-only update KB4493448 after waiting a few days of time.

Block all April 9, 2019 Windows updates

Shortly after release I received some user comments within my German article Patchday: Updates für Windows 7/8.1/Server (9. April 2019):

That went right through the absys. We currently have massive problems with Windows 7 clients that have installed all updates: After the reboot the computer stops at “Updates will be configured”.

Remove update doesn’t work, only rolling back to the last restore point, which is created automatically.

German blog reader mentioned within this comment, that a Sophos security suite may be involved and linked to this discussion thread in German forum administrator.de.

Good morning, everyone,
I just wanted to point out that after the above mentioned updates at my 2 VM´s with Windows Server 2008 R2 the machines stopped for more than 1.5 hours at “Configure Updates”.
The VM´s are running under VMware vSphere 6.5.0, 9298722.
I can’t say anything about the exact cause. I will now restore the machines from the backup.
So please be careful that you don’t have to do this in the early morning.

As it quickly crystallized, not every system was affected, but a lot. I found articles at askwoody.com, ghacks.net and spiceworks.com. Sophos has published this forum post.

SAV service hangs after installing KB4493472

Hello,

Last night one of my Windows 2008R2 servers hung after installing Microsoft patch KB4493472. After initial examination I discovered that SAV service was logging lots of error messages in event log. Event IDs : 7022 (service hang), 80, 81, 83, 85, 82, 566, 608, 592.

The server became unresponsive, no rdp, no file share access, Ctrl Alt Delete not working.

I rebooted the server in to safe mode and disabled the Sophos services. After this, I was able to reboot normally. Then I uninstalled Sophos, rebooted and tried to install again but this time the installation didn’t complete and the server hang again. I rebooted again in safe mode, disabled services, rebooted and uninstalled sophos again. After checking the Windows logs I realised that the server had installed update KB4493472 last night. I uninstalled the patch, rebooted and installed sophos again. This time there was no problem.

Currently we are trying to unauthorise KB4493472 on our update system.

Is there any known issues with KB4493472 on Windows Server 2008R2?

Thank You.

The Sophos support article, Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update, dated of 11 April 2019, is now online. The following updates will cause install issues:

KB4493467 (Security-only update)
KB4493446 (Monthly Rollup)
KB4493448 (Security-only update)
KB4493472 (Monthly Rollup)
KB4493450 (Security-only update)
KB4493451 (Monthly Rollup)

for the following versions of Windows, if Sophos Endpoint Security and Control or Sophos Central Endpoint Standard/Advanced is installed:

Windows 7
Windows 8.1
Windows 2008 R2
Windows 2012

In the support article, Sophos also gives hints on what those affected can do. You should avoid restarting when the patch has been installed. Instead, uninstall the update immediately. If this is not possible, boot the machine into safe mode and uninstall the update. Should fix the problem.

At askwoody.com there is a hint that users report the same problem with AVAST. So be careful! Also at Heise someone has reported issues with AVAST.

Administrators should block these updates in WSUS for clients and servers. Client users should block the update installation in Windows Update. Also Update KB4493435 seems to be critical.

Windows 8.1 and Windows 10 also affected

Meanwhile I have several reader comments, pointing out, that also Windows 10 cumulative updates are problematic, if Sophos is installed. Here is a list of updates to avoid:

Windows 10 1709: KB4493441
Windows 10 1803: KB4493464
Windows 10 1809: KB4493509
Windows 10 1903: KB4495666

And if you run Windows 10 V1507 Enterprise LTSC or Windows 10 V1607 Enterprise or Windows Server 2016/2019, the related updates are also affected. I got also the feedback, that Windows 8.1 users and thus Windows Server 2012/R2 instances are also affected by the issue. Some comments confirms updates KB4493446 (Rollup) and KB4493467 (Security-only) as critical. It also seems to affect systems with AVAST and AVIRA antivirus.

[German]The manufacturers of antivirus products, AVAST and Avira have officially confirmed that their products will cause issues with Windows after installing April 2019 Windows updates.

It is only an addendum to my articles yesterday (see April 2019 updates freezes Windows 7, 8.1, 10 & Server and the link list at end of article). Now an official confirmation by the software manufacturers is available.

Looking back: Heavy issues with Windows updates

The Windows updates released on April 9, 2019 caused install issues problems on some machines. Already on Wednesday, April 10, 2019, there were first reports that updates freezes the systems during installation.

First hints referred to update KB4493472 and clients with Windows 7 as well as Windows Server 2008 R2. Later it became clear, that Windows Server 2008, Windows 8.1, Windows Server 2012/R2 as well as Windows 10 and its server counterparts were also affected.

Not all users have been affected. While some users reported hassle-free update installations, others reported the system hanging. I ‘ve blogged about this in the article April 2019 updates freezes Windows 7, 8.1, 10 & Server. The only remedy was to boot the machine in safe mode, uninstall the causing update and block it for installation.

Antivirus solutions from Sophos, AVAST and Avira cause antivirus problem

It soon became clear that the cause was related to installed security solutions from third-party manufacturers. Sophos Endpoint Protection and solutions from AVAST and Avira – mostly for corporate environments – were named.

Sophos and Microsoft respond

On 11 April 2019, Sophos confirmed its support with the article Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update.

SAV service hangs after installing KB4493472

Hello,

Last night one of my Windows 2008R2 servers hung after installing Microsoft patch KB4493472. After initial examination I discovered that SAV service was logging lots of error messages in event log. Event IDs : 7022 (service hang), 80, 81, 83, 85, 82, 566, 608, 592.

The server became unresponsive, no rdp, no file share access, Ctrl Alt Delete not working.

I rebooted the server in to safe mode and disabled the Sophos services. After this, I was able to reboot normally. Then I uninstalled Sophos, rebooted and tried to install again but this time the installation didn’t complete and the server hang again. I rebooted again in safe mode, disabled services, rebooted and uninstalled sophos again. After checking the Windows logs I realised that the server had installed update KB4493472 last night. I uninstalled the patch, rebooted and installed sophos again. This time there was no problem.

Currently we are trying to unauthorise KB4493472 on our update system.

Is there any known issues with KB4493472 on Windows Server 2008R2?

Thank You.

The Sophos kb article contains detailed descriptions of how to proceed if a machine is affected. Microsoft has resynchronized the relevant updates for WSUS and blocked them for clients with Sophos, see also the German comment here and here. The KB article on the affected updates now contains the following information:

Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to freeze or hang upon restart after installing this update.

Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. For more information see the Sophos support article.

Response from Avast

This statement is now also available from AVAST (thanks to Ralf Lindemann for the comment). It concerns Avast for Business and CloudCare, which freeze Windows systems.

Windows machines (particularly those running Windows 7) are becoming locked or frozen on startup after Microsoft updates KB4462223, KB4493472, KB4493448, KB4464520, KB4462230 and KB4493435.

Avast customers are reporting their Windows machines with Avast for Business and Avast CloudCare products are becoming stuck or frozen on the login/Welcome screen. Some of these machines are completely unable to log in, and some log in after a very extended period of time. We have determined that these issues are most likely related to Microsoft updates KB4462223, KB4493472, KB4493448, KB4464520, KB4462230 and KB4493435.

The support article describes the steps to get a affected machine up and running again.

Statement from Avira

There is also an article published by the vendor Avira (askwoody had linked it), which explains why systems suddenly run so slowly.

Why does my system run very slow?

We could reproduce the described behavior.
This is occurring because of a current Windows Update.

Our development is working on a solution.

Uninstall Windows 10 Update KB4493509

Uninstall Windows 7 Updates KB4493472 and KB4493448

This probably also explains why some Windows 10 users get a slower system and observe further malfunctions (see Windows 10 V1809: Slow down with Update KB4493509?).

April 2019 updates freezes Windows 7, 8.1, 10 & Server
Windows 10 V1809: Slow down with Update KB4493509?

[German]The access of unauthorized third parties to Microsoft’s email services such as outlook.com or hotmail.com was deeper than Microsoft first admitted. More details are slowly coming to light.

What Microsoft has admitted so far

On Sunday I had reported within the article Microsoft’s mail services (outlook.com, hotmail.com) hacked about the hack. Microsoft’s email services were hacked and the attackers could access email accounts (@msn.com, @hotmail.com, @outlook.com etc.) of users of these services. A user who is affected has opened a thread at reddit.com about that matter. Microsoft had confirmed the hack (see following picture), but according to the company’s statements it looked like only metadata could be seen by the hackers…

(Click to zoom, Source: reddit.com)

In other words, according to Microsoft, the hackers ‘only’ came to the e-mail addresses of the affected users, the folder names in the mailbox, the subject lines of e-mails and the names of other e-mail addresses with which the user communicates. That’s bad enough. However, Microsoft stressed that no access “to the contents of emails or attachments”, nor – as it seemed – to credentials such as passwords, was possible.

Microsoft has confirmed to TechCrunch that a “limited” number of users of Microsoft web email services such as @msn.com and @hotmail.com were hacked. However, between January 1, 2019 and March 29, 2019, one or a group of unauthorized persons had access to the compromised account of a Microsoft support agent.

This isn’t the end – also access to calendar/mails

osph Cox from Motherboard has now published the article Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support, which draws a very different picture. In short, Microsoft didn’t tell the whole trutht. The hackers could misuse the Microsoft customer support portal through the compromised support employee’s account to read the emails and calendar data from ‘non-business’ accounts on Outlook, MSN and Hotmail.

In fact, this means that all private mail accounts at the three Microsoft email services mentioned were open to attackers. Only paying business customers were not affected by this hack – as we know today (don’t know, what comes to light in future). The source behind the hack probably described the attack to Motherboard, and also addressed the question of how he gained access to the accounts by misusing Microsoft’s customer support tool.

On Sunday Motherboard’s source repeated these details and provided more information and screenshots about what kind of access the hackers had to the Microsoft email accounts. Some of the screenshots made available to Motherboard show a panel with a list of account information that the hacker could access. It also showed access to the client’s calendar and date of birth. In the upper part of the window there are several sections such as “Profile”, “Mailbox Folder Statistics”, “Admin Center” and “Login History”.

After Microsoft had claimed that the attack had no access to the e-mail content, the source adds a proof of accessed e-mail bodies. The source confirmed to Motherboard that the attack technique allows full access to email content. On Sunday, the source provided another screenshot of another side of the panel, with the label “Email Body” and the text of an email edited by the source.

The source said that the Microsoft support account used belonged to a highly privileged user, which means he probably has more access to material than other employees. When Motherboard presented this screenshot to Microsoft, the company confirmed that it had also sent notification emails about such violations to some users. Microsoft states that this applied to about 6 percent of a small number of affected customers. However, the company remains silent about the absolute number of affected customers. A Microsoft spokesperson told Motherboard in a statement:

“We addressed this scheme, which involved a limited subset of consumer accounts, by disabling compromised credentials and blocking access by the perpetrators”.

Many open questions

Microsoft suggest for users to change their password for login to their e-mail account. But let’s make clear: Each user created a Microsoft account in Windows 8, 8.1 and 10 using Microsoft’s default process, has been assigned such a free e-mail account with the same password used for Windows login. Also onedrive and many other Microsoft services are associated to this account. A German user has listed several MS services associated to such an Microsoft account here. Are these MS services affected too – I would say yes.

Finally, the open questions remain: Is that really all, or will we soon receive the next bad news? And are European users affected? If so, what does this mean with regard to the GDPR? This is a GDPR incident that has to be reported to the authorities. For me, there is a simple conclusion: For online data it seems only a matter of time before it falls into the hands of non-authorized persons.

[German]In April 2019, Microsoft closed the CVE-2019-0859 vulnerability in Windows with a security update. Kaspersky security researchers have observed multiple attacks attempting to exploit this vulnerability in Windows 7 to 10.

Vulnerability CVE-2019-0859 in Windows

Vulnerability CVE-2019-0859 is located in Win32k.sys and allows attackers to elevate privileges. The vulnerability exists in Windows if the Win32k component does not properly process objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code in kernel mode. He could then install programs, view, modify, or delete data, or create new accounts with full user privileges.

However, to exploit this vulnerability, an attacker must first log on to the system. He could then run a specially developed application that could exploit the vulnerability and take control of an affected system. The CVE-2019-0859 vulnerability exists in all versions of Windows, but cannot be exploited remotely. However, malware delivered to users as downloads or mail attachments could exploit this vulnerability.

Microsoft documented the vulnerability in April 2019 and patched the still supported Windows versions with an update. The problem is that these updates in conjunction with various security products from Avast, Avira and Sophos cause installation problems (see April 2019 updates freezes Windows 7, 8.1, 10 & Server). Some users and administrators have therefore hidden the updates for a while.

Kaspersky discovered exploit in March 2019

Kaspersky security specialists point out that the CVE-2019-0859 vulnerability in win32k.sys is likely to be actively attacked. As early as March 2019, Kaspersky security researchers discovered an attempt to attack Win32k.sys by exploiting the proactive security technologies used in the products. The analysis revealed the zero-day vulnerability CVE-2019-0859 in win32k.sys. Kaspersky then informed Microsoft.

After Microsoft patched this vulnerability last week, Kaspersky reveals some information. The security vendor writes in this document (German, here is an English article) that CVE-2019-0859 is a use after free vulnerability in the system function that handles available dialog boxes, more specifically their complementary styles. According to Kaspersky, the ITW exploit pattern found during attack attempts targeted all 64-bit operating system versions of Windows 7 up to the latest builds of Windows 10.

The exploit of the vulnerability allows the malware to download and execute a script written by the attackers. In the worst case, this can give attackers complete control over the infected device. According to Kaspersky, a previously unidentified criminal APT group could gain sufficient privileges to install a backdoor created with Windows PowerShell using the vulnerability.

Theoretically, this should enable cybercriminals to remain undetected, writes Kaspersky. The backdoor was used to download the payload, which the cybercriminals could use to gain complete control over the infected computer. For more details on how the exploit works, see this report on Securelist.

Kaspersky recommends that you install the relevant security updates and use your own security software to protect against these exploits (they now detect the exploit). However, the installation of security updates is a problem if they cannot be installed due to problems.

April 2019 updates freezes Windows 7, 8.1, 10 & Server
Windows 10 V1809: Slow down with Update KB4493509?
AVAST and Avira confirms April 2019 Update issues

[German]One week after Microsoft released Windows security updates causing install issues, the situation for victims are not clear. Here’s an overview, what we know so far. Addendum: Avira has updated its knowledge base article, I’ve added that information.

After Microsoft released security updates for Windows on April 9, 2019, reports about serious issues spread within internet forums. Some users claims freezes or slowdown from Windows 10 (see Windows 10 V1809: Slow down with Update KB4493509?), while others are facing startup and login issues.

Later on, antivirus vendors Sophos, Avast and Avira confirmed, that their products interferes with the April 2019 security updates. I’ve addressed this within my blog post AVAST and Avira confirms April 2019 Update issues. Now we are a week older, but things doesn’t become more transparent.

Microsoft’s extended known issues list

Some days after Microsoft has released the April 9, 2019 patches, the company has extended the knows issues sections of their kb articles dealing with Windows Updates. Most kb articles dealing with updates for Windows 7, Windows 8.1 and Windows 10 (and it’s server pendants) contains now the following know issues (see kb4493467 for Windows 8.1 for instance):

Issue	Remark
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing this update.	Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed until a solution is available. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing this update.	Microsoft has temporarily blocked devices from receiving this update if Avira antivirus software is installed. We are presently investigating this issue with Avira and will provide an update when available.
Microsoft and Avast have identified an issue on devices running Avast for Business, Avast CloudCare, and AVG Business Edition antivirus software after you install this update and restart. Devices may become unresponsive at the login or Welcome screen. Additionally, you may be unable to log in or log in after an extended period of time.	Avast has released emergency updates to address this issue. For more information and AV update schedule, see the Avast support KB article.

The Microsoft support article for KB4493509 (April 9, 2019, cumulative update for Windows 10 V1809) contains another entry:

Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing this update.

No issues with Sophos, Avast or Avira are mentioned. ArcaBit is a polish antivirus vendor, not known to me before. Microsoft says ‘ArcaBit has released an update to address this issue.’ The know issues entry doesn’t provides details so far.

Withdrawn vendor statements

While Microsoft mentions ArcaBit has released an update, other things went odd. Within Microsoft’s support article for KB4493509 they say in the known issues section ‘For more information, see the Arcabit support article’. But the link to Arcabit’s support article isn’t to helpful. It seems, that Arcabit deleted the article – the linked page just contains a sentence in polish, that support for customers is available from 8.00 a.m. to 4 p.m. and the phone and e-mail contact data.

Also Avira decides to withdraw their first statement. While Microsoft still write within its knowledge articles:

Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing this update.

Avira is tight lipped. Within my blog post Windows 10 V1809: Slow down with Update KB4493509? I cited from a Avira knowledge base article, title Why does my system run very slow?. Within this article Avira says, that systems may be slowed down by Windows 10 V1809 update KB4493509. And they mentioned also Windows 7 Updates KB4493472 and KB4493448. Avira also confirmed, that they can reproduce this behavior, and recommended to uninstall those updates. But now, the support article has been deleted without further comments. And Microsoft doesn’t write a word about issues within it’s kb article for Windows 10 V1809 update KB4493509.

German blog readers confirmed, that there are issues with Windows April 2019 updates in conjunction with Avira antivirus solutions and Windows //10. After uninstalling either Avira or the security updates, this issues are gone. Also a comment I received for my article a German news site Heise reported similar things. On the other hand, I came across these comments to my Heise article. A user writes there:

My computer hasn’t limped since a few days ……

although I didn’t uninstall the update KB4493472, and the Avira virus scanner (under Windows 7) is still installed and active.

The extremely long boot time and the “hangs” when booting seem to have disappeared again. Four days ago it looked quite different.

One could almost think that Avira secretly did a software update …

A second user confirms this observation. Maybe sombody affected can commont on this observation. All in all not a good and transparent situation.

Addendum from Avira

On 18.4.2019 Avira informed me, that the Knowledge Base article 1976 had been updated. This article (which was empty in the meantime) now contains the following information:

Why does my system run very slow?

We have looked into the issue that you described, where the system slows down after a Windows update, and have found a way to fix it.

We have recently released an update that should fix this issue. Your Antivirus Pro will be automatically updated, and you don’t have to do anything else in the product.

If you have uninstalled the incompatible Windows Update, you can now restore it using the Windows Update function.

Affected Windows Updates

Windows 10: KB4493509

Windows 7: KB4493472, KB4493448

Due to the latest update provided by Avira, the unwanted behavior should now be removed. Can anyone of the affected confirm this?

Updates and more details from Avast and Sophos

Sophos has the most detailed knowledge base article about these issues, released on April 15, 2019. Microsoft has temporarily blocked devices from receiving this update if the Sophos Endpoint is installed. And Sophos provides temporary solutions to overcome issues with these Windows updates. For Enterprise Console customers Sophos is performing an update that will automatically add Windows exclusions to all Anti-virus and HIPS policies in Enterprise Console. Details are given within the kb article linked above. Also Avast has begun to ship micro updates, according to this support article.

But after a week, things seems still broken and neither Microsoft nor the antivirus vendors are acting with transparent and reliable information about these issues. On the other hand, Windows security updates are intended to fix serious 0-day vulnerabilities. Imho an odd situation, or what’s your opinion?

[German]Windows 10 Windows 10 (but also Windows 8.x) use Live tiles in Apps to display content in the Start menu. German security researcher Hanno Böck was able to takeover the subdomain for the corresponding service and was able to display any content on the Live tiles in the start menu.

Windows Live Tiles

Since Windows 8 you could pin apps as tiles in the start menu. And if the app used a certain service, information could be dynamically displayed on the app tile. The function was called Microsoft Live Tiles. Thus, the weather app could be dynamically displayed weather conditions on its tile. There were apps for stock market news, news apps with the latest headlines and so on.

After take down the mobile business, Live Tiles wasn’t anymore within Microsoft’s scope. So the Live Tiles concept and also the service used to display live content was taken down.

The hijacked Live Tiles

Security researcher Hanno Böck became aware, that Microsoft has abandoned the service that could be used to write content from websites on live tiles. When the corresponding web service was switched off, the company failed to delete the corresponding name server entries, according to Hanno Böck.

The service was set up under the Azure domain notifications.buildmypinnedsite.com. This enabled Hanno Böck to launch a so-called subdomain take-over attack for the live tile service. This is a popular method to take over orphaned subdomains during attacks. Golem described this approach in this older article. An English article about that may be found here.

Hanno Böck could then take over the orphaned sub-domain via the CNAME name server entry via his Azure account. After the successful subdomain take-over attack for the live tile service hosted on an Azure domain, the service was under the control of Hanno Böck. Hanno Böck was then able to display any images and text in the tiles of other websites (which were configured as Live Tiles in the Windows Start menu).

Live-Tile Takeover in Windows 10 Startmenu
(Source: Screenshot from Video)

The picture above is a screenshot from a demonstration video Böck published. In the lower right corner of the Windows 10 start menu you can see live tiles with skulls and the title ‘pwn’. Böck provided this with content via the hijacked service.

Hanno Böck reported this to Microsoft – perhaps to gain bug bountiest. However, there was no reaction from Microsoft, so he decided to disclose it. This was done today (17.4.2019) at 7:15 (MEZ) am in the article Microsoft loses control over Windows Tiles at news site Golem. This article contains many details about technical aspects. German magazine Heise, who were contacted by Böck, writes here that the Azure service in question is no longer available. Microsoft obviously deleted at least the CNAME name server entry on the hijacked sub-domain.

The episode shows once again how wobbly and risky the whole Microsoft tile rubbish is. But there are rumours that the tiles will be abolished with ‘Windows Lite’. Would have been just a swerve of several years, starting from Windows 8 over Windows 10, in which the stuff should somehow be brought to people – praised like sour beer. No matter how you turn it: it’s embarrassing for Redmond, but I’d say ‘and it’s typical’. What’s your opinion?

[German]Occasionally, Windows users are facing an update error 0x80246001 and the update install process aborts. This can occur on Windows 7 to Windows 10, but also on Microsoft Office. Here is some information about this error.

A brief error description

I recently came across the problem with Windows update error 0x80246001 within this comment here in the blog. The user writes:

Hello, [I] have here several failed update KB4474419 installation at the in Win7 x64 Pro.
Code: 0x80246001 (Download failed)

One possible cause, a missing Servicing Stack Update (SSU), can be excluded according to this error description.

However, the update error occurred many years ago, when SSUs were not yet an issue. I found the first hit from 2005 during a short search for a Windows XP update. Another post from the Microsoft Answers forum is from 2015 and refers to Windows 10.

Windows Update error 0x80246001
(Source: Microsoft Answers)

What does update error 0x80246001 stands for?

For error diagnosis it is helpful to decode the error code as accurately as possible. The specification ‘Download failed’ in the description above is not very helpful. I have listed the known or documented 0x8024xxxx update errors in the blog post Windows 10: Update errors 0x8024xxxx detailed.

Update error code 0x80246001 stands for WU_E_DM_URLNOTAVAILABLE and there is the explanation: ‘A download manager operation could not be completed because the requested file does not have a URL’. In plain text: There is an update request, but it simply does not contain a URL to download the requested file from the Microsoft update servers.

Problem solving approaches

In order to address the problem in a structured way during the update installation, it is advisable to go through various possible solutions. I have put together some approaches here that you can try.

Fix #1: Download and install update manually

In a first step, I would try to download the relevant update from the Microsoft Update Catalog using a browser. Simply search for the KB number on the page and then select the appropriate update package to download.

Afterwards you can select this as an administrator by double clicking on it, to start an for installation. It is possible that the update will be installed successfully. Otherwise it is possible that manifest files have an incorrect reference and cause the installation error. Then the following diagnostic steps should be carried out..

Fix #2: Check, if foreign virus scanner is the root cause

Not Windows compatible foreign virus scanners can damage Downloads in such a way that the several errors may occurs. In order to exclude this source of error, installed third-party virus scanners should at least be deactivated for testing purposes. But this is often not enough – then I would uninstall the external virus scanner for testing purposes and then run a Clean Tool from the AV provider to clean the system of installation remnants. If the AV suite is not the cause of the malfunction, you can reinstall it after a successful diagnosis.

Fix #3: Check Windows for damages

Damaged Windows system files can also lead to the most impossible errors. As a precaution, and to eliminate this source of error, the system should be scanned for corrupted files. The exact procedure depends on the version of Windows. In Windows 7, sfc /scannow and the CheckSUR tool can be used. See this KB article and System Update Readiness Tool for Windows 7 (KB947821) for details.

From Windows 8 to Windows 10 it is necessary to check the system with sfc /scannow for damaged files. The component store can then be checked for errors using dism. These approaches are described in the blog post Check and repair Windows system files and component store. Both methods try to repair detected damages at the same time. With a little luck, it also fixes the update error.

Fix #4: Reset Windows Update Components

Windows stores information about downloaded and installed updates in a component store. Damage in this area can lead to misreferences to non-existent files. Checking the component store with dism should be able to repair some things. But a broken download might not be fixed.

Therefore it is recommended to reset the Windows Update components. There is an update troubleshooter for different versions of Windows for this purpose. But this rarely helps. Therefore I would try the reset manually.

To do this, stop services and then delete certain files. One approach is described in this Microsoft Answers forum article. There qmgr*.dat is deleted from the user profile. In a further step the download folder for updates and the folder DataStore as well as the folder catroot2 can be deleted manually. More details can be found in this Microsoft support article. I also explained the steps to delete certain folders in more detail in the blog post Windows Update Error 0x8007042B.

Didn’t help?

You should also check your internet connection. Below are some linked articles on the diagnosis of update errors. Maybe some of the approaches mentioned here will help.

Finally, a warning: If you search for the error code, you will also find result pages that offer the download of a repair tool. Such solutions should not be used for security reasons. Nobody knows what is being done to you, and maybe it won’t work either. If then a chargeable download was transacted, the annoyance is large. Also the offered help sides with Chat function should avoid concerning.

How to decode Windows errors?
Windows 10: Analyze upgrade errors
Windows: How to decode update 0x8024…. errors
Windows 10: Update errors 0x8024xxxx detailed.

Uninstalling ‘uninstallable’ Windows Updates
How to block Windows 10 updates
Stop Windows from installing updates over and over again

Like a little ‘Schadenfreude’? I just came across a tweet from an ex-employee who was responsible for Windows 8. The guy bricks his Windows devices in series so that they can only boot into the UEFI.

he ‘boy’ is none other than Steven Sinosfsky, head of Windows 8 development at the time. With Windows 8.1 Sinofsky had to say goodbye to Microsoft in 2012. But Sinofsky is also responsible for the jump to the UEFI train.

I had noticed Sinofsky the last time in August 2018 because a Windows RT update had brickt his Surface RT (see A Windows Update bricked Steven Sinofsky’s Surface RT). Sinofsky was probably one of the last Mohicans who uses a Surface RT with Windows RT – for which he was responsible. Now Sinofsky has become attension with another tweet..

Pretty excited that my PC did this and now only boots into the UEFI setup. pic.twitter.com/6KkI8Jbp4v

— Steven Sinofsky (@stevesi) 22. April 2019

So he has a PC that has made the slide and can only boot into the UEFI setup mode. This usually means that the boot files are damaged (by updates). But Sinofsky knew how to help himself and has chosen the standard procedure ‘Reset Windows by Recovery Mode’.

Update: could not get out of a UEFI loop but booting into Recovery mode got me to regular Windows eventually.

FWIW this is the third different PC where this has happened to me in 2019.

— Steven Sinofsky (@stevesi) 22. April 2019

All I can think of is ‘eat your own dog food’. And especially exhilarating was his statement that this was already the third PC in 2019 where this happened. Hilarious. (via)

Windows Update [German]A little addendum to the April patchday issues in Windows, which were caused by third party antivirus scanners. In the meantime, the root cause for this behavior is known.

Antivirus software causes issues with April updates

Windows users had significant issues with the security updates for Windows released on April 9, 2019.

Shortly after the release of the April 2019 updates, there were reports worldwide that the systems with Windows 7 and Windows Server 2008 R2 were freezing during the update installation.
Later it became known that the problems also affect Windows 8.1 and Windows Server 2012 R2 as well as Windows Server 2008.
Windows 10 users has also reported these issues through updates. This ranges from an extreme slowdown to context menus no longer works.

Vendor, Sophos, quickly confirmed that there are problems when Sophos Endpoint Security and Control or Sophos Central Endpoint Standard/Advanced are installed. The following versions of Windows were affected.

Windows 7
Windows 8.1
Windows 2008 R2
Windows 2012

Later, confirmations from the antivirus vendors Avira, Avast and Mc Afee were added. Microsoft has also documented the problems associated with its April 9, 2019 update in its support articles on updates (see KB4493467 for Windows 8.1, for example). At the same time, Redmond had stopped the delivery of updates on systems where affected antivirus products were installed. I had reported about these problems in several blog posts (see linked posts at the end of the article). Sophos hasn’t, according to this article, provides a solution (just a workaround) till yet. And the updates are blocked further. Meanwhile, the other affected AV vendors have released updates for their products that work with the affected Windows updates.

But what was the root cause?

It was unclear to me, as an outside observer, why it hit the AV providers and who was ‘to blame’. I can’t answer the question ‘who was to blame’, but the root cause is now known. Antivirus vendor Mc Afee has covered it in a single sentence in this statement:

Changes in the Windows April 2019 updates for Client Server Runtime Subsystem (CSRSS) introduced a potential deadlock with ENS.

The Client Server Runtime Subsystem (csrss.exe) is responsible for the administration of the command line and the starting and stopping of processes and threads in the current Windows versions. As the only system component, csrss.exe is marked as a “critical process”, the unexpected termination of which leads to an immediate crash of the system. The abbreviation ENS stands forMc Afee Endpoint Security.

A change to the Client Server Runtime Subsystem (CSRSS) caused by the April 2019 updates has resulted in a situation that ends in a dead lock with the antivirus products. Dead lock is a situation where two processes wait for each other to release a resource (e.g. a file). So the processes block each other. Arstechnica describes it here: The antivirus applications try to gain access to a resource, but they are prevented from doing so because they have already gained exclusive access to the resource.

Ultimately, it’s up to the AV programs and defining exceptions for the scan, where the AV program directories are excluded, helped as a workaround. The updated versions of the antivirus products take this into account so that the dead lock no longer occurs and the Windows updates can be installed.

Just a brief note, because I received mails from blog readers. It seems, that Microsoft doesn’t provide preview updates (Rollups) for Windows 7 and Windows 8.1 and also no preview cumulative updates for Windows 10. There have been no patches released in C (3td) and D (4th) week of April 2019. There’s room for speculations, as Woody Leonhard writes. Some users guess, it’s because of the Easter holidays. But I guess, it might have something to do with the April 9 2019 patch disaster, caused by third party antivirus products. And Microsoft probably has moved some developers to help improve the upcoming Windows 10 V1903.

[German]A brief of information for users of Sophos enterprise security solutions. Sophos has just begun to deliver an update to correct the Windows patchday problems caused by its products. Here is some information on the subject.

Some background

On 9 April 2019, Microsoft released several security updates for different versions of Windows, which caused installation problems when certain third-party antivirus software was installed. This ranged from no longer booting and freezing to extremely slow systems. I had reported about it in several blog posts, among others in the article Windows Windows patchday issues–one week later (April 17, 2019).

Regarding Sophos, the vendor and Microsoft were able to identify a problem on Sophos Endpoint Protection devices that either have Sophos Central or Sophos Enterprise Console (SEC) installed and/or managed by these protection solutions. The system may stop responding to reboots after this update has been installed.

Microsoft has therefore temporarily excluded all Windows systems from receiving the affected April 2019 security updates on which Sophos Endpoint is installed . According to Microsoft, this will apply until a solution is available. More details can be found in the text below.

Micro updates and workarounds

Sophos then published workaround instructions for Sophos Endpoint and Sophos Enterprise Console customers on how to resolve the issue with affected systems. At the same time, micro-updates were released as a quick fix to the issue. The following happened under the hood: The micro-patches added scan rule exceptions so that the Sophos product directories under:

%programfiles(x86)%\Sophos\Sophos Anti-Virus\

have been excluded from scans. See this Sophos support article for details. On Thursday, 25 April 2019, I chatted with an administrator using Sophos solutions in corporate environments. He complained that ‘no updates’ were still available 2 weeks later. When I asked him that there were updates from Sophos, he wrote:

No, I’m afraid they haven’t. Only exceptions set that certain folders are not monitored. I was able to check this in the Enterprise Console. Also wait for the update from Sophos.

This is exactly the workaround that Sophos suggests in its support article. Sophos has kept silent on the root causes of the issue. But in the blog post Windows issues with April Updates and AV-Programs–root cause known, I had revealed a piece of information cited by Mc Afee that names the cause of the problem. In my opinion, the description also applies to the Sophos protection solutions.

Seems to be a bigger issue

I’ve wondered recently about the absence of the der Windows preview updates for a long time (see Still no April 2019 Preview Updates for Windows). But now those updates arrived, after a long delay. Since the early morning of April 26, 2019 (CET), Microsoft has provided preview updates for the various Windows versions.

But within the Known Issues sections of the KB articles I found the hint from Microsoft that the preview updates also had problems with antivirus software from Sophos, Avast, Avira etc. For Sophos, it was still explicitly stated that Microsoft was investigating issues with the vendor and blocking the distribution of updates to machines with the appropriate products.

Sophos becomes more concrete and provides an update

But the whole thing seems to be quite dynamic. On Friday I received a notation from a news editorial team, that Sophos ‘provides an updates’. Checking again the Sophos Support article 133945, I found it has been updated on April 26, 2019. Now Sophos says:

Microsoft has released updates on April 9, 2019 that are impacting some security AV vendors, causing some customers using Windows 7, Windows 8.1, Windows 2008, Windows 2008 R2, Windows 2012 and Windows 2012 R2 to occasionally experience system fails or hangs during boot up after application of the update.

Sophos has been working non-stop to resolve the issue. We quickly coordinated a temporary block that prevents the Microsoft update from being visible for download if the Sophos endpoint is installed. This has been successful in preventing system failures, and allowed us to investigate a permanent resolution. The block will remain in place until the resolution is fully tested and rolled out to customers.

The temporary solution includes an exclusion that works for all of our customers. These exclusions have been automatically added in Sophos Central and Sophos Enterprise Console (versions 5.5.x) and can also be manually added to SEC 5.4.1, UTM Managed Endpoints and Standalone Endpoints/Servers. The exclusions prevent system issues even if the Microsoft update is installed.

We have identified a permanent fix and are now automatically rolling out the fix to customers starting 25th April 2019. This will take place over a two to three week period. To check if you have received the fix see the ‘How to confirm if you have received the fix’ section linked under each product.

Administrators should be careful!

Administrators in enterprise environments who use Sophos security solutions need to be careful. As long as there is no update installed for the Sophos antivirus solution, Windows updates may cause trouble. Sophos has described how to check for the update in support article 133945. It also lists the different versions which already contain the fix.

For administrators, it is also important to note that Microsoft continues to block the distribution of (preview and security) updates to affected machines (via Windows Update). However, Microsoft plans to end this temporary blockade as of May 6, 2019. That’s just 1 and a half weeks, but Sophos says they need 2 to 3 weeks to rollout the patches. This could possible lead to another update desaster, if Microsoft lifts the update blocker.

[German]Antivirus vendor Sophos has released a maintenance update to its unified threat management program, Sophos UTM, which upgrades it to 9.602. The update addresses a number of security issues.

German blog reader Thorsten Sult contacted me a few hours ago by email and drew my attention to this update. Thorsten has already addressed the issue in this German blog post.

Sophos UTM Version 9.602 fixes vulnerabilities

The maintenance update to version 9.602 was announced in this Sophos community post. The changelog lists a number of fixes:

NUTM-10728 [Access & Identity] Race condition on configuration change of RED device
NUTM-9877 [Access & Identity] Configurable RADIUS timeout for L2TP over IPsec
NUTM-10190 [Basesystem] CVE-2018-15473: OpenSSH username enumeration
NUTM-10362 [Email] MIME type detection doesn’t work as expected – header Content-Type always considered
NUTM-10480 [Email] Mail Based XSS in Sophos UTM 9
NUTM-10484 [Email] POP3 Proxy stops working sometimes
NUTM-10545 [Email] Update SPX placeholder description
NUTM-10521 [Logging] /tmp partition getting full when using livelog
NUTM-10291 [Network] DNS Host object not updated/unresolved
NUTM-10460 [Network] GeoIP dropping traffic from allowed region
NUTM-10537 [Network] Additional IP address on a bridge interface exist in back-end even after deleting it
NUTM-10536 [RED] Wifi traffic on the internal RED15w AP is always routed through the RED tunnel
NUTM-10594 [RED] RED50 disconnects randomly
NUTM-10595 [Sandstorm] Sandbox Activity Tab not accessible due to license error
NUTM-10852 [Sandstorm] Sandboxd complaining on missing column in database/sqlite
NUTM-10626 [WAF] Let’s Encrypt certificate renewal fails because of failing terms of service check
NUTM-10644 [WAF] mod_session_cookie does not respect expiry time (CVE-2018-17199)
NUTM-10661 [WAF] SSL redirect broken for wildcard certificates
NUTM-10322 [Web] Proxy crash with coredump on UTM 9.508
NUTM-10633 [Web] New web templates for content warn does not work in 9.6
NUTM-10657 [Web] httpproxy uses up all CPUs in peak hours, resulting in slow browsing
NUTM-10668 [Web] Quota relevant web page are accessible when using AD SSO
NUTM-10758 [Web] Application Control – Skiplist not working for destination IP
NUTM-10546 [Wireless] Updating to 9.6 GA with REDw devices causes corrupt payload and AP becomes inactive

The maintenance update closes the CVE-2018-15473 vulnerabilities in OpenSSH, NUTM-10480 XSS in Email Protection and CVE-2018-17199 for WAF in older versions of Sophos UTM.

The update is rolled out in waves

The maintenance update is rolled out in shafts. In phase 1, users can download the update package from the Sophos FTP server and install it manually. In phase 2, Sophos will distribute the update via its Up2Date servers. As the firmware is not yet rolled out via Up2date, you should wait before using it productiv environments. Thanks to Thorsten for the hint.

[German]Citrix has updated its Workspace app to version 1904. This app is now distributed for the first time without the Visual C++ Redistributable (Runtime) in the installer. Here some information about this app.

What is the Citrix Workspace app for Windows?

The Citrix Workspace app for Windows is installable software that allows users to access applications and desktops from a client system using Citrix virtual apps and desktops. The Citrix Workspace app provides access from your desktop, start menu, Citrix Workspace user interface or web browser, as the company writes on this page.

Users can use the Citrix Workspace application on domain and non-domain PCs, tablets and thin clients. Using Citrix StoreFront in conjunction with the Citrix Workspace app enables organizations to provide self-service access to applications and desktops. The advantage: There is a common user interface, regardless of the terminal hardware, the operating system (32-bit and 64-bit versions), or form factor.

(Source: YouTube)

The above video shows how to use the Citrix Workspace app for Windows. On April 30, 2019, Citrix released the Workspace app 1904 for Windows. The app runs under

Windows 7,
Windows 8.1
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows 10
Windows Server 2016
Windows Server 2019

as well as Thin PC. The download is possible on this website. A detailed overview of the functions and ‘advantages’ can be found on the Citrix product page.

VC++ runtime won’t ship from Version 1904 onwards

Let’s get to the point of this blog post. On Twitter I became aware of an innovation of Citrix, the Workspace app 1904 for Windows. Marco Hoffmann (Citrix Technology Advocate) has sent the following message.

Hurray, this meets my support case request :)
Was a rocky way to get them convinced it causes installation issues.
I hope they’ll keep theirs updated in the installation directory.

— al Qamar (Karl) (@tweet_alqamar) 1. Mai 2019

Starting with version 1904, the required binary files of the Microsoft Visual C++ Redistributable are no longer delivered with the Citrix Workspace App Installer. What at first glance looks like a step backwards was welcomed with applause by user Al Qamar (Karl). By chance I know the background of the whole thing and had discussed it here in the blog in a different context. Here is the short version:

In the Microsoft Visual C++ Redistributable packages there are always serious security gaps. These are patched by Microsoft.
But Microsoft often doesn’t get the chance to deliver the installer packages with the latest tools and installers. This is how patched VC++ redistributable variants with known vulnerabilities in the installers are distributed.
To top it all off, outdated Microsoft Visual C++ redistributable packages, which have been integrated into products by software vendors, will be installed.

This misery I had discussed several times in the following blog posts. With the latest development at least Citrix does not install the Visual C++ redistributables. The administrator of the systems is then responsible for providing this runtime environment and keeping it up to date. Karl fought long enough for this step.

But Karl implicitly points to another construction site. The Visual C++ Runtime included in the Citrix App-Installer was often good for installation problems. This older support article from 2017 or this article from the same year deal with several problems at once.

Microsoft is planning BitLocker management enhancements in both Microsoft Intune and the System Center Configuration Manager (SCCM). The release is scheduled for the second half of 2019.

Bitlocker is no longer limited to a Windows client, but can be used OnPremise on local clients/servers, but also in the cloud on Azure. Irrespective of whether the administrative infrastructure is maintained on site or in the cloud, robust BitLocker management is required so that modern end devices can be secured by companies. It is precisely for this scenario that Microsoft plans to expand BitLocker management capabilities.

Cloud-based BitLocker Management with Microsoft Intune
BitLocker on-site management with System Center Configuration Manager (SCCM)
Microsoft BitLocker Administration and Monitoring (MBAM)

Bitlocker-Verwaltungszyklus
(Source: Microsoft)

The details of what Microsoft is planning for the second half of 2019 are described in this tech community article.

[German]A brief note ‘from the past’ for administrators of a WSUS (Windows Server Update Service). Microsoft has extended the URL to download updates for WSUS.

I suppose the majority of WSUS administrators have noticed and taken this into account. But as a reminder, I’ll provide the information here.

What’s the problem?

In WSUS, you can enter URLs of web servers that you want to connect to at the time of WSUS synchronization. These URLs are described in the Microsoft document Step 2: Configure WSUS in Section 2.1. Configure network connections. Microsoft added a URL to this document some time ago. The list now includes the following URLs:

http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
https://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
http://go.microsoft.com
http://dl.delivery.mp.microsoft.com
https://dl.delivery.mp.microsoft.com

Microsoft’s article is from 2017 and does not have an update date. But the last two entries in the list above has been added sometime in February / March 2019. Blog-reader Markus K. has informed me about this announcement in the japanese Technet-Blog in the middle of February 2019. I interpret the text in such a way that Microsoft successively uses the latter two servers to provide various updates. In February 2019, according to the Japanese Microsoft employees, only the update KB4486996 for Windows 10 Version 1709 was synchronized via these URLs. Perhaps this is of interest to some WSUS admin who did not update the URL list. Thanks to Markus for the hint (bummed around in my To Do list and is now finished).

Just a brief note to users of newer nVidia graphics cards. nVidia has released an driver update for Geforce chipsets. The Geforce 430.64 WHQL driver for Windows 7, Windows 8.1 and Windows 10 is available.

According to the release notes, the driver contains some improvements for games like RAGE 2, Total War: Three Kingdoms, and World War Z. Two SLI profiles for Imperator: Rome and Insurgency Sandstorm are also updated. The driver introduces the following software modules

nView – 149.77
HD Audio Driver – 1.3.38.16
NVIDIA PhysX System Software – 9.19.0218
GeForce Experience – 3.18.0.102
CUDA – 10.1
Standard NVIDIA Control Panel – 8.1.940.0
DCH NVIDIA Control Panel – 8.1.953.0

but has some known issues, which are described in the release notes. More important in my eyes is that the new driver fixes several security problems at once. nVidia released a Security Bulletin: NVIDIA GPU Display Driver – May 2019. This describes three vulnerabilities CVE-2019-5675, CVE-2019-5676 and CVE-2019-5677, which are classified with different score values from 5.6 to 7.7.

[German]Exciting question: On how many devices does Windows 10 actually run now? And what is the operating system share on desktops? I came across several information during the last days that I would like to present here.

There are now 825 million Windows 10 devices

Paul Thurrott reports within this article that he could read at the BUILD 2019 conference an internal Microsoft document. According to Thurrott, this document stated that Windows 10 is currently active on over 825 million devices worldwide. However, it’s unclear to Thurrott, why Microsoft did not disclose this figure at the BUILD 2019.

Where is Windows 10 going?

Within his article, Thurrott also writes that after a recent reorganization, he got a better understanding of how the company will evolve Windows. Following Terry Myerson’s departure in 2018, Microsoft promoted Eran Megiddo to Corporate Vice President of Windows and Education.

Megiddo will focus on the direction and strategy of the Windows client and report to Joe Belfiore. Belfiore will lead the Essential Products (“EPIC” internal) team at Microsoft. EPIC is part of Microsoft 365 and responsible for Windows 10 Apps, Microsoft Edge, OneNote, Android and iOS mobile experiences (Microsoft Launcher, Microsoft Edge, OneNote, Microsoft To-Do, Microsoft News and more). Eran and the Windows team have three goals for the near future:

Clarify Microsoft’s strategy for Windows.
Manage and improve cross-device experiences between Windows and mobile devices.
Continue the penetration of Windows into education.

There are a variety of new tasks and roles within Microsoft associated with this reorganization. But I’m not sure where Windows 10 is heading. Thurrott is also worried about the actual product. Perhaps one forgets from all these strategies and cross-devices experiences that it is an operating system that has to work on the desktop.

Windows market share

Let’s now have a look on to the market shares of desktop operating systems and the distribution between Windows versions. In this April 2019 report, AdDuplex shows a 29.3% share for Windows 10 V1809 on Windows 10 systems. Although these figures are very uncertain, this version is struggling to conquer the desktop. A total of 63.2% of machines continue to run Windows 1803.

Windows 10: 44,10 %
Windows 7: 36, 43 %
Windows 8.1: 4,22 %
Windows XP: 2,45 %
Windows 8: 0,82%

Netmarketshare.com shows the above distribution for Windows on the desktop for the end of April 2019. Windows 10 has now clearly overtaken Windows 7 in ‘market share’ – Martin Geuß has unraveled the profit and loss account here. Windows runs on 88.22% of all desktop systems. mac OS 10.14 is 5.23% and mac OS 10.12 2.00%, by the way. All mac OS versions have a market share of 8.38%, while Linux remains at 1.99%.

(Desktop-Betriebssystemverteilung April 2019, Quelle: Netmarketshare.com)

Windows Update [German]As of May 14, 2019, Microsoft has released numerous security updates for Windows clients and servers, for Office, etc. Here is a compact overview.

A list of the updates can be found on this Microsoft page. Details about the update packages for Windows, Office etc. can be found in separate blog posts.

Servicing Stack Updates

Microsoft now publishes an overview of all current Servicing Stack Updates (SSUs). The list of SSUs can be found at ADV990001.

Notes on updates

All Windows 10 updates are cumulative. The monthly Patchday update includes all security fixes for Windows 10 and all non-security fixes until Patchday.

The updates can also be downloaded via Microsoft Update Catalog. Updates for Windows RT 8.1 and Microsoft Office RT are only available through Windows Update. For information about the support period for Windows 10, see the Windows Lifecycle Windows Lifecycle Facts Sheet.

Critical Security Updates

Internet Explorer 11
Internet Explorer 10
Internet Explorer 9
ChakraCore
Microsoft Edge
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server
Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 version 1709 for 32-bit Systems
Windows 10 version 1709 for x64-based Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server, version 1803 (Server Core Installation)
Windows Server, version 1903 (Server Core Installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Adobe Flash Player
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 for Mac
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft Office 365
Microsoft Office Online Server
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2010 Service Pack 2
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2019
Microsoft Word 2016 (32-bit edition)
Microsoft Word 2016 (64-bit edition)
Office 365 ProPlus for 32-bit Systems
Office 365 ProPlus for 32-bit Systems
Office 365 ProPlus for 64-bit Systems
Office 365 ProPlus for 64-bit Systems

Important Security Updates

Team Foundation Server 2015 Update 4.2
Team Foundation Server 2017 Update 3.1
Team Foundation Server 2018 Update 1.2
Team Foundation Server 2018 Update 3.2
Microsoft Visual Studio 2015 Update 3
Microsoft Visual Studio 2017 version 15.0
Microsoft Visual Studio 2017 version 15.9
Microsoft Visual Studio 2019 version 16.0
Azure DevOps Server 2019
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6
Microsoft .NET Framework 4.6.2
Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.7.1/4.7.2
Microsoft .NET Framework 4.7.2
Microsoft .NET Framework 4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.8
.NET Core 1.0
.NET Core 1.1
.NET Core 2.1
.NET Core 2.2
.NET Core 3.0
ASP.NET Core 2.1
ASP.NET Core 2.2
Microsoft SQL Server 2017 for x64-based Systems (CU+GDR)
Microsoft SQL Server 2017 for x64-based Systems (GDR)
Microsoft Azure Active Directory Connect
Microsoft Exchange Online
Oulook.com
Nuget 5.0.2
Skype 8.35 when installed on Android Devices
Microsoft Dynamics 365 (on-premises) version 8.2
Microsoft Dynamics 365 (on-premises) version 9.0
Microsoft Dynamics CRM 2015 (on-premises) version 7.0

Critical update for Windows XP up to Windows 7 (May 2019)
Microsoft Security Update Summary (May 14, 2019)
Patchday: Updates for Windows 7/8.1/Server (May 14, 2019)
Patchday Windows 10 Updates (May 14, 2019)
Patchday Microsoft Office Updates (May 14, 2019)

[German]On May 14, 2019, Microsoft released an urgend security update for older Windows versions up to Windows 7 that closes a critical vulnerability CVE-2019-0708 in Remote Desktop Services. The vulnerability is considered to be so critical that Windows XP and Windows Server 2003 as well as Windows Vista will also receive the update. Systems with Windows 8 or higher are not affected.

If you still run systems with Windows XP or Windows Server 2003 or Windows Vista as well as Windows 7, Windows Server 2008 and 2008 R2, which are still in support, in network environments, you should read the following information carefully. Because in these Windows versions there is a critical vulnerability CVE-2019-0708 in the remote desktop service. Microsoft estimates the potential threat as critically as the vulnerability that made WannaCry infection with Ransomware possible at the time.

CVE-2019-0708 in Remote Desktop Services

Microsoft has published details of the vulnerability in security advisory CVE-2019-0708. In Remote Desktop Services – formerly known as Terminal Services – there is a serious vulnerability. An unauthenticated attacker can connect to the target system via RDP by sending specially crafted requests. Then the attacker does not need to authenticate to gain access to the system.

An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. This includes installing programs, viewing, modifying, or deleting data, and creating new accounts with full user privileges. To exploit this vulnerability, it is sufficient for an attacker to send a specially crafted request via RDP to the Remote Desktop Service of the target system. This critical vulnerability exists in the following Windows versions:

Windows XP
Windows Server 2003
Windows Vista
Windows 7
Windows Server 2008
Windows Server 2008 R2

Starting with Windows 8, the vulnerability no longer exists in the Remote Desktop service. Windows 7, Windows Server 2008, and Windows Server 2008 R2 receive a patch to close the vulnerability with regular Monthly Rollup or Security Online updates.

For Windows versions that have already dropped out of support, the user must download the update himself. Users of Windows Vista can download the updates (Monthly Rollup or Security Online) of Windows Server 2008 from the Update Catalog and install them manually. Users of Windows XP and Windows Server 2003 can find the corresponding variants for the update KB4500331in Microsoft Update Catalog for manual download. KB article KB4500331 provides information about these operating system versions. In the Security Advisory, Microsoft also suggests workarounds if you cannot install the security update on Windows 7, Windows Server 2008, and Windows Server 2008 R2.

Microsoft have announced on May 17, 2019 Windows Server containers support in Azure Kubernetes Service. A public preview is available now.

I became aware of this new development via twitter, when Kubernetes co-founder brendandburns announced the public preview:

Windows containers are now in public preview in @Azure Kubernetes Service!!!https://t.co/ANfWHkbZrV

Many, many thanks to Patrick Lang, Michael^2 and the folks in SIG-Windows and AKS team for helping us achieve this milestone!

Get started here:https://t.co/Xnk5YTNdbx

— brendandburns (@brendandburns) 17. Mai 2019

Further details may be found within this Microsoft Azure blog post.