VC ++ 2019: The end of MS C++ Redistribution Chaos?

A brief look at the C++ runtime libraries and their distribution as redistributable packages, with all the problems that side-by-side installation of different versions brings. Microsoft has responded to criticism: the Visual C++ 2019 Redistributable uses the same files as VC++ 2015/2017.

Some background details

Most programs require runtime libraries to run. With Visual C++ these are the redistributables (runtime libraries) that are installed with the respective application. If the VC++ runtime libraries are updated by security updates, Windows installs them side-by-side in most cases.

Why the runtime libraries are installed side-by-side is explained in the German blog post Windows 7/8.1/10: Fehler Side-by-Side-Konfiguration ungültig, but in another context.

In short: Runtime libraries are stored centrally so that the applications do not have to install the same DLLs separately into program folders each time. You can save storage space by sharing the libraries.

The problem: If two applications use different versions of a runtime library, conflicts would arise if the last application installed simply overwrote the existing runtime files. This kind of conflict was formerly known as “DLL hell”.

To avoid this problem elegantly, the Side by Side configuration was introduced in the WinSxS folder (Windows component store). When installing an application, the runtime libraries, DLLs, and other resources are stored in a separate subfolder of the WinSxS folder. This prevents different versions of a file from interfering with each other. Further insights can be found in the mentioned blog post.

In practice, however, this leads to a variety of problems – including the unsafe, patched versions that end up on a computer via software and updates. I had addressed this, with the help of blog reader Karl, in a series of articles (The problem with C++ Redists & 3rd Party security patches – I). We had also brought this to Microsoft.

Runtime for VC++ 2019 with V2015/2017

That seems to have been fruitful at the end of the day. Blog reader Karl informed me yesterday on Twitter about a change that Microsoft is introducing with the Runtime for VC++ 2019.

If you have to take care of the administration of VC ++ redistributables, you get relief now (if Microsoft does its job correctly – you have to wait and see). In the newly released runtime environment for C++ 2019, the redistributable of VC++ 2015 and VC++ 2017 is included, according to the tweet above. Microsoft published this KB article at the end of May 2019. Quote from the article:

Note Visual C++ 2015, 2017 and 2019 all share the same redistributable files.

For example, installing the Visual C++ 2019 redistributable will affect programs built with Visual C++ 2015 and 2017 also. However, installing the Visual C++ 2015 redistributable will not replace the newer versions of the files installed by the Visual C++ 2017 and 2019 redistributables.

This is different from all previous Visual C++ versions, as they each had their own distinct runtime files, not shared with other versions.

This means that you no longer have to worry about these last two versions. But nothing changes with the runtime libraries of VC++ 2013 or earlier. In a personal mail Karl informed me about the following:

By the way, the change has been around since C++ 2017 (14.10 / 14.16), which replaces C++ 2015 (14.0) for the first time in history.

In practice, however, there were problems with some programs compiled with 2015. However, there was another update for the 2017 Runtimes and now the 2019 (14.21) I will roll them out soon at the customer with the problems and see if there are then fewer problems. It was a novelty for me that with newer runtimes there is “stress” at all. Probably bad code.

Especially in 2013 or older it comes to applications or games (Steam) again and again replaced runtimes. But the problem will probably fade away itself in time if you only use new applications. 2005 are probably already out of support and 2008 I think. Which doesn’t mean that I wouldn’t install them anymore.

It’s always better to install the last current runtimes than none at all, which then causes even older installations – depending on how they have programmed their installer checks – so the same or newer: leave / older: install side by side.

Karl also points out that since C++ 2008 there are no more updates for C++ via Windows Update / WSUS. He also writes:

Windows Update for Business patches only Windows components anyway. So C++ would be 3rd party software. Up to today, obsolete C++ 2005, 2008 and 2012 redists are distributed via the Microsoft download pages and Windows Update. At least older than the ones available at my.visualstudio.com or via Patrick Kuhnke AIO runtimes. I don’t think anybody wants to care about it anymore and they let it fade out like that.

Karl then posted some screenshots on Twitter showing what a cleaned system should look like.

The abbreviation AIO stands for All in One Runtime, which is maintained by Patrick Kuhnke. That’s what I wrote in my blog post The problem with C++ Redists & 3rd Party security patches – III with Karl’s support.
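
An added example, not code from this blog, from Karl or from Microsoft: a PowerShell audit that lists the installed Visual C++ redistributables and groups them the way the article describes, with 14.x (2015/2017/2019) as one shared family and each older release as its own side-by-side family. Mapping the major version number to a family and the wording of the status column are assumptions of this example.

```powershell
# Added example: inventory of installed Visual C++ redistributables,
# grouped by runtime family. Read-only; it changes nothing on the system.
# Assumption: the family is derived from the major version number of the
# uninstall entry. 14.x covers VC++ 2015, 2017 and 2019, which share files.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$familyNames = @{
    8  = 'VC++ 2005'
    9  = 'VC++ 2008'
    10 = 'VC++ 2010'
    11 = 'VC++ 2012'
    12 = 'VC++ 2013'
    14 = 'VC++ 2015/2017/2019 (shared)'
}

function Get-VcRedistInventory {
    # Read both registry views so 32-bit and 64-bit installers are covered.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $_.DisplayName -match 'Microsoft Visual C\+\+ .*Redistributable' -and
            $_.DisplayVersion
        } |
        ForEach-Object {
            $version = $null
            # Skip entries whose version string is not a dotted version.
            if (-not [version]::TryParse($_.DisplayVersion, [ref]$version)) { return }

            $arch = if ($_.DisplayName -match 'x64') { 'x64' }
                    elseif ($_.DisplayName -match 'x86') { 'x86' }
                    else { 'unspecified' }

            $family = $familyNames[$version.Major]
            if (-not $family) { $family = "unknown (major $($version.Major))" }

            [pscustomobject]@{
                Family       = $family
                Architecture = $arch
                Version      = $version
                DisplayName  = $_.DisplayName
            }
        }
}

function Get-VcRedistReport {
    # Within one family and architecture, mark every entry that is older
    # than the newest installed one. For the shared 14.x family a newer
    # redistributable replaces the older files; for 2013 and earlier,
    # several versions can sit side by side.
    Get-VcRedistInventory |
        Group-Object Family, Architecture |
        ForEach-Object {
            $newest = ($_.Group | Sort-Object Version -Descending |
                       Select-Object -First 1).Version
            foreach ($entry in $_.Group) {
                $status = if ($entry.Version -eq $newest) { 'newest installed' }
                          else { "older than installed $newest" }
                [pscustomobject]@{
                    Family       = $entry.Family
                    Architecture = $entry.Architecture
                    Version      = $entry.Version
                    Status       = $status
                    DisplayName  = $entry.DisplayName
                }
            }
        }
}

Get-VcRedistReport |
    Sort-Object Family, Architecture, Version |
    Format-Table -AutoSize
```

"Newest installed" only compares entries found on the machine; whether that version is the latest published one still has to be checked against the vendor's download page.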

Similar articles:
The problem with C++ Redists & 3rd Party security patches – I
The problem with C++ Redists & 3rd Party security patches – II
The problem with C++ Redists & 3rd Party security patches – III
Citrix Workspace-App comes w/o VC++ Runtime from V1904
Vulnerabilities in Microsoft Visual C++ Runtime


BlueKeep: Patch status is too low, Windows 2000 vulnerable

The BlueKeep vulnerability CVE-2019-0708 is still unpatched in many systems, as new figures show. In addition, the US government warns of unpatched Windows 2000 systems.

The BlueKeep vulnerability CVE-2019-0708

Within Remote Desktop Services of older Windows systems (Windows XP up to Windows 7), a serious security vulnerability CVE-2019-0708 has been known since May 2019 (see the articles linked at the end of this post). An attacker can connect to a target system via RDP using specially crafted requests, without further authentication.

All systems prior to Windows 8 are affected, although there are updates for Windows XP to Windows 7 (see Critical update for Windows XP up to Windows 7 (May 2019)). Attackers who have successfully exploited this vulnerability can execute remote code on the target system. This includes installing programs, viewing, modifying, or deleting data, and creating new accounts with full user privileges.

How to check systems for the CVE-2019-0708 vulnerability or for an installed patch is described in the blog post How To: BlueKeep-Check for Windows. So we now have security updates, and there are ways to check if these updates are installed. This even works within a network. But people don’t patch.

Statistics: patch status insufficient

The following tweet states that 83.4% of the systems available worldwide that can be reached via the Internet and attacked via the BlueKeep vulnerability do already have the security updates.

If you go through the Twitter messages of the account concerned, you can see that the numbers have risen several times, from 57% to 72.4% and now to 83.4%. I do not know exactly how the figures are calculated. The hashtag #MDATP appears in the tweets.

This is a reference to the Microsoft Defender ATP component Threat & Vulnerability Management, available since April 2019.

Warning about unpatched Windows 2000 systems

A few days ago, Bleeping Computer pointed out in this article that the Cybersecurity and Infrastructure Security Agency (CISA) had published a warning for Windows users. Windows users are urged to patch BlueKeep, the critical RCE vulnerability in Remote Desktop Services (RDS). The agency, which is part of the US Department of Homeland Security, writes that it successfully tested remote code execution attacks on a computer running a vulnerable version of Windows 2000.

CISA tested BlueKeep against a Windows 2000 machine and achieved remote code execution. Windows OS versions prior to Windows 8 that are not mentioned in this Activity Alert may also be affected; however, CISA has not tested these systems.

I would have said Windows 2000 doesn’t matter. But if CISA explicitly tests an exploit and then warns, the number of affected systems might be greater than 0.

Similar articles
A threat actor scans Windows systems for BlueKeep vulnerability
BlueKeep: Windows Remote Desktop Services vulnerability exploits status
Critical update for Windows XP up to Windows 7 (May 2019)
Nearly 1 million Windows machines with BlueKeep vulnerability
BlueKeep vulnerability: Microsoft warns about a wormable malware epedemia
BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor
How To: BlueKeep-Check for Windows
Metasploit for Windows BlueKeep vulnerability

Microsoft Security Advisories/Notifications June 2019

Microsoft has released some ‘Microsoft Security Update Releases’ for Patchday and afterwards. The last one is from yesterday. Here is an overview of several security notifications I’ve received within the last 2 weeks. I’ve also added a list of current servicing stack updates and an overview of Spectre mitigation.

Security notification CVE-2019-1105 (June 20, 2019)

On June 20, 2019, Microsoft released the security warning CVE-2019-1105. This is a spoofing vulnerability in Microsoft’s Outlook app for Android. An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim.

An attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and execute scripts in the security context of the current user. A security update for the Outlook app fixes the vulnerability. After that, specially crafted e-mail messages can no longer be used for the attack in Outlook for Android.

Microsoft Security Advisory Notification (June 14 2019)

Microsoft has already published the following information in a Security Advisory Notification as of June 14, 2019. 

ADV990001: Current Servicing Stack Updates (SSUs)

Reason for notification: An SSU has been released for Windows 10 Version 1903 and Windows Server Version 1903 (Server Core Installation). The list of SSUs is maintained by Microsoft under ADV990001. Here is a quick overview, which was sent to me by blog reader Karl about patchlists.org – where the updates for version 1607, 1809 and 1903 refer to Windows 10 clients as well as the Windows Server counterparts.

  • KB955430, 28. Apr. 2009, Win Vista SP2 / Server 2008 SP2 (6.0.x)
  • KB4490628, 12. Mar 2019, Win 7 SP1 / Server 2008 R2 SP1 (+Embedded) (6.1.x)
  • KB3173426, 12. Jul 2016, Win 8 / Server 2012 (6.2.x)
  • KB3173424, 12. Jul 2016, Win 8.1 / Server 2012 R2 (6.3.x)
  • KB4498353, 14. May 2019, Win 10 1507 SAC / LTSC (10.10240.x)
  • KB4035632, 08. Aug 2017, Win 10 1511 SAC (10.10586.x)
  • KB4503537, 11. Jun 2019, Win 10 1607 SAC / LTSC / Server 2016 LTSC (10.14393.x)
  • KB4500640, 14. May 2019, Win 10 1703 SAC (10.15063.x)
  • KB4500641, 14. May 2019, Win 10 1709 SAC / Server 2016 SAC (+ARM64) (10.16299.x)
  • KB4497398, 14. May 2019, Win 10 1803 SAC / Server 2016 SAC (+ARM64) (10.17134.x)
  • KB4504369, 11. Jun 2019, Win 10 1809 SAC / Server 2019 LTSC / SAC (+ARM64) (10.17763.x)
  • KB4498523, 29. May 2019, Win 10 1903 RP (+ARM64) (10.18362.x)

Here are some hints on what certain SSUs for Windows 10 fix. 

Windows 10 V1903

The following applies to SSU KB4498523 for Windows 10 V1903:

  • Fixes an issue that can prevent user profiles from loading correctly when you restart after installing certain updates.
  • Fixes an issue that can occur when a language pack is installed while an update is pending. The update might not install and you might receive the error “0x800f0982”.
  • Fixes an issue that can occur when an optional feature, such as .Net Framework 3.5, is installed while an update is pending. The feature installation may fail, and you may receive a “0x800F080C” error.
  • Fixes an issue that might prevent updates from being installed after the /resetbase command is run in DISM.

So the SSU fixes a number of bugs in Windows Update.

Windows 10 V1809

The following applies to SSU KB4504369 for Windows 10 V1809: Fixes an issue that can occur when a language pack is installed while an update is pending. The update may not install and you may receive the error “0x800f0982”.

Windows 10 V1607

The following applies to SSU KB4503537 for Windows 10 V1607: Fixes an issue that can prevent user profiles from loading correctly when you restart after installing certain updates.

ADV180002: Guidelines for Spectre Mitigation

In Microsoft Security Advisory ADV180002 (Guidance to mitigate speculative execution side-channel vulnerabilities, first released on January 3, 2018), the table in FAQ #9 was supplemented on June 14, 2019 with information for ARM processors.

In addition to Microsoft’s information, I have the following list of patches for the various Spectre vulnerabilities from blog reader Karl (thank you for that). Maybe someone can use it.

Spectre 1, 2, 3, 3a, 4 (SSBD), L1TF, MDS, Retpoline

Spectre v1/2

Server
Server 2008 SP2 KB4090450[0] > KB4093478[1] + Registry AMD / Intel + BIOS
Server 2008 R2 SP1 KB4056897[0] > KB4338821[1] + Registry AMD / Intel + BIOS
Server 2012 KB4088880[0] > KB4338816[1] + Registry AMD / Intel + BIOS
Server 2012 R2 U1 KB4056898[0] > KB4338831[1] + Registry AMD / Intel + BIOS
Server 2016 1607/Core  KB4056890[0] > KB4132216 + KB4338822[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091664-v6
Server 2016 1709 Core KB4056892[0] > KB4131372 + KB4338817[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091663-v6
Server 2016 1803 Core KB4338853 + KB4340917[1] + Registry AMD / Intel + BIOS or 2018-10 KB4100347-v4
Server 2019 1809/Core included in OS + Registry AMD / Intel
Server 2019 1903 Core included in OS + Registry AMD / Intel
Clients  
Windows Vista SP2 KB4090450[0] > KB4093478[1] + Registry AMD / Intel + BIOS (out of support)
Windows 7 SP1 KB4056897[0] > KB4338821[1] + Registry AMD / Intel + BIOS
Windows 8.0 KB4088880[0] > KB4338816[1] + Registry AMD / Intel + BIOS (out of support)
Windows 8.1 U1 KB4056898[0] > KB4338831[1] + Registry AMD / Intel + BIOS
   
Windows 10 1507 LTSC KB4345455[1] + Registry AMD / Intel + BIOS or 2018-05 KB4091666-v5 (Home / Pro / Ent / Edu out of support)
Windows 10 1511 KB4035632 + KB4093109[1] + Registry AMD / Intel + BIOS (Home / Pro / Ent / Edu out of support)
Windows 10 1607 LTSC KB4056890[0] > KB4132216 + KB4338822[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091664-v6 (Home / Pro / Ent / Edu out of support)
Windows 10 1703 KB4132649 + KB4338827[1] + Registry AMD / Intel + BIOS or 2018-10 KB4091663-v6 (Home / Pro / Ent / Edu out of support)
Windows 10 1709 KB4056892[0] > KB4131372 + KB4338817[1] + Registry AMD / Intel + BIOS 2018-10 KB4090007_v6 (Home / Pro out of support)
Windows 10 1803 KB4338853 + KB4340917[1] + Registry AMD / Intel + BIOS or 2018-10 KB4100347-v4
Windows 10 1809 included in OS
Windows 10 1903 included in OS
Windows 10 20H1 included in OS

Spectre NG v3, 3a, 4 (SSBD) [3], L1TF

Server
Server 2008 SP2 KB4480968[0] > KB4499180[1] + Registry AMD / Intel + BIOS
Server 2008 R2 SP1  KB4480970[0] > KB4093478[1] + Registry AMD / Intel + BIOS
Server 2012  KB4480975[0] > KB4499158[1] + Registry AMD / Intel + BIOS
Server 2012 R2 U1 KB4480963[0] > KB4499165[1] + Registry AMD / Intel + BIOS
Server 2016 1607/Core KB4467691[0] > KB4494440[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346087-v3
Server 2016 1709 Core KB4467686[0] > KB4499179[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346085-v3
Server 2016 1803 Core KB4467702[0] > KB4499167[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346084-v3
Server 2019 1809/Core BIOS or 2019-02 KB4465065-v3 + Registry AMD / Intel
Server 2019 1903 Core included in OS + Registry AMD / Intel
Clients  
Windows Vista SP2 KB4480968[0] > KB4499180[1] + Registry AMD / Intel + BIOS (out of support)
Windows 7 SP1   KB4480970[0] > KB4093478[1] + Registry AMD / Intel + BIOS
Windows 8.0 KB4480975[0] > KB4499158[1] + Registry AMD / Intel + BIOS (out of support)
Windows 8.1 U1 KB4480963[0] > KB4499165[1] + Registry AMD / Intel + BIOS
Windows 10 1507 LTSC  KB4467680[0] > KB4471323[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346088-v2 (Home / Pro / Ent / Edu out of support)
Windows 10 1511 KB4035632 + KB4093109[1] + Registry AMD / Intel + BIOS (Home / Pro / Ent / Edu out of support)
Windows 10 1607 LTSC KB4467691[0] > KB4494440[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346087-v3 (Home / Pro / Ent / Edu out of support)
Windows 10 1703  KB4467696[0] > KB4499181[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346086-v3 (Home / Pro / Ent / Edu out of support)
Windows 10 1709 KB4467686[0] > KB4499179[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346085-v3 (Home / Pro out of support)
Windows 10 1803  KB4467702[0] > KB4499167[1] + Registry AMD / Intel + BIOS or 2019-02 KB4346084-v3
Windows 10 1809 KB4467708[0] > KB4471332[1] + Registry AMD / Intel + BIOS or 2019-02 KB4465065-v3
Windows 10 1903 included in OS
Windows 10 20H1 included in OS

MDS

Server
Server 2008 SP2 Registry AMD / Intel + BIOS
Server 2008 R2 SP1 Registry AMD / Intel + BIOS
Server 2012   Registry AMD / Intel + BIOS
Server 2012 R2 U1 Registry AMD / Intel + BIOS
Server 2016 1607/Core Registry AMD / Intel + BIOS or 2019-05 KB4494175
Server 2016 1709 Core Registry AMD / Intel + BIOS or 2019-05 KB4494452
Server 2016 1803 Core Registry AMD / Intel + BIOS (KB Microcode not yet available)
Server 2019 1809/Core Registry AMD / Intel + BIOS (KB Microcode not yet available)
Server 2019 1903 Core included in OS
Clients  
Windows Vista SP2 Registry AMD / Intel + BIOS
Windows 7 SP1 Registry AMD / Intel + BIOS
Windows 8.0 Registry AMD / Intel + BIOS
Windows 8.1 U1 Registry AMD / Intel + BIOS
Windows 10 1507 LTSC Registry AMD / Intel + BIOS or 2019-05 KB4494454 (Home / Pro / Ent / Edu out of support)
Windows 10 1511  (out of support)
Windows 10 1607 LTSC Registry AMD / Intel + BIOS or 2019-05 KB4494175 (Home / Pro / Ent / Edu out of support)
Windows 10 1703 Registry AMD / Intel + BIOS or 2019-02 KB4494453 (Home / Pro / Ent / Edu out of support)
Windows 10 1709 Registry AMD / Intel + BIOS or 2019-05 KB4494452 (Home / Pro out of support)
Windows 10 1803 Registry AMD / Intel + BIOS (KB Microcode not yet available)
Windows 10 1809 Registry AMD / Intel + BIOS (KB Microcode not yet available)
Windows 10 1903  included in OS
Windows 10 20H1 included in OS

Retpoline (<=Skylake) / ImportOptimization (>Skylake)

Server 2019 1809/Core 2019-05 KB4494441 + Registry AMD / Intel
Server 2019 1903 Core included in OS + Registry AMD / Intel
Windows 10 1809 2019-05 KB4494441
Windows 10 1903 included in OS

SP = Service Pack, U = Update

[0] superseded, bugged; should be declined
[1] or later cumulative security quality update. READ RESPECTIVE UPDATE HISTORY KNOWN ISSUES BEFORE APPLYING
[2] Exceptions apply to clients with AMD CPUs that need Registry AMD, refer to MS advisories
[3] SSBD is never enabled by default without Registry Intel, refer to MS advisories

Registry values: Server: KB4072698, Clients: KB4073119

Other advisories June 11, 2019

**************************************************************************************
Title: Microsoft Security Advisory Notification
Issued: June 11, 2019
**************************************************************************************

Security Advisories Released or Updated on June 11, 2019
====================================================================

* Microsoft Security Advisory ADV190015

– ADV190015 | June 2019 Adobe Flash Security Update
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190015
– Reason for Revision: Information published.
– Originally posted: June 11, 2019
– Updated: N/A
– Version: 1.0

* Microsoft Security Advisory ADV190016

– ADV190016 | Bluetooth Low Energy Advisory
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190016
– Reason for Revision: Information published.
– Originally posted: June 11, 2019
– Updated: N/A
– Version: 1.0

* Microsoft Security Advisory ADV190017

– ADV190017 | Microsoft HoloLens Remote Code Execution Vulnerabilities
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190017
– Reason for Revision: Information published.
– Originally posted: June 11, 2019
– Updated: N/A
– Version: 1.0

* Microsoft Security Advisory ADV190018

– ADV190018 | Microsoft Exchange Server Defense in Depth Update
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190018
– Reason for Revision: Information published.
– Originally posted: June 11, 2019
– Updated: N/A
– Version: 1.0

* Microsoft Security Advisory 190013

– ADV190013 | Microsoft Guidance to mitigate Microarchitectural Data Sampling
   vulnerabilities
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190013
– Reason for revision: Microsoft is announcing that security updates 4503273
   (monthly rollup) and 4503287 (security only), released on June 11, 2019 for
   supported x64-based versions of Windows Server 2008, provide protections against
   the Microarchitectural Data Sampling vulnerabilities addressed in this advisory.
– Originally posted: May 14, 2019
– Updated: June 11, 2019
– Version: 2.0

* Microsoft Security Advisory 190009

– ADV190009 | SHA-2 Code Sign Support Advisory
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190009
– Reason for revision: To correct an issue with the SHA-2 support for MSI files,
   Microsoft is re-releasing KB4474419 for Windows Server 2008 Service Pack 2.
   Microsoft recommends that customers running Windows Server 2008 Service Pack 2
   reinstall update 4474419.
– Originally posted: March 13, 2019
– Updated: June 11, 2019
– Version: 3.0

****************************************************************************
Title: Microsoft Security Update Releases
Issued: June 11, 2019
****************************************************************************

Summary
=======

The following CVE has undergone a major revision increment: CVE-2017-8533

Revision Information:
=====================

CVE-2017-8533
– Version: 5.0
– Reason for Revision: To comprehensively address CVE-2017-8533 for supported
   editions of Windows 7 and Windows Server 2008 R2, Microsoft is releasing security
   updates 4503292 (Monthly Rollup) and 4503269 (Security Only). We recommend that
   customers running supported editions of these operating systems install the
   appropriate June 2019 update to be fully protected from this vulnerability.
– Originally posted: June 13, 2017
– Updated: June 11, 2019
– Aggregate CVE Severity Rating: Important

Windows 10 V1803: Force update to V1903 – Part 1

Short reminder for Windows 10 users who are still using older versions up to Windows 10 Version 1803. Be prepared that these machines will be upgraded to the Windows 10 May 2019 update. In addition, Windows Update will indicate when a machine is not ready for a feature update.

I decided to write a separate blog post, although I had already mentioned the topic within the blog post News from Windows 10 V1903: Images, Rollout, Show-Stopper. Because there are some peculiarities that I noticed during a test.

Microsoft’s announcement and the background

In the blog post News from Windows 10 V1903: Images, Rollout, Show-Stopper it is mentioned that Microsoft has announced that they have now started to build and train the Machine Learning Process (ML).

We are now beginning to build and train the machine learning (ML) based rollout process to update devices running the April 2018 Update, and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates and improvements.

This enables the AI-supported rollout of the feature update on machines with Windows 10 April 2018 Update (Version 1803) and earlier. This is to ensure that Microsoft can continue to maintain these devices and provide them with the latest updates, security updates, and enhancements. It won’t be clear to everyone what this means.

Microsoft's statement, and its intention, become clearer if you keep my older blog post Windows 10 May 2019 Update brings back Update control in mind. Microsoft explained at that time that people should get more control over when Windows 10 feature updates are installed. So you can delay the download and installation of feature updates by not clicking on the link within the Windows Update page.

Feature updates as of Windows 10 May 2019 Update
(Control feature updates to Windows 10 May 2019 Update)

But there are two conditions under which this approach will not be offered to users of older Windows 10 versions up to and including V1803.

  • In May 2019, Microsoft distributed updates for Windows 10 that enable the functionality to control updates during feature updates. However, these were only provided for Windows 10 versions 1803 and 1809. I briefly outlined this in the blog post Windows 10 Updates KB4497934, KB4499183 (May 21, 2019).
  • There is a special condition regarding installation control of feature updates for machines with a Windows 10 build installed that has reached or will soon reach the end of support with updates. Microsoft will then automatically install the feature update on that machine (if it appears compatible). This is to ensure that the machine continues to receive security and quality updates.

The latter condition is true for Windows 10 up to version 1803. Version 1803 for Home/Pro will be dropped from support on November 12, 2019, see this Microsoft page. Older Windows 10 versions have already dropped out of support in Home and Pro.

No matter how you turn it around, the older Windows 10 versions up to version 1803 are now being planned by Microsoft for a forced upgrade to Windows 10 V1903 and will be updated as soon as possible. I had also explained this in the blog post Windows 10 V1803 threatens a forced update as of July 2019.

Note: This blog post applies only to Windows 10 Home and Pro machines managed via Windows Update. For Windows 10 Enterprise in enterprise environments, different policies apply (versions also receive more than 18 months of support).

The user will be notified

However, Microsoft has also stated (see Windows 10 May 2019 Update brings back Update control) that users will be automatically notified when a feature update is available for the machine and is recommended by Microsoft.

The machine learning based distribution of the feature update to Windows 10 Version 1903 is intended to ensure, however, that it is only offered on machines if these are compatible. It is therefore possible that someone is using an older version of Windows 10 and still does not receive a feature update. 

My experiences from a test

I tried to put an older test machine online, which still runs with an older build 1703 of Windows 10. It was noticeable that the feature update to version 1709 was displayed as a pending update, but with an installation error. Then, during the update search, the feature update to version 1803 was offered and installed without any issues after downloading and triggering a restart.

  • The frequently reported step-by-step upgrade to the next Windows 10 version (here version 1709) was therefore definitely skipped here. I got Windows 10 V1803 on the machine.
  • An option to go back to the previous Windows 10 version after upgrading was not available anymore.
  • I also noticed that the user accounts were not set up again after the upgrade, but were immediately ready for work.

I don’t know if this has been done for a long time. It was my last test machine with an older Windows 10 version. Also interesting is the behavior of Windows Update after upgrading to version 1803. After successfully upgrading to Windows 10 version 1803, the Windows Update page displayed the following warning that support for this system is about to end and Microsoft recommends updating to the latest version of Windows 10. 

Windows 10 V1803: Notice of end of support
(Warning that support is ending)

On the system I had configured Automatic Updates via Group Policy -> Notify me before downloading and installing, but I specified that ‘pending updates shall not be downloaded and installed automatically’. Therefore the red warning ‘Some settings are managed by your organization.’ is shown within the above (German) screenshot.

When I switched the group policy in gpedit.msc to automatic installation and updated it with gpupdate /force, the red warning about managing some settings disappeared as expected. However, after a new update search, the following information was displayed on my German Windows 10.

Windows 10 V1803: Warning about expiring support
(Warning that support is ending)

There, Microsoft merely announces that it is in the process of ‘completing the latest update with interesting features and security enhancements’. The user is asked to check for updates to see if an update is available. However, repeated searches did not yield any further details about the upgrade.

So Microsoft doesn’t seem to be in that much of a hurry with the upgrade yet. Probably the parameters of the machine (which hasn’t been online for a long time) are now being processed by the machine learning program in the hope that it spits out a recommendation.

What if the machine is not compatible?

In this case, too, the user will receive a notification, as Bleeping Computer reported here (citing WindowsLatest). The user is informed that the feature update to Windows 10 Version 1903 is available, but that the machine is not yet ready for installation.

Update notification for an incompatible machine
(Update notification on non compatible machines, Source: Microsoft/Bleeping Computer)

This is not yet the case on my test machine. Meanwhile German readers have sent me similar screenshots as shown above. Microsoft has then set an upgrade stopper for this system. Unfortunately, there is no further information about what exactly the root cause is. If the user clicks on Learn more, he will only be redirected to the Windows 10 V1903 status page, where some update blockers are listed. But the affected user can’t find out the concrete reason for the compatibility issues on his system.

Articles
Windows 10 V1803: Force update to V1903 – Part 1
Windows 10 up to V1803: Details for Upgrade to V1903  – Part 2

Similar articles:
Windows 10 May 2019 Update brings back Update control
Windows 10 V1803 threatens a forced update as of July 2019
News from Windows 10 V1903: Images, Rollout, Show-Stopper

Windows SIM: Errors on 64 bit systems with ADK

There is a known issue with Windows SIM when a 64-bit Windows ADK is installed on the machine. Administrators then get errors when creating auto answer files for an installation. Microsoft has now released version 1903 of Windows SIM to correct the error.

Windows System Image Manager (Windows SIM) is a tool for creating unattended response files for Windows Setup. The tool is part of the Windows Assessment and Deployment Kit (Windows ADK) and is described on this Microsoft page. Many years ago, I tested the tool for the last time as part of a book project on Windows 7.

Problem: 64 bit Windows ADK

It seems, however, that on machines where Windows ADK is installed in a 64-bit version, errors occur when using Windows SIM. Then you simply can’t create response files for a Windows installation anymore. Now Microsoft offers a solution.

The above tweet of Windows IT Pro indicates that there is an update for those affected. In the known issues section, the issue is confirmed. There it is recommended to download and install Windows SIM Version 1903. Then the problem should be solved.

Fixes for Windows event viewer bug (June 2019)


[German]Microsoft has released several Windows updates over the past 10 days to fix the bug in the Event Viewer that occurred after installing the June 11, 2019 security updates. Here is a brief overview.

I have mentioned these individual updates in the respective blog posts, but there has not been a comprehensive listing so far. Some blog readers have pointed out in comments for certain Windows versions that there is a bug fix for the event viewer (e.g. thanks to Dekre). Others had asked where updates could be found.

I had it all on the radar, but as long as Windows versions were still unconsidered, a separate blog post didn’t make sense. Today the last fix for Windows 10 version 1903 came with update KB4501375 (see Windows 10: Updates KB4501375, KB4504360, KB4506933 released). So I decided to create a separate blog post for my readers.

Some Background about the issue

The Windows security updates released by Microsoft in June 2019 close numerous vulnerabilities, but also cause headaches for administrators. As soon as the updates have been installed, the Event Viewer crashes if custom views are selected.

(Screenshot: Event Viewer error in the snap-in)

As soon as the error has occurred once, the Event Viewer can no longer be used. The reason for this is that the Event Viewer snap-in automatically tries to load the last selected custom view at the next start.

I’ve discussed that issue in detail within my German blog post Windows 7-10: Ereignisanzeige hängt nach Juni 2019-Update (KB4503293/KB4503327 etc.) – a shorter English version is Windows 10: Updates KB4503293/KB4503327 kills event viewer. The article explains which Windows versions and updates are affected (virtually all). And I had sketched a workaround how to fix the Event Viewer at least (but no custom views can be used afterward).

A somewhat more in-depth approach can be found in the blog post Tip: PowerShell workarounds for June bug in Windows Event Viewer. Microsoft had confirmed the bug quite quickly and promised to fix it by July 2019.

Which updates do I need for which Windows?

The updates to fix the relevant bug in the Event Viewer trickled in between June 18 and June 28, 2019. The following list provides an overview of the relevant updates:

  • Windows 10 Version 1903, Windows Server Version 1903: KB4501375, June 27, 2019
  • Windows 10 Version 1809, Windows Server Version 1809, Windows Server 2019: KB4501371, June 18, 2019
  • Windows 10 Version 1803: KB4503288, June 18, 2019
  • Windows 10 Version 1709, Windows Server Version 1709: KB4503281, June 18, 2019
  • Windows 10 Version 1703: KB4503289, June 18, 2019
  • Windows 10 Version 1607, Windows Server 2016: KB4503294, June 18, 2019
  • Windows 8.1, Windows Server 2012 R2: KB4503283, June 20, 2019 (Preview Rollup), or use update KB4508773.
  • Windows Server 2012: KB4503295, June 21, 2019 (Preview Rollup)
  • Windows 7 SP1, Windows Server 2008 R2 SP1: KB4503277, June 20, 2019 (Preview Rollup), or use update KB4508772.

All updates are optional and are offered via Windows Update. If you want to install these updates under Windows 10, you must actively search for the updates in the update page. The updates should also be offered on WSUS or SCCM. For a manual installation, the packages can be downloaded from the Microsoft Update Catalog via the above KB numbers.

A fix for Windows 10 LTSC V1507 (RTM) hasn’t been released yet.

What else should I keep in mind?

My tip would be to read the 'known issues' section within the linked KB articles. Most of the updates mentioned above come with serious side effects. If you decide that you can't install an update, use the hints given within my blog post Tip: PowerShell workarounds for June bug in Windows Event Viewer.

Similar articles:
Windows 10: Updates KB4503293/KB4503327 kills event viewer
Tip: PowerShell workarounds for June bug in Windows Event Viewer

AMD Radeon Adrenalin 19.6.3 with bug fixes


AMD released its Radeon Adrenalin 19.6.3 driver for Windows. This driver fixes some bugs of previous versions. A list of fixes and changes can be found in the Release Notes.

Patch 1559 for Trend Micro Worry-Free Business Security 10


[German]A brief information for administrators and users. Trend Micro released Patch 1559 for its Worry-Free Business Security 10 for Windows security solution on June 28, 2019.

However, it took several days for Readme & Co. to be added to the Trend Micro website. I became aware of this topic at German site administrator.de via this post. According to the release notes, only bugs are fixed.

2.2 Resolved Known Issues
     ===================================================================
     This patch resolves the following issues:

     Issue 1:    (SEG-48748)
                 The URL filtering feature may not be able to block 
                 certain URLs.
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 1: This patch updates the UMH module to ensure that the URL 
                 filtering feature works normally.
     -------------------------------------------------------------------
     Issue 2:    (SEG-47383)
                 An error occurs when users save changes to the Scheduled 
                 Scan settings.
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 2: This patch updates the information in the database to 
                 resolve this issue.
     -------------------------------------------------------------------
     Issue 3:    (SEG-47596)
                 Microsoft(TM) Windows(TM) Server 2019 appears as "Windows 
                 Server 2016" on the Worry-Free Business Security web 
                 console.
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 3: This patch adds Windows Server 2019 to the mapping list.
     -------------------------------------------------------------------
     Issue 4:    (SEG-47699)
                 There is a typographical error on the "LiveStatus" page 
                 of the Worry-Free Business Security web console.
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 4: This patch corrects the typographical error on the 
                 "LiveStatus" page.
     -------------------------------------------------------------------
     Issue 5:    (SEG-49559)
                 An error occurs during Remote Installation.
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 5: This patch prevents the error so Remote Installation 
                 proceeds normally.
     -------------------------------------------------------------------
     Issue 6:    (SEG-49803)
                 The Device Control feature may not work under certain 
                 conditions.
                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Solution 6: This patch updates the Behavior Monitoring module to 
                 ensure that the Device Control feature works normally.

You can download the file WFBS-100-WIN-ALL-Patch-1559.exe here from the tab Product Patch. At administrator.de it is also discussed whether this version of TM is compatible with Windows 10 V1903. The manufacturer remains silent about this. A user has tried it out and successfully installed TM WFBS 10 under this operating system version.


WSUS: Endpoint decommissioned; SHA2 update required


[German]A brief note for corporate administrators who distribute updates using WSUS. Microsoft shuts down an endpoint before the next patchday. I would also like to remind you of the SHA2 migration issue.

WSUS: Synchronization endpoint is decommissioned

Windows Server Update Services (WSUS) uses certain server URLs to synchronize updates. Now I have been alerted by the following tweet that Microsoft will disable such a synchronization endpoint for the upcoming patchday.

Microsoft announced within the Techcommunity article "WSUS synchronization endpoint being decommissioned on Monday, July 8" that the endpoint:

fe2.update.microsoft.com

will be decommissioned (shut down) next Monday, July 8, 2019. This URL will no longer be available for WSUS. For WSUS servers that are still configured for the old endpoint, this change should result in a one-time slow synchronization (typically only a few minutes), since the WSUS server automatically switches to the new endpoint.

Although the change should take place automatically, it is recommended to keep an eye on it as an administrator. If synchronization errors occur after Monday, those affected will find hints in KB article 4482416, "WSUS synchronization fails with SoapException", to check whether they are affected by the problem. If this is the case, there are also instructions to fix it.

Note the mandatory SHA2 update for Win 7/Server 2008

Microsoft announced in 2018 that, from mid-2019 onwards, it would sign its Windows updates with SHA-2 only; for security reasons, SHA-1 signatures would then be dropped. I covered this in the article Windows 7: From April 2019 'SHA-2-Support' is required and in further blog posts (see the end of this article).

Users of Windows 7 SP1 (as well as its server counterparts) and WSUS will need a special update from April 2019, which upgrades the machine for SHA2 code signatures. Without this update, these machines will not be able to process new updates in the future. As of March 12, 2019, Microsoft provided the required updates for Windows 7 SP1 and Server 2008/R2 as part of the patchday.

For Windows Server Update Services, Microsoft provided the standalone update KB4484071 for WSUS 3.0 SP2 (SHA-2 Support for Windows Server Update Services 3.0 SP2), according to this support article. It adds SHA-2 support to WSUS 3.0 SP2. Administrators using WSUS 3.0 SP2 must manually install this update by June 18, 2019. This ensures that updates for Windows 7 and Windows Server 2008/R2 can still be distributed via WSUS 3.0 SP2. The prerequisite for manual installation of update KB4484071 is that the following updates:

  • Windows Monthly Rollup KB4489880 (or later) for Windows Server 2008 SP2
  • KB4489878 (or later) for Windows Server 2008 R2 SP1
  • and .NET 3.5 were previously installed.

If this is ignored, errors may occur during installation. Microsoft also recommends backing up the WSUS database before installing these updates. If you have considered this, you can look forward to the July patchday on Tuesday, July 9, 2019.

Similar articles:
SHA-2 patch for Windows 7 arrives on March 2019
Windows 7: From April 2019 ‘SHA-2-Support’ is required

PowerShell: Local Administrator Password Solution (LAPS)


[German]Here is a tip for administrators in the corporate environment that I recently came across. It’s about the PowerShell script of the week, Local Administrator Password Solution (LAPS), which allows you to manage passwords for local accounts on domain computers.

Passwords are stored in Active Directory (AD) and are protected by ACL (Access Control Lists) so that only authorized users can read them or request a reset. In a tweet, Windows IT Pro (from Microsoft) points to a PowerShell solution for managing local administrator passwords.

Local Administrator Password Solution (LAPS)

In environments where users must log on to computers without domain credentials, password management can become a complex issue. Such environments significantly increase the risk of a Pass-the-Hash (PtH) Credential Replay attack. The Local Administrator Password Solution (LAPS) provides a solution to the problem of using a shared local account with an identical password on each computer in a domain.

LAPS solves this problem by setting a different, random password for the shared local administrator account on each computer in the domain. Domain administrators using the solution can determine which users, such as help desk administrators, are authorized to read passwords.

LAPS simplifies password management and helps customers implement recommended defenses against cyber attacks. In particular, the solution reduces the risk of lateral escalation. This happens when customers use the same administrative local account and password combination on their computers.

LAPS stores the password for the local administrator account of each computer in Active Directory, which is stored in a confidential attribute in the corresponding Active Directory object of the computer. The computer can update its own password information in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.

How does LAPS work?

The core of the LAPS solution is a GPO client-side extension (CSE) that performs the following tasks and can enforce the following actions during a GPO update:

 

  • Checks whether the password of the local Administrator account has expired.
  • Generates a new password when the old password is either expired or is required to be changed prior to expiration.
  • Validates the new password against the password policy.
  • Reports the password to Active Directory, storing it with a confidential attribute with the computer account in Active Directory.
  • Reports the next expiration time for the password to Active Directory, storing it with an attribute with the computer account in Active Directory.
  • Changes the password of the Administrator account.

The password then can be read from Active Directory by users who are allowed to do so. Eligible users can request a password change for a computer.
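The expiration time that the CSE reports to Active Directory can be used to check whether LAPS is really rotating the password on every machine. The following PowerShell function is an added example, not part of the LAPS package or of the original post; it assumes the legacy LAPS attribute name ms-Mcs-AdmPwdExpirationTime, and the function name, the grace period and the sample computers are hypothetical.

```powershell
# Added example. Classifies computer objects by the LAPS expiration attribute.
# Assumption: legacy LAPS schema, where the next expiry is stored on the computer
# object in 'ms-Mcs-AdmPwdExpirationTime' as a Windows FILETIME (Int64, UTC).
# The password attribute itself is never read here.
function Get-LapsCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Computer,

        # Reference time in UTC; passed explicitly so results are reproducible.
        [datetime]$Now = [datetime]::UtcNow,

        # Hypothetical tolerance for machines that were offline when the password expired.
        [int]$GraceDays = 7
    )
    process {
        $raw     = $Computer.'ms-Mcs-AdmPwdExpirationTime'
        $expires = $null

        if ($null -eq $raw -or [int64]$raw -le 0) {
            # The CSE has never reported a password for this machine.
            $state = 'NoPasswordStored'
        }
        else {
            $expires = [datetime]::FromFileTimeUtc([int64]$raw)
            if     ($expires -ge $Now)                      { $state = 'Current' }
            elseif ($expires -ge $Now.AddDays(-$GraceDays)) { $state = 'ExpiredWithinGrace' }
            else                                            { $state = 'Stale' }
        }

        [pscustomobject]@{
            Name       = $Computer.Name
            State      = $state
            ExpiresUtc = $expires
        }
    }
}

# Constructed sample objects that mimic what an AD query returns (not real machines).
$now = [datetime]::new(2019, 7, 9, 0, 0, 0, [System.DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ Name = 'WS-001';  'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(12).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS-002';  'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-3).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'WS-003';  'ms-Mcs-AdmPwdExpirationTime' = $now.AddDays(-90).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'SRV-010'; 'ms-Mcs-AdmPwdExpirationTime' = $null }
)

$sample | Get-LapsCoverage -Now $now | Sort-Object State, Name | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module from RSAT):
#   Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwdExpirationTime' | Get-LapsCoverage
```

Machines reported as NoPasswordStored or Stale are the ones where the CSE is not installed or the GPO does not apply. Who may read the stored passwords in an OU can be reviewed with the Find-AdmPwdExtendedRights cmdlet from the AdmPwd.PS module that ships with LAPS.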

What are the LAPS features?

The PowerShell LAPS solution includes the following features:

  • Security that provides the ability to:
    • Randomly generate passwords that are automatically changed on managed machines.
    • Effectively mitigate PtH attacks that rely on identical local account passwords.
    • Enforce password protection during transport via encryption using the Kerberos version 5 protocol.
    • Use access control lists (ACLs) to protect passwords in Active Directory and easily implement a detailed security model.
  • Manageability that provides the ability to:
    • Configure password parameters, including age, complexity, and length.
    • Force password reset on a per-machine basis.
    • Use a security model that is integrated with ACLs in Active Directory.
    • Use any Active Directory management tool of choice; custom tools, such as Windows PowerShell, are provided.
    • Protect against computer account deletion.
    • Easily implement the solution with a minimal footprint.

The LAPS PowerShell script is available for the following versions of Windows:

  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Additionally required:

  • Active Directory: (requires an AD schema extension)
    • Windows 2003 SP1 or higher
  • Managed machines:
    • Windows Server 2003 SP2 or later, or Windows Server 2003 x64 Edition SP2 or later. Itanium-based machines are not supported.
  • Management-Tools:
    • .NET Framework 4.0
    • PowerShell 2.0 or later

The PowerShell solution can be downloaded free of charge from this Microsoft site. You will also find instructions on how to install the package. Maybe it’s helpful.

Open Source Task Manager TaskExplorer


[German]Today, one more tool introduction: the open source task manager TaskExplorer. The tool is developed for Windows by David Xanatos (an alias).

David contacted me by mail a few days ago and asked if I would like to introduce the tool. David wrote me the following:

Again I have a new tool to introduce, it is an Open Source Task Manager, called TaskExplorer. The tool is very similar to the old tool TaskInfo, but has much more functions, because it uses the KProcessHacker.sys driver.

The driver has a valid signature, so the tool can be used without any limitations, even if many AV products complain about the driver, ProcessHacker is a well-known Open Source Task Manager, a replica of Sysinternals Process Explorer. My TaskExplorer looks very similar to the tool TaskInfo, which is unfortunately closed source and has not been further developed since 2012. In contrast to the ProcessHacker, in which you have to open a new window for almost every additional info, in TaskExplorer everything is arranged in page tabs, so that you can get the maximum of information with as few clicks as possible. In addition, much of the information is updated in real time.

David states that the tool is now out of the pre-release phase and version 0.1 is ready for everyday use. A few things are still missing, but that will come in the next weeks. The tool is available in source code and as a ZIP archive on GitHub:

GitHub release there is also a description
Introduction on wilderssecurity.com

Some remarks

I have tested this tool in Windows 7 SP1 briefly. In the 64 bit version it didn’t start and crashed. But the 32-bit version showed the following window.

TaskExplorer (Click to size)

Looks like it can be used. David writes something about his motivation to write the tool. He has used TaskInfo on a daily basis since 2003 and doesn't want to miss it anymore. But the tool has, according to his statement, issues with Windows 10. It crashes on PC systems with more than 32 logical processors. David wrote:

Therefore I was forced to use ProcessHacker first, which was very cumbersome because of the very spartan UI. So I decided without further ado, because ProcessHacker is Open Source, with its backend TaskInfo, to build more than Open Source. It took me about a month of long weekends to do this, but now I use it instead of TaskInfo.

David wrote the UI for TaskExplorer with the platform-independent Qt framework and made sure that everything was kept abstract when implementing the back-end interface. That way, somebody can at some point simply implement a Unix-like backend, and the tool can also be used under Linux, even if that will be a huge pile of work.

Microsoft Security Update Summary (July 9, 2019)


[German]As of July 9, 2019, Microsoft has released numerous security updates for Windows clients and servers, for Office, etc. Here is a compact overview of what Microsoft has patched this month.

A list of the updates can be found on this Microsoft page. Details about the update packages for Windows, Office etc. can be found in separate blog posts.


Servicing Stack Updates

Microsoft now publishes an overview of all current Servicing Stack Updates (SSUs). The list of SSUs can be found at ADV990001.

Notes on updates

All Windows 10 updates are cumulative. The monthly Patchday update includes all security fixes for Windows 10 and all non-security fixes up to Patchday.

Updates can also be downloaded from the Microsoft Update Catalog. The updates for Windows RT 8.1 and Microsoft Office RT are only available via Windows Update. Information about the support period for Windows 10 can be found in the Windows Lifecycle Facts Sheet.

In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features.

Critical Security Updates

Internet Explorer 11
ChakraCore
Microsoft Edge
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 version 1709 for 32-bit Systems
Windows 10 version 1709 for x64-based Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server, version 1803 (Server Core Installation)
Windows Server, version 1903 (Server Core Installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Microsoft Visual Studio 2010 Service Pack 1
Microsoft Visual Studio 2012 Update 5
Microsoft Visual Studio 2013 Update 5
Microsoft Visual Studio 2015 Update 3
Microsoft Visual Studio 2017
Microsoft Visual Studio 2017 version 15.9
Microsoft Visual Studio 2019 version 16.0
Microsoft Visual Studio 2019 version 16.1
Team Foundation Server 2010 SP1
Team Foundation Server 2012 Update 4
Team Foundation Server 2013 Update 5
Team Foundation Server 2015 Update 4.2
Team Foundation Server 2017 Update 3.1
Team Foundation Server 2018 Update 1.2
Team Foundation Server 2018 Update 3.2
ASP.NET Core 2.1
ASP.NET Core 2.2
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 AND 4.7.2
Microsoft .NET Framework 3.5 AND 4.8
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6
Microsoft .NET Framework 4.6/4.6.1/4.6.2
Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2
Microsoft .NET Framework 4.8
Azure Automation
Azure DevOps Server 2019.0.1
Mail and Calendar

Important Security Updates

Microsoft Excel 2010 Service Pack 2 (32-bit editions)
Microsoft Excel 2010 Service Pack 2 (64-bit editions)
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Office 2010 Service Pack 2 (32-bit editions)
Microsoft Office 2010 Service Pack 2 (64-bit editions)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2016 for Mac
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft Outlook 2010 Service Pack 2 (32-bit editions)
Microsoft Outlook 2010 Service Pack 2 (64-bit editions)
Microsoft Outlook 2013 Service Pack 1 (32-bit editions)
Microsoft Outlook 2013 Service Pack 1 (64-bit editions)
Microsoft Outlook 2016 (32-bit edition)
Microsoft Outlook 2016 (64-bit edition)
Microsoft Outlook for Android
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2010 Service Pack 2
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2019
Office 365 ProPlus for 32-bit Systems
Office 365 ProPlus for 64-bit Systems
Outlook for iOS
Mail and Calendar
Microsoft Lync 2013 Service Pack 1 (32-bit)
Microsoft Lync 2013 Service Pack 1 (64-bit)
Microsoft Lync Basic 2013 Service Pack 1 (32-bit)
Microsoft Lync Basic 2013 Service Pack 1 (64-bit)
Skype for Business 2016 (32-bit)
Skype for Business 2016 (64-bit)
Skype for Business 2016 Basic (32-bit)
Skype for Business 2016 Basic (64-bit)
Microsoft Exchange Server 2010 Service Pack 3
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 12
Microsoft Exchange Server 2016 Cumulative Update 13
Microsoft Exchange Server 2019 Cumulative Update 1
Microsoft Exchange Server 2019 Cumulative Update 2
Microsoft SQL Server 2014 Service Pack 2 for 32-bit Systems (CU+GDR)
Microsoft SQL Server 2014 Service Pack 2 for 32-bit Systems (GDR)
Microsoft SQL Server 2014 Service Pack 2 for x64-based Systems (CU+GDR)
Microsoft SQL Server 2014 Service Pack 2 for x64-based Systems (GDR)
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (CU+GDR)
Microsoft SQL Server 2014 Service Pack 3 for 32-bit Systems (GDR)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (CU+GDR)
Microsoft SQL Server 2014 Service Pack 3 for x64-based Systems (GDR)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 1 (CU+GDR)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 1 (GDR)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (CU+GDR)
Microsoft SQL Server 2016 for x64-based Systems Service Pack 2 (GDR)
Microsoft SQL Server 2017 for x64-based Systems (CU+GDR)
Microsoft SQL Server 2017 for x64-based Systems (GDR)
Azure IoT Edge
Microsoft Azure Kubernetes Service
Microsoft.IdentityModel 7.0.0

Moderate Security Updates

Internet Explorer 9
Internet Explorer 10

Defense-in-Depth Updates

Microsoft Exchange Server 2013
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019

Similar articles:
Microsoft Office Patchday (July 2, 2019)
Microsoft Security Update Summary (July 9, 2019)
Patchday: Updates for Windows 7/8.1/Server (July 9, 2019)
Patchday Windows 10 Updates (July 9, 2019)
Patchday Microsoft Office Updates (July 9, 2019)

Windows: July 9, 2019 Updates breaks sfc


[German]After Microsoft released its Windows updates for July 9, 2019, the System File Checker (sfc) command, which repairs broken files under Windows, finds some damaged files but can't fix them. However, an analysis shows that this is not caused by the Windows 10 security updates released in July 2019. It seems that an updated signature file for Windows Defender has been causing this issue since July 10, 2019.

What is sfc about?

In Windows, you can use an administrative command prompt window to check the system for corrupted files. To do this, simply use the command:

sfc /scannow

If the command finds corrupted files, the System File Checker (sfc) should be able to repair them. However, it happens again and again that this repair isn’t successful. And this case happened again, after Microsoft has released the July 9, 2019 updates for Windows.

I already got a comment from German blog reader Marco on July 2, 2019, who posted this to my blog post Windows Server 2016: Mai 2018-Update killt sfc from June 2018 . He found uncorrectable errors with sfc:

Status today July 2019 – just discover more problems with SFC /scannow under Windows Server 2016 1607 (Build 14393.3025) – SFC hangs at 45% (since more than one day) – no improvement even after restart – DISM command ran before without problems – DISM /online /cleanup-image /restorehealth – warnings like “Primitive installers committed for repair” or “Failed to internally open package” appear in CBS.log. HRESULT = 0x800f0805 – CBS_E_INVALID_PACKAGE]” or “Failed to OpenPackage using worker session [HRESULT = 0x800f0805]””.
Is anyone here familiar with anything?

Some hints for Windows 10

Yesterday I also noticed some comments from users at the German site deskmodder.de. The comments here and here report issues with sfc. One user tried sfc /scannow after installing the July 9, 2019 update on three Windows 10 V1903 systems and encountered issues: sfc found damaged files, but could not fix them. Other users confirmed this in follow-up comments.

There are also comments within this thread at wilderssecurity.com, where several users describe this issue as well. Later I found this post from Susan Bradley at askwoody.com, which mentions the same issue:

Starting today, Windows 10 users are finding that the /sfc scannow feature is no longer working and that it states it found, but could not fix, corrupted Windows Defender PowerShell files.

Instead, it appears to be related to the latest definition updates for Windows Defender, which were released this morning and are version 1.297.823.0.

Susan writes that the scan error is caused by the latest signature files of Windows Defender (version 1.297.823.0). She refers to the article here by colleague Lawrence Abrams on Bleeping Computer (see below).

Also issues in Windows 7?

German blog reader Dennis T. left a comment last night on my blog post Patchday: Updates für Windows 7/8.1/Server (9. Juli 2019), because he ran into a similar issue with Windows 7.

Yesterday I installed KB4507456 (Security Only) for Windows 7 for 32 bit and got an error message after running sfc /scannow. The log contains the files “tsgqec.dll” and “rdvidcrl.dll” which cannot be repaired (hash mismatch). Before installing KB4507456, sfc /scannow and dism /online /Cleanup image /scanhealth ran through cleanly. Here is my question and request: Did or can anyone run sfc /scannow after installing KB4507456 and tell if this is done without error message? I have tested 2 computers, both of them throw out the same error. Many thanks in advance

But I’m not sure, whether this is the same issue.

Analysis: Defender signature file is to blame

MVP colleague Lawrence Abrams has also noticed the comments within this thread at wilderssecurity.com. Abrams was then able to reproduce the issue in a virtual machine running Windows 10 when Windows Defender was configured as virus protection. Surprisingly, he had not installed the July 2019 security updates on that machine. He described his findings within this article here.

(Screenshot: sfc /scannow error, Source: Bleeping Computer)

The above screenshot shows the error message. The sfc command stores its error messages in the following file:

C:\Windows\Logs\CBS\CBS.log

An evaluation by Abrams showed that sfc reports that the hashes of the Windows Defender PowerShell component files in the folder

C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Defender

do not match the component files in the WinSxS folder. Abrams writes that the component files are referenced via hard links. The error messages about deviating hash values are therefore not plausible.
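To see which files and components sfc could not repair, the [SR] entries in CBS.log can be filtered and grouped. The following PowerShell function is an added example, not taken from the cited articles; the function name is hypothetical, and the sample log lines are constructed to resemble sfc's "Cannot repair member file" entries (the component names, versions and key tokens in them are placeholders).

```powershell
# Added example. Extracts the files sfc could not repair from CBS.log lines and
# groups repeated reports of the same file, so the affected components stand out.
function Get-SfcUnrepairedFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin {
        # Assumed entry layout:
        #   [SR] Cannot repair member file [l:NN]'name' of Component, ..., in the store, <reason>
        # The length marker is optional and both quote styles are accepted.
        $pattern = '\[SR\]\s+Cannot repair member file\s+(?:\[[^\]]*\])?["''](?<file>[^"'']+)["'']' +
                   '\s+of\s+(?<component>[^,]+),.*\bin the store,\s*(?<reason>.+?)\s*$'
        $seen = @{}
    }
    process {
        if ($Line -match $pattern) {
            $component = $Matches['component'].Trim()
            $file      = $Matches['file']
            $key       = ('{0}|{1}' -f $component, $file).ToLowerInvariant()

            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = [pscustomobject]@{
                    Component   = $component
                    File        = $file
                    Reason      = $Matches['reason']
                    Occurrences = 0
                }
            }
            # sfc can report the same file more than once in a single run.
            $seen[$key].Occurrences++
        }
    }
    end {
        $seen.Values | Sort-Object Component, File
    }
}

# Constructed sample input (placeholder component names, versions and tokens).
$sampleLog = @'
2019-07-10 08:14:02, Info                  CSI    00000021 [SR] Beginning Verify and Repair transaction
2019-07-10 08:14:05, Info                  CSI    00000023 [SR] Cannot repair member file [l:10]'tsgqec.dll' of Example-Component-A, version 6.1.7601.1, arch x86, nonSxS, pkt {l:8 b:0000000000000000} in the store, hash mismatch
2019-07-10 08:14:05, Info                  CSI    00000025 [SR] Cannot repair member file [l:12]"rdvidcrl.dll" of Example-Component-B, version 6.1.7601.1, arch x86, nonSxS, pkt {l:8 b:0000000000000000} in the store, hash mismatch
2019-07-10 08:14:09, Info                  CSI    00000027 [SR] Cannot repair member file [l:10]'tsgqec.dll' of Example-Component-A, version 6.1.7601.1, arch x86, nonSxS, pkt {l:8 b:0000000000000000} in the store, hash mismatch
2019-07-10 08:14:10, Info                  CSI    00000029 [SR] Verify complete

2019-07-10 08:14:11, Info                  CBS    Some unrelated servicing message
'@ -split "`r?`n"

$sampleLog | Get-SfcUnrepairedFile | Format-Table -AutoSize

# Against the real log, from an elevated prompt:
#   Get-Content C:\Windows\Logs\CBS\CBS.log | Get-SfcUnrepairedFile
```

If every reported file belongs to the Defender PowerShell module, the result matches the signature-update issue described in this post rather than general file corruption.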

The colleagues from German site deskmodder.de have also taken up the topic in this article. They write that there might be an error because the 32-bit and 64-bit hash values were wrongly compared.

In another analysis, Abrams writes that the problem is probably caused by the latest definition updates for Windows Defender to version 1.297.823.0, released on July 10, 2019. Some users then managed to repair the damaged files with the following dism commands:

DISM /Online /Cleanup-Image /CheckHealth
DISM /Online /Cleanup-Image /ScanHealth
DISM /Online /Cleanup-Image /RestoreHealth

If that doesn’t work, you have to wait and see whether Microsoft will release new definition updates for Windows Defender or otherwise correct them.

Note: At the German site deskmodder.de, user DK2000 added this comment with his analysis of what happened with the Defender update KB4052623. Quote:

The point is not that 32bit was confused with 64bit, but that KB4052623 directly updates the files in the 64bit package, circumvents the component store, without updating the catalog. The component store doesn't know anything about the new files and still compares the old files. So sfc expects the old files here as well, just like DISM with RestoreHealth.

Similar articles:
Patchday: Updates for Windows 7/8.1/Server (July 9, 2019)
Patchday Windows 10 Updates (July 9, 2019)
Windows Server 2016: May 2018 Update bricks sfc
Windows 10 V1703: Fix for DISM error 0x800F081F

June Update KB4503276 blocks PXE boot on SCCM DPs


A brief warning for administrators using Windows Server 2012 to deploy via SCCM. The June 2019 update KB4503276 causes trouble because it prevents PXE booting (WDS). Microsoft has now confirmed the problem.

Update KB4503276 for Windows Server 2012 R2

Update KB4503276 is the June 2019 rollup update for Windows 8.1 and Windows Server 2012 R2 that was released on June 11, 2019. Microsoft even states in the KB article about the update that a problem in the Pre-Boot eXecution Environment (PXE) has been fixed. Quote from the KB article:

Fixes an issue that prevents the Pre-Boot eXecution Environment (PXE) from booting a device on a Windows Deployment Services (WDS) server for which the variable window extension is configured. This may cause the WDS server to disconnect prematurely when the image is downloaded. Clients or devices that do not use the variable window extension are not affected by this problem.

At the same time, some known issues are mentioned in the KB article, but PXE boot issues are not listed there.

A warning at Twitter

I don’t use SCCM, but I became aware via Twitter of the warning posted in the tweet below.

Johan Arwidmark warns against distributing update KB4503276, dated June 11, 2019, to Deployment Points (DPs) of SCCM. It is highly likely that PXE boot (for the Windows Deployment Services, WDS) will break during this process. If it happens at all, it is hard to debug because it occurs intermittently. On reddit.com there is this thread from July 1, 2019, which also takes up the topic. Quote:

After June’s CU applied to our DPs we have intermittent problems with PXE boot again. Looking at KB4503276 I can see that the old issue with variable window extension from the March CU is supposed to be solved.

I tried to set that value back to 0 since that was the recommended workaround in previous months and it appeared to initially solve the problem. But now we see about half of the PXE boots failing with the same error code as in March. All google results point to the registry value.

We have uninstalled the patch on one DP and are waiting for confirmation from other IT staff if PXE boot is working again or not.

We’ve also opened a ticket with MS about this but we’ve gotten nowhere so far. Does anyone else have these problems again after the June CU?

The problem is confirmed by other readers there. Worse, even uninstalling the update no longer solves the issue. A user has posted a fix where he sets the option “Enable a PXE responder without Windows Deployment Services”. See the reddit thread for more information.

Microsoft confirms the issue

I had already written this post when I got another Twitter notification. The following tweet pointed me in the right direction (thanks to @PhantomofMobile for that).

Microsoft has released KB article 4512816 entitled ‘Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services or System Center Configuration Manager may fail to start with error "0xc0000001"’. The issue affects virtually all versions of Windows Server that are still in support. Details can be found in the KB article, where a workaround is also discussed. Well, it’s not my field of activity – but I assume that it will be helpful for those affected.

McAfee Endpoint Security blocks Windows login


Users of McAfee Endpoint Security 10.2 and earlier may have another issue: Endpoint Security blocks Windows logon. McAfee confirmed the issue a few days ago and provides a workaround and fixes.

Login blocked by Endpoint Security

McAfee has published KB91653 titled Unable to log on to Windows systems with Endpoint Security 10.2 (or earlier) after you apply Exploit Prevention content version 9418. Users cannot log on to Windows if Endpoint Security 10.2 (or earlier) is installed and the following is true:

  • Exploit prevention is enabled, and
  • the content version 9418 of Exploit Prevention is used.

However, the number of people affected is likely to be small because, according to McAfee, Endpoint Security 10.2 and earlier versions have been out of support since December 15, 2018 (End of Life, EOL).

McAfee offers a fix

Although Endpoint Security 10.2 is no longer supported, McAfee offers content version 9419 for Exploit Prevention. This was released on July 10, 2019 and fixes this issue. Because affected systems can no longer be used while Endpoint Security blocks the logon, McAfee has published a troubleshooting approach in the KB article. It requires booting into Safe Mode, deleting some files and booting back into normal mode. Then you should be able to update the content file for Exploit Prevention. Further details can be found in the KB article.

Addendum: I just noticed that softpedia.com also has an article discussing this issue.


Office365 violates GDPR in schools


The Commissioner for Data Protection and Freedom of Information in the German state of Hesse has declared that Windows 10 and Office 365 are not compliant with the GDPR for use in schools.

This is a slap in the face for Microsoft: the Data Protection and Freedom of Information officer of the German state of Hesse, Ronellenfitsch, has declared the use of Office 365 in schools inadmissible. The guiding principle of the data protection commissioner’s decision is as follows:

The use of Microsoft Office 365 in schools is not permitted under data protection law if schools store personal data in the European cloud.

According to Ronellenfitsch, Germany has been discussing for years whether schools can use the Microsoft Office 365 software in a data protection-compliant manner. In August 2017, the Hessian Commissioner for Data Protection and Freedom of Information (HBDI) was the only German data protection supervisory authority to make a statement on this issue, after an extensive review of Microsoft’s Germany cloud.

First assessment: It’s possible with the Germany cloud

In its statement at that time, HBDI stated that Office 365 can be used by schools in the Germany cloud in accordance with data protection regulations, as long as the tools provided by Microsoft (e.g. role and authorization concept, logging, etc.) are properly used by the schools.

Germany cloud to be discontinued

In August 2018, Microsoft announced to the public that no more contracts will be offered for the Germany cloud and that the sale of this product will be discontinued. Since then, a large number of teachers and school administrators, as well as school authorities, have asked HBDI about the use of Office 365 in the European cloud. In addition, in recent months individual school authorities have massively promoted Office 365 into the school landscape, regardless of the unresolved data protection issues.

Use of Office 365 with Euro-Cloud not permitted

In a press release, the Hessian data protection commissioner goes into more detail on the question of why the use of Microsoft Office 365 in schools is currently inadmissible. According to the data protection officer, the use of cloud applications by schools is generally not a data protection problem. Many schools in Hesse are already using cloud solutions. Schools can use digital applications that comply with data protection regulations, provided that the security of data processing

The legal situation is different with Office 365 as a cloud solution. The regulatory authorities have been discussing this with Microsoft for years. The decisive aspect here is whether the school as a public institution can store personal data (of children) in a (European) cloud that is, for example, exposed to possible access by US authorities.

Public institutions in Germany have a special responsibility with regard to the permissibility and traceability of the processing of personal data. The digital sovereignty of state data processing must also be guaranteed. In autumn 2018, the Federal Office for Information Security drew the public’s attention to another problem.

When using the Windows 10 operating system, a wealth of telemetry data is transmitted to Microsoft, the contents of which have not been conclusively clarified despite repeated requests to Microsoft. Such data is also transmitted when Office 365 is used.

The data protection commissioner sees the use of Office 365 in the cloud as a violation of the GDPR that cannot be cured by parental consent. The reason is that the security and traceability of the data processing is not guaranteed. Data processing is therefore not permitted. The attempt to achieve a cure through a declaration of consent from the parents would also not take sufficient account of the special protective rights of children, e.g. under Art. 8 of the General Data Protection Regulation (GDPR).

Microsoft has to move or is out

HBDI is aware of the needs that schools have for the use of office packages. For this reason, there is also an interest in working with Microsoft to arrive at a data protection-compliant solution. However, this is not the fault of HBDI or the other German supervisory authorities, but mainly of Microsoft itself. As soon as, in particular, the possible access of third parties to the data stored in the cloud and the issue of telemetry data have been resolved in a comprehensible and data protection-compliant manner, Office 365 can be used as a cloud solution by schools. Until then, however, schools can use other instruments such as on-premises licenses on local systems.

Microsoft confirms July 9, 2019 Updates breaks sfc in Windows


After Microsoft released its Windows updates of July 9, 2019, the System File Checker (sfc) command, which repairs broken files under Windows, finds some damaged files but can’t fix them. Now Microsoft has confirmed this issue.

Windows: July 9, 2019 Updates breaks sfc

In Windows, you can use an administrative command prompt window to check the system for corrupted files. To do this, simply use the command:

sfc /scannow

If the command finds corrupted files, the System File Checker (sfc) should be able to repair them. However, it happens again and again that this repair isn’t successful. This happened again after Microsoft released the July 9, 2019 updates for Windows. I’ve discussed this issue in the blog post Windows: July 9, 2019 Updates breaks sfc.

Microsoft confirms the issue

Blog reader EP pointed out in this comment that Microsoft has confirmed this issue. In KB4513240 (System File Checker (SFC) incorrectly flags Windows Defender PowerShell module files as corrupted), Microsoft writes:

The System File Checker (SFC) tool flags files in %windir%\System32\WindowsPowerShell\v1.0\Modules\Defender as corrupted or damaged. You see error messages such as the following: 

Hashes for file member do not match.

This is a known issue in Windows 10, version 1607 and later versions, and Windows Defender version 4.18.1906.3 and later versions. The files for the Windows Defender PowerShell module that are located in 

%windir%\System32\WindowsPowerShell\v1.0\Modules\Defender

ship as part of the Windows image. These files are catalog-signed. However, the manageability component of Windows Defender has a new out-of-band update channel. This channel replaces the original files with updated versions that are signed by using a Microsoft certificate that the Windows operating system trusts. Because of this change, SFC flags the updated files as “Hashes for file member do not match.”

Future releases of Windows will use the updated files in the Windows image. After that, SFC will no longer flag the files. Because SFC incorrectly flags the files in %windir%\System32\WindowsPowerShell\v1.0\Modules\Defender, you can safely ignore the SFC error messages regarding these files.
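
The following is an added example, not part of Microsoft's KB article or of the original post: it separates the sfc entries in CBS.log that belong to the Defender PowerShell module (the known false positive) from any other unrepaired files, and checks the signatures of the module files before they are ignored. The function names, the `[SR]` line layout, the component name and the sample lines are assumptions constructed for illustration.

```powershell
# Triage sfc findings in CBS.log after the July 2019 Defender update (added example).
# Assumptions: the [SR] line layout and the component name follow typical CBS.log
# entries; the sample lines below are constructed, not taken from a real machine.

function Get-SfcUnrepairedFile {
    param(
        [Parameter(Mandatory)] [string[]] $Line,
        [string] $KnownComponent = 'Windows-Defender-Management-Powershell'  # assumed name
    )
    # sfc tags its entries with [SR]; capture the file name and the owning component.
    $pattern = "\[SR\] Cannot repair member file \[l:\d+\]'(?<file>[^']+)' of (?<component>[^,]+),"
    $hits = foreach ($entry in $Line) {
        if ($entry -match $pattern) {
            $component = $Matches['component'].Trim()
            [pscustomobject]@{
                LoggedAt      = ($entry -split ',')[0]
                File          = $Matches['file']
                Component     = $component
                KnownDefender = ($component -eq $KnownComponent)
            }
        }
    }
    # The same file can be logged more than once, so keep one row per component and file.
    $hits | Sort-Object Component, File -Unique
}

function Test-DefenderModuleSignature {
    param([string] $Folder = "$env:windir\System32\WindowsPowerShell\v1.0\Modules\Defender")
    # KB4513240 states the replaced files are Microsoft-signed; check that before ignoring them.
    Get-ChildItem -Path $Folder -File -Recurse | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{ File = $_.Name; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
    }
}

# Constructed sample: two Defender module files (one logged twice) and one unrelated file.
$sample = @'
2019-07-11 09:14:02, Info                  CSI    00000025 Hashes for file member [l:13]'Defender.psd1' do not match.
2019-07-11 09:14:02, Info                  CSI    00000026 [SR] Cannot repair member file [l:13]'Defender.psd1' of Windows-Defender-Management-Powershell, version 10.0.18362.1, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
2019-07-11 09:14:03, Info                  CSI    00000028 [SR] Cannot repair member file [l:27]'MSFT_MpComputerStatus.cdxml' of Windows-Defender-Management-Powershell, version 10.0.18362.1, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
2019-07-11 09:14:09, Info                  CSI    00000031 [SR] Cannot repair member file [l:13]'Defender.psd1' of Windows-Defender-Management-Powershell, version 10.0.18362.1, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
2019-07-11 09:14:11, Info                  CSI    00000033 [SR] Cannot repair member file [l:11]'example.dll' of Example-Constructed-Component, version 10.0.18362.1, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35} in the store, hash mismatch
'@ -split "`r?`n"

$findings = Get-SfcUnrepairedFile -Line $sample
'Covered by KB4513240 (Defender PowerShell module):'
$findings | Where-Object KnownDefender | Format-Table LoggedAt, File -AutoSize
'Still needs investigation:'
$findings | Where-Object { -not $_.KnownDefender } | Format-Table LoggedAt, Component, File -AutoSize

# On an affected machine (elevated prompt):
#   Get-SfcUnrepairedFile -Line (Get-Content "$env:windir\Logs\CBS\CBS.log")
#   Test-DefenderModuleSignature | Where-Object Status -ne 'Valid'
```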

Similar articles:
Patchday: Updates for Windows 7/8.1/Server (July 9, 2019)
Patchday Windows 10 Updates (July 9, 2019)
Windows Server 2016: May 2018 Update bricks sfc
Windows 10 V1703: Fix for DISM error 0x800F081F

Windows: What about the BlueKeep vulnerability in July 2019?


Today, a look at the vulnerability CVE-2019-0708 (BlueKeep) in Windows Remote Desktop Services, for which Microsoft released updates for Windows XP through Windows 7 on May 14, 2019.

I had reported about the BlueKeep vulnerability CVE-2019-0708 in several blog posts. An explanation of the vulnerabilities can be found in the blog post Critical update for Windows XP up to Windows 7 (May 2019). There is a patch, but it has not been installed on all systems. Here is a short inventory.

No exploitation so far

First, a look at the question of whether BlueKeep is being exploited. Security researcher Kevin Beaumont has been running a honeypot for some time now and has posted a status message in the following tweet.

He has seen a lot of brute force attacks on the honeypot’s RDP access. But he hasn’t yet seen an exploit that triggers a blue screen on the target system, or even an exploit that bypasses the RDP login. It is still possible to give an ‘all-clear’ regarding the exploitation of the vulnerability.

Tenable: Probably still 800,000 systems unpatched

A few days ago, security provider Tenable sent me a statement that many systems are still unpatched.

“Recent estimates show that over 800,000 systems are still vulnerable to the BlueKeep vulnerability – almost two months after patches were deployed. Although the number of unpatched systems has decreased since May, that’s not enough. While there is a lot of panic in the security industry, this is not the case – companies and users should not just dismiss BlueKeep as the next ‘hype’. The vulnerability is too dangerous for that: BlueKeep has the best prerequisites to become the next WannaCry or NotPetya. Our urgent appeal: ‘Patch!’”

Are my systems patched?

Administrators who are faced with the question of how to scan their systems for the BlueKeep vulnerability can find help. In my blog post How To: BlueKeep-Check for Windows, I looked at how a system can be scanned both locally for installed patches and on a network for vulnerabilities.

Similar articles
A threat actor scans Windows systems for BlueKeep vulnerability
BlueKeep: Windows Remote Desktop Services vulnerability exploits status
Critical update for Windows XP up to Windows 7 (May 2019)
Nearly 1 million Windows machines with BlueKeep vulnerability
BlueKeep vulnerability: Microsoft warns about a wormable malware epedemia
BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor
How To: BlueKeep-Check for Windows

BlueKeep warning: Exploit might come soon?


Another warning: after someone has posted slides about the BlueKeep vulnerability on GitHub, it shouldn’t be long before a working exploit appears in practice.

Nothing is as old as yesterday’s news. A few hours ago I noted in the article Windows: What about the BlueKeep vulnerability in July 2019? that so far no exploit for the BlueKeep vulnerability on unpatched systems is known. This is likely to change soon.

Slides of a public presentation

At a security conference held in Beijing these days, a speaker talked about the Remote Desktop Services vulnerability CVE-2019-0708 (BlueKeep) and presented a concept for a working exploit.

The slides then found their way onto Dropbox and are now also available on GitHub.

The previously publicly known approaches for a Proof of Concept (PoC) could at most crash the Windows system. In the above tweet, MalwareTech expresses the suspicion that the slides that have become public will soon lead to an exploit that enables a Remote Code Execution (RCE) attack.

The BlueKeep vulnerability

I had reported about the BlueKeep vulnerability CVE-2019-0708 in several blog posts. An explanation of the vulnerabilities can be found in the blog post Critical update for Windows XP up to Windows 7 (May 2019). There is a patch, but it has not been installed on all systems.

It is currently estimated that approximately 800,000 systems are still unpatched and accessible via the Internet. In my blog post How To: BlueKeep-Check for Windows, I explained how a system can be scanned both locally for installed patches and in a network for vulnerabilities.

Similar articles
A threat actor scans Windows systems for BlueKeep vulnerability
BlueKeep: Windows Remote Desktop Services vulnerability exploits status
Critical update for Windows XP up to Windows 7 (May 2019)
Nearly 1 million Windows machines with BlueKeep vulnerability
BlueKeep vulnerability: Microsoft warns about a wormable malware epedemia
BlueKeep: Patch for pirated copies; SSL tunnel as a risk factor
How To: BlueKeep-Check for Windows

Windows and the effectiveness of 0-day exploits


How critical are unpatched vulnerabilities (0-day exploits) in their impact on the latest version of Windows? I’ve been able to get an interesting piece of information that indicates the trend since 2015.

The following overview is by Microsoft employee Matt Miller, who works in the Microsoft security team. He posted the following on Twitter.

Only about 40% of the 0-day exploits can work in the current version of Windows, since 66% of the vulnerabilities have already been considered. With Windows 10 this always refers to the latest build, e.g. version 1903. Well, statistics are not very helpful in case of a problem.
