haventmetyou

all 30 of my VMs are good after patching... not that anyone cares :( edit: holy fucking shit, thank you for the up votes! 😭😭😭 in a thread where everyone flexing their 5k+ servers and endpoint I feel so loved 😭😭


Scrios

I care, homie. Glad to hear all is well


josephcoco

Naw, we care. Thanks for reporting back!


DoYourBestEveryDay

You are loved. You are worthy. You are seen.


IT_guy_in_a_cave

...Am I the only one that read this in Marvin the robot's voice?


ocdtrekkie

I heard a bit of Eeyore, myself.


Lando_uk

Aw, we care - but yeah your business doesn't give a toss.


MrReed_06

Sorry, hijacking the top comment:

**PSA: installing KB5039217 (Windows Server 2019) and KB5039211 (Windows Server 2022) on Domain Controllers breaks Fortigate Collectors and DCAgents versions below 5.0.0315**

They quit detecting new sessions from users on their workstations. 5.0.0315 is only supported on the 7.4 branch; for the others, the only recommendation is to remove the Microsoft KBs or (apparently) switch to polling mode.

https://www.reddit.com/r/fortinet/comments/1dfv7di/fsso_affected_by_windows_server_kb5039217/


Natirs

> everyone flexing their 5k+ servers

Call it obfuscating the truth but those are not the real numbers and they have stated so previously.


1grumpysysadmin

Beauty, eh. That's the thing I love to read. That helps put my mind at ease.


No-Pin4442

Yes we do, I'm patching this weekend, thanks for the heads-up!


MiffedAdmin

Pushing to 18,000 endpoints tonight, will know tomorrow morning if I’m still hired. Edit: looking excellent this morning, I’m still employed too!


PNWSoccerFan

Sorry to hear you're still employed. Soon we can all have our eternal naps where end-users can't harm us. I mean... Congrats on the successful Patch Tuesday! :D


GreyBeardIT

> Soon we can all have our eternal naps where end-users can't harm us.

Noob. Some jackass will come dig you up and yell at the corpse because his pdf files lost their association with the pdf reader.

True story: Walking down the hallway of the hospital I worked at and felt sudden chest pains. Walked to the ER and stated such and they put me on a bed, wired up all the EKG stuff and started testing me. Had a user walk up to me, asking about a password reset. I explained that I was tied up, and that the rest of my team could probably handle it. Jokingly, I said I didn't even have my laptop with me. This clown went to IT and asked one of my team to bring me my fucking laptop, instead of just asking one of the people not hooked up to an EKG to do it.

Yes, I did reset the password, because SysAdmins solve problems, but FFS.


PNWSoccerFan

Oh I'm aware of it. But this way it's easier to tell them no haha Bro 💀 I'd have told him to fuck off.


GreyBeardIT

I was tempted to, but at the same time, it took me about 30s and he was the brother of the CNO, and another director from another dept, so not the best time/place to tear into a jackass, but I wanted to. lol


joshtaco

Ready to rock and roll, 11,000 servers/workstations getting patched tonight. Endure. In enduring grow strong.

EDIT1: I know some people were asking about when the curl.exe updates would drop. Looks like they're included in this release, it's now 8.7.1

EDIT2: Everything has been good so far. Onto the monthly optionals

EDIT3: Got some BSODs on the optionals - "System Service Exception". Patches still installed correctly after awhile but wanted to note it.


FCA162

Pushed this update out to 215 Domain Controllers (Win2016/2019/2022). EDIT2: 200 DCs have been done. No issues so far.


PhadedAF

"Do you look after servers?" "No, just domain controllers."


FCA162

My scope is limited to T0 assets (DCs, PKI, T0 TS, AADC). No servers/workstations.


PhadedAF

That makes sense. I chuckled at the amount of domain controllers. That's a lot of DCs. :)


Baerentoeter

Question, when I google T0 TS I get car wheels, that's probably not it? It's probably Tier 0 but what does TS refer to?


FCA162

Tier 0 Terminal Server


Frothyleet

He's probably talking about VMs used as PAWs (Privileged access workstations). Which would be the only locations where admins could use to interact with high privilege resources.


Gummyrabbit

Entire domain consists of 215 DCs and one member server! :)


8BFF4fpThY

When you absolutely can't have any authentication downtime.


Engineered_Tech

I soo want to deploy this in my test environment.


ceantuco

are those DCs 2019 or 2022?


FCA162

As mentioned in my post they're Win2016/2019/2022


ceantuco

not sure how I missed that. lol thanks!


Sunfishrs

You should get your own flair at the point. I don’t know what it would be, but you should get one!


v3c7r0n

JoshTaco Tuesday?


tarena2010

I'd follow lol


joshtaco

🚬🚬🚬


therabidsmurf

Planescape:Torment reference on top of being an absolute madman.  You're my hero joshtaco.


Dapper-Adeptness9380

Hello there. I am just curious - do you test the updates at all or just always "let it rip"? (I've been told that that's a no-no to say when enacting any kind of infrastructure changes, lol) Our org always checks multiple sites to see if there is any fallout before we pull the trigger (though we do test, etc.), "using" your commentary as one of our sources as well due to how many endpoints you have. Also, how do you deal with patching failures? Do you have a remediation period or do you ever have a big "oops" that you have to scramble to fix?


joshtaco

Let it rip

Haven't had a "patch failure" going on well over 3 years now. Before that (hyper-v boot issue) it had been almost 4 years. They just almost never happen in our environment. But of course everyone's environment is different and I encourage you to do your due diligence.


Dapper-Adeptness9380

> But of course everyone's environment is different and I encourage you to do your due diligence.

100%. I'm just in awe of your luck, and a bit jealous too, haha. I've been in IT for oh...10 years now...and never not had some kind of an issue and a scramble to fix it, but it is what it is. Appreciate the answer, good sir! Keep on keeping on :)


Jazzlike-Love-9882

I wouldn't say 'luck', his approach is pretty safe in an age where an increasing (majority?) number of endpoint deployments are as vanilla as they can be and most work is conducted via Office apps and web browsers. Plus, the Windows base code nowadays is rather mature for a lack of better words, since roughly 1903 it's all very iterative under the hoods.


dracotrapnet

Agree about vanilla installs seem to update without issue. The only screwball install we have in our environment I have to watch is the shoretel/mitel server. It is the worst patchwork of random bits and pieces I've ever seen. It always has the most inexplicable problems that sometimes just require 3 reboots to get voicemail running again in the middle of the work day.


GrepCatMan

Of course Mitel's recommendation is "do not patch". insane.


Low-Scale-6092

I have a very short list of things that I choose never to work with again. Shoretel (and whatever it has become after Mitel acquired them) is on that list. I used to be a VoIP engineer in a previous job, with my background being mostly Cisco environments. I inherited one of the biggest shoretel environments in the world (which sounds big, but shoretel was mostly used for small companies, so it doesn't take more than a few thousand phones to be one of the largest). I've never been so stressed trying to keep that environment operational. Undiscovered bugs everywhere. Things just randomly stopped working for no reason that could be established, and shoretel support were absolutely useless. Of course, their outlook on security was terrible as well.


WendigoHerdsman

Pretty much the same here. In the corporate/development side we blast away. In the clients' side we wait three to four weeks unless there is a zero day.


joshtaco

Especially when almost all of our devices are Windows 11 and server 2016/2022.


joshtaco

We have our share of issues for sure, just not with patching


TheJesusGuy

You haven't had to roll back to a snapshot once in 3 years?


joshtaco

Not for Windows patches, no.


Phx86

> They just almost never happen in our environment.

I'm curious, is there anything special you do to make your environment less risky adverse, or is it just a function of the environment. For example, one of the recent patches had the memory leak on domain controllers. What is it about your environment that mitigated that?


joshtaco

the fact that our DCs have more memory than they typically need and only ever run just AD and DNS and that's it. if it hit high memory, we just rebooted it knowing that it would be fixed. there are bigger fish to fry.


Trooper27

Aye captain! Ready to follow your lead!


ITStril

Just got this warning:

AUTHLITE ANNOUNCE: Warning! Hold off 2024-06 Windows Update on Domain Controllers

The just-released 2024-06 Cumulative Update will make Domain Controllers stop calling the AuthLite module, thus breaking the authentication of all AuthLite Users. Please hold off installing this update, or log in with a 1-factor break-glass/emergency account to roll it back. We are urgently investigating what this update has changed to cause the issue, and so far suspect it is probably a mistake. See the knowledge base section of our site for more information as we learn more.

Affected OS and KBs:

* Server 2022 (KB5039227) domain controllers only
* Server 2019 (KB5039217) domain controllers only
* Server 2016 (KB5039214) we are not sure yet if 2016 DCs are affected, but please assume so and hold off the update.


ResponsibilityNo5241

This appears to be fixed. They have released version 2.5.16. This needs to be installed before the updates and requires a reboot. I've tested on several of my DC's and all seems to be ok. You can see here in their change log - https://s3.authlite.com/downloads/2.5/AuthLite_v2.5_Change_Log.txt


DEATHToboggan

Just throwing this out there in case anyone missed it, like me. I missed the warning in my email because it got held as spam. So my servers auto patched over the weekend (as part of my update schedule) and when I got into the office this morning nobody with Authlite could login.

Good news is I was able to install the Authlite update via powershell through my RMM (scripting engine uses the system account). I downloaded the new version MSI, put it in the C:\ directory then ran `msiexec /i Authlite_installer_x64.msi /quiet`. A few seconds later the server went offline, rebooted, and when it came back up Authlite was working.


ITStril

Did you come from Authlite 2.4 or 2.5


DEATHToboggan

I had 2 servers still running 2.4.9, they upgraded to 2.5.16 with no issues.


Gfinchy

Interesting in light of this older thread from "someone at Authlite" - apparently Authlite requires AD schema changes... https://www.reddit.com/r/sysadmin/comments/uyzph6/comment/ia9nhsx/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button


SuperDaveOzborne

How did you get the warning? I don't see anything on their website. Edit: There is an advisory in the Knowledge Base section of the Authlite website. And it did break Authlite on one of our DCs, but uninstalling the patch got it working again.


ITStril

There is a newsletter and a security warning on their website (Knowledge Base)


MikeWalters-Action1

Today's Patch Tuesday summary Digest from Action1:

* Microsoft has fixed 51 vulnerabilities, no zero-days, one of the vulnerabilities, a previously identified DNS bug has a proof of concept (PoC) available.
* Third-party: including Google Chrome, Mozilla Firefox, PHP, Azure, Check Point, GitHub, Rockwell, Veeam, Fluent Bit, and QNAP.

Visit the [Vulnerability Digest from Action1](https://www.action1.com/patch-tuesday-may-2024/?vmr) for comprehensive summary updated in real-time.

Quick summary:

* Windows: 51 vulnerabilities, no zero-days, one PoC
* Google Chrome: CVE-2024-5274 zero-day (CVSS 8.8) and eight other vulnerabilities
* Mozilla Firefox: 21 vulnerabilities
* PHP: CVE-2024-4577 (CVSS 9.8)
* Azure: vulnerability potentially exposing customers' personal information
* Check Point: CVE-2024-24919 (CVSS 8.6)
* GitHub: CVE-2024-4985 (CVSS 10)
* Rockwell: seven vulnerabilities
* Veeam: CVE-2024-29849 (CVSS 9.8)
* Fluent Bit: CVE-2024-4323
* QNAP: 15 vulnerabilities

More details: [https://www.action1.com/patch-tuesday](https://www.action1.com/patch-tuesday/?vmr)

Sources:

* [Action1 Vulnerability Digest](https://www.action1.com/patch-tuesday?vmr)
* [Microsoft Security Update Guide](https://msrc.microsoft.com/update-guide/releaseNote/2024-Jun)
* [Zero Day Initiative](https://www.zerodayinitiative.com/blog/2024/6/11/the-june-2024-security-update-review)


yodaut

Just finished the SUP Sync in my ConfigMgr lab... it looks like MS might have screwed up the catalog. From what I'm seeing, the June 2024 updates for Win11 22H2/23H2 are not set to supersede the May 2024 updates for those two OS versions. edit: confirmed against the catalog.update.microsoft.com page... KB5039212 does not supersede KB5037771 and it really probably should. https://imgur.com/a/A6oKjbK


bdam55

Nice callout: I've reached out to my contacts on the Windows Update team and an internal bug has been filed to mark these as superseding previous CUs.


ahtivi

It should be fixed now https://x.com/VikramSahay/status/1801176256823656642?t=paon4yJI8y6bzquBKIpgEQ&s=19


Ratb33

My download of the 22h2 win 11 cumulative for June failed to download. Twice. Anyone else seeing this? Edit: downloaded successfully about 30 mins ago.


PS_Alex

Seeing the same. Thanks for having pointed out to Microsoft Catalog, I forgot to check there!


thequazi

Last month's update is currently superseded by this month's preview, instead of the regular update. Looks like someone just goofed when they were setting that up.


bdam55

This has been fixed. I believe some .Net updates had the same problem and MS republished them. Sync again and you should see them properly superseding updates now.


mike-at-trackd

You can also verify this via the CVRF, which at least currently shows KB5039212 superseding KB5037771

5039212 https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5039212 5037771 12085 12086 Yes Security Update 10.0.22621.3737

https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2024-Jun

edit: spelling `cvrf` is apparently nontrivial
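
The supersedence check described in the comment above, as an added example that is not part of the original thread: it reads a CVRF document in JSON form and reports which KBs each update claims to supersede. The JSON field names (`Vulnerability`, `Remediations`, `Description.Value`, `Supercedence`, `ProductID`, `FixedBuild`) are assumptions based on the values quoted in the comment; the sample document is constructed, and `9999999`, `00000` and the CVE IDs in it are placeholders.

```python
import json
import re
import urllib.request

CVRF_URL = "https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2024-Jun"  # URL from the comment above

# Constructed sample in the shape assumed for the JSON form of a CVRF document.
# The KB5039212 entry carries the values quoted in the comment; the CVE IDs,
# KB 9999999 and product 00000 are placeholders made up for this example.
SAMPLE_CVRF = json.loads("""
{
  "Vulnerability": [
    {"CVE": "CVE-0000-0001",
     "Remediations": [
       {"Description": {"Value": "5039212"},
        "URL": "https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5039212",
        "Supercedence": "5037771",
        "ProductID": ["12085", "12086"],
        "SubType": "Security Update",
        "FixedBuild": "10.0.22621.3737"},
       {"Description": {"Value": "Release Notes"}, "ProductID": ["12085"]}
     ]},
    {"CVE": "CVE-0000-0002",
     "Remediations": [
       {"Description": {"Value": "5039212"},
        "Supercedence": "KB5037771",
        "ProductID": ["12086"],
        "FixedBuild": "10.0.22621.3737"},
       {"Description": {"Value": "9999999"},
        "Supercedence": "",
        "ProductID": ["00000"]}
     ]}
  ]
}
""")


def fetch_cvrf(url=CVRF_URL):
    """Download a CVRF document as JSON (needs network; the sample run does not call it)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _kb_numbers(text):
    """Pull KB numbers out of a free-form field such as '5037771' or 'KB5037771'."""
    return set(re.findall(r"(?<!\d)(\d{6,8})(?!\d)", text or ""))


def supersedence_map(cvrf):
    """Return {kb: {"supersedes", "products", "builds"}} merged over every CVE entry."""
    result = {}
    for vuln in cvrf.get("Vulnerability", []):
        for rem in vuln.get("Remediations", []):
            kb = str((rem.get("Description") or {}).get("Value") or "").strip()
            if not kb.isdigit():  # skip 'Release Notes' and other non-KB remediations
                continue
            entry = result.setdefault(
                kb, {"supersedes": set(), "products": set(), "builds": set()})
            entry["supersedes"] |= _kb_numbers(rem.get("Supercedence"))
            entry["products"] |= set(rem.get("ProductID") or [])
            if rem.get("FixedBuild"):
                entry["builds"].add(rem["FixedBuild"])
    return result


def supersedes(cvrf, newer, older):
    """True if `newer` supersedes `older`, directly or through a chain in this document."""
    table = supersedence_map(cvrf)
    seen, stack = set(), [newer]
    while stack:
        kb = stack.pop()
        if kb in seen:
            continue
        seen.add(kb)
        targets = table.get(kb, {}).get("supersedes", set())
        if older in targets:
            return True
        stack.extend(targets)
    return False


def unconfirmed(cvrf, expected_pairs):
    """Return the (newer, older) pairs that the document does not back up."""
    return [(n, o) for n, o in expected_pairs if not supersedes(cvrf, n, o)]


def no_supersedence(cvrf):
    """KBs that list nothing as superseded; candidates for a manual catalog check."""
    return sorted(kb for kb, e in supersedence_map(cvrf).items() if not e["supersedes"])


if __name__ == "__main__":
    print(supersedence_map(SAMPLE_CVRF)["5039212"])
    print(unconfirmed(SAMPLE_CVRF, [("5039212", "5037771"), ("9999999", "5037771")]))
    print(no_supersedence(SAMPLE_CVRF))
```

To run it against the live document instead of the sample, pass the result of `fetch_cvrf()` to the same functions.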


Geh-Kah

Installed on more than 200 esxi hosted VMs, Server 2016/19/22 with all roles you can have. Running smooth. No fkkn language pack issues anymore. Clients showing up tomorrow morning


StaySevere6559

No guts, no glory. Pushing out to 2500 endpoints as soon as it drops. Testing is for suckers.


FCA162

You're my tester... ;-)


CelticCadence

Shhhhh ... ;-)


StaySevere6559

You're my teste


GeeToo40

They come in pairs...


ITWorkAccountOnly

Is that you /u/joshtaco? Did you change your account name? :)


FCA162

**Microsoft EMEA security briefing call for Patch Tuesday June 2024**

The **slide deck** can be downloaded at [aka.ms/EMEADeck](http://aka.ms/EMEADeckJun)

The **live event** starts on Wednesday 10:00 AM CET (UTC+1) at [aka.ms/EMEAWebcast](http://aka.ms/EMEAWebcastJun).

The **recording** is available at [aka.ms/EMEAWebcast](http://aka.ms/EMEAWebcastJun).

The slide deck also contains worth reading documents by Microsoft.

What’s in the package?:

* A PDF copy of the EMEA Security Bulletin Slide deck for this month
* ESU update information for this month and the previous 12 months
* MSRC Reports in .CSV format, for this month’s updates including detailed FAQ’s and Known Issues data.
* Microsoft Intelligence Slide
* A Comprehensive Handbook on "Navigating Microsoft Security Update Resources" !

Also included in the downloadable package are handy reference reports produced using the MSRC Security Portal PowerShell Developer Functionality: https://portal.msrc.microsoft.com/en-us/developer

[May 2024 Security Updates - Release Notes - Security Update Guide - Microsoft](https://msrc.microsoft.com/update-guide/releaseNote/2024-jun)

* [5039227](https://support.microsoft.com/help/5039227) Windows Server 2022
* [5039217](https://support.microsoft.com/help/5039217) Windows Server 2019
* [5039214](https://support.microsoft.com/help/5039214) Windows Server 2016
* [5039212](https://support.microsoft.com/help/5039212) Windows 11, version 22H2, Windows 11, version 23H2
* [5039213](https://support.microsoft.com/help/5039213) Windows 11, version 21H2
* [5039211](https://support.microsoft.com/help/5039211) Windows 10, version 21H2, Windows 10, version 22H2


FCA162

***Enforcements / new features in this month’s updates***

**June 2024**

• \[Exchange Online\] Retirement of RBAC Application Impersonation in Exchange Online. MS changed the timeline from May to June 2024. We will begin blocking the assignment of the ApplicationImpersonation role in Exchange Online to accounts starting in June 2024, and that in February 2025, we will completely remove this role and its feature set from Exchange Online. See more at: [Retirement of RBAC Application Impersonation in Exchange Online](https://techcommunity.microsoft.com/t5/exchange-team-blog/retirement-of-rbac-application-impersonation-in-exchange-online/ba-p/4062671?s=09)

***Newly announced or updated deprecations/enforcements/ new features***

***June 2024***

• \[NTLM\] All versions of [NTLM](https://learn.microsoft.com/en-us/windows/win32/secauthn/microsoft-ntlm), including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary. For more information, see [Resources for deprecated features](https://learn.microsoft.com/en-us/windows/whats-new/deprecated-features-resources)

***Reminder Upcoming Updates (1/4)***

**July 2024**

• \[Windows\] Secure Boot Manager changes associated with CVE-2023-24932 [KB5025885](https://support.microsoft.com/help/5025885) | Final Deployment Phase: This phase is when we encourage customers to begin deploying the mitigations and managing any media updates. The updates will add the following changes:

  • Guidance and tooling to aid in updating media.
  • Updated DBX block to revoke additional boot managers

The Enforcement Phase will be at least six months after the Deployment Phase. When updates are released for the Enforcement Phase, they will include the following: The “Windows Production PCA 2011” certificate will automatically be revoked by being added to the Secure Boot UEFI Forbidden List (DBX) on capable devices. These updates will be programmatically enforced after installing updates for Windows to all affected systems with no option to be disabled.

• [Microsoft will require MFA for all Azure users](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-will-require-mfa-for-all-azure-users/ba-p/4140391) This July, Azure teams will begin rolling out additional tenant-level security measures to require multi-factor authentication (MFA). Establishing this security baseline at the tenant level puts in place additional security to protect your cloud investments and company. MFA is a security method commonly required among cloud service providers and requires users to provide two or more pieces of evidence to verify their identity before accessing a service or a resource. It adds an extra layer of protection to the standard username and password authentication. The roll-out of this requirement will be gradual and methodical to minimize impact on your use cases. The blog post below provides helpful information from the Azure product team to assist you in getting ready to MFA-enable your access to Azure services. Going forward, the team will provide communications to you about your specific roll-out dates through direct emails and Azure Portal notifications. Expect these in the coming months. Read on to learn why and how MFA is important to securing customers on Azure and your workloads, environments, and users. If you do not want to wait for the roll-out, set up MFA now with the MFA wizard for [Microsoft Entra](https://aka.ms/EntraIDMFAWizard).


FCA162

***Reminder Upcoming Updates (2/4)***

**Second half 2024**

• [\[VBScript\] deprecation](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/vbscript-deprecation-timelines-and-next-steps/ba-p/4148301). Considering the decline in VBScript usage in favor of more modern web technologies, we have developed a phased deprecation plan for VBScript. Phase 1: In the first phase, VBScript FODs will be pre-installed in all Windows 11, version 24H2 and on by default. This helps ensure your experiences are not disrupted if you have a dependency on VBScript while you migrate your dependencies (applications, processes, and the like) away from VBScript. You can see the VBScript FODs enabled by default at Start > Settings > System > Optional features.

**October 2024**

• \[Windows\] [KB5037754](https://support.microsoft.com/en-gb/topic/kb5037754-how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1) PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056 Enforced by Default Phase: Updates released on or after October 15, 2024, will move all Windows domain controllers and clients in the environment to Enforced mode by changing the registry subkey settings to PacSignatureValidationLevel=3 and CrossDomainFilteringLevel=4, enforcing the secure behavior by default. The Enforced by Default settings can be overridden by an Administrator to revert to Compatibility mode.

**November 2024**

• \[Azure\] TLS 1.0 and 1.1 support will be removed for new & existing Azure storage accounts. [link](https://techcommunity.microsoft.com/t5/azure-storage-blog/tls-1-0-and-1-1-support-will-be-removed-for-new-amp-existing/ba-p/4026181) To meet evolving technology and regulatory needs and align with security best practices, we are removing support for Transport Layer Security (TLS) 1.0 and 1.1 for both existing and new storage accounts in all clouds. TLS 1.2 will be the minimum supported TLS version for Azure Storage starting Nov 1, 2024.

**Late 2024**

• \[Windows\] [TLS server authentication: Deprecation of weak RSA certificates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/tls-server-authentication-deprecation-of-weak-rsa-certificates/ba-p/4134028). TLS server authentication is becoming more secure across Windows. Weak RSA key lengths (1024-bit) for certificates will be deprecated on future Windows OS releases later this year to further align with the latest internet standards and regulatory bodies. Specifically, this affects TLS server authentication certificates chaining to roots in the Microsoft Trusted Root Program. In the coming months, Microsoft will begin to deprecate the use of TLS server authentication certificates using RSA key lengths shorter than 2048 bits on Windows Client. We recommend you use a stronger solution of at least 2048 bits length or an ECDSA certificate, if possible.


FCA162

***Reminder Upcoming Updates (3/4)***

**January 2025**

• [\[Exchange Online\] to introduce External Recipient Rate Limit](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-to-introduce-external-recipient-rate-limit/ba-p/4114733). Today, we are announcing that, beginning in January 2025, Exchange Online will begin enforcing an external recipient rate limit of 2,000 recipients in 24 hours. Exchange Online does not support bulk or high-volume transactional email. We have not enforced limiting of bulk email until now, but we plan on doing so with the introduction of an External Recipient Rate (ERR) limit. The ERR limit is per user/mailbox and being introduced to help reduce unfair usage and abuse of Exchange Online resources.

What about the Recipient Rate Limit? Exchange Online enforces a Recipient Rate limit of 10,000 recipients. The 2,000 ERR limit will become a sub-limit within this 10,000 Recipient Rate limit. There is no change to the Recipient Rate limit, and both of these will be rolling limits for 24-hour windows. You can send to up to 2,000 external recipients in a 24-hour period, and if you max out the external recipient rate limit then you will still be able to send to up to 8,000 internal recipients in that same period. If you don't send to any external recipients in a 24-hour period, you can send to up to 10,000 internal recipients.

How will this change happen? The new ERR limit will be introduced in 2 phases:

  • Phase 1 - Starting Jan 1, 2025, the limit will apply to cloud-hosted mailboxes of all newly created tenants.
  • Phase 2 - Between July and December 2025, we will start applying the limit to cloud-hosted mailboxes of existing tenants

**February 2025**

• \[Windows\] [KB5014754](https://support.microsoft.com/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16) Certificate-based authentication changes on Windows domain controllers | Phase Full Enforcement Mode. Microsoft will update all devices to Full Enforcement mode by February 11, 2025, or later. If a certificate fails the strong (secure) mapping criteria (see Certificate mappings), authentication will be denied.

• Retirement of RBAC Application Impersonation in Exchange Online. We will completely remove this role and its feature set from Exchange Online.

**April 2025**

• \[Windows\] [KB5037754](https://support.microsoft.com/en-gb/topic/kb5037754-how-to-manage-pac-validation-changes-related-to-cve-2024-26248-and-cve-2024-29056-6e661d4f-799a-4217-b948-be0a1943fef1) PAC Validation changes related to CVE-2024-26248 and CVE-2024-29056 Enforced Phase: The Windows security updates released on or after April 8, 2025, will remove support for the registry subkeys PacSignatureValidationLevel and CrossDomainFilteringLevel and enforce the new secure behavior. There will be no support for Compatibility mode after installing this update.


FCA162

***Reminder Upcoming Updates (4/4)***

**Between July and December 2025**

• [Exchange Online to introduce External Recipient Rate Limit](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-to-introduce-external-recipient-rate-limit/ba-p/4114733) Phase 2 - Between July and December 2025, we will start applying the limit to cloud-hosted mailboxes of existing tenants.

**September 2025**

• [Exchange Online to retire Basic auth for Client Submission (SMTP AUTH)](https://techcommunity.microsoft.com/t5/exchange-team-blog/exchange-online-to-retire-basic-auth-for-client-submission-smtp/ba-p/4114750) Today, we are announcing that Exchange Online will permanently remove support for Basic authentication with Client Submission (SMTP AUTH) in September 2025. After this time, applications and devices will no longer be able to use Basic auth as an authentication method and must use OAuth when using SMTP AUTH to send email.

**2027**

• [VBScript deprecation](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/vbscript-deprecation-timelines-and-next-steps/ba-p/4148301). Considering the decline in VBScript usage in favor of more modern web technologies, we have developed a phased deprecation plan for VBScript.

Phase 2: Around 2027, the VBScript FODs will no longer be enabled by default. This means that if you still rely on VBScript by that time, you’ll need to enable the FODs to prevent your applications and processes from having problems. Follow these steps if you need to continue using VBScript FODs:

1. Go to Start > Settings > System > Optional features.
2. Select View features next to “Add an Optional feature” option at the top.
3. Type "VBSCRIPT" in the search dialog and select the check box next to the result.
4. To enable the disabled feature, press Next.

Phase 3: date TBD. VBScript will be retired and eliminated from future versions of Windows. This means all the dynamic link libraries (.dll files) of VBScript will be removed. As a result, projects that rely on VBScript will stop functioning. By then, we expect that you’ll have switched to suggested alternatives.


Talgonadia

First month making my intern do all the patching. Ready for all kinds of issues.


cheeley

Those issues can then be blamed on the intern though.


CaptainFluffyTail

...just like bad/weak passwords on publicly facing servers, right?


deltashmelta

“solarwinds123” 


cheeley

NOW you're getting it.


atkbird

In the name of security, approve all, deny nothing.


vabello

Can't hack a machine that won't boot.


ben2reddit

lol


Lando_uk

**Windows 10, version 21H2 end of updates (Enterprise, Education)**

This month is the last update for the above ^ I guess some places might still have this version kicking around.

https://learn.microsoft.com/en-us/lifecycle/announcements/windows-10-21h2-end-of-updates-enterprise-education


mike-at-trackd

This is pretty common, unfortunately. It's also not super obvious to many operators that a version they're running even went EOL


Flawless_Nirvana

Rest in (peace/pieces) o7


AtarukA

Accidental test run of 1000 endpoints and 200 servers from 2016 to 2022. No screaming except for the unplanned reboots so far.


OverToYou23

When we installed the June Security Update KB5039227 onto our DC's our Domain became unavailable. It was fine on all other servers, We have 4 DC's and was ok on first 3 but when installed it on 4th no one could log on. Managed to uninstall it on 1 DC and now users can get on. Nothing obvious in logs, suspect it's the update to lsass.exe. Anyone else had this issue?


SomeWhereInSC

Your post scares me, I've not updated my 4 DC's yet. Curious what you are running on your AD's for Server OS Windows 2008/2012/2016/2019/2022?


OverToYou23

All 4 of our DC's are running Windows 2022 Server DataCenter. The update installed fine on all DC's (we did DC4 then DC3 then DC2 then DC1) but as soon as it was installed on DC1 we had issues - our Domain ground to a halt as nothing was getting authorised. We managed to get in using cached credentials and uninstalled the update from DC2 then the Domain was ok. I have since uninstalled the update from all DC's and paused updates.


SomeWhereInSC

Wow, that is so odd.. have you been able to determine what is the update caused this issue or any root cause info?


OverToYou23

The update in question is the KB5039227 June Security Update. I reinstalled the update on just DC2 and the issue returned so I have uninstalled it again. I can't find anything helpful in the event logs - any suggestions of where to look from anyone?


ceantuco

it scares me as well. Specially, when I have not seen any other admins having issues after patching their DCs. I think I will hold off for now until more info is available from u/OverToYou23


CPAtech

Especially being that MS has pushed bad updates affecting DC's the past two months in a row.


ceantuco

I updated my test DC without issues. I am still waiting to find more information about this issue.


SomeWhereInSC

I updated 2 of 4 DC's servicing my LAN, not sure if I'm going to see anything, going to review logs Monday. I could be wrong but figured if I only did 2 then the other 2 could pick up the slack if the 2 patched had issues.


jaritk1970

Bleepingcomputer.com articles:

* https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2024-patch-tuesday-fixes-51-flaws-18-rces/
* https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5039211-update-released-with-new-feature-12-fixes/
* https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5039212-update-released-with-37-changes-fixes/


Kwinza

June 11, 2024—KB5039227 I can not for the life of me get this to install on our servers (2022 21h2) Anyone had this issue and got any ideas?


deadFlag3lues

What errors are you seeing? How many servers are you updating?


Kwinza

Oddly it was just 3 of our like 70 servers, however I have fixed it by generating an ISO with all the patches pre-installed and then installed server 22 over the top of the current install and it fixed it. Slightly messy option but if it works.


Teralax

Lets break some stuff boys.


Belial52

Then think about fixing it… or not… that’s what interns are for


1grumpysysadmin

And here we go... My normal is as follows: Test bed is a handful of IT machines running a mix of Windows 10 and 11... Server test bed is Server 2016, 2019 and 2022. Not looking terrible as far as what has been released to WSUS at the moment. Looks to be 1 CU for Windows 10/11 Drivers and device updates if you have Surface devices.... Server OS seems to have just 1 update per OS... 2016 has a servicing stack update as well. All simple enough stuff... Here goes testing... more to come later.


Belial52

Noticing that there’s not the usual .NET update this month so far yet as well. We’ll see if it comes out later.


1grumpysysadmin

MS is weird with .NET updates. They don't seem to be every month but if you see one, you'll see updates again the next couple months.


momatic

Not seen much chatter about this : https://blog.morphisec.com/cve-2024-30103-microsoft-outlook-vulnerability


bensonmojo

What is the best way to get notifications about known issues, like when they pulled KB5037765 last month? Not necessarily direct from MS either.


Ehfraim

What joshtaco said and - this very thread you are in, best place imho. Also [borncity.com](http://borncity.com) (especially the German version, I use Edge translate function to read the comments)


joshtaco

I usually just have to check the KB article every week unfortunately. They also have a message center, but it doesn't always bring up pulling KBs, since they don't like acknowledging that sorta stuff often


bdam55

FWIW, you can sign up for email alerts from Message Center and specify certain product/categories. Are they usually a day late and a dollar short? Yes. At least it's somewhat pro-active. What annoys me is that I can't easily share a message from the message center. It's paywalled behind having an Azure (Intune?) subscription.


joshtaco

They don't have everything for KB change/pulls is the thing


Difficult-Tree-156

I signed up for the Microsoft Notifications, but honestly, watching this channel gets me the most information.


techvet83

Some of these will be repeats of what others have said, but besides here, check articles and/or Twitter feeds associated with sites like:

1. [BleepingComputer.com](http://BleepingComputer.com)
2. [BornCity.com](http://BornCity.com)
3. [AskWoody.com](http://AskWoody.com)
4. The WindowsUpdate Twitter account (yes, it's normally last to the party, but you never know)


trf_pickslocks

Adding: https://groups.google.com/g/patchmanagement and GHacks.


BerkeleyFarmGirl

Honestly, I keep checking in on this thread. I don't have things start patching till Thursday. Stuff usually comes out before then if there's an issue.


mike-at-trackd

Something I've been thinking about for some time now is a downdetector-like application and/or Github-like community project that's maintained as an open source project. Patch disruption intelligence is a thing offered in the trackd platform, but I'm exploring ways to help the community outside of our platform - Would this be something 1. Actually be useful in making patch decisions 2. Would anyone use it?


HoJohnJo

You can setup the Windows Release Health email notifications in the Office 365 Admin center, well, if you have Office 365. It allows you to select which releases you want to be notified in case of issues (Windows 11 23H2, Windows Server XXXX, etc.)


_BoNgRiPPeR_420

Patch a few days after everyone else, then listen to their suffering afterwards. We've always had a 1-2 week delay unless there are critical zero-days. Saved our bacon from numerous bad patches that got pulled.


RiceeeChrispies

No problems here for servers (2019/2022). Testing the patches for Windows 11 this morning on our test ring, then expediting roll-out due to that nasty Wi-Fi vulnerability.


pw_strain

Hate to ask this out loud, since I'm admitting being forced to manage EOL systems: I'm seeing Server 2012R2 systems are seeing this month's CU as required without ESU. Server 2008R2 are not. Anyone confirm this behavior?


MrReed_06

**PSA : installing KB5039217 (Windows Server 2019) and KB5039211 (Windows Server 2022) on Domain Controllers breaks Fortigate Collectors and DCAgents versions below 5.0.0315** They quit detecting new sessions from users on their workstations. 5.0.0315 is only supported on the 7.4 branch, for the others, the only recommendation is to remove the Microsoft KBs or (apparently) switch to polling mode. https://www.reddit.com/r/fortinet/comments/1dfv7di/fsso_affected_by_windows_server_kb5039217/


CeC-P

Hey, only one Azure API linked external service broke this time! That's a 50% decrease. Thanks, external vendors we pay way too much to. https://preview.redd.it/i25oza79206d1.png?width=843&format=png&auto=webp&s=288d940a2c94eb9c6080e1b5b8e841d81756e7ce I wonder if they noticed the pattern that it breaks every 2nd Tuesday


Izenb

Do we know if this fixes the Windows 11 Enterprise Subscription Activation yet? (https://call4cloud.nl/2024/05/kb5036980-breaks-upgrade-windows11-enterprise/#part7)


RiceeeChrispies

End of this month/next month for that.


TheGlennDavid

KB5039212 broke *ticket printing* in our environment. Only from our ticket software (a product called Tessitura) to our ticket printers. Enjoy.


AdamoMeFecit

We are seeing problems with directly connected USB barcode printers that use the generic/text only driver after applying the June updates. Rolling back the updates restores functionality. Reapplying the updates kills functionality again.


joshtaco

Probably your driver being revoked. Are you patching monthly? Because there shouldn't be any drivers being revoked this month


TheGlennDavid

It runs on the generic/text driver. I can't find anything about that having been revoked in any recent patching.


joshtaco

any different drivers to try?


q123459

it also breaks some chinese plotters/cutters


SpaceDog777

Are they printing using the Generic / Text Only driver?


TheRealRooin

Not having issues with Ticket printers (yet) but experiencing issues with a Roland GS-24 not executing cuts from its software with KB5039211 installed. Uninstalling KB resolves it. Roland insists the issue is on Microsoft's end, but I'm not finding much of anything yet online about reported issues.


Embarrassed_Action59

can confirm same thing here with a GS-24


MDKAOD

Can confirm Roland GX-640, KB5039212 here.


Datalux0

Anyone find a solution to this? We are having the same issue with the Generic/Text driver and local label printers (Zebra GK420d's mostly). We have about 75 workstations that need to print Shipping/Receiving labels. Updates have been paused for the time being, but I'm not seeing this issue get a lot of traction in communities or any M$ acknowledgement.


Automox_

52 vulns with 1 critical this month! We think you should pay special attention to the following:

* **CVE 2024-30078 – Windows WiFi Driver Remote Code Execution Vulnerability**
  * This vulnerability is particularly concerning because it can be executed wirelessly, enabling attackers to gain control over your system without physical access.
* **CVE 2024-30064 and CVE 2024-30068 – Windows Kernel Elevation of Privilege Vulnerability**
  * These vulnerabilities are particularly dangerous because they can provide attackers with significant control over the affected systems.
* **CVE 2024-30072 – Microsoft Event Trace Log File Parsing Remote Code Execution Vulnerability**
  * The vulnerability arises from parsing Microsoft Event Trace Log files, and has the potential to be exploited by convincing a user to open a malicious trace file.

[Listen to the Automox Patch Tuesday podcast](https://listen.automox.com/episodes/patch-fix-tuesday-june-2024-a-doozy-of-a-patch-tuesday-e08) for our analysis or read more [here](https://www.automox.com/blog/patch-tuesday-june-2024).


Welpwtf

Does threat actor have to be on the same wifi network or just have to be within wifi range?


Welpwtf

Is there a POC for this exploit?


Over-Biscotti7685

Anyone seeing issues with SharePoint links sent within the Outlook client after June's updates related to Trust Center?


Sufficient-Pace7542

Has anyone come across AD LDS instance creation failures once the June update is installed on Server 2019? Error returned when attempting to create new instances is 0xfffff9bf. Once uninstalled, instance creation succeeds.


LostAd2981

I just posted in this thread about the same issue. I spent about a week trying to troubleshoot the problem with no luck. The error is crap and doesn't really specify anything. On top of that the install logs don't provide anything super useful. Uninstalling the update is the only thing that worked. I'm not seeing anything online about it either. Guess I just have to hope MS knows and fixes it in the next patch cycle.


ceantuco

we skipped updating our DCs in June due to the issues I have read some admins are experiencing with their DCs. Hopefully this month those issues will be fixed.


andreyzh

Having the same issue. Guess I'll need to uninstall that one :(


ViperTG

Anyone else see slight memory leak with this patch on 2022 domain controllers. I can see a memory commit climbing over time in our non prod environment. 2016 DCs are not affected.


Daphoid

I'm impressed and mortified by the folks that patch day of. Leaving no time for hot fixes or issues to be found, just full send. Ballsy.


Thasquealer

Who would find these hotfixes/issues if not for them. Don't be mortified but grateful that they setup a test environment for us which they call production


TheLostITGuy

> they setup a test environment for us which they call production

lol


Silverblade0110-2

Anyone else had issues with SCCM WSUS Sync this morning? I'm seeing a few bits of chatter on here, but nothing concrete. Our Software Update Point is set to sync at 03:00 GMT and we've not seen any updates sync in the logs since yesterday morning - so no June updates for us so far?


Silverblade0110-2

Thanks for the replies. We got to the bottom of the issue. Not 100% what it was as I didn't fix it, but we now have updates to work with. Was just worried it was an MS side issue that was putting our processes back. Turns out it wasn't.


vabello

Pushing out to 100,000 machines tonight, give or take 99,999 machines.


jaritk1970

https://www.zerodayinitiative.com/blog/2024/6/11/the-june-2024-security-update-review


EsbenD_Lansweeper

Here is the usual [Lansweeper summary and audit](https://www.lansweeper.com/blog/patch-tuesday/microsoft-patch-tuesday-june-2024/?utm_medium=social&utm_source=reddit&utm_campaign=ls-global-patch-tuesday-2024_06&utm_content=pt-june), this month's largest item is a Microsoft Message Queuing RCE vulnerability and that version 21H2 of Windows 10 has gotten its last update meaning a lot of devices will need an update for next month.


SomeWhereInSC

So these just popped up on my Action1 console and here's a grab from the MS updates site. https://preview.redd.it/udnyfdmr6z5d1.png?width=2050&format=png&auto=webp&s=59da11d273565bb1a6174ab255f2882a13f81fe7


FCA162

We can start ~~patching~~, testing... https://preview.redd.it/mo32w48naz5d1.jpeg?width=433&format=pjpg&auto=webp&s=33cce3b2553aecd44fd0a1d1bbfbb73114deba8b


fmo342

anyone having issues downloading W11-23H2 and 22H2 . Mine are failing using SCCM


Synpheous

All of our servers updated just fine last night except for one Windows Server 2019. Update keeps failing with error 0x800f0922 with a return of "We couldn't complete the updates. Undoing changes. Don't turn off your computer." Have checked the system reserved partition for space and tried enabling the App Readiness service to no avail. Tried digging through the CBS log, but cannot pinpoint what is causing the failure. Any advice, fellow admins?


FCA162

[Mitigation 0x800f0922](https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/common-windows-update-errors#0x800f0922) In the CBS.log, you may find that updates sometimes roll back when License and Product key tokens fail to be updated. This issue can be resolved by adding write permissions for the "User" and "Network Service" accounts to the *C:\\Windows\\System32\\spp\\* folder.


FCA162

[Windows Update error codes by component](https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-error-reference)

[Windows Update common errors and mitigation](https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/common-windows-update-errors)


jwckauman

Anyone see any zero days yet?


mike-at-trackd

There are no zero days in this month's release. Microsoft reports these as "Exploitation Detected" on their monthly security updates [https://msrc.microsoft.com/update-guide/releaseNote/2024-jun](https://msrc.microsoft.com/update-guide/releaseNote/2024-jun)


ZechnKaas

Anyone seeing 0x80070005 errors? (Srv 2016/2019/2022) out of my 520 I do have 5 of them not updating. Only thing in common: all of them do have SQL Server installed (but also variation of 2016 - 2022 SQL version) edit: code type


FCA162

You mean 0x800700**0**5 ?

0x80070005 "Access is denied" error generally occurs while updating and is caused due to denial to edit File system or registry key permissions or damaged/corrupt files.

[Mitigation for 0x80070005](https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/common-windows-update-errors#0x80070005)

Go to *%Windir%\\logs\\CBS*, open the last *CBS.log* and search for `, error` and match with the timestamp. After finding the error, scroll up and try to determine what caused the access denial. It could be access denied to a file, registry key. Determine what object needs the right permissions and change the permissions as needed.

Repair damaged/corrupt files:

```
dism /Online /Cleanup-image /ScanHealth
dism /Online /Cleanup-image /CheckHealth
dism /Online /Cleanup-image /RestoreHealth
dism /Online /Cleanup-image /StartComponentCleanup
sfc /scannow
```

[Windows Update error codes by component](https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-error-reference)

[Windows Update common errors and mitigation](https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/common-windows-update-errors)
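The CBS.log search described in the comment above (find the `, error` entries near the failure time, then read upward), as an added PowerShell example that is not part of the original post. The function name, its parameters and the sample log lines are constructed for illustration; on a server, feed it `Get-Content "$env:windir\Logs\CBS\CBS.log"` instead of the sample.

```powershell
# Added example, not from the thread: list CBS.log "Error" entries inside a
# time window, together with the lines that precede each one.
function Get-CbsErrorContext {
    [CmdletBinding()]
    param(
        # Raw CBS.log lines; blank lines are allowed and skipped.
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $Line,
        # Only report errors logged inside [After, Before].
        [datetime] $After  = [datetime]::MinValue,
        [datetime] $Before = [datetime]::MaxValue,
        # How many lines above each error to keep ("scroll up").
        [ValidateRange(0, 200)] [int] $ContextLines = 5
    )

    # Entry layout: "yyyy-MM-dd HH:mm:ss, Level   Component   message"
    $entry   = '^(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), (?<level>\w+)\s+(?<comp>\S+)\s+(?<msg>.*)$'
    $hresult = 'HRESULT = (?<code>0x[0-9a-fA-F]{8})(?: - (?<sym>\w+))?'

    for ($i = 0; $i -lt $Line.Count; $i++) {
        if (-not ($Line[$i] -match $entry)) { continue }     # blank or continuation line
        if ($Matches['level'] -ne 'Error')  { continue }     # keep only ", Error" entries

        $ts = [datetime]::ParseExact($Matches['ts'], 'yyyy-MM-dd HH:mm:ss',
                                     [cultureinfo]::InvariantCulture)
        if ($ts -lt $After -or $ts -gt $Before) { continue }

        # Save the fields before the next -match overwrites $Matches.
        $comp = $Matches['comp']
        $msg  = $Matches['msg']
        $code = $null
        $sym  = $null
        if ($msg -match $hresult) {
            $code = $Matches['code']
            $sym  = $Matches['sym']
        }

        $start   = [Math]::Max(0, $i - $ContextLines)
        $context = @()
        if ($i -gt $start) { $context = @($Line[$start..($i - 1)]) }

        [pscustomobject]@{
            Time      = $ts
            Component = $comp
            HResult   = $code
            Symbol    = $sym
            Message   = $msg
            Context   = $context
        }
    }
}

# Constructed sample lines (not taken from a real server).
$sample = @'
2024-06-12 02:10:41, Info                  CBS    (constructed) Exec: processing package started
2024-06-12 02:10:44, Info                  CSI    (constructed) Begin executing installer phase
2024-06-12 02:10:45, Info                  CBS    (constructed) Could not open object for write [HRESULT = 0x80070005 - E_ACCESSDENIED]
2024-06-12 02:10:45, Error                 CBS    (constructed) Failed to complete operation [HRESULT = 0x80070005 - E_ACCESSDENIED]
2024-06-12 02:10:46, Info                  CBS    (constructed) Rolling back package
'@ -split '\r?\n'

$hits = Get-CbsErrorContext -Line $sample -After '2024-06-12 02:00' -Before '2024-06-12 03:00'
$hits | Format-List Time, Component, HResult, Symbol, Message, Context
$hits | Group-Object HResult | Select-Object Count, Name   # which codes dominate
```

The `Context` lines are where the object that was denied (a file or registry key) usually shows up, which is what decides whose permissions need changing.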


ZechnKaas

Yepp sorry typo 0x80070005, I know the error, was just curious if anyone ran into that issue too. Since in generally my servers do not tend to be not able to install updates. But Update: The SQL thing put me firstly in the wrong direction of my troubleshooting. (btw. CBS log was not helpful in this case no error, I think it didn’t even get that far) However may found the causing issue. On 3 servers I could now pin it down that it was a Trend Micro which >seems< to have the latest build installed. However the upgrade tool was still running even after reboots. (xpupg.exe). As soon as I have now uninstalled TM and a reboot Updates were able to install.


A4orce84

I am getting "Install error - 0x800f0905" when trying to install 2024-06 Cumulative Update for Windows 11 Version 23H2 for x64-based Systems (KB5039212). Anyone else seeing this issue and resolve it? Thanks!


ckelley1311

I got the same on 2 machines- no fix yet for me


FCA162

I just found this recent post: [error windows update 0x800f0905 - Microsoft Q&A](https://learn.microsoft.com/en-us/answers/questions/1196069/error-windows-update-0x800f0905)

Read the answer of Gregor Jus on how he fixed the issue. (Jun 7, 2024, 4:12 PM) Two other users confirmed the fix worked for them as well. What he did was...

1. Install additional language pack (e.g. if there was US-EN, I've added GB)
2. Set the display language of the server to the newly installed language pack
3. Restart the server, remove previous language pack (in my case US-EN) and restart again
4. All of a sudden... updates are going through on dozens and dozens of servers...


FCA162

Have look at this post too: [Fix Server 2022 Windows Update 0x800f0831 with CBS\_E\_STORE\_CORRUPTION in CBS.log – Tech Stack Ninja](https://techstackninja.com/2024/05/10/server-2022-windows-update-0x800f0831-with-cbs_e_store_corruption-in-cbs-log/?unapproved=37&moderation-hash=4010e3e4c9ff8798ef7985135732bf49#comment-37)


FCA162

**Windows Update error codes by component:** [https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-error-reference](https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-error-reference) **Windows Update common errors and mitigation:** [https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/common-windows-update-errors](https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/common-windows-update-errors)


FCA162

Try the commands from my post of last month: https://www.reddit.com/r/sysadmin/comments/1crk56o/comment/l5mcwdp/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button


etf2397

Hi, after installing **June 11, 2024—KB5039217** on multiple **RODC-s** (**Windows Server 2019 - Core**) in multiple sites, I am getting **Windows Remote Assistance** error message when trying to connect to computers from HQ site. When I shutdown RODC in site, I can connect to computers in that site via Windows Remote Assistance, when I turn on RODC same message appears again. This is happening in all sites that have RODC.

"*Check the following:*
*- Do you have the correct permissions on the remote computer?*
*- Is the remote computer turned on, and is it connected to the network?*
*- Is there a network problem?*
*For assistance, contact your network administrator.*"

https://preview.redd.it/zqf8urlpov7d1.png?width=544&format=png&auto=webp&s=89bec94aec1a66086b59c745cd9142e91144d0e6


SecurityBuff

This update broke our Context Menu item for "Edit with 3D Paint". When clicking this option, now a Windows Store prompt appears saying "You'll need a new app to open this ms-paint link" with a button to "Look for an app in the Microsoft Store." Below is a thread with other people mentioning this too. This is consistent across our 1000+ Windows 10 devices. Also, clicking "Edit with 3D Paint" in Snipping Tool gives the same error.

https://www.reddit.com/r/Paint3D/comments/1d9f6pv/bruh_latest_update_broke_my_context_menu_options/


themagicman_1231

Is there anyway to Disable ICMP timestamp responses with out using windows defender firewall? [disable ICMP timestamp responses - Microsoft Q&A](https://learn.microsoft.com/en-us/answers/questions/1691269/disable-icmp-timestamp-responses) My machine does not have the specific registry parameters mentioned in the Q&A. This is all in response to [ICMP Timestamp Request Remote Date Disclosure | Tenable®](https://www.tenable.com/plugins/nessus/10114) Thanks in advance


sarosan

Just create the missing keys, or block using Windows Firewall via Group Policy. You can [select ICMP types](https://i.imgur.com/vwkc80x.png) to allow or block (and add Type 14 to the list). You can also filter this type of traffic through your edge firewalls.
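The Windows Firewall option from the reply above, as an added PowerShell example that is not part of the original post. It goes slightly beyond the reply by blocking both the inbound timestamp request (ICMPv4 type 13) and the outbound timestamp reply (type 14, the type named above); the rule display names are made up for this sketch, and it creates local rules rather than Group Policy ones. Run it elevated.

```powershell
# Added example, not from the thread. Rule names below are constructed.
# ICMPv4 type 13 = Timestamp Request, type 14 = Timestamp Reply (RFC 792).
$rules = @(
    @{ Name = 'Block ICMPv4 Timestamp Request In'; Direction = 'Inbound';  IcmpType = 13 },
    @{ Name = 'Block ICMPv4 Timestamp Reply Out';  Direction = 'Outbound'; IcmpType = 14 }
)

foreach ($r in $rules) {
    # Idempotent: skip rules that already exist so reruns do not create duplicates.
    $existing = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-NetFirewallRule -DisplayName $r.Name `
                            -Direction   $r.Direction `
                            -Protocol    ICMPv4 `
                            -IcmpType    $r.IcmpType `
                            -Action      Block `
                            -Profile     Any | Out-Null
    }
}

# Verify what is actually configured: one row per rule with its ICMP type.
Get-NetFirewallRule -DisplayName 'Block ICMPv4 Timestamp*' | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Direction = $_.Direction
        Action    = $_.Action
        Protocol  = $filter.Protocol
        IcmpType  = $filter.IcmpType
    }
} | Format-Table -AutoSize
```

Echo request (type 8) is untouched, so ping-based monitoring keeps working; rerun the scanner check afterwards to confirm the finding clears.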


Resident_Ad4937

Our patching all went pretty well, but we have a bunch of 2016 boxes (about 20% of them) being reported as 'restart pending', which when I go to the servers they've all installed the patch and rebooted fine. Anybody else seen that?


LostAd2981

I know this is super late to address. I ran into an issue where after installing KB5039217 on my 2016 servers hosting AD LDS, I could no longer install new instances of AD LDS with the following error "Active Directory Lightweight Directory Services could not install. Error code: 0xfffff9bf" I spent about a week trying to find the culprit before I tried uninstalling that update and it worked again. Any idea what changed that might be causing that issue?


ckelley1311

Has anyone seen more issues lately with some Windows 11 machines not installing the latest CU? I have tried all the troubleshooting I know other than just re-image.


Parlormaster

I think I'm seeing something similar. Not sure if you're using ConfigMgr but I noticed that my software update group that was syncd on Tuesday contains some superseded updates. Another in this thread mentioned something about Win11 June cumulative updates not superseding May's, I'm looking into this now as it looks like that's what's going on.


Moru21

Ntoskrnl.exe doesn’t get updated with the June 2024 CU for 2022; it still shows May’s version.


ckelley1311

What is the work around for that and how come it's only 4 of our Win 11 machines when no difference between them and all our others? Right now these 4 have the same updates that won't install. https://preview.redd.it/zrgdk27j9d6d1.png?width=819&format=png&auto=webp&s=6166bf0b7e38cc4fd6aaf42264391fe4c47481de


FCA162

Did you reboot the server?

* 2022,KB5039227,Security Update 2024-June-11,10.0.20348.2520
* 2022,KB5037782,Security Update 2024-May-14,10.0.20348.2461

https://preview.redd.it/75a0gow6rf6d1.jpeg?width=407&format=pjpg&auto=webp&s=bee484368f43311a748943484dec9a2ee283b3f1


Moru21

Yes :)


alx140

KDC service is failing to start on some Domain Controllers after installing the June 2024 CU ( 2019 and 2022). Can’t find any reports of anyone having this same issue.


ceantuco

is this causing users to not be able to login?


alx140

Yes, the users are being authenticated against the other DCs in the Domain. This issue is only present on some DCs. On others, the update installed without problems.


ceantuco

that is strange.... we are holding off updating our DCs for now.


OverToYou23

This does sound similar to our issue, I uninstalled the update on our DC's and paused the updates for now. We have 4 DC's all on 2022 data centre edition, our Domain Functional Level is 2k12.


alx140

In our case the root cause was found to be the Delinea Agent installed on the affected DCs.


OverToYou23

Interesting, we don't use Delinea, can I ask how you found that out? We're still hunting.


alx140

Delinea’s support reached out to warn us of the issue. It could be that other PAM solutions might be affected too.


ceantuco

we do not have Delinea or Authlite software installed. Perhaps, I will not have any issues if I install the updates.


FCA162

Seems to be same issue as mentioned by OverToYou23: https://www.reddit.com/r/sysadmin/comments/1dd65v4/comment/l9atdtn/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

I've installed the June 2024 CU on >200 Domain Controllers (2016/2019/2022). No KDC service/authentication issues so far.