[German]Microsoft has adapted its Media Creation Tool to create installation images of Windows 10 with build 17134.112. In addition, Microsoft has removed the targeted for Windows 10 V1803 with the July 2018 patchday.

If you create a Windows 10 installation image with the Microsoft Media Creation Tool (MCT) for Windows 10 V1803 you received the Windows 10 April Update (V1803). This means, you have to install cumulative updates after a fresh installation.

MCT loads Windows 10 17134.112

The colleagues of German site deskmodder.de reports here that the Media Creation Tool now downloads and creates an installation image (ISO or USB stick) with build 17134.112. This is the version level for Windows 10 V1803 with the June 2018 patch level (see Patchday: Windows 10 updates June 12, 2018).

Windows 10 V1803 is Semi Annual Channel (SAC)

And another change is to be announced. Crysta T. Lacey (@PhantomofMobile) pointed out to me on Twitter that Windows 10 V1803 is now Semi Annual Channel (SAC).

IT IS SAC NOW, TARGETED HAS BEEN DROPPED. SHOULD SEE ISO’s NOW.

ICYMI: @SBSDiva @AdminKirsty @woodyleonhard @thurrott @maryjofoley @bdsams @mehedih_ @ruthm @MPECSInc @etguenni @SwiftOnSecurity @pcper @SGgrc @MalwareJake @GossiTheDog @ryanshrout @JobCackahttps://t.co/z8nXj4e8a7

— Crysta T. Lacey (@PhantomofMobile) 10. Juli 2018

This means, the restriction ‘Targeted’ within the life cycle model (see tabelle below) has been removed.

(Source: Microsoft; Click to zoom)

This means that Microsoft no longer limits the distribution of Windows 10 V1803 as a feature update to different targets. Windows 10 V1803 is in Semi Annual Channel (SAC).

Similar articles:
Microsoft: Windows 10 V1803 is business ready, install it …

[German]Microsoft is releasing cyclically Servicing Stack Updates (SSU) for Windows (Windows 7, Windows 8.1 and Windows 10). But what should you know about that SSUs and what’s behind them?

An example of such a servicing stack update is KB4132216 from May 2018, which is available for Windows 10 version 1607. Microsoft generally says, that SSUs should improve the stability of the (Windows 10) servicing stack. Depending on the update, further improveds are mentioned.

Servicing Stack Update (SSU) explained

Recently German blog reader Markus K. pointed out to me an article from Microsoft Japan about this subject. The Ask Core team (Microsoft Japan Windows Technology Support) has published an article About the service stack update program that improves the update installation process. Almost in parallel I also received a Twitter notification from @PhantomofMobile – thanks for that:

SERVICING STACK UPDATES(SSU) EXPLAINED from Japan(Translated)

ICYMI: @SBSDiva @AdminKirsty @woodyleonhard @thurrott @maryjofoley @bdsams @mehedih_ @ruthm @MPECSInc @etguenni @SwiftOnSecurity @pcper @SGgrc @MalwareJake @GossiTheDog @ryanshrout @JobCackahttps://t.co/DvPATMRAoN

— Crysta T. Lacey (@PhantomofMobile) 12. Juli 2018

This SSU program updates the service stack (servicing stack). This updates the component CBS (Component Based Servicing), which is responsible for the installation process of the operating system. The purpose of installing a service stack update (SSU) is to improve the installation process of the operating system, including the installation of the update program.

Cumulative updates require SSUs

Servicing stack updates (SSUs) must always be installed separately from the cumulative updates for Windows 10 (and prior to installation). I had pointed this out several times in various blog posts about Windows 10 updates. If this is ignored, installation errors may occur during cumulative updates.

SSUs can’t be uninstalled

Microsoft Japan writes in its blog that the scope of modifications to SSUs is limited – only the CBS components are updated. Servicing stack updates (SSU) cannot be uninstalled by default.

If there are issues with Windows after a Servicing Stack Update has been installed, you can restore an older system image backup or try System Restore (if active) to roll back the system.

I posted the article Uninstalling ‘uninstallable’ Windows Updates, that shows ways to uninstall such an ‘uninstallable’ package for test purposes. However, this is not a permanent solution, since the following cumulative updates can usually no longer be installed.

Microsoft Japan gives some more hints about these updates in the article. For example, to find out the last SSU, Microsoft recommends searching the support area using this URL. But maybe the information above will help you.

[German]Microsoft has released a number of new updates for Windows 10 on July 16, 2018. Here is an overview of this Windows 10 updates, that fixes a couple of known issues from older July 10, 2018 updates.

The updates are documented at this Microsoft web site dokumentiert.

Update KB4345421 for Windows 10 V1803

Update KB4345421 for Windows 10 V1803 changes OS build to 17134.167 and contains the following fixes:

• Addresses an issue that may cause some devices running network monitoring workloads to receive the 0xD1 Stop error because of a race condition after installing the July update.
• Addresses an issue with the DHCP Failover server that may cause enterprise clients to receive an invalid configuration when requesting a new IP address. This results in a loss of connectivity.
• Addresses an issue that may cause the restart of the SQL Server service to fail occasionally with the error, “Tcp port is already in use”.
• Addresses an issue that occurs when an administrator tries to stop the World Wide Web Publishing Service (W3SVC). The W3SVC remains in a “stopping” state, but cannot fully stop or it cannot be restarted.

This fixes the biggest bugs like BlueScreens or the DHCP IP address problem under this Windows 10 version. Microsoft is not aware of any other problems. The update is available via Windows Update or in the Microsoft Update Catalog.

Update KB4345420 for Windows 10 V1709

Update KB4345420 for Windows 10 V1709 changes OS build to 16299.550 and contains the following fixes:

• Addresses an issue that may cause some devices running network monitoring workloads to receive the 0xD1 Stop error because of a race condition after installing the July update.
• Addresses an issue with the DHCP Failover server that may cause enterprise clients to receive an invalid configuration when requesting a new IP address. This results in a loss of connectivity.
• Addresses an issue that may cause the restart of the SQL Server service to fail occasionally with the error, “Tcp port is already in use”.
• Addresses an issue that occurs when an administrator tries to stop the World Wide Web Publishing Service (W3SVC). The W3SVC remains in a “stopping” state, but cannot fully stop or it cannot be restarted.

The update is available via Windows Update or in the Microsoft Update Catalog . The known issues like the message “Reading scheduled jobs from file is not supported in this language mode” or the non-functioning operators like & etc. when Device Guard is active, see kb article).

Update KB4345419 for Windows 10 V1703

Update KB4345419 für Windows 10 V1703 changes OS build to 15063.1208 and contains the following fixes:

• Addresses an issue that may cause some devices running network monitoring workloads to receive the 0xD1 Stop error because of a race condition after installing the July update.
• Addresses an issue that may cause the restart of the SQL Server service to fail occasionally with the error, “Tcp port is already in use”.
• Addresses an issue that occurs when an administrator tries to stop the World Wide Web Publishing Service (W3SVC). The W3SVC remains in a “stopping” state, but cannot fully stop or it cannot be restarted.

No other issues are known. The update is available via Windows Update or in the Microsoft Update Catalog.

Update KB4345418 for Windows 10 V1607 (LTSB)

Update KB4345418 for Windows 10 V1607 (LTSB) changes OS build to 14393.2367 and contains the following fixes:

• Addresses an issue that may cause some devices running network monitoring workloads to receive the 0xD1 Stop error because of a race condition after installing the July update.
• Addresses an issue with the DHCP Failover server that may cause enterprise clients to receive an invalid configuration when requesting a new IP address. This results in a loss of connectivity.
• Addresses an issue that may cause the restart of the SQL Server service to fail occasionally with the error, “Tcp port is already in use”.
• Addresses an issue that occurs when an administrator tries to stop the World Wide Web Publishing Service (W3SVC). The W3SVC remains in a “stopping” state, but cannot fully stop or it cannot be restarted.

No other issues are known. The update is available via Windows Update or in the Microsoft Update Catalog.

Update KB4345455 for Windows 10 V1507 (LTSB)

Update KB4345455 for Windows 10 V1507 (LTSB) changes OS build to 10240.17918 and contains the following fixes:

• Addresses an issue that may cause some devices running network monitoring workloads to receive the 0xD1 Stop error because of a race condition after installing the July update.
• Addresses an issue that may cause the restart of the SQL Server service to fail occasionally with the error, “Tcp port is already in use”.
• Addresses an issue that occurs when an administrator tries to stop the World Wide Web Publishing Service (W3SVC). The W3SVC remains in a “stopping” state, but cannot fully stop or it cannot be restarted.

No other issues are known. The update is available via Windows Update or in the Microsoft Update Catalog.

Microsoft has released an update directly to the Windows Update client (of the above updates) to improve reliability. Any device running Windows 10 configured to receive updates automatically from Windows Update, including Enterprise and Pro editions, will be offered the latest Windows 10 Feature Update based on device compatibility and Windows Update for Business deferral policy. This does not apply to long-term servicing editions.

Similar articles:
Adobe Flash Player Version 30.0.0.134
Microsoft Office Patchday (July 3, 2018)
Patchday: Windows 10-Updates July 10, 2018
Patchday: Updates for Windows 7/8.1/Server July 10, 2018
Patchday Microsoft Office Updates (10. Juli 2018)
Microsoft Patchday: Other Updates July 10, 2018

.Net Framework: Update KB4340558 drops error 0x80092004?
DHCP-Bug in Update KB4338814 (Windows 10 Version 1607)
July 2018 Patchday issues, KB4018385 pulled – Part I

[German]Just a hint for a Windows 10 setup (if necessary as in-place upgrade), which should be executed on encrypted media (e.g. Veracrypt drive). There is a setup option ReflectDrivers, which can be used from Windows 10 Anniversary Update (version 1607).

What the problem?

If a Windows installation or feature update is running, the target partitions should be unencrypted – especially if they are encrypted with third party tools such VeraCrypt. So it is necessary to decrypt the system disk before installation, install Windows 10 and then encrypt the partition again.

ReflectDrivers Setup Option helps

The approach outlined in the paragraph above can be avoided by using the ReflectDrivers setup option. Microsoft introduced this option in Windows 10 Anniversary Update (version 1607) or later and described it in the document Windows Setup Command-Line Options.

Specifies the path to a folder that contains encryption drivers for a computer that has third-party encryption enabled.

Setup /ReflectDrivers <folder_path>

This setting is new for Windows 10, version 1607.
Make sure that <folder_path> contains only a minimal set of encryption drivers. Having more drivers than necessary in <folder_path> can negatively impact upgrade scenarios.

So you can specify a path to the folder where the encryption driver is located for the option during setup. This approach was described in the VeraCrypt forum to support an upgrade for VeraCrypt encrypted hard drives. The poster wrote in April 2018:

I have implemented compatibility with Windows 10 upgrades through SetupConfig.ini and ReflectDrivers mechanisms and I have uploaded installer for version 1.23-BETA0 that contains this to this site.

Now automatic upgrades will work out of the box when system encryption is on and manual upgrades can be performed by typing:

setup.exe /ReflectDrivers "C:\Program Files\VeraCrypt" /PostOOBE C:\ProgramData\VeraCrypt\SetupComplete.cmd

I have done tests using upgrades from 1703 to 1709. The only issue I encountered is if the system is partially encrypted in UEFI case but this is a marginal case and it should never happen in practice.

I am looking to users who are willing to test this version in order to confirm its reliability before rolling it out. Thank you.

So for VeraCrypt there is an approach to upgrade Windows 10 to a new version. (via)

In mid-July MS released the Insider Build 17113 in Fast Ring (see Windows 10 Insider Preview Build 17713 released). Now it becomes known that version 17713.1002 kills the Windows Defender Application Guard. It is probably update KB4345215 which causes this problem.

[German]Microsoft für released cumulative updates fir Windows 10 version 1607, 1703, 1709 and 1803 on July 25, 2018. Here is an Overview about these updates.

Update KB4340917 for Windows 10 V1803

Update KB4340917 is for Windows 10, Version 1803 and changes OS build to 17134.191. It has the following improvements:

• Addresses an issue that causes devices within Active Directory or Hybrid AADJ++ domains to unexpectedly unenroll from Microsoft Intune or third-party MDM services after installing provisioning package updates (PPKG). This issue occurs on devices that are subject to the Auto MDM Enrollment with AAD Token Group Policy. If you ran thescript Disable-AutoEnrollMDMCSE.PS1 as a workaround for this issue, run Enable-AutoEnrollMDMCSE.PS1 from a PowerShell window in Administrator mode after installing this update.

• Addresses additional issues with updated time zone information. 
• Improves the ability of the Universal CRT Ctype family of functions to handle EOF as valid input. 
• Addresses an issue with registration in the “Push to Install” service.
• Addresses an issue with Roaming User Profiles where the AppData\Local and AppData\Locallow folders are incorrectly synchronized at user logon and logoff. For more information, see KB4340390. 
• Addresses issues related to peripherals that use Quality of Service (QoS) parameters for Bluetooth connections. 
• Addresses an issue that causes SQL Server memory usage to grow over time when encrypting data using a symmetric key that has a certificate. Then, you execute queries that open and close the symmetric key in a recursive loop. 
• Addresses an issue where using an invalid password in a wireless PEAP environment that has SSO enabled submits two authentication requests with the invalid password. The excess authentication request may cause premature account lockouts in environments with low account lockout thresholds. To enable the changes, add the new registry key DisableAuthRetry (Dword) on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\
  PPP\EAP\26 using regedit, and set it to 1. 
• Addresses an issue that prevents OpenType fonts from printing in Win32 applications. 
• Addresses an issue with DNS Response Rate Limiting that causes a memory leak when enabled with LogOnly mode. 
• Addresses an issue in a RemoteApp session that may result in a black screen when maximizing an app window on a secondary monitor.
• Addresses an issue in IME that causes unexpected finalization of strings during Japanese input in applications such as Microsoft Outlook.

The update is offered via Windows Update, if you (so Microsoft) let check for updates via the settings page. It can also be downloaded via Microsoft Update Catalog. The update has a known issue, see kb article.

Update KB4338817 for Windows 10 V1709

Update KB4338817 is for Windows 10, Version 1709 and changes OS build to 16299.579. It has the following improvements:

• Addresses an issue that causes devices within Active Directory or Hybrid AADJ++ domains to unexpectedly unenroll from Microsoft Intune or third-party MDM services after installing provisioning package updates (PPKG). This issue occurs on devices that are subject to the “Auto MDM Enrollment with AAD Token” Group Policy. If you ran the script “Disable-AutoEnrollMDMCSE.PS1” as a workaround for this issue, run “Enable-AutoEnrollMDMCSE.PS1” from a PowerShell window running in Administrator mode after installing this update.

• Inserts a CR before LF if there was none. 
• Enables debugging of WebView content in UWP apps using the Microsoft Edge DevTools Preview app available in the Microsoft App Store. 
• Addresses an issue in which Microsoft Edge DevTools becomes unresponsive when the console is flooded with messages. 
• Addresses an issue that causes a black screen to appear for several minutes after installing Windows updates before going to the desktop. 
• Addresses additional issues with updated time zone information. 
• Improves the PDF file experience in Microsoft Edge by addressing PDF file open, print, and reliability issues. 
• Addresses an issue in which moving a Microsoft Foundation Class (MFC) application window might leave behind a dithered pattern on the desktop. 
• Addresses an issue that causes power options to appear on the Windows security screen even when the per-user Group Policy to hide power options is set. 
• Addresses an issue in which the correct lock screen image won’t show when all of the following are true:
  • GPO policy “Computer Configuration\Administrative Templates\Control Panel\Personalization\Force a specific default lock screen and logon image” is enabled.
  • GPO policy “Computer Configuration\Administrative Templates\Control Panel\Personalization\Prevent changing lock screen and logon image” is enabled
  • Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\
    System\DisableLogonBackgroundImage is set to 1.
• Addresses an issue in which a warning appears stating that the application is from an “unknown publisher” when running an application as an elevated user (Administrator).
• Addresses an issue that causes sporadic authentication issues when using Web Account Manager.
• Addresses an issue that sometimes causes the single-sign-on scenario to fail and presents the the logon tile when connecting to a Remote Desktop server. 
• Addresses an issue in which the memory usage of LSASS continues to grow until it is necessary to restart the system. 
• Addresses an issue in which the default domain for an Azure Active Directory-joined machine is not set on the logon screen automatically. 
• Addresses an issue that causes SQL Server memory usage to grow over time when encrypting data using a symmetric key that has a certificate. Then, you execute queries that open and close the symmetric key in a recursive loop.
• Addresses an issue in which using an invalid password in a wireless PEAP environment that has SSO enabled causes the submission of two authentication requests with the invalid password. The excess authentication request may cause premature account lockouts in environments with low account lockout thresholds. To enable the changes, add the new registry key, “DisableAuthRetry” (Dword) on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\
  PPP\EAP\26 using regedit, and set it to 1. 
• Addresses an issue that may cause the BITS service to become unresponsive when the service cannot connect to Internet resources. 
• Addresses an issue that prevents printing on a 64-bit OS when 32-bit applications impersonate other users (typically by calling LogonUser). This issue occurs after installing monthly updates starting with KB4034681, released in August 2017. To resolve the issue for the affected applications, install this update, and then do one of the following:
  • Use Microsoft Application Compatibility Toolkit to globally enable the Splwow64Compat App Compat Shim.
  • Use the following registry setting, and then restart the 32-bit application: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print Setting: Splwow64Compat
    Type: DWORD Value1: 1    
• Addresses an issue with DNS Response Rate Limiting that causes a memory leak when enabled with LogOnly mode. 
• Addresses an issue that sometime prevents a system from shutting down or being placed in Hibernation. This issue occurs on the first boot after performing disk encryption on an SSD drive. 
• Addresses an issue that prevents access to SMB shares using IP addresses if SMB hardening is enabled. 
• Addresses an issue in which using mandatory (read-only) user profiles for RDP might result in the error code, “Class not registered (0x80040151)”.
• Addresses an issue in which not all network printers are connected after a user logs on. The HKEY_USERS\User\Printers\Connections Key shows the correct network printers for the affected user. However, the list of network printers from this registry key is not populated in any app, including Microsoft Notepad or Devices and Printers. Printers may disappear or become non-functional.
• Addresses an issue that causes in-place upgrades to Windows 10 version 1709 to stop responding at the “Making sure you’re ready to install” screen. This occurs while performing device inventory on devices that have installed monthly updates since April 2018.
  Note  WSUS can also deliver Dynamic Updates (DU) to devices when configured to sync Dynamic Update content. Verify that Dynamic Updates haven’t been disabled by the /DynamicUpdate Disable setup switch.
• Addresses a rendering issue that occurs while dynamically modifying the classname or ID of elements on a page.
• Addresses an issue that prevents Memory Analyzer and Performance Analyzer from working properly in Microsoft Internet Explorer 11 Developer Tools.

The update is offered via Windows Update, if you (so Microsoft) let check for updates via the settings page. It can also be downloaded via Microsoft Update Catalog. The update has a known issues, see kb article.

Update KB4338827 for Windows 10 V1703

Update KB4338827 is for Windows 10, Version 1703 and changes OS build to 15063.1235. It has the following improvements:

• Addresses additional issues with updated time zone information. 
• Changes the music metadata service provider used by Windows Media Player. 
• Addresses an issue in which some characters were not rendered correctly using the Meiryo font in vertical writing mode. 
• Addresses an issue that may cause the operating system to stop responding when transitioning from Sleep to Hibernation. 
• Addresses an issue in which the memory usage of LSASS continues to grow until it is necessary to restart the system. 
• Addresses an issue that may cause dual-signed files to report a failure when they should report success. This occurs when running Windows Defender Application Control in audit mode. 
• Addresses an issue that causes SQL Server memory usage to grow over time when encrypting data using a symmetric key that has a certificate. Then, you execute queries that open and close the symmetric key in a recursive loop. 
• Addresses an issue that prevents printing on a 64-bit OS when 32-bit applications impersonate other users (typically by calling LogonUser). This issue occurs after installing monthly updates starting with KB4034681, released in August 2017. To resolve the issue for the affected applications, install this update, and then do one of the following:
  • Use Microsoft Application Compatibility Toolkit to globally enable theSplwow64Compat App Compat Shim.
  • Use the following registry setting, and then restart the 32-bit application: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print Setting: Splwow64Compat
    Type: DWORD Value1: 1    
• Addresses an issue in which Wi-Fi credentials must be entered each time a device restarts and tries to reconnect to Wi-Fi using Group Policy-distributed Preferred Network Profiles.
• Addresses an issue in which using an invalid password in a wireless PEAP environment that has SSO enabled causes the submission of two authentication requests with the invalid password. The excess authentication request may cause premature account lockouts in environments with low account lockout thresholds. To enable the changes, add the new registry key, “DisableAuthRetry” (Dword) on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\
  PPP\EAP\26 using regedit, and set it to 1.
• Addresses an issue in which Wi-Fi credentials must be entered each time a device restarts and tries to reconnect to Wi-Fi using Group Policy-distributed Preferred Network Profiles.
• Addresses an issue in which not all network printers are connected after a user logs on. The HKEY_USERS\User\Printers\Connections Key shows the correct network printers for the affected user. However, the list of network printers from this registry key is not populated in any app, including Microsoft Notepad or Devices and Printers. Printers may disappear or become non-functional.

The update is offered via Windows Update, if you (so Microsoft) let check for updates via the settings page. It can also be downloaded via Microsoft Update Catalog. The update has a known issues, see kb article.

Update KB4338822 for Windows 10 V1607

Update KB4338822 is for Windows 10, Version 1607 (only Enterprise) and Windows Server 2016 available and raises the os build to14393.2395. Details may be obtained from kb article.

[German]Microsoft has released two Intel Microcode updates KB4100347 and KB4090007 on July 24, 2018. One update is for Windows 10 V1803, the other for Windows 10 V1709. 

Update KB4100347 for Windows 10 V1803

Update KB4100347 (Intel Microcode Update) is available for Windows 10 V1803 and closes the following vulnerability:

Intel recently announced that they have completed their validations and started to release microcode for recent CPU platforms related to Spectre Variant 2 (CVE 2017-5715 [“Branch Target Injection”]).

The update applies to several Intel processors listed in the KB article. It is a standalone update for Windows 10 version 1803 (Windows 10 April 2018 update) and Windows Server version 1803 (Server Core). This update is distributed across the Microsoft Update Catalog, and also includes Intel microcode updates that were released when released for these operating systems (RTM).

Microsoft intends to offer additional microcode updates from Intel for this operating system via the KB article as soon as they are available for Microsoft. Vulnerability protection is enabled by default for Windows client systems, so no action is required.

Please make sure that protection against Spectre Variant 2 for servers is enabled via the registry settings documented in the article Windows Server guidance to protect against speculative execution side-channel vulnerabilities.

Microsoft advises: Check with your device manufacturer and Intel through their websites for microcode recommendations for your device before applying this update to your device.

Update KB4090007 for Windows 10 V1709

Update KB4090007 is the same Intel Microcode update as described above, but is available for Windows 10 V1709. The list of supported updates is listed in the KB article. There you will also find further details and the link to the Microsoft Update Catalog.

[German]Microsoft has released new Insider Previews (17723 and 18204) of Windows 10. Some new features for future Windows 10 builds are also known.

Two new Insider Preview builds 17723 and 18204

Microsoft has released two insider previews for two different development branches (Redstone 5 build 1772 , and build 18204 for skip ahead branch 19H1). Redstone 5 build will end as Windows 10 V1809 in autumn 2018. The skip ahead branch, named 19H1 will end in Windows 10 Build released in Spring 2019. The announcement has been made within the Windows Blog. There one can inform oneself about the innovations as well as the known issues. Basically the builds for RS5 and Skip Ahead are identical, you will add new features later in 19H1 which are not considered in RS5.

[German]Microsoft has added a new features to the Insider Preview Builds released last night. It’s possible, to add a feature ‘Virtual Machines’. Seems as a kind of platform virtualization support w/o Hyper-V.

Currently not too much about that feature is known. Tero Alhonen (@teroalhonen) has spotted and tweeted it.

Windows 10 19H1 enables platform support for virtual machines without Hyper-V pic.twitter.com/zHp5renLO1

— Tero Alhonen (@teroalhonen) 26. Juli 2018

Currently it’s in Redstone 5 and also in 19H1 Insider Preview, but it seems non functional. This feature is also available in Home edition, according to German blog reader.

[German]Since Windows 8.1, Microsoft has introduced the Sleep Study module for power management. Here is some information about Sleep Study and also issues with this tool are addressed.

I confess, the Sleep Study function has never came to my attention. This blog post was inspired by a post from Microsoft in June 2018 on the diagnostic possibilities of this module. 

What is Sleep Study?

Tracking system activity and battery consumption during standby mode can be difficult. The reason: Tracking even unnecessary activity in Windows can affect battery consumption itself. For example, traditional logging on a hard disk has the undesirable side effect that the battery charge is consumed excessively when the hard disk is activated for logging.

Microsoft has therefore introduced the software tool Sleep Study from Windows 8.1 upward. It is available in all Windows PCs that implement the modern standby power model. Sleep Study can measure power consumption in standby mode with minimal impact on battery consumption. The Sleep Study tool is designed so that it does not generate activities that could affect the standby performance it measures.

Microsoft published the article Modern standby SleepStudy in 2017, which describes the tool. The Sleep Study tool gives (according to the article) an overview of each standby session. This information includes active time, idle time and power consumption. A session starts when the system goes into modern standby mode and ends when it leaves it.

Use Sleep Study for diagnose

Sleep Study provides information about the causes of activities that occur during each standby session. This function enables an easy examination of long-term activities. The tool can be called with the command

powercfg.exe /SleepStudy

further call options are described in this Microsoft article. This allows you to specify a time for monitoring or generate a report. In June 2018 Microsoft published the blog postSleep Study: Diagnose what’s draining your battery while the system sleeps. The article deals with the use of the tool. 

(Sleep Study-Call, Source: Microsoft)

Sleep Study issues

The tool can be quite useful to track down issues with power consumption in standby mode, but it can also be quite problematic. During my research I came across this Microsoft Answers forum post titled Sleep Study Writing All Over C: Drive, an SSD from March 2017. I found also a German Technet forum entry mentions a similar issue. In both cases, users had the problem that an enabled sleep study would fill the hard disk or SSD and then cause problems. In the latter case, it was the third-party tool Nero TuneItUp that caused the problems. 

Another positive news: Microsoft has probably fixed some older display errors like the BlackScreen bug or the missing brightness control in Windows 10 April Update (V1803).

The didn’t recognized that, until I found this article from June 2018. Update KB4284835 for Windows 10 V1803 from June 2018 contains some quality improvements. Among other things, it lists:

• Addresses an issue with the brightness controls on some laptops after updating to the Windows 10 April 2018 Update.
• Addresses an issue that caused the system to start up to a black screen. This issue occurs because previous updates to the Spring Creators Update were incompatible with specific versions of PC tune-up utilities after installation

If the brightness control on notebooks is inaccessible, this is probably due to an incorrect graphics driver being installed.

[German]Microsoft has announced the general availability of LEDBAT for the upcoming Windows Server 2019 version. But LEDBAT can already be used in Windows 10 and Windows Server 2016 optional in an experimental mode.

Some background: Optimizing TCP stack

In July 2016, Microsoft announced five new features (some on an experimental basis) for the TCP stack of Windows Server 2016 and Windows 10 Anniversary Update (V1607). The Register has discussed the following new features in this blog post. 

1. TCP Fast Open (TFO) for zero RTT TCP connection setup. IETF RFC 7413
2. Initial Congestion Window 10 (ICW10) by default for faster TCP slow start
3. TCP Recent ACKnowledgment (RACK) for better loss recovery (experimental IETF draft)
4. Tail Loss Probe (TLP) for better Retransmit TimeOut response (experimental IETF draft)
5. TCP LEDBAT for background connections IETF RFC 6817

Microsoft argued at the time that the changes were necessary “to reduce latency (of Internet connections via TCP), improve reliability and promote better network citizenship”.

Especially #5 TCP LEDBAT is interesting. According to Wikipedia, LEDBAT (Low Extra Delay Background Transport) offers the ability to quickly transfer data over the Internet without clogging the network.

LEDBAT was developed by Stanislav Shalunov and is used by Apple for software updates and by BitTorrent for most of its transmissions. It is estimated that 13-20% of Internet traffic is handled by LEDBAT. LEDBAT is a delay-based overload control algorithm that utilizes the entire available bandwidth while limiting the increase in delay. It does this by measuring the one-sided delay and using changes in the measurements to limit the overload caused by the LEDBAT flow itself on the network.

This article deals with Traffic Shaping using ConfigMgr and LEDBAT under Windows 10/Server 2016. Another article discusses bandwith management in Windows using Microsoft’s LEDBAT++

Full support for Microsoft LEDBAT in Server 2019

Now Microsoft has declared LEDBAT as GA (General Availability) for Windows Server 2019. This is reported by The Register in this article. Microsoft employee Daniel Havey has probably contacted The Register and told the editors that LEDBAT has reached full support for Windows Server 2019 (this OS version is still in the preview phase). At the same time, Havey published this blog posts with more details using LEDBAT under Windows Server 2019. The article mentions also how to use LEDBAT in SCCM.

(Source: Microsoft)

[German]Within the blog post I like to document another strange observation made by an administrator on a German Windows 10 Enterprise. The Windows Defender Application Guard displays a user interface in either Czech or Polish.

Windows Defender Application Guard

Windows Defender Application Guard (WDAG) is available as a security feature since Windows 10 Enterprise version 1709. Designed for Windows 10 and Microsoft Edge, Application Guard helps isolate the untrusted Web sites defined by your organization. An administrator can define for a company what belongs to the trustworthy websites, cloud resources and internal networks. Anything not included in the list is considered as untrustworthy. Microsoft has published this WDAG description with details. This article describes how to activate WDAG, and this English article describes, how to use WDAG to secure Edge.

Wrong language in WDAG window

Let’s come to the issue, German blog reader Werner P. is facing. Werner wrote within an e-mail, that he has a newly unpacked Fujitsu Q957 with Windows 10 Enterprise V1803 that has been updated to the least recent patch level. Windows 10 Enterprise is set up in German, as shown in the following screenshot.

If nothing noticeable – and if I put the WDAG into operation on this client, I assume that the administration windows are displayed in German. But Werner wrote:

I have a strange behavior when activating Windows Defender Application Guard on a newly unpacked and updated Fujitsu Q957.

The system language (and also the language in the normal Edge) is German – when I start the Defender Application Guard, I have the Application Guard window at once in Czech or Polish.

Werner send me the screenshot below showing that strange behavior. Edge has a German GUI, while the message in WDAG is Czech or Polish.

(Windows Defender Application Guard with wrong language, click to zoom)

Werner mentiones that he found nothing similar to this error searching the Internet (I was also not successful). Uninstalling and reinstalling this feature is, according to Werner, unsuccessful. Besides a bug, I would think of a check of the system per DISM and the temporary change of the location in the settings. I suggested it to Werner.

Werner answered, that DISM didn’t helped, and the machine have had only a German language pack installed. He has added an Englisch language pack, switched the language, but without success. He assume, that the Fujitsu image is probably wrong and will try a Microsoft image. If that helps, I will add the information.

Since I don’t deal with the Windows Defender Application Guard, I post the topic here in this blog. Maybe one of you admins has an idea or is even affected. Let’s see if there’s any feedback. 

[German]Microsoft has now officially released an ISO installation file of Windows 10 Insider Preview Build 17713 for download after the build was recently released in the slow ring.

This allows Windows 10 insiders a clean-install of that (somewhat) buggy build (see Windows 10 Insider Preview Build 17713 released and Windows 10 Insider Build 17713.1002 breaks Defender Application Guard).

The ISO contains the SKUs Home, Pro and Education (Enterprise is available separately, see screenshot) as 64-bit version. If necessary/interested, the download is possible here. (via)

[German]It seems Microsoft is launching a new installation variant of Windows 10 Enterprise: Windows 10 Enterprise for Remote Sessions. Could it be the replacement for Windows Terminal Server?

There is not too much information – the new SKU is probably offered with the Windows Insider Preview Build 17713 (RS5) ISO (see Windows 10: Insider Preview Build 17713 available as ISO). Tero Alhonen @teroalhonen has posted some screenshots of the installation on Twitter. Here the selection in the setup dialog (just click on the screenshots to get the tweet and with the next click an enlarged representation of the picture).

Windows 10 Enterprise for Remote Sessions pic.twitter.com/rRtjJzHJV7

— Tero Alhonen (@teroalhonen) 1. August 2018

Below are screenshots of winver and its registry, after successful installation of Windows 10 Enterprise for Remote Sessions.

Windows 10 Enterprise for Remote Sessions pic.twitter.com/2jDTloUpN9

— Tero Alhonen (@teroalhonen) 1. August 2018

The next screenshot shows the Command Prompt window with four active remote connections.

Windows 10 Enterprise for Remote Sessions with four active remote connections pic.twitter.com/pqtu2h02kw

— Tero Alhonen (@teroalhonen) 1. August 2018

I got a feedback from one of my sources via Facebook (should no longer fall under NDA) who wrote: This could be the replacement for terminal servers that the rumour mill has been talking about for a long time. Windows Server as LTSC-like OS is too slow for the new features needed for Terminal Server as Windows 10 Desktop, so the Terminal Server now moves to the Windows Client.

Anyone who has already experimented in this direction or knows more details or articles from Microsoft?

[German]In enterprise environments, administrators may face the problem of having to distribute Windows 10 upgrades automatically, possibly via SCCM or similar tools. Here is a solution, using a batch file to deploy an in-place upgrade approach for Windows 10.

Josh Hefner, who presented the solution in his blog, writes that he recently faced the scenario with a client that he had no Configuration Manager infrastructure available. He normally uses Intune to manage workstations, but ran into problems configuring MDT to support Windows 10 upgrades.

Josh points out that there are still some known problems with MDT and Windows 10. These are described in this Technet article from 2015.

However, Josh Hefner had to automate the deployment of Windows 10 for end users. He is using a very elegant solution: Instead of distributing feature updates, he uses a cmd file to trigger an in-place upgrade of the client to the desired Windows 10 version.

(Install files, Source: joshheffner.com)

• First, copy all files of the installation image required for installation into a folder structure of a network drive (see above image)..
• Create a batch file Install.cmd within a the folder of the structure shown above, to start the deployment. The cmd file contains the following command.

start /wait .\Win10\setup.exe /auto upgrade /migratedrivers all /dynamicupdate enable /showoobe none /pkey XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Basically, the command only starts the setup.exe and lets the system upgrading via an in-place update. Parameters can be used to control the upgrade and also enter the product key for the client. You can read more details in Josh’s article.

Microsoft has released Windows 10 Insider Preview Build 17730 (Redstone 5) in the Fast Ring. The announcement was made as usual in the Windows blog, where you may read further details. This build is part of the RS5_RELEASE fork, which is planned to become Windows 10 V1809 (or similar) in fall 2018.

[German]Microsoft has responded to an open letter from MVP colleague Susan Bradley about problems and quality issues with Microsoft’s Windows update cycles.

The background – an open letter to Microsoft

Satisfaction with Windows, especially Windows 10 and Microsoft’s approach to Windows as a service and the updates provided is disastrous for both consumers and IT professionals. A survey conducted by Susan Bradley, a long-standing expert in patch management for Windows, explicitly confirmed this. As a result, Susan Bradley wrote an open letter to Microsoft management (including CEO Satya Nadella) to highlight the problems in practice.

Woody Leonhard had published this on his website askwoody.com and at ComputerWorld articles. Since I am in contact with him, I have addressed both the surveys and the open letter within my blog post Windows (10) Update Survey and an open letter to Microsoft.

Microsoft’s answers

Microsoft replied surprisingly, Woody Leonhard has published Microsoft’s answer at ComputerWorld within the Windows updaters express frustrations. Microsoft responds. Here are some excerpts and the quintessence.

Service Request # 143…….

Hello Susan,

My name is (redacted), and I’m a Customer Relationship Manager here at the Microsoft corporate offices in Redmond, Washington. Thank you for reaching out.

I would like to let you know that we got your concerns about the Windows 10 patch quality issues that you have brought to our attention.  I wanted to give you an update and let you know that at this time I working on finding the best venue to bring your concerns to our leadership team who would be better equipped in making any decisions that need to be made.

As a reminder: The open letter was addressed to Microsoft’s Board of Directors, Mr. Satya Nadella, and two Vice Presidents. The open letter expressed the general dissatisfaction with the update quality and the frequency of Windows as a service function updates at the base. Tenor: Something has to change, think about it.

In the text above, a Customer Relationship Manager answered, and issued a support number. He/she confirms the open letter has been noticed and assures that ‘ways are being sought to bring the matter to Microsoft’s leadership team, which is better able to make all necessary decisions’. It that the way at Microsoft to process an open letter to the CEO? But Microsoft stays tuned – Susan Bradley received another message from the Customer Relationship Manager.  Forwarding the open letter to the responsible team is confirmed.

Hello Susan,

This is (redacted) again with Microsoft customer services and support team. I would like to thank you for all the great feedback that you submitted in your previous letter that you sent to Microsoft.  I would like to tell you that I have forward[ed] your letter to a team that is better equipped to handle the concerns and feedback that you have stated in your letter.

Your letter clearly states the concerns that you have due to the quality and timing of Microsoft updates.  I would like to add that with Windows 10 Microsoft decided to be more proactive. This has always been the way we keep commercial versions of Windows on the market current.  There are also bug fixes. These updates can be vital. The Windows software environment and its associated hardware is incredibly complex. When these bugs are fixed, updates have to be issued to move them out to users. You want these updates to make sure everything works as expected.  Windows 10 is very different from earlier versions of Windows. Earlier versions of Windows consisted of a single product which was updated over time. Windows 10 consists entirely of a base install and then fluid updates. The updates aren’t add-ons from which to pick and choose but are part of the operating system.

After much Microsoft talk, which promises understanding for the expressed concerns, the text above says in my reading: “That’s just so decided by Microsoft, that’s what we do with Windows 10.”

Just to note, there were two key points that Susan Bradley addressed in her open letter. Point #1 was the clear statement that the vast majority of users and IT professionals consider the semi-annual feature updates to be a weak point, and IT professionals want something like feature updates every two years. The above answer (at least I didn’t notice anything) didn’t deal with this issue. It’s like in politics, where a question is bypassed with a rush of words on a side issue.

Point #2 was the poor quality of the latest Windows updates, which makes the job of IT professionals difficult or impossible. Microsoft told Susan Bradley in an answer, that everything is terribly complex and explains the difference between Windows 10 and other operating systems. First I thought, they just kidding, but it seems they are serious about that. Just to note: Things seems to be complex is Microsoft’s view, so the increase their pace and are releasing semi-annual features updates, to keep things (from an updater’s view) even more complex. Not a word about the update quality. But then the absolute hammer comes with the following paragraph:

I have provided a link below to our Feedback Hub.  In the future you could use the link to provide feedback and share your suggestions or comments on issues with Windows products.

My first thought ‘it was a bot, that answered’, but it seems it was a Microsoft employee, that wrote the text. Woody Leonhard wonders in his ComputerWorld article about Microsoft’s answer and notes: This is a strange answer that [they] send to someone who has been struggling with bad Windows patches for almost two decades – and writing loudly about it.

Then Wood Leonhard points out that Susan Bradly posted exactly three months before the open letter has been published a text in Feedback Hub about quality and loss of trust (link https:// aka.ms/AA1aitt). I haven’t linked the article here, because the contents of the feedback hub can only see who is using Windows 10 and the relevant infrastructure. Such posts can be rated as important by other users (called upvote). That only works if you are an active Windows 10 Insider Preview participant and are logged in under a Microsoft account with Windows 10. Strange thing, and I always have Microsoft’s ‘we are listening to our customers’ in my had – but they obviously kidding. Or what’s your thoughts?

Addendum: Susan Bradley answered the reply from Microsoft – details may be read here at askwoody.com.

[German]At the current Black Hat conference in Las Vegas, security researchers showed how easy it was to use Cortana ito bypass security functions under Windows 10. Microsoft has closed (come of) the vulnerabilities. 

That wizards like Siri, Google Now or Cortana are good for all kinds of surprises of the negative kind, has been shown in several cases – I had already addressed it in various German blog posts. In my German blog post Cortana: Interesse bei Unternehmen, aber Sicherheitslücke I mentioned also a vulnerability discovered in Windows 10, where Cortana can be misused for criminal purposes using PowerShell even when the system is locked. However, the vulnerability (CVE-2018-8140) was closed with the June 2018 patchday.

Cortana as Open Sesam

Under the title Open Sesame: Picking Locks with Cortana the CVE-2018-8140 vulnerability (see announcement here) was addressed again by a team from the Technion Israel Institute of Technology led by Professor Amichai Shulman. The security researchers had asked themselves how the language assistants in devices affect security in corporate environments.

Microsoft Cortana is used on mobile and IoT devices, but also on corporate computers, because it is enabled with Windows10 by default and is always ready to respond to user commands, even when the machine is locked. Interacting with a locked machine is a dangerous architectural decision. Early in 2018, security researchers discovered the Voice of Esau (VoE) exploit for a Cortana vulnerability. The VoE exploit allowed attackers to take over a locked Windows10 machine by combining voice commands and network functions to deliver a malicious payload to the affected machine.

At the Blackhat conference security researchers demonstrated how a powerful vulnerability in Cortana allows attackers to take over a locked Windows machine and execute arbitrary code. By exploiting the ‘Open Sesame’ vulnerability, attackers can view the content of sensitive files (text and media), browse any website, download and execute any executable files from the Internet, and may be granted elevated privileges.

German site heise.de has published this article with some details. After activating Cortana (“Hey, Cortana?”) it is sufficient to press any key on the keyboard. The search dialog of the operating system opens and shows, for example, preview images of photos or text documents. All this happens, mind you, on a locked Windows 10 screen.

If a USB stick is connected to the system, an executable file can be searched via Cortana and started with a simulated click. A query of the user account control can be bypassed if necessary (keyword: UAC Bypassing). This opens up the possibility of selecting and starting malware via the search function in order infect the locked system.

Alternatively, an HTTP page set up as watering-hole to distribute malware could be opened by voice command. According to heise.de the security researchers used the Remote Desktop Protocol to send voice commands via network directly to other victims system without having to use the microphone of the target computer.

Furthermore heise.de describes a fourth attack method, which uses malicious Cortana skills, which the attackers added to the Cortana channel before. Then these Cortana skills could be activated by voice command (including the release of the installation of an untrustworthy plug-in).

To make matters worse, exploiting the vulnerability does not involve external code or questionable system calls, so code focused defenses such as antivirus, anti-malware and IPS are usually blind to attack.

An interview with CNBC is available here. As mentioned above, the CVE-2018-8140 vulnerability has been closed since June 2018 patchday. The question remains how many other undetected security holes are still dormant. According to Professor Amichai Shulman, his students have discovered further security holes in Cortana. Since these are unfixed, details were not revealed. But even if they are fixed at some point, the attack vector won’t get smaller due to the inflation of Windows 10 features propagated by Microsoft’s developers. Or how do you see it?

Microsoft has released the Windows 10 Insider Preview Build 177353 (Redstone 5) in the Fast Ring. Furthermore the Windows 10 Insider Preview Build 18214 (19H1) for the Skip Ahead branch was released. 

Windows 10 Insider Build 17735

The Windows 10 Insider Preview Build 177353 belongs to the RS5_RELEASE-Fork, which should lead to Windows 10 V1809 (or v1810) in autumn 2018. The announcement has been made as usual within the Windows blog. There you will find a longer list of changes and bug fixes. Unfortunately there is also a long list of known problems in the blog post.

Windows 10 Insider Build 18214

The Windows 10 Insider Preview Build 18214 is only available for testers whose system is configured for the Skip Ahead branch. There the code name 19H1 applies, since this development branch is to lead to the spring upgrade in 2019. The announcement was also posted on the Windows blog. There you can inform yourself about the new features, changes and bug fixes as well as about known problems.