[German]Microsoft has just announced a support extension (i.e. the supply of security updates) for Windows 10 version 1709 (Enterprise and Education) until October 2020. The reason is the current corona virus pandemic.

Currently, many users are working remotely from home, as public life worldwide is largely at a standstill due to the coronavirus pandemic. Many people are now less interested in function updates and more concerned with family, colleagues and possibly customers. Microsoft is also monitoring the situation and is making the security of its employees, customers, partners and the community a top priority.

Windows 10 lifecycle

The dates from which a Windows 10 version is no longer supported with updates can be found on the Windows 10 Life Cycle page. Windows 10 Enterprise is scheduled to drop out of support on April 14, 2020.

(Source: Microsoft)

Support extension for Windows 10 version 1709

Microsoft has therefore evaluated the situation in the public health care sector, and looked at the impact of the end of support for Windows 10 version 1709 next month. Based on customer feedback, and in an effort to reduce one of the burdens currently facing administrators, Microsoft has made a decision.

The end of support for Windows 10 version 1709, which was originally planned for April 14, 2020 (the next patchday), will be postponed by six months. Windows 10 version 1709 Enterprise, Education and the IoT Enterprise editions of Windows 10 will continue to receive monthly security updates until October 13, 2020. The last security update for these editions of Windows 10 version 1709 will be released on October 13, 2020 instead of April 14, 2020.

Microsoft has made the information about extended support public in this Techcommunity article. I have become aware of it through the following tweet.

We are extending support of #Windows10 1709 ENT and EDU until October due #COVID19 https://t.co/NSdOlKBu8K

— Steven Thomas #Windows10 #AppCompat #WaaS #MSIX (@madvirtualizer) March 19, 2020

The security updates for Windows 10, version 1709 are released through the usual maintenance channels: Windows Update, Windows Server Update Services (WSUS) and the Microsoft Update Catalog. So there is no need to change anything in the current update management workflow. Also, all supported versions of Microsoft Configuration Manager (current branch) will continue to support updates for Windows 10 version 1709 until October 13, 2020.

[German]The Windows Platform Security Team discusses the technology that secure core PCs can protect Windows against attacks on the kernel, e.g. by compromised drivers.

I had already read the information recently, but again I became aware of this article via the following tweet.

Cool new blog on preventing Windows driver attacks against EDRs and EPP with Secured-core PCs. Check it out!! https://t.co/nRCG3VlwP9 pic.twitter.com/KRQt5Bn3ih

— Dave dwizzzle Weston (@dwizzzleMSFT) March 17, 2020

In this post, people from Microsoft discusses the way through the issue of gaining kernel privileges by exploiting legitimate kernel drivers.

Abusing kernel drivers for privilege escalation

Acquiring kernel privileges by exploiting legitimate but vulnerable kernel drivers has become an established tool of choice for advanced attackers. Several malware attacks, including RobbinHood, Uroburos, Derusbi, GrayFish and Sauron, as well as campaigns by the threat actor STRONTIUM, have exploited driver vulnerabilities (e.g. CVE-2008-3431, CVE-2013-3956, CVE-2009-0824, CVE-2010-1592, etc.) to gain kernel privileges and in some cases effectively disable security agents on compromised machines.

Secured Core PCs as a countermeasure

In October 2019 Microsoft introduced a new development, the Secured Core PCs with additional protection against firmware attacks. I had reported about it in the blog post Microsoft Introduces Secured Core PCs w. Firmware Protection.

Secured-core PCs are devices that use a range of security technologies to prevent firmware-level attacks. Microsoft intends to integrate software-based protection on operating systems and related services. Microsoft has worked internally and externally with OEM partners Lenovo, HP, Dell, Panasonic, Dynabook, and Getac to introduce a new class of devices called Secured Core PCs.

These Secured Core PCs must meet “a set of specific device requirements that apply the security best practices of isolation and minimal reliance on the firmware layer or device core that supports the Windows operating system. The devices are aimed at companies that handle highly sensitive information, such as financial institutions, government agencies, and so on.

Details of how Microsoft envisages securing Secured Core PCs using TPM 2.0 or higher, Windows Defender System Guard, HVCI Kernel DMA protection etc. can be read in this blog post. 

[German]In Windows 10 Version 2004, Microsoft will introduce so-called Hosted Apps in the Windows App Model. Here is some information about what Microsoft understands by this new app model.

Apps for Windows 10 are be delivered via signed MSIX packages. A package provides the identity so that it is known to the system and contains all files, assets, and registry information for the application it contains.

Many apps have scenarios where they want to host content and binaries from other apps. There are also scenarios where the host app is more like a runtime engine that loads script content. In addition, there is a desire for these hosted applications to look and behave like a separate application on the system, with their own startup tile, identity, and deep integration with Windows features such as background tasks, notifications, and sharing.

With the Hosted App Model, a retail kiosk application can be easily renamed, or a Python or Powershell script can now be treated as a separate application. Hosted apps are registered as independent apps on Windows, but require a host process to run. An example would be a script file that requires the host (such as Powershell or Python) to be installed. In itself it is just a file and has no way to appear as an application on Windows.

With the Hosted App Model, an app can declare itself as a host. Then packages can declare a dependency on that host and are called hosted applications. When the hosted app starts, the host executable is then launched with the identity of the hosted app package instead of its own identity. This allows the host to access the contents of the hosted app package, and when calling APIs, it does so using the identity of the hosted application.

The concept was presented a few days ago in the Windows blog. There you can read the details. The concept of hosted apps is only of interest to app developers – end users are unlikely to notice anything, except when a hosted app doesn’t work because the host can’t be contacted. (via)

[German]Microsoft has a new face for the Windows Insider program. After the departure of Dona Sarkar, Amanda Langowski will lead this program in the future.

In October 2019, it was announced that Dona Sarkar was leaving the Windows Insider program to work in the Azure developer area to take care of communication with developers in the PowerBI and PowerApps area. At that time there was speculation that the Microsoft Insider program was pretty much finished. I had reported about it in the blog post Dona Sarkar leaves Windows Insider program. A few days ago there has been signs that something happens in future. 

Awesome to have the one and only @amanda_lango on @ch9 LIVE to talk about the future of Flighting and Feedback for @Windows at the #MVPSummit.

You’ll hear a ton more from Amanda this year, so stay tuned! pic.twitter.com/4fU2KrxOA8

— Dona Sarkar (@donasarkar) March 18, 2020

During the virtual MVP-Summit Dona Sarkar already hinted on Twitter that you would soon hear something from Amanda Langowski.

Amanda Langowski as the new head of Insider program

Panos Panay has just announced on Twitter that Amanda Langowski will take over as head of the Windows Insider program.

Very pumped to introduce @amanda_lango as the new lead for the Windows Insider Program. Not only do I truly believe in the power of this program, but I’m also looking forward to working hand in hand with Amanda as we establish a vision for the future. https://t.co/tTerILvN8u

— Panos Panay (@panos_panay) March 23, 2020

Langowski has been with Microsoft for 20 years and has been involved in the coordination of beta programs, among other things. Furthermore she was responsible as Program Manager Lead and Senior Program Manager Lead for Windows Mobile and Windows Phone (hopefully not a bad omen). And then she was Principal Program Manager Lead for Windows and Devices. In 2016 she became the lead of the Flighting Platform Team (called Principal Program Manager for Windows Fundamentals, Flighting Platforms & Operations). This team not only coordinates the release of every new build that goes to insiders. The team is also responsible for managing Insider’s build options.

Langowski’s goal is to put the software developers in touch with the customers in order to incorporate their experience. In this article you will find more information about what you want to do big. I think the crucial point is the question how seriously the Windows Insider program is taken and what happens there in terms of quality.

[German]Windows 10 users are facing the behavior, that Windows Defender skips items during a scan and reports this. In the meantime the cause is clear and I present a solution in the blog post.

What is the Defender scanning problem?

Since several weeks some Windows 10 users have been experiencing a strange effect when scanning their systems using Windows Defender. Although the scan is successful, at the end of the process the virus scanner reports skipped items during the scan. The following message is then displayed.

Windows Defender skipped an item due to exclusions or network protection settings.

I had covered the case in more detail in the blog post Windows 10: Defender skips elements during scan. Since the affected users did not define exclusions for scanning, much indicated a problem with the network scan.

Cause and Workaround

The message from the Defender occurs, because the Defender doesn’t scan network files anymore by default. Something seems to have changed Microsoft’s behavior some time ago.

I feel it’s pity that Microsoft hasn’t documented this somewhere and doesn’t differentiate in its notification. The message is not wrong and makes sense with today’s knowledge (from the following sections) – because it will be displayed when a user-defined exception was found for the scan OR when the standard default of not scanning network files was followed. That’s what I conclude from the hint of Jens in this comment and from the hints given below.

Note: Below are a few hints, given as fixes, to avoid the notification, by allowing network scans. But Microsoft don’t recommend network scans. There is a simple reason: Performance. If multiple clients in a network – and also the AV software on a server, starts to scan (the same) network files, there is a lot of (senseless) traffic. I guess, that’s the reason, why Microsoft disables network scan in defender by default. If you feel in need to scan a NAS, you may use the fixes given below to allow network scans.

Fix #1: Allow network scan via GPO

To get rid of the above message, you can use Group Policy to allow Defender to scan files on the network.

1. On Windows 10 Pro or Enterprise, type the command gpedit.msc and use the context menu command Run as Administrator to launch the group policy editor.

2. Set the following Group Policy and enable it, if necessary, by typing the gpupdate /force command at an administrative prompt window to force the Group Policy to take effect.

Navigate in the left pane of the group policy editor to the following branch:

Computer Configuration –> Administrative Templates –> Windows Components –> Windows Defender Antivirus –> Scan

Select the policy Scan network files in the right pane via double click and set the GPO state for this policy to Enabled.

At least on my test system the message about skipped elements is gone and I get the above status display.

The guidelines for Defender have been described by Microsoft in this document.

Fix 2: Activation via Registry

There is no group policy editor available in Windows 10 Home. To access the registry editor regedit.exe, choose Run as administrator. Then navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan

There you create a 32-bit DWORD value DisableScanningNetworkFiles and enter the value 0 to allow scanning of the network files.

In this article DisableScanningMappedNetworkDrivesForFullScan is described, but this does not correspond to the GPO entry mentioned above.

Fix 3:  Activation via PowerShell

According to this Microsoft document, the following command can be executed in an administrative PowerShell console:

Set-MpPreference –DisableScanningNetworkFiles

to allow scanning of network files. The scan is not performed if the value 1 is specified.

By the way: Microsoft says “We do not recommend that you scan network files”. But at least now it is clear where the elements skipped during the scan come from.

Addendum: Read also the analysis from Lawrence Abrams at Bleeping Computer. He found out with an old Win 10 VM, that MS has changed the default settings for defender network scan in March 2020.

My recommendation: Just ignore the toast notification about the skipped elements during scan and don’t activate a network scan by default. See my explanation added to the above text.

[German]Microsoft has released the update KB4052623 for the Windows Defender anti-malware platform for Windows 10 on March 24, 2020. This update also fixes the irritating message that files were skipped during a scan.

What is the Defender scanning problem?

Since several weeks some Windows 10 users have been experiencing a strange effect when scanning their systems using Windows Defender. Although the scan is successful, at the end of the process the virus scanner reports skipped items during the scan. The following message is then displayed.

Windows Defender skipped an item due to exclusions or network protection settings.

I had covered the case in more detail in the blog post Windows 10: Defender skips elements during scan. Since the affected users did not define exclusions for scanning, much indicated a problem with the network scan.

I then proved in the blog post Windows 10: Fix for skipped Defender scans that the skipped files are elements of the network scan. This was also useful, since scans of network shares create an unnecessary load.

In the blog post I had advised to ignore the message for the time being, but at the same time I had specified workarounds to change this behavior. At the same time, I had reported the issue to Windows Update (Microsoft’s Twitter channel) with a link to my English blog post.

Update KB4052623 fixes the Bug

Already this morning I received a mail from blog reader Hans Thölen, who informed me about a new update:

Today I had on Windows Update the update for Windows Defender KB4052623 on offer. I have installed it. Then I reset the setting for scanning network files to not configured. With 2 times executed scans only the notification about the scan progress was displayed.

The notification of skipping did not appear both times. It seems that Microsoft has fixed the bug with this.

Also German blog reader left this comment, pointing out, that update KB4052623 raised the Antimalware-Scan-Engine to version 4.18.2003.8 and that the toast notification about skipped elements during a scan has been vanished. Got also a third comment from reader Pater with a similar observation. Thanks to all readers for the hints.

Update KB4052623 for Defender

Update KB4052623 (Update for Windows Defender Antimalware Platform) is available for the following operating systems.

• Windows 10 (Pro-, Enterprise, and Home editions)
• Windows Server 2019
• Windows Server 2016

In the support article, Microsoft writes that this package contains monthly updates and bug fixes for the Windows Defender anti-malware platform that is used by Windows Defender Antivirus in Windows 10. The support article describes a number of issues (secure boot issues, changed paths, increased network traffic) that may occur with this update.

Version 4.18.2001.10 of the scan engine is mentioned as the cause of the high network traffic (current version is 4.18.2003.8). Microsoft is working on a fix internally – and my guess is that someone removed the files from the network scan in the anti-malware platform around March 10, 2020. In the meantime, administrators can work around this problem by temporarily disabling network protection. I did specify some Group Policies for this purpose in the blog post Windows 10: Fix for skipped Defender scans.

Note: On my test machine, the notification is gone. I received also from 4 readers the same observation, but a 5th reader wrote, that he still see the notification.

Where can I find the update and version info?

Finally, here are two hints that might be of interest to some blog readers. I had spent the night looking for new updates under Windows Update, but only saw the update described in the article Windows 10 190x: Update KB4541335. To check if an update for Defender has arrived, go from the Settings page to Windows Security and select Virus & Threat Protection.

If you then scroll down the page, the latest update status should be displayed under Updates for Virus & Threat Protection. The screenshots here are obtained from my German Windows. And how to check the version of the antimalware engine?

Click to the Setting icon in the lower left pane of the Windows Security window. On the Settings page, scroll down and click on the About hyperlink. The page will then display all the information you need.

Similar articles:
Windows 10: Defender skips elements during scan
Windows 10: Fix for skipped Defender scans

On March 25, 2020, Microsoft released the Windows 10 Insider Preview Build 19592 (20H2 development branch) for Insiders in the Fast Ring. In the Windows Blog, Microsoft lists the new features, bug fixes and known issues of this build. Gives some improvements in tablet mode.

[German]Update KB4541329 released for Windows 10 version 1607 and Windows Server 2016 may cause printing issues on some systems (Terminal Server, Remote Desktop). Winspool.drv crashes and pulls the applications into the digital abyss.

Update KB4541329 for Windows 10 Version 1607

Update KB4541329 was released on March 17, 2020 for Windows 10 version 1607 and Windows Server 2016. This update improves application and device compatibility with Windows updates. It also fixes several bugs. Microsoft is also currently reporting only one known issue with this update. I reported about this update in the blog post Windows 10 and Windows 8.1 Updates .

Update KB4541329 causes printing issues/crashes

We have known since 2019 that Windows updates cause printing problems, and I briefly discussed the problem in the blog post Windows Windows 10: Issues with Updates KB4522015, KB4522016 / KB4517211 (Sept. 2019). Also in January 2020, some users seem to have had printing problems (see Are Windows 10 update related printing issues are back?). Now German blog reader Erich W. contacted me by e-mail and reported the following observation:

I haven’t been able to find anything in your blog about the Microsoft Update KB4541329.

I installed it last week shortly after its release on several 2016 servers. On two WTS servers I noticed that everything that has to do with printing – even calling the printer control – leads to closing the application.

Printing from all applications will close the application as soon as you want to print, Adobe, Browser, Word Excel etc.

I had thought that the profile of this user is broken, because it only occurred with one user. After a second user reported the same error on another Windows Terminal Server (WTS), I uninstalled the update and lo and behold, everything works fine again.

What I don’t understand why only 1 user. But anyway, maybe this info can help other users in your blog to solve the problem first.

Blog reader Erich W. is not alone with his problem. I had noticed it sporadically, but I had not yet noticed a big wave of problems. A British blogger living in Canada reports problems with KB4541329 – WINSPOOL.DRV and the Remote Desktop here. You can find this post on reddit.com: 

KB4541329 causing Excel to crash

A few users on a remote desktop server (2016) called this morning to complain that Excel (2016) would open and then crash shortly after. Logged on to server as admin does not show this behavior.

Stuff tried:
– Reboot server
– Repaired Office

What fixed it: Looks like a Microsoft update kb4541329 needs to be uninstalled because it causes Excel 2016 to crash on Windows 2016 server.

And just by the way, the uninstall takes about 10 mins in the 100% complete window.

There are other users in this thread who acknowledge these crashes. In the Microsoft Answers forum, a user also reports crashes of Excel when update KB4541329 is installed. In the Technet there is this Russian language post that deals with similar problems. The user writes: 

After installing update KB4541329, access to devices and printers no longer worked. When you try to connect from one server to another server, if the option to connect printers is enabled in the properties, the session crashes.

The affected person posted the errors that occurred in the log in the forum thread. Anyone else affected by this bug?

Similar articles:
Microsoft Office Patchday (March 2, 2020)
Microsoft Security Update Summary (March 10 2020)
Patchday: Updates für Windows 7/8.1/Server (March 10 2020)
Patchday Windows 10-Updates (March 10, 2020)
Patchday Microsoft Office Updates (March 10, 2020)
Windows 10 and Windows 8.1 Updates
Windows: Patchday Issues March 2020?

[German]Microsoft released update KB4552455 for Windows 10 version 2004 on March 26, 2020. This update is available for Windows insiders testing in the slow ring.

Microsoft has posted some details about this cumulative update for the not yet globally released Windows 10 version 2004 in this blog post. Update KB4552455 for Windows 10 20H1 raises the build to 19041.172. This cumulative update includes quality improvements. The most important change: An issue has been fixed that prevents the Windows logo key + J keyboard shortcut from focusing on certain Windows tips.

This update has a known issue: Narrator and NVDA users who are using the latest version of Microsoft Chromium Edge may experience some difficulty navigating and reading certain Web content. Narrator, NVDA, and the Edge teams are aware of these issues. Users of older versions of Microsoft Edge are not affected. NVAccess has released NVDA 2019.3 that solves the known Edge issue.

[German]There is a bug in all still supported versions of Windows 10 and Windows Server 2016/2019 – caused by recent updates. This can prevent applications from connecting to the Internet. A bugfix is not expected before April 2020.

In the Windows 10 release information you can find the information on March 26, 2020 that there is an issue with Internet connections via a proxy. 

Devices using a proxy might show limited or no internet connection status

Devices using a manual or auto-configured proxy, especially with a virtual private network (VPN), might show limited or no internet connection status in the Network Connectivity Status Indicator (NCSI) in the notification area. 

This might happen when connected or disconnected to a VPN or after changing state between the two. Devices with this issue, might also have issues reaching the internet using applications that use WinHTTP or WinInet.

Examples of apps that might be affected on devices in this state are as follows but not limited to Microsoft Teams, Microsoft Office, Office365, Outlook, Internet Explorer 11, and some version of Microsoft Edge.

If an application uses a proxy connection, there may be problems with the Internet connection. This especially affects Virtual Private Network (VPN) software and its connections. The network icon in the notification area of the taskbar may show limited or no Internet connection status in the Network Connectivity Status Indicator (NCSI).

(Source: Technet)

This can happen when a connection to a VPN is made or disconnected, or after the status between the two has changed. On affected devices, applications may also have difficulty reaching the Internet via WinHTTP or WinInet.

Examples of applications that could be affected on equipment in this state include Microsoft Teams, Microsoft Office, Office365, Outlook, Internet Explorer 11 and some versions of Microsoft Edge. The list of applications that cause problems is not limited to the above list of applications.

You may be able to temporarily resolve the problem by restarting the device. The following versions of Windows are affected.

• Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709
• Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709

As the cause of this bug, Microsoft states the cumulative update KB4535996 for Windows 10 version 190x and its server counterparts from February 27, 2020. KB4535996 is causing other issues (see links at the end of this article).

For older Windows 10 versions, other updates must be responsible. In the Japanese Technet, this article lists a number of updates for various versions of Windows 10 (see also the comment below). Microsoft is working on a solution and aims to publish a special update (out-of-band update) in the Microsoft catalogue by the beginning of April. (via)

Similar articles
Windows 10 Version 190x: Update KB4535996 (Feb. 27, 2020)
Windows 10 V190x: Issues with Update KB4535996

[German]On March 24, 2020, Microsoft released update KB4052623 for the Windows Defender anti-malware platform for Windows 10. Since that time, I have received reports of problems; the offline scan is said to be broken and there are unexpected errors. None of these bugs I can confirm.

Does Update KB4052623 fixes the Scan Skip Bug?

Since the second week of March, some Windows 10 users experience a strange effect when scanning their systems using Windows Defender. Although the scan runs through, at the end of the process the virus scanner reports skipped items during the scan. The following message is then displayed.

Windows Defender skipped an item due to exclusions or network protection settings.

I had covered the case in more detail in the blog post Windows 10: Defender skips elements during scan. Since the affected users did not define exclusions for scanning, much indicated a problem with the network scan. I then proved in the blog post Windows 10: Fix for skipped Defender scans that the skipped files are elements of the network scan. This was also useful, since scans of network shares create an unnecessary load.

After release of update KB4052623 I received feedback, that the toast notification about skipped items during scan is gone. I published the blog post Update KB4052623: Microsoft fixes Defender Scan Skip Bug. But I received some feedback from users, still facing the above message. Therefor I added a poll to my article Microsoft Defender: “Scan-Skip-Bug” mit Update KB4052623 anscheinend beseitigt at German news magazine heise. Hier is the result: 45% say, the notification is gone, but 24% says, they still receive this notification.

Does the update breaks Defender offline scan?

Windows Defender offers the option in the Windows Security window to perform an offline scan. Then the system boots into Windows PE and Defender performs the scan. This should enable the removal of certain malware.

German blog reader Hans Thölen run into a problem. Shortly after my posts about update KB4052623 Hans sent me an email with the following info:

Today I noticed that the “Windows Defender Offline” check no longer works. There is something wrong with the update KB4052623.

He also commented within my German blog.  I just started an offline scan of Defender on my Windows 10 test machine and it took me three attempts because the initiation dialogs disappeared. Alsothough the initial phase with the GUI progress bar felt very long, the offline scan worked. I got in Windows PE a command prompt window saying ‘Your PC is being scanned’. Windows Defender scanned thousands of items. The system has just booted back into Windows 10 V1909. So I can’t prove Hans’ error at the moment. Any of you who have problems with the offline scan?

Unexpected Defender failure

I have received this comment from blog reader EP (thanks) which refers to a post at askwoody.com. These reddit users have just received the message “Unexpected error. Sorry, we ran into a problem. Please try again” – but this does not refer to the update. Uninstalling the update solved the problem. I didn’t see this message. Anybody else is affected?

[German]In this blog post I like to take up a tiresome topic. It is about the performance and stability problems caused by virus scanners on Windows 10 clients as well as on server environments. What is the cause and what can I do?

The background to all of this: I have now been contacted twice by blog readers in March 2020 about the issues of Windows Defender as a performance brake on Windows Server 2016/2019. The blog readers have disabled Windows Defender on Windows Server 2016/2019 in order to work with reasonable performance. The whole issue has been addressed in the two articles linked at the end of this article.

Microsoft knows about the issues

When I researched the internet for alternative antivirus solutions for Windows Server (see my article Solution for slow start of Windows Server 2016?), I came across the Microsoft article Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows. The article was last updated in early March 2020.

The problem is that Windows Defender probably does not define exclude lists of files to be excluded from a scan. Then, for example, during update installation, the effect is that files in use would have to be scanned, but Defender cannot. This results in stability and performance problems. Windows Server 2016 may take an incredibly long time to restart during the installation of updates.

Instead of disabling Defender, Microsoft recommends in the linked support article what to do if you have stability and performance problems in Windows. The advice in this article applies to:

• Windows Server 2012, all editions
• Windows Server 2012 R2, all editions
• Windows Server 2016, all editions
• Windows Server 2019, all editions
• Windows 7, all editions
• Windows 8.1, all editions
• Windows 10, alle Editionen

and should apply to all virus scanners, not just Windows Defender. However, some third-party virus scanner vendors seem to do their homework and maintain exclusion lists of files to avoid such problems. Microsoft is well aware that there can be a performance problem with scanning files, especially updates. The company writes about this:

This article contains recommendations that may help an administrator determine the cause of potential instability on a computer that is running a supported version of Microsoft Windows when it is used together with antivirus software in an Active Directory domain environment or in a managed business environment.
Note We recommend that you temporarily apply these settings to evaluate system behavior. If your system performance or stability is improved by the recommendations that are made in this article, contact your antivirus software vendor for instructions or for an updated version or settings of the antivirus software.
Important This article contains information that shows how to help lower security settings or how to temporarily turn off security features on a computer. You can make these changes to understand the nature of a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect the computer.

It is therefore quite interesting what Microsoft is recommending within the article for administrators to test.

• When scanning certain files, problems with operating system performance and reliability may be experienced because of file locks.
• For this reason, Microsoft recommends that you exclude certain files from scanning for viruses, especially those related to updates.

For example, it is recommended that you scan the Windows Update database file or automatic updates (Datastore.edb) in the folder:

%windir%\SoftwareDistribution\Datastore

to be excluded from a scan. Disable scanning of the log files in the following folder: 

%windir%\SoftwareDistribution\Datastore\Logs

Also disable scanning of Windows security files in the folder:

%windir%\Security\Database

There are other files (group policy files, profile files) that may need to be omitted from the virus scan. The support article Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows  lists more folders and files that should be excluded from the virus scan. There are also concrete recommendations on how to do this (for example, do not make a global exclusion based on a file name extension). In addition, Microsoft recommends a test to see whether individual measures bring about an improvement or not. 

But there is more

During preparing this blog post I had a short mail exchange with German blog reader Alexander F., who provided me with hints for the article Windows Server 2019: Defender Performance Issues. Alexander wrote that ‘almost every enterprise antivirus software vendor integrates a so-called “Default Exclusion List” into their products’. The list specifies that certain directories and/or files of the operating system are excluded from a virus scan. These include the files specified in the above Microsoft support article.

For Windows Server 2016/2019, Microsoft has published this document, which addresses the exclusion criteria for real-time protection when using Microsoft Defender ATP.

Blog reader Karl has posted the following tweet in response to my article about the slow startup of Windows Server 2016 during update installation It indicates further exclusions that should be specified.

We all know how often 3rd party security solution trouble things.
Rather put these exclusions
Dism.exe
Tiworker.exe
Windows\Winsxs
Windows\SoftwareDistribution

I just upgraded my lab with 2020-03
2019 and core servers are your best friends.

— al Qamar (Karl Wester-Ebbinghaus) (@tweet_alqamar) March 28, 2020

Alexander F. also pointed out to me in his mail that depending on the product used, additional files belong on the “Default Exclusion List”. Here are some places where you can check if necessary.

• Exchange: Windows antivirus software on Exchange servers
• SQL: Antivirussoftware for SQL-Server

Perhaps these sources will help reduce or eliminate the stability and performance problems associated with Defender, so that Defender deactivation is not necessary.

Alexander F. also writes that there is another problem when using alternative antivirus software. Normally Defender should be disabled completely as soon as a third-party AV solution is installed. Alexander F. (who uses Sophos AV products for customers) has observed that this does not happen completely. This incomplete deactivation is the reason why Alexander F.r on Windows Server uninstalls Defender (as shown in the following articles).

Similar articles:
Windows Server 2019: Defender Performance Issues 
Solution for slow start of Windows Server 2016?
Windows Antivirus: Performance- & Stability issues

[German]A very short note for people who are still using an old and fresh installed Windows 10 version 1507 (RTM). It can now receive and install successfully both updates and feature upgrades.

Previously, the Windows 10 builds 1507 (RTM) and 1511 probably got stuck with a Windows update error when upgrading when they were fresh. Blog reader Karl knows about this in the following tweet.

Previously 1507 (SAC) and 1511 were stuck when on vanilla (RTM).
Now also 1507 will be able to get out of this state@Deskmodder @AskWoody @SBSDiva

— al Qamar (Karl Wester-Ebbinghaus) (@tweet_alqamar) March 28, 2020

Judging by the tweet above, all Windows 10 versions (even without dynamic updates) are now available. 

[German]Microsoft has released out-of-band updates for various versions of Windows 10 as of March 30, 2020 to fix the VPN bug caused by earlier updates from February 2020.

The Windows 10 VPN bug

There is a bug in all still supported versions of Windows 10 and Windows Server 2016/2019 – caused by an update from February 2020 – that can prevent applications from connecting to the Internet. The network icon in the notification area of the taskbar may show limited or no Internet connection status in the Network Connectivity Status Indicator (NCSI).

(Source: Technet)

This can happen when a connection to a VPN is made or disconnected, or after the status between the two has changed. On affected devices, applications may also have difficulty reaching the Internet via WinHTTP or WinInet. I had reported the bug in the blog post Windows 10: Bug prevents (VPN) Internet access. Microsoft had promised an update to fix the bug for April 2020.

Update fixes this VPN bug

Now it has probably gone faster than planned. Microsoft released several updates for Windows 10 on March 30, 2020, which should fix the VPN bug. For Windows 10 version 1909 this is update KB4554364. In the description of the update it says:

Updates an issue that might display the wrong internet connection status for certain VPN users or might prevent some applications from connecting to the internet.

The update is only provided via the Microsoft Update Catalog for download and manual installation. Here is the list of available updates:

• Windows 10, version 1909/1903 (KB4554364)
• Windows 10, version 1809 (KB4554354)
• Windows 10, version 1803 (KB4554349)
• Windows 10, version 1709 (KB4554342)

These updates are optional and should really only be installed by users who suffer from the bug in question.

[German]Sometime soon, Windows 10 will get a so-called news bar. Then important messages will be displayed above the taskbar during operation.

The whole service is free of charge, but is rumored to be extended only to Enterprise editions that pay for the news ticker. Rafael Rivera has tracked down a leading prototype of this news bar (beta) and presented the whole thing in the following tweet.

Here’s what Microsoft’s News Bar (beta) looks like. Yes, it’s a periodically scrolling appbar sitting on top of the Windows Taskbar. pic.twitter.com/IwHNACI2l5

— Rafael Rivera (@WithinRafael) March 30, 2020

Ha ha, I just kidding! It was a joke a la Microsoft on April foolsday – of course the News Bar is not only coming for Windows 10 Enterprise – this is a feature all SKUs desperately need. At least that’s what someone from marketing whispered in the hallway. Ok, these guys brought that April’s foolsday joke a bit too early – sorry for that. 

[German]Microsoft has released version 0.16.0 of PowerToys for Windows 10 users a few hours ago. The new version brings the ImageResizer and the Window Walker.

PowerToys were free programs under Windows 95/98, with which certain Windows features could be optimized or adapted. Inspired by the PowerToys project under Windows 95, some developers dared to restart. The intended was to give power users the ability to get more efficiency out of the Windows 10 shell and customize it for individual workflows. The announcement tool place at the beginning of May 2019 (Windows 10: PowerToys will come as Open Source). More information can be found in the articles linked at the end of this blog.

(PowerToys Settings)

The PowerToys known from Windows 9x are also available in the version for Windows 10 Open Source and free of charge.

Update to PowerToys 0.16.0

Clint Rutkas has announced the release of PowerToys 0.16.0 on 31 March 2020 in the following tweet .

0.16 for #PowerToys is released! 4 new utilities and working on stability fixes. https://t.co/Seny8v20SY

— Clint Rutkas (@ClintRutkas) March 31, 2020

With this new version come four new tools:

• Markdown Preview pane extension
• SVG Preview pane extension
• Image Resizer Window Shell-Extension
• Window Walker, eine Alt-Tab Alternative

There are also various improvements to the FacyZone module:

• Multi-monitor improvement: Zone switching now works between monitors!
• Simplified UX: Layout hot-swap and flashing due to missing multi-monitor function removed

Clint Rutkas also states that there have been over 100 bug fixes for bugs. Details and the download can be found on this GitHub page.

[German]Microsoft released the Windows Admin Center as Preview 1910.2 on March 31, 2020. The preview is available for Windows Insider. Here is some information on this topic, which might be of interest for administrators in corporate environments

Windows Admin Center

The Windows Admin Center is an administration program for Microsoft Windows and Windows Server operating systems. It is designed to simplify and centralize the administration of clients and servers. The Center, which is a web-based graphical user interface, is opened via the Microsoft Edge or Google Chrome Internet browsers. It enables the user to access the server remotely. Microsoft has published this document about the Windows Admin Center veröffentlicht and says:

Windows Admin Center is a locally deployed, browser-based app for managing Windows servers, clusters, hyper-converged infrastructure, as well as Windows 10 PCs. It comes at no additional cost beyond Windows and is ready to use in production.

Help for installation can be found on this Microsoft page. Tips for getting started with the Windows Admin Center can be found on this Microsoft page.

Windows Admin Center Preview 1910.2

In this blog post Brandon LeBlanc has announced Preview 1910.2 for March 31, 2020. This version contains platform accessibility updates and numerous bug fixes. In addition, based on user feedback, some frequently requested features have been implemented.

Files-Tool supports cut, copy und paste

The file tool now supports clipboard operations. When users select a folder or file in the File Tool, they have the option to cut or copy the file or folder.

After the file or folder is cut or copied, the paste option becomes available and a user can paste the file or folder to another path.

Service restart

When managing computers with the Services tool, there is now the possibility to restart a service. It is no longer necessary to start and stop a service to restart it.

Other new features

Microsoft has introduced additional new functions in the preview. These include the functions listed below:

• Cluster quick update: On the cluster dashboard, updates for connected nodes appear under the Alerts section.
• File upload:  If the upload of a large file fails, you can now retry the file upload.
• Virtual machine filters: When viewing a list of VMs with multiple filters applied, the VMs do not disappear after some time.
• Azure Update Management login: Users no longer get a login error when trying to set up Azure Update Management after setting up Azure monitoring
• Active Directory account creation: Microsoft has fixed a bug in Active Directory Domain Services that allowed accounts to be created with passwords that did not meet the complexity requirements.

In addition to the new features and fixes mentioned above, Microsoft is working on improving the user experience (e.g. keyboard navigation improvements). In addition, reported errors related to CredSSP authentication have also been corrected. More details can be found in the blog post.

[German]The settings in Windows 10 are permanent under construction – or in other words ‘simply broken’. Things that are changed in the control panel are simply not considered in the settings page. For example, Windows 10 doesn’t properly apply the defaults for installed Windows features between Control Panel and Settings.

It’s another small example that I just saw on Twitter. Currently it’s about enabling or disabling Windows features, which have been present in Windows for ages, but now appear twice in the GUI.

• We have a dialog box Windows Features available via control panel
• And we have Optional Features available within the Settings page

Blog reader Karl currently experiments a lot with Windows 10, both Insider Previews and Windows 10 V190x. He noticed that the settings for the features do not match between Control Panel and Settings.

@sudhagart @windowsinsider
This is another thing about servicing that should be worth a look. Easy to reproduce.
Removed features will errorneous remain in Apps > Optional Featureshttps://t.co/U3qoj2GngY
Affects 1903 or later, all insider builds.
might affect earlier releases pic.twitter.com/2M1aFgspoH

— al Qamar (Karl Wester-Ebbinghaus) (@tweet_alqamar) March 29, 2020

The screenshot from the above tweet shows what went wrong. On the right, there is the Windows Features window of the Control Panel. There, Internet Explorer 11 and Windows Media Player are disabled, i.e. removed as features. In the left part of the screenshot, however, both options appear as optional features. It’s again a proof how broken Windows 10 is.

[German]A brief question: Does somebody expects issues with Microsoft Teams after installing the out-of-band updates to fix the Windows 10 VPN internet connectivity bug (like update KB4554364)? One user reported, that the receive error 4c7 during Teams re-login.

Windows 10 Update KB4554364

First a short review. In all supported versions of Windows 10 and Windows Server 2016/2019 there is a bug – caused by an update from February 2020. This bug can prevent applications from connecting to the Internet.

The network icon in the notification area of the taskbar may show limited or no Internet connection status in the Network Connectivity Status Indicator (NCSI).

(Source: Technet)

This can happen when a connection to a VPN is made or disconnected, or after the status between the two has changed. On affected devices, applications may also have difficulty reaching the Internet via WinHTTP or WinInet (see also my blog post Windows 10: Bug prevents (VPN) Internet access).

On March 30, 2020, Microsoft released unscheduled updates to fix this VPN bug. The update is only available for download from the Microsoft Update Catalog and must be installed manually. Here is the list of updates available for the various Windows versions:

• Windows 10, Version 1909/1903 (KB4554364)
• Windows 10, Version 1809 (KB4554354)
• Windows 10, Version 1803 (KB4554349)
• Windows 10, Version 1709 (KB4554342)

I had reported about this in the blog post Windows 10: Updates fixes VPN bug. There I also wrote, that these updates are optional and should really only be installed by users who suffer from the bug in question.

Issues after installing Update KB4554364

German blog reader Ex0r has posted this comment in my German blog, referring to his German post at administrator.de. In his environment he has issues with several machines in connection with Microsoft teams after installing the update KB4554364 for Windows 10 version 1903/1909. He wrote:

some of my clients are affected by this story: KB4554364 für Windows 10

I rolled out the KB on the affected client. After that the team login went through immediately. A short time later, however, Teams dropped out again.

His clients have issues with Microsoft Teams, but I’m not sure what he means by ‘dropped out again’. Addendum: Blog reader Ex0r has responded to my request and writes

a team login is not possible after closing teams. Currently I get the error code “4c7” on two systems in the home office and in the VPN.

The blog reader asks, if anyone else has issues with VPN software in connection with MS Teams and the updates. In the user’s environment the Sophos (Open) VPN Client is used. The person says that they ‘feel’ that the update is buggy. Anyone else affected?

A possible workaround: Enable Forms Authentication

Blog reader Ex0r referred in his 2nd response to the blog post Seeing error code 4c7 in Microsoft Teams? Fix it now.The article suggests to enable Forms Authentication via the ADFS Microsoft Management Console (MMC), see also this MS support article. Blog reader Ex0r wrote:

I am working through this to rule out that it is because of this: https://windowsreport.com/error-4c7-microsoft-teams/ (we also rely on ADFS).

But considering that 99% of my other home office clients don’t have this problem, it’s very strange.

In a follow-up mail, the reader adds: The “workaround” mentioned in the above seems to work. Currently the team login works again.

Similar articles:
Windows 10: Bug prevents (VPN) Internet access
Windows 10: Updates fixes VPN bug

[German]Since April 1, 2020, there have been complaints from Windows 10 users in Italian Microsoft forums reporting WiFi problems in connection with an update. The socket error 0×2200021 is triggered. Here is some information about this. Update: It turns out, it has been an April prank – not that funny at all! We had enough to do to fight against real Windows errors and other mess – no need to have additional noise from such guys in MS Anwers forum – that’s going more and more downhill.

“Socket Error 0×2200021” and WiFi broken

Blog reader EP pointed me in a comment to this Softpedia article, that is based on this article from the Italian website HTNovo. HTNovo reports, that after installing the update KB4554364 under Windows 10 version 1903 or 1909 no WiFi connection can be established anymore. Affected users get the error message:

“Socket error 0×2200021. c:/windows/sywow64/appidpolicyengineApi.dll, instruction cannot be read.”

This information is then prayed up and down the web. But is this reliable?

Let’s take a closer look…

I then took the trouble to do some more research – and came to the conclusion that the facts outlined above are anything but conclusive. Yes, there seems to ben an error – which is unanimously reported as of April 1, 2020 (first thought about an April fools prank, but there has been too many posts). But already in this forum post there are doubts about the beautiful theory from above:

c:/windows/SyWOW64/AppIdPolicyEngineApi.dll Errors?

I’m Alvise, italian MVP. In italian community there is so much answers regard this error:

errore socket 0x2200021 c:/windows/SyWOW64/AppIdPolicyEngineApi.dll

this problem occur in build for Insider Program and normal build (from 1903 ) and make impossible to use wifi (can’t connect to any wifi)
There is some info about this? have any of you encountered the same problem?

There a MVP colleague already reports about the Windows Insider program, but also about Windows 10 version 1903. A search in the Italian-speaking Microsoft Answers forum produces several hits with the date April 1, 2020.

• Case 1: In this post (deleted) the user states that he use Windows 10 version 1909 with build 18363.720. This build shows me that the machine has the update KB4551762 dated March 12, 2020 installed.
• Case 2: In this post (deleted) the user states that he has Windows 10 version 1909 with the same build 18363.720 – ergo the old update is also installed there. This post (deleted) contains no further details.
• Case 3: In this post (deleted), the user states that he has Windows 10 version 2004 (an insider preview) with build 19040.172.

Notice the date April 1, 2020 in the posts (but this seems to mee not as an April fools prank) – and strangely enough only on Italian Windows 10 versions.

Don’t blame the ‘latest update

Investigating the Microsoft Answers forum posts from different users, I got the following picture:

• It concerns Windows 10 version 1909 in build 18363.720, i.e. update status KB4551762 from March 12, 2020, and thus definitely before the rollout of update KB4554364 from March 30, 2020.
• Or it concerns the current Windows Insider Preview of Windows 10 version 2004.

I do not know why this error occurs on March 31, /April 1, 2020 for Italian users. This user claims in the forum post that the problem occurred ‘after the last update’. But the indication Windows 10 Version 1909 Build 18363.720 shows that it must have been the update from March 12, 2020. I would not attribute the problem to update KB4554364 according to the information gathered above.

BTW: The VPN bug fix updates released on March 30, 2020, has been available only on Microsoft Update Catalog for manual downloading and installing!

Another strange observation: Typo in path!

What I also like to mention is, that the path to the dll is simply wrong – it contains a typo. Have a look at:

c:/windows/SyWOW64/

The right path is %windir$/SysWOW64/, so either something within the registry has been changed to the wrong path. Or something has been installed, that put some files into the wrong folder.

Addenum: Well, it turns out, it was an April fools prank from a group of people – and the way, how it has been established isn’t funny – imho. The abused as a group of different users the Microsoft Answers forum, where volunteers spend their spare time to help users – and then avoid, to delete or updated their posts. I read that confession about the April fools prank in one of six posts), after I created this article. It’s another reason for me, to avoid spending my time further in Microsoft Answers forum anymore – too much is going downhill during the last years.

Addendum 2: As a Microsoft Answers community moderator I expressed my disappointment and escalated one post to Microsoft’s staff. The posts were (finally) deleted by the Microsoft moderators after my intervention. I hope that the jokers were additionally blocked as users in the forum.

Other curiosities

If I search for AppIdPolicyEngineApi.dll on the web, I end up at the following tweet referring to more issues.

KB4554364 – Supposed Out of Band fix for Windows 10 bug that has been causing internet connectivity issues for users and preventing some Office 365 setups from reaching the cloud. https://t.co/Rt29WHX7JT

— David Johnson (@ve3ofa) March 31, 2020

In the above tweet, someone refers to reddit.com, where a user complains that the Internet connection bug that prevents Office Setup from connecting to the Internet was not fixed by KB4554364. He has Outlook hanging with ‘loading profile’ and cannot reach the cloud. The error is confirmed by other users.