June 2020 – Patching Issues – Print Spooler Errors

Update 18-Jun-20:
Microsoft have an Out of Cycle hotfix for the below Print Spooler issues. See link below for more details.

NP – this update is not available through WSUS Catalog. Need to download manually.

https://support.microsoft.com/en-us/help/4567512/windows-10-update-kb4567512

———————————

The June 2020 patches came out last week, and with that a fresh issue.

Below is the excerpt from the Microsoft known issues page:

Print spooler might error or close unexpectedly when attempting to print

After installing KB4560960, certain printers may be unable to print. Print Spooler may error or close unexpectedly when attempting to print and no output will come from affected printer. You might also encounter issues with the apps you are attempting to print from. You might receive an error from the app or the app may close unexpectedly. Note This issue might also affect software-based printers, for example printing to PDF.

Affected platforms:

• Client: Windows 10, version 2004; Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
• Server: Windows Server, version 2004; Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2012 R2; Windows Server 2012

The current fix is to uninstall KB4560960. Microsoft are currently working on a solution.

Reference – https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-2004#436msgdesc

Missing Patches – SCCM

Was patching over the weekend especially with the Remote Desktop Gateway bug deemed critical.

Noticed that none of the Windows Server 2012 R2 and Windows Server 2016 updates were  not appearing in SCCM.

Thought it was my WSUS server (in my internet facing environment) not downloading Windows Server updates. Confirmed by checking my WSUS.

Then remembered that SCCM also manages Updates as well.

See below process:

Go to Administration > Site Configuration > Sites.

Click on the Primary Site and then click Settings from the top pane.

Select Configure Site Components then Software update Point.

Click the Products tab.

Tick Windows Server 2012 R2 and Windows Server 2016.

Click Ok.

Go to Software Library > Software Updates.

Right click on All Software Updates and select Synchronize Software Updates.

The newly ticked classifications will sync and you will see the ‘new’ updates under All Software Updates.
Ready to deploy.

This caught me out this weekend. Luckily I remembered and fixed it quickly without too much effort.

 

September 2019 Microsoft Patching Issues

Below is a list of known Microsoft Patching issues from September 2019:

 Windows 10 v1703:

Issue	Workaround	Problematic KB#
Certain operations performed on files or folders on a Cluster Shared Volume may fail with error: “STATUS_BAD_IMPERSONATION_LEVEL (0XC00000A5)”.	1.       Perform the operation from a process that has administrator privilege. 2.       Perform the operation from a node that doesnt have the CSV ownership.	KB4516068

 Windows 10 v1709:

Issue	Workaround	Problematic KB#
Certain operations performed on files or folders on a Cluster Shared Volume may fail with error: “STATUS_BAD_IMPERSONATION_LEVEL (0XC00000A5)”.	1.       Perform the operation from a process that has administrator privilege. 2.       Perform the operation from a node that doesnt have the CSV ownership.	KB4516066

 

Windows 10 v1803:

Issue	Workaround	Problematic KB#
Certain operations performed on files or folders on a Cluster Shared Volume may fail with error: “STATUS_BAD_IMPERSONATION_LEVEL (0XC00000A5)”.	1.       Perform the operation from a process that has administrator privilege. 2.       Perform the operation from a node that doesnt have the CSV ownership.	KB4516058
Reports that a small number of devices may black screen upon bootup after installing updates.	Restart the computer – CTRL > ALT > DELETE then Power button in the bottom right hand corner and restart. Microsoft working on a resolution in a future release.	KB4516058

 

Windows 7 & Windows Server 2008 R2:

Issue	Workaround	Problematic KB#
After installing KB4516033, may receive an error when opening or using Toshiba Qosimo AV Center.	Microsoft is working with Dynabook on this issue and expects a resolution late September.	KB4516033 – Security Only Update
After installing KB4516033, may receive an error when opening or using Toshiba Qosimo AV Center.	Microsoft is working with Dynabook on this issue and expects a resolution late September.	KB4516065 – Monthly Rollup
VBScript in Internet Explorer 11 should be disabled after the install of KB4507437 or KB4511872. However in some instance VBScript has not been disabled as intended.	To mitigate this issue, follow these steps: 1.       In Internet Explorer 11 select the Tools icon or press and hold the alt key on your keyboard and press the letter x to see the menu. 2.       Select Internet Options. 3.       Select the Security tab. 4.       Select the Internet icon in the Select a zone to view or change security settings field. 5.       Select the Default Level button. 6.       Select the Ok button to accept settings and close the dialog. 7.       Close Internet Explorer 11. On the next start, VBScript will be disabled.	KB4516065 – Monthly Rollup

 

Windows Server 2012:

Issue	Workaround	Problematic KB#
Certain operations performed on files or folders on a Cluster Shared Volume may fail with error: “STATUS_BAD_IMPERSONATION_LEVEL (0XC00000A5)”.	1.       Perform the operation from a process that has administrator privilege. 2.       Perform the operation from a node that doesnt have the CSV ownership.	KB4516055

 

Windows Server 2012 R2:

Issue	Workaround	Problematic KB#
Certain operations performed on files or folders on a Cluster Shared Volume may fail with error: “STATUS_BAD_IMPERSONATION_LEVEL (0XC00000A5)”.	3.       Perform the operation from a process that has administrator privilege. 4.       Perform the operation from a node that doesnt have the CSV ownership.	KB4516064

 

 

Windows Server 2016:

Issue	Workaround	Problematic KB#
Certain operations performed on files or folders on a Cluster Shared Volume may fail with error: “STATUS_BAD_IMPERSONATION_LEVEL (0XC00000A5)”.	5.       Perform the operation from a process that has administrator privilege. 6.       Perform the operation from a node that doesnt have the CSV ownership.	KB4516044
After installing KB4467684, the cluster service might fail to start with the error “2245 (NERR_PasswordTooShort)” if the GPO “Minimum Password Length” is configured with greater than 14 characters.	Set the domain default GPO “Minimum Password Length” to less than or equal to 14 characters. Microsoft working on a resolution for a future release.	KB4516044

 

 

Windows Server 2019:

Issue	Workaround	Problematic KB#
Certain operations performed on files or folders on a Cluster Shared Volume may fail with error: “STATUS_BAD_IMPERSONATION_LEVEL (0XC00000A5)”.	1.       Perform the operation from a process that has administrator privilege. 2.       Perform the operation from a node that doesnt have the CSV ownership.	KB4516044
Reports that a small number of devices may black screen upon bootup after installing updates.	1.       Restart the computer – CTRL > ALT > DELETE then Power button in the bottom right hand corner and restart. Microsoft working on a resolution in a future release.	KB4516044
Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.” This issue occurs in this update and in all the updates before June 18, 2019.	Microsoft are working on a resolution for a future update.	KB4516044

  

 Microsoft References:

 KB4516033 – Security Only Update

KB4516065 – Monthly Rollup

KB4516066

KB4516068

KB4516044

KB4516064

 

April 2019 Microsoft Patching Issues

There are several Windows Patches released for April 2019 that are causing problems:

Applies to Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.

• Issues with computers running Sophos Endpoint Protection managed by Sophos Central or Sophos Enterprise Console that cause machines to become unresponsive.
• Issues with Avast and Avira machines that cause machines to become unresponsive.

Solution if running Sophos:

If you are running Sophos, follow the below instructions:
– Add the following Windows exclusions to all Antivirus and HIPS policies in your Enterprise Console.

%programfiles%\Sophos\Sophos Anti-Virus

%programfiles(x86)%\Sophos\Sophos Anti-Virus

NP – only perform the above if the machine hasn’t rebooted.

If the machine has rebooted, uninstall all the April patches and apply the above solution.

Solution if running Avast:
Avast has released a micro-update to fix this issue.
Once the update has been maked ‘completed’, reboot your machine and leave for 15mins or so for the emergency updater to work. Then reboot the machine again.

Microsoft has temporarily blocked devices from receiving certain updates if Avira, Sophos or Avast are installed.

Sources:

https://community.sophos.com/kb/en-us/133945

https://kb.support.business.avast.com/GetPublicArticle?title=Windows-machines-running-Avast-for-Business-and-Cloud-Care-Freezing-on-Start-up

March 2019 Patching Issues – WDS

Update:
Microsoft has updated KB4489883 with a known issue surrounding the WDS issue.

Below extract is from:
https://support.microsoft.com/en-au/help/4489883/windows-8-1-update-kb4489883

After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension.

To mitigate the issue, disable the Variable Window Extension on WDS server using one of the following options: Option 1: Open an Administrator Command prompt and type the following: Wdsutil /Set-TransportServer /EnableTftpVariableWindowExtension:No Option 2: Use the Windows Deployment Services UI. Open Windows Deployment Services from Windows Administrative Tools. Expand Servers and right-click a WDS server. Open its properties and clear the Enable Variable Window Extension box on the TFTP tab. Option 3: Set the following registry value to 0: “HKLM\System\CurrentControlSet\Services\WDSServer\Providers\WDSTFTP\EnableVariableWindowExtension”. Restart the WDSServer service after disabling the Variable Window Extension. Microsoft is working on a resolution and will provide an update in an upcoming release.

There are known issues with Windows Deployment Services (WDS) and the March 2019 patches.

The problem patches are KB4489883 and KB4489881.
The issue currently affects Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019.

There are two workarounds:

1. Go to wds -> properties -> tftp settings and untick Enable variable window extension;
2. Uninstall the two problematic patches.