June 2020 – Patching Issues – Print Spooler Errors

Update 18-Jun-20:
Microsoft have an Out of Cycle hotfix for the below Print Spooler issues. See link below for more details.

NP – this update is not available through WSUS Catalog. Need to download manually.

https://support.microsoft.com/en-us/help/4567512/windows-10-update-kb4567512

———————————

The June 2020 patches came out last week, and with that a fresh issue.

Below is the excerpt from the Microsoft known issues page:

Print spooler might error or close unexpectedly when attempting to print

After installing KB4560960, certain printers may be unable to print. Print Spooler may error or close unexpectedly when attempting to print and no output will come from affected printer. You might also encounter issues with the apps you are attempting to print from. You might receive an error from the app or the app may close unexpectedly. Note This issue might also affect software-based printers, for example printing to PDF.

Affected platforms:

  • Client: Windows 10, version 2004; Windows 10, version 1909; Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1
  • Server: Windows Server, version 2004; Windows Server, version 1909; Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2012 R2; Windows Server 2012

The current fix is to uninstall KB4560960. Microsoft are currently working on a solution.

Reference – https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-2004#436msgdesc

Missing Patches – SCCM

Was patching over the weekend especially with the Remote Desktop Gateway bug deemed critical.

Noticed that none of the Windows Server 2012 R2 and Windows Server 2016 updates were appearing in SCCM.

Thought it was my WSUS server (in my internet facing environment) not downloading Windows Server updates. Confirmed by checking my WSUS.

Then remembered that SCCM also manages Updates as well.

See below process:

Go to Administration > Site Configuration > Sites.

Click on the Primary Site and then click Settings from the top pane.

Select Configure Site Components then Software update Point.


Click the Products tab.

Tick Windows Server 2012 R2 and Windows Server 2016.


Click Ok.

Go to Software Library > Software Updates.

Right click on All Software Updates and select Synchronize Software Updates.


The newly ticked classifications will sync and you will see the ‘new’ updates under All Software Updates.
Ready to deploy.

This caught me out this weekend. Luckily I remembered and fixed it quickly without too much effort.

 

September 2019 Microsoft Patching Issues

Below is a list of known Microsoft Patching issues from September 2019:

 Windows 10 v1703:

Issue: Certain operations performed on files or folders on a Cluster Shared Volume may fail with error: “STATUS_BAD_IMPERSONATION_LEVEL (0XC00000A5)”.

Workaround:
1. Perform the operation from a process that has administrator privilege.
2. Perform the operation from a node that doesn't have the CSV ownership.

Problematic KB#: KB4516068

 Windows 10 v1709:

Issue: Certain operations performed on files or folders on a Cluster Shared Volume may fail with error: “STATUS_BAD_IMPERSONATION_LEVEL (0XC00000A5)”.

Workaround:
1. Perform the operation from a process that has administrator privilege.
2. Perform the operation from a node that doesn't have the CSV ownership.

Problematic KB#: KB4516066

 

Windows 10 v1803:

Issue: Certain operations performed on files or folders on a Cluster Shared Volume may fail with error: “STATUS_BAD_IMPERSONATION_LEVEL (0XC00000A5)”.

Workaround:
1. Perform the operation from a process that has administrator privilege.
2. Perform the operation from a node that doesn't have the CSV ownership.

Problematic KB#: KB4516058

Issue: Reports that a small number of devices may black screen upon bootup after installing updates.

Workaround: Restart the computer – CTRL > ALT > DELETE then Power button in the bottom right hand corner and restart. Microsoft working on a resolution in a future release.

Problematic KB#: KB4516058

 

Windows 7 & Windows Server 2008 R2:

Issue: After installing KB4516033, may receive an error when opening or using Toshiba Qosmio AV Center.

Workaround: Microsoft is working with Dynabook on this issue and expects a resolution late September.

Problematic KB#: KB4516033 – Security Only Update

Issue: After installing KB4516033, may receive an error when opening or using Toshiba Qosmio AV Center.

Workaround: Microsoft is working with Dynabook on this issue and expects a resolution late September.

Problematic KB#: KB4516065 – Monthly Rollup

Issue: VBScript in Internet Explorer 11 should be disabled after the install of KB4507437 or KB4511872. However, in some instances VBScript has not been disabled as intended.

Workaround: To mitigate this issue, follow these steps:
1. In Internet Explorer 11 select the Tools icon or press and hold the alt key on your keyboard and press the letter x to see the menu.
2. Select Internet Options.
3. Select the Security tab.
4. Select the Internet icon in the Select a zone to view or change security settings field.
5. Select the Default Level button.
6. Select the Ok button to accept settings and close the dialog.
7. Close Internet Explorer 11. On the next start, VBScript will be disabled.

Problematic KB#: KB4516065 – Monthly Rollup

 

 

Windows Server 2012:

Issue: Certain operations performed on files or folders on a Cluster Shared Volume may fail with error: “STATUS_BAD_IMPERSONATION_LEVEL (0XC00000A5)”.

Workaround:
1. Perform the operation from a process that has administrator privilege.
2. Perform the operation from a node that doesn't have the CSV ownership.

Problematic KB#: KB4516055

 

Windows Server 2012 R2:

Issue: Certain operations performed on files or folders on a Cluster Shared Volume may fail with error: “STATUS_BAD_IMPERSONATION_LEVEL (0XC00000A5)”.

Workaround:
1. Perform the operation from a process that has administrator privilege.
2. Perform the operation from a node that doesn't have the CSV ownership.

Problematic KB#: KB4516064

 

 

Windows Server 2016:

Issue: Certain operations performed on files or folders on a Cluster Shared Volume may fail with error: “STATUS_BAD_IMPERSONATION_LEVEL (0XC00000A5)”.

Workaround:
1. Perform the operation from a process that has administrator privilege.
2. Perform the operation from a node that doesn't have the CSV ownership.

Problematic KB#: KB4516044

Issue: After installing KB4467684, the cluster service might fail to start with the error “2245 (NERR_PasswordTooShort)” if the GPO “Minimum Password Length” is configured with greater than 14 characters.

Workaround: Set the domain default GPO “Minimum Password Length” to less than or equal to 14 characters. Microsoft working on a resolution for a future release.

Problematic KB#: KB4516044

 

 

Windows Server 2019:

Issue: Certain operations performed on files or folders on a Cluster Shared Volume may fail with error: “STATUS_BAD_IMPERSONATION_LEVEL (0XC00000A5)”.

Workaround:
1. Perform the operation from a process that has administrator privilege.
2. Perform the operation from a node that doesn't have the CSV ownership.

Problematic KB#: KB4516044

Issue: Reports that a small number of devices may black screen upon bootup after installing updates.

Workaround: Restart the computer – CTRL > ALT > DELETE then Power button in the bottom right hand corner and restart. Microsoft working on a resolution in a future release.

Problematic KB#: KB4516044

Issue: Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.” This issue occurs in this update and in all the updates before June 18, 2019.

Workaround: Microsoft are working on a resolution for a future update.

Problematic KB#: KB4516044

  

 Microsoft References:

 KB4516033 – Security Only Update

KB4516065 – Monthly Rollup

KB4516066

KB4516068

KB4516044

KB4516064

 

April 2019 Microsoft Patching Issues

There are several Windows Patches released for April 2019 that are causing problems:

Applies to Windows 7, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.

  • Issues with computers running Sophos Endpoint Protection managed by Sophos Central or Sophos Enterprise Console that cause machines to become unresponsive.
  • Issues with Avast and Avira machines that cause machines to become unresponsive.


Solution if running Sophos:

If you are running Sophos, follow the below instructions:
– Add the following Windows exclusions to all Antivirus and HIPS policies in your Enterprise Console.

%programfiles%\Sophos\Sophos Anti-Virus

%programfiles(x86)%\Sophos\Sophos Anti-Virus

NP – only perform the above if the machine hasn’t rebooted.

If the machine has rebooted, uninstall all the April patches and apply the above solution.

Solution if running Avast:
Avast has released a micro-update to fix this issue.
Once the update has been marked ‘completed’, reboot your machine and leave it for 15 minutes or so for the emergency updater to work. Then reboot the machine again.

Microsoft has temporarily blocked devices from receiving certain updates if Avira, Sophos or Avast are installed.

Sources:

https://community.sophos.com/kb/en-us/133945

https://kb.support.business.avast.com/GetPublicArticle?title=Windows-machines-running-Avast-for-Business-and-Cloud-Care-Freezing-on-Start-up

SharePoint Workflow Issue Post September Patches

Last week I encountered an issue where the workflows setup in our SharePoint 2010 environment were failing.

It turns out that the September 2018 patches were to blame, mainly a .NET Framework one. Basically it removes the trusted assemblies from the web.config files, which means that the Web Application doesn't trust the assemblies when they are called.

The patch is rolled out to all versions of .NET Framework and all Operating Systems. A full list of the KBs can be found here

Error:

Server was unable to process request ---> Failed to publish workflow…….
System.CodeDom.CodeBinaryOperatorExpression is not marked as authorized in the application configuration file.


Solution:

There has been no talk about a new patch to fix this issue, but the workaround is to re-add the trusted assemblies back into web.config.

On the SharePoint Web Front Ends, go to the web application that has the Workflow issues and navigate to the web.config file.
If you have multiple Web Front Ends, don't forget to repeat for all.

Within the web.config, find the elements below and add the authorized assemblies beneath them:

<configuration>

<System.Workflow.ComponentModel.WorkflowCompiler>

Add authorized type code here.

SharePoint 2007 and 2010

    <authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />
    <authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePrimitiveExpression" Authorized="True" />
    <authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodInvokeExpression" Authorized="True" />
    <authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodReferenceExpression" Authorized="True" />
    <authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeFieldReferenceExpression" Authorized="True" />
    <authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeThisReferenceExpression" Authorized="True" />
    <authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePropertyReferenceExpression" Authorized="True" />

SharePoint 2013 and 2016

    <authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />
    <authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePrimitiveExpression" Authorized="True" />
    <authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodInvokeExpression" Authorized="True" />
    <authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeMethodReferenceExpression" Authorized="True" />
    <authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeFieldReferenceExpression" Authorized="True" />
    <authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeThisReferenceExpression" Authorized="True" />
    <authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodePropertyReferenceExpression" Authorized="True" />

Nintex Workflow

There is an additional assembly that needs to be added into the web.config for Nintex Workflow to work.

SharePoint 2007 and 2010

    <authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeTypeReferenceExpression" Authorized="True" />

SharePoint 2013 and SharePoint 2016

    <authorizedType Assembly="System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeTypeReferenceExpression" Authorized="True" />

 

Now you should be able to run your workflows without an issue.

For more information, Rodney Viana (MSFT for Microsoft SharePoint) first reported the issue here.
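
One way to confirm the workaround is in place on each Web Front End, as an added example that is not part of the original post or of Microsoft's guidance: a read-only PowerShell audit that lists which of the authorizedType entries above are missing from a web.config. The function name Get-MissingAuthorizedType and the sample file are hypothetical; the check assumes entries may sit at any depth under the WorkflowCompiler section and may use either NameSpace or Namespace as the attribute name.

```powershell
# Added example (audit only; never writes to web.config).
# Type names are the ones listed in the post above.
$RequiredTypes = 'CodeBinaryOperatorExpression', 'CodePrimitiveExpression',
    'CodeMethodInvokeExpression', 'CodeMethodReferenceExpression',
    'CodeFieldReferenceExpression', 'CodeThisReferenceExpression',
    'CodePropertyReferenceExpression'

function Get-MissingAuthorizedType {
    param(
        [Parameter(Mandatory = $true)][string]$WebConfigPath,
        # 2.0.0.0 for SharePoint 2007/2010, 4.0.0.0 for SharePoint 2013/2016
        [Parameter(Mandatory = $true)][ValidateSet('2.0.0.0', '4.0.0.0')]
        [string]$AssemblyVersion,
        [switch]$Nintex   # also require CodeTypeReferenceExpression
    )
    $wanted = @($RequiredTypes)
    if ($Nintex) { $wanted += 'CodeTypeReferenceExpression' }

    $config = New-Object System.Xml.XmlDocument
    $config.Load((Resolve-Path -LiteralPath $WebConfigPath).ProviderPath)

    $xpath = '/configuration/System.Workflow.ComponentModel.WorkflowCompiler//authorizedType'
    $present = @(foreach ($node in $config.SelectNodes($xpath)) {
        # Assumption: accept both attribute casings, 'NameSpace' and 'Namespace'.
        $ns = $node.GetAttribute('NameSpace')
        if (-not $ns) { $ns = $node.GetAttribute('Namespace') }
        if ($ns -eq 'System.CodeDom' -and
            $node.GetAttribute('Authorized') -eq 'True' -and
            $node.GetAttribute('Assembly') -like "System, Version=$AssemblyVersion,*") {
            $node.GetAttribute('TypeName')
        }
    })
    # Emit every required type that has no matching, authorized entry.
    $wanted | Where-Object { $present -notcontains $_ }
}

# Constructed sample: a web.config in which only one entry survived patching.
$sample = Join-Path $env:TEMP 'web.config.sample'
@'
<configuration>
  <System.Workflow.ComponentModel.WorkflowCompiler>
    <authorizedType Assembly="System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" NameSpace="System.CodeDom" TypeName="CodeBinaryOperatorExpression" Authorized="True" />
  </System.Workflow.ComponentModel.WorkflowCompiler>
</configuration>
'@ | Set-Content -LiteralPath $sample

Get-MissingAuthorizedType -WebConfigPath $sample -AssemblyVersion '2.0.0.0' -Nintex
```

Run it against the real web.config on every Web Front End after each .NET patch cycle; an empty result means all the listed types are still authorized.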