For Microsoft’s January patches, no all-clear (but)

I’m not prepared to present an all-clear to the safety patches launched Jan. 12, and I need to warn you about one particular replace that affects HyperV servers and a few shopper stage workstations.  

KB4535680, also referred to as Safety replace for Safe Boot DBX: January 12, 2021, makes enhancements to Safe Boot DBX for numerous supported Home windows variations. These embody Home windows Server 2012 x64-bit; Home windows Server 2012 R2 x64-bit; Home windows 8.1 x64-bit; Home windows Server 2016 x64-bit; Home windows Server 2019 x64-bit; Home windows 10, model 1607 x64-bit; Home windows 10; model 1803 x64-bit; Home windows 10, model 1809 x64-bit; and Home windows 10, model 1909 x64-bit. Key adjustments have an effect on “Home windows units that [have] Unified Extensible Firmware Interface (UEFI) primarily based firmware that may run with Safe Boot enabled.” The Safe Boot Forbidden Signature Database (DBX) prevents malicious UEFI modules from loading; this replace provides further modules to dam malicious attackers who may efficiently exploit the vulnerability, bypass safe boot, and cargo untrusted software program.

The patch description notes that, “When you have Home windows Defender Credential Guard (Digital Safe Mode) enabled, your machine will restart two instances.” Whereas that doesn’t sound like a lot of a recognized difficulty, I discovered that having a server with HyperV enabled affected the integrity of my digital machines. In my case, rebooting the host server twice triggered the digital machines to go right into a saved state. 

Usually, while you patch a HyperV host server, it’s regular to let the underlying hosted digital machines “do their factor.” When the HyperV host reboots, the digital machine might be set by default to return again on-line; the system will briefly pause the Hyper V Administration server, reboot the host machine, and upon reboot restart the digital machines.  It’s regular for me to depart my digital machines working whereas I reboot the host server.  On this case, when the HyperV host rebooted, the digital machines didn’t return into operational situation. I needed to reboot the HyperV host a third time, totally shutting it down then manually turning it again on to get my digital machines again up and working.

For those who set up this replace on HyperV servers, plan on manually shutting down the digital machine first.  This ensures that the digital machines might be in a steady situation – and stopped – earlier than the patch is put in.

Traditionally talking, these DBX updates haven’t been effectively behaved — even on consumer-based machines. Previous updates triggered points in HP methods that didn’t have the newest BIOS updates put in. In a doc posted in February 2020, HP detailed the issue. (Each HP and Microsoft word that “if the newest supported BIOS isn’t put in on the system, then Home windows 2004 set up, Home windows 2004 Replace, or the KB4524244 or KB4535680 replace could also be blocked for set up or obtain.”)

Copyright © 2021 IDG Communications, Inc.

Source Link

Leave a Reply

Your email address will not be published. Required fields are marked *